| 开发者 | ksym04 |
|---|---|
| 更新时间 | 2026年6月28日 03:25 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv3 |
| 版权网址: | 版权信息 |
/wp-json endpoints receive an authentication error instead of your site data, while logged in users, your theme, and your plugins keep working normally.
By default WordPress exposes a large amount of information through the REST API, including your list of user accounts and usernames, published content, and details about your site. For most sites that open, unauthenticated access is unnecessary and only widens the attack surface for user enumeration and content scraping. Turn Off REST API closes the WordPress REST API to the public in one click, then gives you a clear settings screen to reopen only the specific REST API routes you actually need.
Why turn off the WordPress REST API?
/wp-json/wp/v2/users.tora_grant_rest_api filter, so developers can extend or override the logic for custom roles, application passwords, or trusted requests.
turn-off-rest-api folder to /wp-content/plugins/.Log out of your site (or open a private browser window) and visit https://your-site.com/wp-json. You should see an authentication error instead of a list of routes and data. Logged in users will still see the normal response.
No. The block editor runs as a logged in user, so it keeps full REST API access. Only unauthenticated requests are blocked.
Yes. Open Settings, then Turn Off REST API, check the route or namespace you want to keep open, and save. Everything else stays blocked.
Yes. The plugin works at the WordPress request level and does not depend on any web server configuration files.
Yes. Use the tora_grant_rest_api filter to return true or false based on your own logic. By default it returns whether the current user is logged in.