and like us on FB

The WordPress REST API provides API endpoints for WordPress data types that allow developers to interact with sites remotely by sending and receiving JSON (JavaScript Object Notation) objects. Since version 4.7 of the platform, the API is available by default without need for a plugin. If you’re new to the API concept and you’d like to see an example of returned data (and assuming you’re using an up-to-date version of WordPress), visit the following URL in your browser: http://www.YourDomain.com/wp-json/wp/v2/posts/ (replace YourDomain.com with your own domain).

The REST API is brilliant. It’s a platform agnostic API that can be built into any application in any number of ways. For developers, the API has introduced the opportunity to build applications that weren’t possible via the XML-RPC functionality (made available in WordPress 3.4, and turned on by default since WordPress 3.5). We’ve integrated the API into our Social Media and Marketing Platform to communicate with our client websites, and we’re slowly doing away with the features and functions that relied on older methods.

If you’re not using the REST API, it’s best to disable the feature. Leaving it exposed makes all your data available in a way that gives RSS -scrapers gooey night-dreams, and it opens up your site to usage outside of your control. The three example WordPress filters that follow are written to limit API usage in different ways. If you’re not using the API and don’t want anybody else snooping around, we have a plugin download below that completely disables the feature.

Disable All REST API Access

Copy and paste the WordPress function into your theme's functions.php file or, if you sensibly have one installed, your custom functions plugin.

Disable Endpoints for Logged Out Users

Copy and paste the WordPress function into your theme's functions.php file or, if you sensibly have one installed, your custom functions plugin.

Enable Endpoints With Valid API Key

The following is a basic example. A more robust means of authentication is expected (perhaps integrated into user options). WordPress recommends OAuth authentication, application passwords, or basic authentication for external applications, and cookie-based authentication for internal plugins. Depending upon your application, you might also consider measuring or rate-limiting user usage.

Copy and paste the WordPress function into your theme's functions.php file or, if you sensibly have one installed, your custom functions plugin.

The &apikey=123456 should be appended to all your requests. You may also pass credentials or an API key in the header request as follows:

The above example will delete a post with ID of 1234 (obviously authentication is required for such actions). However, passing usernames and passwords is a less-than-ideal means of accomplishing the task. Passing a public encryption key that is interpreted server-side might mitigate some of the risks with this method… however, it’s beyond the scope of this article.

Actions

If you’re removing the API completely, the following will remove additional API features.

Resource

We’ll share lots of funky API functions in the future.

Download Plugin

The plugin is intended for those that wish to disable the WordPress REST API features to all users. If you’re a client, do not install this; our plugin disables access to unauthorized applications and white-lists our platform.

Title: Disable The WordPress Rest API
Description: Disable access to the WordPress REST API.
Download: WP Plugin (V0.1) | | Plugin Page

Shortt URL for this post: http://shor.tt/Bm8