What’s the correct method to disable the WordPress REST API for guests?
Asked on Sep 22, 2025
Answer
To disable the WordPress REST API for guests, you can use a filter hook to restrict access to authenticated users only. This involves adding a small snippet of code to your theme's `functions.php` file or a custom plugin.
```php
// Runs during REST authentication, before the request is dispatched.
add_filter('rest_authentication_errors', function ($result) {
    // Another handler has already decided (success or error): keep its result.
    if (!empty($result)) {
        return $result;
    }
    // Reject anyone who is not logged in.
    if (!is_user_logged_in()) {
        return new WP_Error('rest_forbidden', __('REST API restricted to authenticated users.'), array('status' => 401));
    }
    return $result;
});
```
Additional Comment:
- This code uses the `rest_authentication_errors` filter to check if a user is logged in before allowing access to the REST API.
- Place this snippet in your theme's `functions.php` file or a custom plugin to ensure it executes correctly.
- Remember that this will block all unauthenticated users from accessing the REST API, which might affect some plugins or themes that rely on it.
- Test your site functionality after implementing this change to ensure it doesn't disrupt any necessary features.
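Where a plugin or theme does need guest access, the blanket block can be narrowed with an allow-list of route prefixes. This is an added example, not code from the original answer: `mysite_guest_route_allowed`, `MYSITE_GUEST_REST_PREFIXES` and the `/example-forms/v1` namespace are hypothetical names, and reading the route from `$GLOBALS['wp']->query_vars['rest_route']` assumes the request came through WordPress's normal REST entry point.

```php
<?php
// Added example, not from the original answer.
// Route prefixes guests may still reach. Both entries are assumptions:
// '/oembed/1.0' is core's embed namespace; '/example-forms/v1' is a
// hypothetical plugin namespace standing in for whatever your site needs.
const MYSITE_GUEST_REST_PREFIXES = array( '/oembed/1.0', '/example-forms/v1' );

/**
 * True when $route equals an allowed prefix or sits beneath it.
 * Matching on a "/" boundary stops '/oembed/1.0x' passing as '/oembed/1.0'.
 */
function mysite_guest_route_allowed( $route, array $prefixes ) {
    $route = '/' . trim( (string) $route, '/' );
    foreach ( $prefixes as $prefix ) {
        $prefix = '/' . trim( $prefix, '/' );
        if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect a decision already made by another authentication handler.
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( is_user_logged_in() ) {
        return $result;
    }
    // rest_api_loaded() reads the requested route from this query var.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '/';
    if ( mysite_guest_route_allowed( $route, MYSITE_GUEST_REST_PREFIXES ) ) {
        return $result; // guest request to an allow-listed namespace
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'REST API restricted to authenticated users.' ),
        array( 'status' => 401 )
    );
} );
```

Use this in place of the simpler snippet, not alongside it, and keep the prefix list as short as the site's front-end features allow.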