Disable REST API
Disable REST API blocks anonymous access to WordPress core REST endpoints (users, settings, themes, and similar) while leaving logged-in staff and third-party plugin REST routes untouched in the default mode.
What it does
Section titled “What it does”Two modes:
- Disable public access only (default) - anonymous users cannot hit WordPress core REST namespaces; logged-in users keep access; third-party plugin routes (WooCommerce, forms, etc.) stay available.
- Disable completely - blocks REST for everyone unless a route is allowed via filter; can break the block editor, apps, and plugins.
Optional Remove REST API link from HTML head also strips discovery from head, Link header, and XML-RPC RSD output.
When to use it
Section titled “When to use it”Enable it if:
- You want to stop anonymous scraping of
/wp-json/wp/v2/usersand similar core routes. - Staff still need the block editor (use public-only mode).
- You want to hide REST discovery links from public HTML.
When not to use it
Section titled “When not to use it”Settings
Section titled “Settings”- REST API mode
- Disable public access only (recommended)
- Disable completely (confirm dialog on save)
- Remove REST API link from HTML head (default on)
How to enable it
Section titled “How to enable it”- Go to WP PowerSuite -> Modules.
- Open Security or search for “Disable REST API”.
- Toggle Disable REST API on.
- Keep Disable public access only unless you fully understand complete disable, then save.
How to test it
Section titled “How to test it”- Enable public-only mode, then request
/wp-json/wp/v2/userswhile logged out. - ✅ Pass: request is rejected for anonymous users.
- Request the same URL while logged in as an administrator.
- ✅ Pass: access works for authenticated users.
- ❌ Fail: confirm mode setting, module toggle, and that the route is a core namespace (third-party routes are not blocked in public mode).
Troubleshooting
Section titled “Troubleshooting”- Block editor broken. You likely enabled Disable completely - switch back to public-only.
- WooCommerce Store API still open. Expected in public-only mode; only core namespaces are restricted for anonymous users.
- Discovery link still in HTML. Enable Remove REST API link from HTML head and clear caches.
What does Disable REST API do?
In the default mode it blocks anonymous access to WordPress core REST routes while logged-in users and third-party plugin routes keep working.
Is Disable REST API free?
Yes. Enable it under WP PowerSuite -> Modules.
Will public-only mode break the block editor?
No. Logged-in users keep REST access. Complete disable mode can break the block editor.
Does it block WooCommerce REST?
Not in public-only mode. Third-party plugin REST routes are left alone unless you use Disable completely.
How do I turn Disable REST API off?
Go to WP PowerSuite -> Modules, find Disable REST API, and toggle it off.
Developer notes (hooks & filters)
Source: modules/disable-rest-api/module.php.
Boot: critical · context: admin, frontend, ajax, rest.
Hooks: rest_authentication_errors, optional removal of rest_output_link_wp_head / rest_output_link_header / rest_output_rsd.
Filters for integrations: wpps_disable_rest_api_block_route, wpps_disable_rest_api_allow_route.