In this very short post, we will present a way to hide the publicly available endpoints in Wordpress by default from nosy, not logged in users.
To allow only logged in users to view the endpoints generated by WP, add the following code:
function mytheme_only_allow_logged_in_rest_access( $access ) {
if( ! is_user_logged_in() ) {
return new WP_Error(
'rest_cannot_access',
__( 'Only authenticated users can access the REST API.', 'disable-json-api' ),
array('status' => rest_authorization_required_code())
);
}
return $access;
}
add_filter( 'rest_authentication_errors', 'mytheme_only_allow_logged_in_rest_access' );Version with administrator access
function mytheme_only_allow_logged_in_rest_access( $access ) {
if( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
return new WP_Error( 'rest_cannot_access', __( 'Only authenticated users can access the REST API.', 'disable-json-api' ), array( 'status' => rest_authorization_required_code() ) );
}
return $access;
}
add_filter( 'rest_authentication_errors', 'mytheme_only_allow_logged_in_rest_access' );Default endpoint list
add_filter( 'rest_endpoints', 'show_default_endpoints' );
function show_default_endpoints( $endpoints ) {
var_export( array_keys( $endpoints ) );
die;
}Removing only default endpoints
add_filter( 'rest_endpoints', 'remove_default_endpoints' );
function remove_default_endpoints( $endpoints ) {
return array( );
}