Skip to content

Remove WordPress REST API links

November 11th, 2019 WordPress Tips A padlock and a chain locking a greenish fence

When using the WordPress REST API, it might be needed to hide some WP REST API links from the page source to the outside world. Here’s how to do that.

Remove WordPress REST API Links

Let’s say you have added your own endpoint to the WP REST API, and do not want to publicly show it in the page source. There are two places the WP REST API link is added to the page source:

To remove these links we simply remove the functions that are hooked to wp_head and template_redirect

// Hide WP REST API links in page headers
remove_action( 'wp_head', 'rest_output_link_wp_head', 10);
remove_action( 'template_redirect', 'rest_output_link_header', 11);

Be aware that if REST API calls are done via AJAX, the browser shows the URL that is called, and it is visible to the public.

Bonus: Clear the WP-JSON index

If you have the WP REST API active, and don’t want people to see what endpoints are available, use the code below.

// Hide WP REST API JSON index
add_filter('rest_index', 'nstrm_hide_wp_json_index');
function nstrm_hide_wp_json_index( $response ){
return array();

If you want to further customize the WP REST API, use the plugin Disable REST API. This plugin disables all endpoint of the WP REST API and allows you to enable individual endpoints.

About Marcel Bootsman

Marcel discovered the web in 1995. Since then he has paid attention to and worked with lots of technologies and founded his own WordPress oriented business in 2009.

Currently Marcel is Business Development Manager Dutch & DACH Markets at Kinsta where he helps Kinsta's client base grow with Managed WordPress, Application, Database and Static site hosting.

You can contact Marcel on a diverse range of online platforms. Please see the Connect section on the homepage for the details.