Skip to content
Statamic Peak Marcel Bootsman

Remove WordPress REST API links

November 11th, 2019 WordPress Tips A padlock and a chain locking a greenish fence

When using the WordPress REST API, it might be needed to hide some WP REST API links from the page source to the outside world. Here’s how to do that.

Remove WordPress REST API Links

Let’s say you have added your own endpoint to the WP REST API, and do not want to publicly show it in the page source. There are two places the WP REST API link is added to the page source:

To remove these links we simply remove the functions that are hooked to wp_head and template_redirect

1// Hide WP REST API links in page headers
2remove_action( 'wp_head', 'rest_output_link_wp_head', 10);
3remove_action( 'template_redirect', 'rest_output_link_header', 11);

                
php

Be aware that if REST API calls are done via AJAX, the browser shows the URL that is called, and it is visible to the public.

Bonus: Clear the WP-JSON index

If you have the WP REST API active, and don’t want people to see what endpoints are available, use the code below.

1// Hide WP REST API JSON index
2add_filter('rest_index', 'nstrm_hide_wp_json_index');
3function nstrm_hide_wp_json_index( $response ){
4    return array();
5}

                
php

If you want to further customize the WP REST API, use the plugin Disable REST API. This plugin disables all endpoint of the WP REST API and allows you to enable individual endpoints.

About Marcel Bootsman

Marcel discovered the web in 1995. Since then he has paid attention to and worked with lots of technologies and founded his own WordPress oriented business nostromo.nl in 2009.

Currently Marcel is Marketing Manager for the Dutch Market at Kinsta where he helps Kinsta's client base grow in the Managed WordPress and Application & Database hosting arena.

You can contact Marcel on a diverse range of online platforms. Please see the Connect section on the homepage for the details.