I am considering improving the security of my WordPress website, and in doing so have come across the WP REST API being enabled by default (since WP 4.4 if I'm not mistaken).
You can disable it for requests other than localhost:
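```php
// Abort any REST API request that does not come from the local machine.
function restrict_rest_api_to_localhost() {
    // Loopback addresses (IPv4 and IPv6) that may still use the API.
    $whitelist = [ '127.0.0.1', '::1' ];

    if ( ! in_array( $_SERVER['REMOTE_ADDR'], $whitelist, true ) ) {
        die( 'REST API is disabled.' );
    }
}
// Priority 0 runs this check before other rest_api_init callbacks.
add_action( 'rest_api_init', 'restrict_rest_api_to_localhost', 0 );
```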
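
An added example, not part of the original answer: the same restriction expressed through WordPress's `rest_authentication_errors` filter, so that loopback and logged-in requests still work and everyone else gets a 401 JSON error instead of a bare `die()`. The function names `my_rest_is_loopback` and `my_rest_require_auth`, the error code and the message are hypothetical; it is meant to be loaded by WordPress the same way as the snippet above.

```php
// Added example; function names below are hypothetical, not WordPress core.

/**
 * True when the TCP peer is a loopback address.
 * Caveat: if a reverse proxy on the same host forwards traffic to PHP,
 * REMOTE_ADDR is the proxy's address and every request looks local.
 */
function my_rest_is_loopback() {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return in_array( $remote, array( '127.0.0.1', '::1' ), true );
}

/**
 * Reject REST requests that are neither local nor authenticated.
 *
 * @param WP_Error|null|true $result Decision made by earlier handlers.
 * @return WP_Error|null|true
 */
function my_rest_require_auth( $result ) {
    // Keep a success or failure already decided by another auth handler.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // Local callers and logged-in users (e.g. the block editor) pass through.
    if ( my_rest_is_loopback() || is_user_logged_in() ) {
        return $result;
    }

    // Everyone else receives a structured 401 response from the REST server.
    return new WP_Error(
        'rest_restricted',
        'REST API is restricted to authenticated users.',
        array( 'status' => 401 )
    );
}
add_filter( 'rest_authentication_errors', 'my_rest_require_auth' );
```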