Safely disable WP REST API

花落未央 2021-01-30 13:37

I am considering improving the security of my WordPress website, and in doing so have come across the WP REST API being enabled by default (since WP 4.4 if I'm not mistaken).

5 answers
  •  一向 (original poster)
    2021-01-30 14:31

    Disabling REST API was not a bad idea, after all. It actually opened a huge hole in all websites!

    In wordpress 4.4 there was a way

    Here, I've found a possible solution with .htaccess, but it should be carefully tested in combination with whatever else is in your .htaccess file (e.g., pretty-URL rules added by WordPress itself):

    # WP REST API BLOCK JSON REQUESTS 
    # Block/Forbid Requests to: /wp-json/wp/
    # WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE
    RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
    RewriteCond %{REQUEST_URI} ^.*wp-json/wp/ [NC]
    RewriteRule ^(.*)$ - [F]
    

    A very drastic method is also to have a 404.html webpage in your root and then add this line:

    # WP REST API BLOCK JSON REQUESTS 
    # Redirect to a 404.html (you may want to add a 404 header!) 
    RewriteRule ^wp-json.*$ 404.html
    

    Note that, unless you use a static page, i.e., not involved with WordPress functions, if you want to return a 404 error with an appropriate error page, this is a completely separate topic, with a lot of issues when WordPress is involved.
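
Added example (not part of the answer above, and not WordPress or Apache code): a Python emulation of how the two .htaccess snippets match requests, for checking which requests each rule covers before deploying it. It assumes the rules sit in the document-root .htaccess ahead of WordPress's own rewrite block; the function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the two .htaccess snippets; [NC] maps to re.IGNORECASE.
METHOD_RE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE)", re.IGNORECASE)
URI_RE = re.compile(r"^.*wp-json/wp/", re.IGNORECASE)
DRASTIC_RE = re.compile(r"^wp-json.*$")  # second snippet carries no [NC]


def first_rule_forbids(method: str, url: str) -> bool:
    """Emulate the RewriteCond pair: both must match for [F] to fire.

    %{REQUEST_URI} holds the URL path only, so the query string is dropped.
    """
    path = urlsplit(url).path
    return bool(METHOD_RE.search(method) and URI_RE.search(path))


def second_rule_rewrites(url: str) -> bool:
    """Emulate 'RewriteRule ^wp-json.*$ 404.html' in a document-root .htaccess.

    In per-directory context the pattern sees the path without its leading slash.
    """
    path = urlsplit(url).path.lstrip("/")
    return bool(DRASTIC_RE.search(path))


# Constructed sample requests (not taken from the page).
SAMPLES = [
    ("GET", "/wp-json/wp/v2/posts"),
    ("GET", "/WP-JSON/wp/v2/posts?per_page=5"),
    ("GET", "/wp-json/"),
    ("GET", "/wp-json/oembed/1.0/embed"),
    ("GET", "/index.php?rest_route=/wp/v2/posts"),
    ("GET", "/blog/hello-world/"),
]


def coverage(samples=SAMPLES):
    """Return (method, url, forbidden_by_first, rewritten_by_second) per sample."""
    return [(m, u, first_rule_forbids(m, u), second_rule_rewrites(u))
            for m, u in samples]


if __name__ == "__main__":
    for method, url, first, second in coverage():
        print(f"{method:5} {url:38} first={'F' if first else '-':2} "
              f"second={'404.html' if second else '-'}")
```

The first snippet only covers the `wp/` namespace and matches on the path alone, while the second is case-sensitive and anchored at the start of the path, so the two rules cover different sets of requests.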
