WordPress comes with a REST (see https://restfulapi.net/rest-architectural-constraints/) API (application programming interface), which is enabled by default. Its purpose is to allow communication between an external system and a WordPress installation. Some examples are: querying the latest n articles, creating a user programmatically, or creating a post programmatically. You can see what it returns by typing https://yourwebsite.com/wp-json/wp/v2/posts into your browser's address bar.

If you haven’t heard of these URLs, the term wp-json, or the REST API, chances are you’re not using it. In that case, you should be safe to disable it.

By doing so, you also reduce the number of public URLs of your website, basically to about 50%. Any request to one of your URLs (including the API URLs) causes your server to use resources (like CPU, RAM, disk, etc.) to process the request and to build and send a response. When you deactivate the REST API URLs, you also reduce the risk of unwanted crawlers and bots bringing down your server by flooding it with requests.

The plugin Disable WP REST API does exactly what its name suggests. Assuming your WordPress installation supports Composer, you can install it like this:

composer require wpackagist-plugin/disable-wp-rest-api

The WordPress Block Editor heavily relies on the REST API, as it interacts with WordPress without reloading the page. If you’re using it, you need to keep the REST API activated for logged-in users. Alternatively, consider using the Classic Editor.

There are other popular plugins, though, such as Contact Form 7, which rely on the REST API. So the best general advice is to test your plugins’ functionality after deactivating the REST API.

If you’re 100% sure that you don’t need the REST API and want to deactivate it, you could also do it in your Nginx configuration. You can do so by adding a location block inside your server block.

server {
    ...
    location ~ /wp-json/ {
        deny all;
    }
}
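To confirm the REST API is really unreachable afterwards, the following added example (not part of the original tutorial) requests it through both routes WordPress accepts, the /wp-json/ path and the ?rest_route= query string, and reports any that still answer. Nginx matches location blocks against the request path only, so a location on /wp-json/ does not cover the query-string form. The function names and the set of status codes counted as blocked are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check that the WordPress REST API no longer answers.
# Function names and the "blocked" status list are assumptions.

# Print the HTTP status code for a URL (000 when the connection fails).
http_status() {
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$1" || true
}

# A route counts as blocked only when the server refuses it or does not
# find it. Anything else (2xx, 3xx, 5xx, 000) needs a closer look.
is_blocked() {
    case "$1" in
        401|403|404|410) return 0 ;;
        *) return 1 ;;
    esac
}

# Probe both ways WordPress routes REST requests:
#   /wp-json/...        path form (pretty permalinks)
#   /?rest_route=/...   query-string form, handled by index.php
# Returns 0 when every probe is blocked, 1 otherwise.
check_rest_disabled() {
    base=${1%/}
    failed=0
    for path in '/wp-json/' '/wp-json/wp/v2/posts' '/?rest_route=/wp/v2/posts'; do
        code=$(http_status "$base$path")
        if is_blocked "$code"; then
            echo "blocked  $code  $path"
        else
            echo "EXPOSED  $code  $path"
            failed=1
        fi
    done
    return "$failed"
}

# Run against your own site when a base URL is given as the first argument,
# e.g.: sh check-rest.sh https://yourwebsite.com
if [ -n "${1:-}" ]; then
    check_rest_disabled "$1"
fi
```

Run it as an anonymous visitor (no cookies), since the Block Editor case above keeps the API available to logged-in users.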

Continue to part 14 of my tutorial series: Replacing WordPress Cron and Scheduled Actions with a real cronjob.