0 Day Analytics

How to Hide or Change wp-json in WordPress (Without Breaking Your Site)

By sdobreff on · 4 min read · REST API · API, endpoint, REST, restrinc, secure
Table of Contents

The WordPress REST API is a powerful feature that allows your website to communicate with external applications, plugins, and services. By default, it is available at the /wp-json/ endpoint.

Many website owners want to hide or change this endpoint for security or customization reasons. In this guide, you’ll learn what’s possible, what’s not, and how to do it safely.

What is the /wp-json/ Endpoint?

The /wp-json/ route is the default base path for the WordPress REST API. It provides structured data (JSON) for posts, pages, users, and more.

/wp-json/wp/v2/posts

This endpoint is used by:

  • The Gutenberg block editor
  • Mobile apps
  • WooCommerce and other plugins
  • External integrations

Can You Rename /wp-json/?

Short answer: No, not completely.

WordPress does not provide a built-in option to fully rename the REST API endpoint. However, you can modify the prefix and control access.

PHP
\add_filter( 'rest_url_prefix', function () {
    return 'my-api';
});

Result:

  • /wp-json/wp/v2/posts → /my-api/wp/v2/posts

Method 2: Hide wp-json via .htaccess (Apache)

APACHE
RewriteEngine On
RewriteRule ^wp-json/(.*)$ /my-api/$1 [R=301,L]

Method 3: Nginx Configuration

NGINX
location /wp-json/ {
    return 301 /my-api/;
}

Method 4: Restrict REST API Access

PHP
\add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! \is_user_logged_in() ) {
        return new \WP_Error( 'rest_not_logged_in', 'Not logged in', array( 'status' => 401 ) );
    }
    return $result;
});

Best Practice

  • Change prefix
  • Restrict access
  • Test on staging
  • Monitor API usage

Advanced: Suppress or Harden Specific REST API Endpoints

Instead of disabling or hiding the entire REST API, a smarter approach is to control specific endpoints. This allows you to keep functionality while improving security.

How to Disable (Suppress) a Specific Endpoint

You can remove access to specific REST routes using a filter.

Example: Disable access to posts endpoint /wp-json/wp/v2/posts

PHP
\add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( isset( $endpoints[ '/wp/v2/posts' ] ) ) {
        unset( $endpoints[ '/wp/v2/posts' ] );
    }
    return $endpoints;
});

What this does:

  • Removes the posts endpoint from the REST API
  • Prevents public access
  • May break features that rely on it (e.g. Gutenberg)

Alternative: Disable Only GET Requests (Safer)

If you want to keep functionality but prevent public data exposure:

PHP
\add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {

    if ( $request->get_route() === '/wp/v2/posts' && $request->get_method() === 'GET' ) {
        return new WP_Error( 'rest_disabled', 'Posts endpoint disabled.', array(' status' => 403 ) );
    }

    return $result;

}, 10, 3);

Why this is better:

  • Keeps internal functionality working
  • Blocks public reading of posts via API

How to Harden a Specific Endpoint

You can restrict access to only authenticated users or specific roles.

Example: Protect /wp-json/wp/v2/posts

PHP
\add_filter( 'rest_authentication_errors', function ( $result ) {

    if ( ! empty( $result ) ) {
        return $result;
    }

    $route = $_SERVER['REQUEST_URI'];

    if ( strpos( $route, '/wp-json/wp/v2/posts' ) !== false ) {

        if ( ! \is_user_logged_in() ) {
            return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
        }

    }

    return $result;
});

Role-Based Protection (Advanced)

You can allow only specific roles (e.g. admins):

PHP
\add_filter( 'rest_authentication_errors', function ( $result ) {

    if ( !empty( $result ) ) {
        return $result;
    }

    if ( strpos( $_SERVER['REQUEST_URI'], '/wp-json/wp/v2/posts' ) !== false ) {

        if ( ! \current_user_can( 'manage_options' ) ) {
            return new WP_Error( 'rest_forbidden', 'Admins only.', array( 'status' => 403 ) );
        }

    }

    return $result;
});

Nginx-Level Hardening (Extra Layer)

You can also restrict access at the server level:

NGINX
location ~ ^/wp-json/wp/v2/posts {
    allow 123.123.123.123;
    deny all;
}

This blocks access for everyone except your IP.

Best Practice for Endpoint Security

  • Do NOT disable endpoints blindly
  • Restrict only what you don’t need
  • Use authentication where possible
  • Combine application-level and server-level protection

This approach gives you a balance between security and functionality.

FAQ

Can I completely rename wp-json in WordPress?

No. You can change the prefix, but the original endpoint may still exist internally.

Is hiding wp-json enough for security?

No. It only reduces visibility. Proper security requires access control and monitoring.

Will this break plugins?

It can. Many plugins rely on the REST API, so always test changes first.

What is the safest method?

Changing the prefix combined with restricting access is the safest approach.

Conclusion

You can’t fully rename the /wp-json/ endpoint, but you can hide, modify, and secure it effectively without breaking your site.

Want to go further?
Learn how to fully secure your API endpoints in our complete guide:

WordPress REST API Security Best Practices

← WP_List_Table Tutorial: How to Create & Extend Admin Tables in WordPress WordPress REST API Security Best Practices →
Share this page
Back to top