
Safely disable WP REST API


From the author's original question I've chosen option 2, which came from the official WordPress recommendations (https://developer.wordpress.org/rest-api/using-the-rest-api/frequently-asked-questions/#can-i-disable-the-rest-api). So just put this in your functions.php to let only logged-in users use the REST API:

add_filter( 'rest_authentication_errors', function( $result ) {
    // A previous authentication check already decided (true or WP_Error):
    // pass that result along untouched.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // No authentication has happened yet: refuse anonymous requests.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
    }
    // Logged-in requests are unaffected.
    return $result;
} );


You can disable it for requests other than localhost:

function restrict_rest_api_to_localhost() {
    // Only loopback addresses (IPv4 and IPv6) may reach the REST API.
    $whitelist = [ '127.0.0.1', '::1' ];
    if ( ! in_array( $_SERVER['REMOTE_ADDR'], $whitelist, true ) ) {
        die( 'REST API is disabled.' );
    }
}
// Priority 0 so the check runs before any endpoint is registered.
add_action( 'rest_api_init', 'restrict_rest_api_to_localhost', 0 );
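As an added example (not code from any of the answers here, nor from WordPress core), the two approaches above can be combined into one mu-plugin: it keeps the early return for results an earlier authentication handler has already produced, locks down only the core `/wp/` namespace (the same scope the .htaccess rule further down targets), lets loopback callers through, and answers everyone else with a real REST 401 instead of `die()`. The plugin name, the constant and its address list are assumptions; `rest_route` is the query var the core dispatcher reads.

```php
<?php
/**
 * Plugin Name: Restrict core REST namespace to logged-in users
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Addresses allowed to use the core namespace anonymously
// (constructed list; adjust for your own monitoring hosts or proxies).
const RESTRICT_REST_ALLOWED_IPS = array( '127.0.0.1', '::1' );

// Route WordPress is about to serve, e.g. "/wp/v2/users".
function restrict_rest_current_route() {
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    return '/' . ltrim( untrailingslashit( $route ), '/' );
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect a decision made by an earlier authentication handler
    // (cookie nonce, application password, an OAuth plugin).
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // Only the core "wp" namespace is restricted; plugin namespaces
    // (contact forms, editor helpers) keep their own behaviour.
    if ( 0 !== strpos( restrict_rest_current_route(), '/wp/' ) ) {
        return $result;
    }

    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( in_array( $remote, RESTRICT_REST_ALLOWED_IPS, true ) ) {
        return $result;
    }

    if ( ! is_user_logged_in() ) {
        // A WP_Error keeps the JSON error envelope and the 401 status;
        // die() would send a text body with status 200.
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )
        );
    }

    return $result;
} );
```

Verify it with an anonymous request to /wp-json/wp/v2/users (expect 401 JSON) and one to a plugin namespace (unchanged), then repeat while logged in.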


Disabling the REST API was not a bad idea, after all. It actually opened a huge hole in all websites!

In WordPress 4.4 there was a way

Here, I've found a possible solution with .htaccess, but it should be carefully tested in combination with whatever else is in your .htaccess file (e.g., the pretty-URL rules added by WordPress itself):

# WP REST API BLOCK JSON REQUESTS
# Block/Forbid Requests to: /wp-json/wp/
# WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE
# (RewriteEngine On is already set in the block WordPress writes; repeating it is harmless)
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/ [NC]
RewriteRule ^(.*)$ - [F]

A very drastic method is also to have a 404.html page in your root and then add this line:

# WP REST API BLOCK JSON REQUESTS
# Redirect to a 404.html (you may want to add a 404 header!)
RewriteRule ^wp-json.*$ 404.html

Note that, unless you use a static page (i.e., one not involving WordPress functions), returning a 404 error with an appropriate error page is a completely separate topic, with a lot of issues once WordPress is involved.