One-click WordPress REST API protection. Turn Off REST API blocks anonymous access to your /wp-json endpoints, so bots cannot enumerate your usernames or scrape your content, while your theme, your plugins, and the block editor keep working normally. Then reopen only the exact routes you need with a per-route allow list.
1-Click Setup
Per-Route Allow List
WP 7.0 Compatible
GPL v3 Open Source
How it protects your site
Protection
- Blocks anonymous requests to /wp-json
- Stops user enumeration via /wp/v2/users
- Keeps your content from being scraped through the public API
Control, not breakage
- Per-route allow list to reopen only what you need
- The block editor keeps full access (it runs logged in)
- Fine-tune access with the tora_grant_rest_api filter
Clarity
- A Site Health check confirms the restriction is intentional
- Optionally hide REST discovery links and headers from your page source
Compatibility
- Works on nginx and Apache alike
- Runs at the WordPress request level, no server config files
- No external services, no tracking
Free and open source. No account needed. Install from your WordPress dashboard and close your REST API to the public in one click.
Free and open source, always. No premium tier, no account, no tracking, and no upsell. Turn Off REST API is GPL v3 and does one job well.
What It Stops
- Anonymous user enumeration
- Public content and data scraping
- REST API based bots and probes
- All-or-nothing API exposure
Requirements
- WordPress 4.7 or later
- PHP 7.4 or later
- Any host (nginx or Apache)
- GPL v3, fully open source
Installation
- In WordPress, go to Plugins > Add New and search Turn Off REST API.
- Click Install Now, then Activate. Protection is on by default.
- Open Settings > Turn Off REST API to review the route allow list.
- Check any route or namespace you want to keep public, then save.
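A post-install check for the steps above, added here as an example (it is not part of the plugin or its documentation): it requests the user routes and the home page without credentials and reports whether user records or the REST discovery Link header are still visible. The names `classify` and `audit` are hypothetical, the sample responses are constructed, and no particular status code from the plugin is assumed; only a 2xx reply carrying user objects counts as exposure.

```python
import json
import urllib.error
import urllib.request

# Anonymous probes: pretty-permalink route, its ?rest_route= form, and the home page.
PATHS = ("/wp-json/wp/v2/users", "/?rest_route=/wp/v2/users", "/")
DISCOVERY_REL = "https://api.w.org/"  # rel value of WordPress's REST discovery link


def classify(status, headers, body):
    """Return findings for one anonymous response (empty list = nothing exposed)."""
    findings = []
    if 200 <= status < 300:
        try:
            data = json.loads(body)
        except ValueError:  # HTML or other non-JSON body
            data = None
        if isinstance(data, list):
            slugs = [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]
            if slugs:
                findings.append("users exposed: " + ", ".join(slugs))
    link = {k.lower(): v for k, v in headers.items()}.get("link", "")
    if DISCOVERY_REL in link:
        findings.append("REST discovery Link header present")
    return findings


def audit(base_url, timeout=10):
    """Fetch each path in PATHS without credentials and classify the reply."""
    report = {}
    for path in PATHS:
        try:
            resp = urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout)
            status = resp.status
        except urllib.error.HTTPError as err:  # 4xx/5xx replies arrive as exceptions
            resp, status = err, err.code
        links = ", ".join(resp.headers.get_all("Link") or [])
        body = resp.read().decode("utf-8", "replace")
        resp.close()
        report[path] = classify(status, {"Link": links}, body)
    return report


# Constructed sample responses (not captured from a real site).
OPEN = (200, {"Link": '<https://example.test/wp-json/>; rel="https://api.w.org/"'},
        '[{"id": 1, "name": "Admin", "slug": "admin"}]')
BLOCKED = (401, {}, '{"code": "constructed_error", "message": "blocked"}')

if __name__ == "__main__":
    print(classify(*OPEN))
    print(classify(*BLOCKED))
```

Calling `audit("https://your-site.example")` against your own site should return an empty list for every path once the restriction is active and discovery links are hidden; a route you deliberately allow-listed will show up as a finding by design.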

