
How to Change the REST API Path and Secure WordPress APIs with WP Ghost

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.


Change the WordPress REST API path, hide the API URL from your site header, disable unauthenticated API access, and block the rest_route backdoor with WP Ghost (formerly Hide My WP Ghost). The default /wp-json endpoint exposes your site data to bots and scanners. Secure it in minutes.

The WordPress REST API exposes your site data through the /wp-json endpoint. While plugins and the block editor rely on it for admin actions, leaving it at the default path allows bots to enumerate users, posts, and configuration data without authentication. Attackers can discover admin usernames by visiting /wp-json/wp/v2/users, which returns a list of authors with their login names.

WP Ghost gives you four layers of REST API protection: change the path, hide the URL from your header, disable access for non-logged-in users, and block the rest_route fallback parameter.

Why You Need to Secure the REST API

| Default REST API (exposed) | With WP Ghost (secured) |
| --- | --- |
| /wp-json accessible to everyone | Custom path only you know |
| User enumeration via /wp/v2/users | Non-logged-in access blocked, returns 404 |
| API URL visible in page header | Link tag removed from source code |
| rest_route parameter bypasses path change | rest_route parameter disabled |

How to Secure the REST API with WP Ghost

Activate Safe Mode or Ghost Mode

Go to WP Ghost > Change Paths > Level of Security. Select Safe Mode or Ghost Mode and click Save.

WP Ghost Level of Security panel showing Safe Mode and Ghost Mode options

In both Safe Mode and Ghost Mode, WP Ghost leaves the wp-json name unchanged by default, because many plugins rely on this path. WP Ghost removes the path from the frontend source code, and you can customize it further for stronger security.


Change the wp-json Path

Go to WP Ghost > Change Paths > API Security. Find the Custom wp-json Path field. Enter a custom name (e.g., “my-api” instead of “wp-json”). Click Save.

WP Ghost Custom wp-json Path field in API Security settings

No files are changed

WP Ghost does not physically change any files. The REST API handler stays in the same location. WP Ghost uses rewrite rules to create the custom path. Deactivating restores the default /wp-json/ path instantly.

After changing the wp-json path, WordPress may need a moment to register the new route. Go to Settings > Permalinks and click Save Changes (you do not need to change anything, just re-save). This flushes the rewrite rules and ensures WordPress recognizes the new API path.


Hide REST API URL Link

By default, WordPress advertises the REST API URL in your site’s HTML header as a link tag. This tells bots exactly where your API lives, even if you changed the path. This option removes that header tag.

Go to WP Ghost > Change Paths > API Security. Switch on Hide REST API URL Link. Click Save.

WP Ghost toggle to hide REST API URL link from the website HTML header

This hides the URL but does not block API access. To block unauthenticated access entirely, use the next option.


Disable REST API Access

This blocks non-logged-in users from accessing the REST API entirely. Bots and visitors get a 404. Logged-in users (administrators, editors, etc.) can still use the API normally, so the block editor and admin functions are unaffected.

Go to WP Ghost > Change Paths > API Security. Switch on Disable REST API Access. Click Save.

WP Ghost toggle to disable REST API access for non-logged-in users

Third-party services

If you use services that connect to your site’s REST API (analytics, marketing tools, mobile apps, Zapier), whitelist their IP addresses at WP Ghost > Firewall > Whitelist so they can still access the API while everyone else is blocked.


Disable rest_route Parameter Access

WordPress supports a backdoor to the REST API through the rest_route query parameter. Even if you change the wp-json path, someone can access the API through yourdomain.com/?rest_route=/wp/v2/users. This option blocks that fallback.

Go to WP Ghost > Change Paths > API Security. Switch on Disable rest_route Parameter Access. Click Save.

WP Ghost toggle to disable rest_route parameter

With the wp-json path changed and the rest_route parameter disabled, both default WordPress entry points to the REST API are closed: unauthenticated users cannot reach it without knowing the custom path, and with Disable REST API Access switched on they receive a 404 even if they do.


Verify with a Security Check

After making your changes, verify everything is working. Go to WP Ghost > Security Check. Click Start Scan. The scan confirms the API path is changed and access is properly restricted.

WP Ghost Security Check results after securing the REST API path
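The Security Check above runs inside the plugin. The script below is an added example, not WP Ghost's code and not part of its Security Check, that performs the same four checks from the outside the way an unauthenticated visitor would see them: it looks for the REST API link tag in the homepage HTML, classifies unauthenticated requests to the default /wp-json path and to the rest_route fallback, and reports whether the site is hardened. The sample homepage, headers and responses are constructed for illustration (the example.test hostname is not a real site); run it with a site URL as the only argument to probe a live installation you administer. It also checks the HTTP Link header that WordPress sends alongside the HTML tag, which the page's toggle does not mention.

```python
# Added example (not WP Ghost's code): an offline checker for the four REST API
# protections this page configures. It is fed constructed responses so it runs
# with no network; pass a site URL on the command line to probe a live site.
import json
import re
import sys
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# WordPress advertises the API in <head> as <link rel="https://api.w.org/" href="...">
REST_LINK_RE = re.compile(r'<link\b[^>]*rel=["\']https://api\.w\.org/["\'][^>]*>', re.I)
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.I)

# The two default entry points an unauthenticated visitor could use: the default
# path and the rest_route fallback parameter described on this page.
DEFAULT_PROBES = ("/wp-json/wp/v2/users", "/?rest_route=/wp/v2/users")


def find_rest_link(html):
    """Return the REST URL advertised by the <link> tag, or None when the tag is absent."""
    tag = REST_LINK_RE.search(html)
    if not tag:
        return None
    href = HREF_RE.search(tag.group(0))
    return href.group(1) if href else None


def find_rest_link_header(headers):
    """WordPress also sends an HTTP 'Link: <url>; rel="https://api.w.org/"' header.
    The plugin toggle on this page covers the HTML tag, so this is reported separately."""
    value = next((v for k, v in headers.items() if k.lower() == "link"), "")
    for part in value.split(","):
        if 'rel="https://api.w.org/"' in part:
            url = re.search(r"<([^>]+)>", part)
            return url.group(1) if url else None
    return None


def classify_probe(status, body):
    """Classify one unauthenticated request to a REST endpoint."""
    if status == 404:
        return "blocked"
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "not-json"
        if isinstance(data, list):
            return "exposed:%d-records" % len(data)
        return "exposed"
    return "unknown:%d" % status


def assess(home_html, home_headers, probe_results):
    """Combine the checks into a findings dict. probe_results maps path -> (status, body)."""
    findings = {
        "html_link_tag": find_rest_link(home_html),
        "http_link_header": find_rest_link_header(home_headers),
    }
    for path, (status, body) in probe_results.items():
        findings[path] = classify_probe(status, body)
    # Hardened in the sense of this page: no link tag, and both default entry points return 404.
    findings["hardened"] = findings["html_link_tag"] is None and all(
        findings[path] == "blocked" for path in probe_results
    )
    return findings


def fetch(url):
    """GET without credentials, as an anonymous visitor; return (status, headers, body)."""
    req = Request(url, headers={"User-Agent": "rest-api-hardening-check"})
    try:
        with urlopen(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def check_site(base_url):
    """Probe a live site you administer and return the findings dict."""
    _, headers, html = fetch(base_url)
    probes = {}
    for path in DEFAULT_PROBES:
        status, _, body = fetch(urljoin(base_url, path))
        probes[path] = (status, body)
    return assess(html, headers, probes)


# Constructed sample responses (not captured from a real site): a default install
# first, then the same site after the four WP Ghost options are enabled.
EXPOSED_HOME = '<html><head><link rel="https://api.w.org/" href="https://example.test/wp-json/" /></head></html>'
EXPOSED_HEADERS = {"Link": '<https://example.test/wp-json/>; rel="https://api.w.org/"'}
EXPOSED_PROBES = {path: (200, '[{"id": 1, "name": "Site Admin", "slug": "admin"}]') for path in DEFAULT_PROBES}
SECURED_HOME = "<html><head><title>Example</title></head></html>"
SECURED_HEADERS = {}
SECURED_PROBES = {path: (404, "<h1>Not Found</h1>") for path in DEFAULT_PROBES}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(check_site(sys.argv[1]), indent=2))
    else:
        print(json.dumps(assess(EXPOSED_HOME, EXPOSED_HEADERS, EXPOSED_PROBES), indent=2))
        print(json.dumps(assess(SECURED_HOME, SECURED_HEADERS, SECURED_PROBES), indent=2))
```

A "blocked" result on both probes matches what Disable REST API Access and Disable rest_route Parameter Access promise (a 404 for visitors who are not logged in); "auth-required" means the endpoint still exists and only relies on authentication, and an "exposed" result with a record count is the user enumeration the page warns about. If you whitelisted third-party IPs, run the check from an address that is not on the whitelist, otherwise you are testing the exception rather than the rule.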

Frequently Asked Questions

What is the difference between Hide REST API URL Link and Disable REST API Access?

Hide REST API URL Link removes the API link tag from your site’s HTML header. The API is still accessible if someone knows the URL. Disable REST API Access blocks all unauthenticated requests to the API entirely. Logged-in users are unaffected. For maximum security, enable both.

Why do I need to disable rest_route too?

WordPress has a fallback: attackers can access the API via ?rest_route=/wp/v2/users even if you changed the wp-json path. Disabling the rest_route parameter closes this backdoor completely.

Will disabling the REST API break my site?

No. WP Ghost only blocks access for non-logged-in visitors. The block editor, admin dashboard, and all plugin functionality continue working normally for logged-in users. If third-party services need API access, whitelist their IPs at WP Ghost > Firewall > Whitelist.

Will this affect my SEO?

No. The REST API is not used by search engines for crawling or indexing. Disabling or changing the API path has zero impact on search rankings, sitemaps, or page indexing.

Does WP Ghost modify WordPress core files?

No. API path changes and access restrictions are handled through URL rewrite rules and WordPress filters. Deactivating WP Ghost restores all defaults instantly.


Related Articles

Disable XML-RPC Access – block the other major remote communication protocol.

Customize All WordPress Paths – change every WordPress path including the API.

Firewall and Geo Security – configure the 8G Firewall and IP whitelisting.

Activate Security Tweaks – hide WordPress fingerprints from source code.

Website Security Check – verify your configuration after making changes.