Disable REST API by default, making it opt-in rather than always-on
Reported by: mor10 | Owned by:
Disable the REST API by default and enable it only when the site admin requests it or a theme or plugin is dependent on it for full functionality.
For sites that do not take advantage of the REST API, its always-on status is not beneficial. Its sole function in this scenario is for 3rd parties to gain access to content. This should be an active decision made by the site owner/admin, not a global decision made by the application.
I propose three changes to address this issue:
- REST API is disabled by default and site admin is given the option to enable it during initial install and later via a toggle on the Settings view. Admin should be allowed to toggle the REST API status at any time, akin to how search engine crawling is controlled.
- A define( 'WP_REST_API', false ); option is introduced in wp-config.php to globally enable/disable REST API.
- Theme and plugin authors can declare REST API dependency in their setup. When the theme/plugin is activated, the site admin is notified that it requires the REST API to be enabled, allowing transparency and handing the decision to the admin.
With these three enhancements, the REST API will be available for those who want to use it, rely on it, and/or want to open their content to consumption from 3rd parties while keeping it disabled for those who do not want to use it or, maybe most importantly, are not aware of what this feature is and have no use for it.
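
The three changes proposed in this ticket can be approximated today as a must-use plugin built on the core `rest_authentication_errors` filter. This is an added example, not part of the ticket and not WordPress core code: the `WP_REST_API` constant is the one proposed above and does not exist in core, the `rest_api_enabled` option and `rest_api_dependents` filter are hypothetical names, and keeping access for logged-in users (so the block editor keeps working) is an assumption.

```php
<?php
/**
 * Plugin Name: REST API opt-in gate (added example, not WordPress core code)
 *
 * Hypothetical names: WP_REST_API is the constant proposed in the ticket;
 * the 'rest_api_enabled' option and 'rest_api_dependents' filter are
 * invented here for illustration.
 */

// The wp-config.php constant wins; otherwise use the admin's stored
// setting, which defaults to "off" (opt-in).
function restgate_is_enabled() {
    if ( defined( 'WP_REST_API' ) ) {
        return (bool) WP_REST_API;
    }
    return (bool) get_option( 'rest_api_enabled', false );
}

// Core filter: returning a WP_Error here rejects the REST request.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( is_wp_error( $result ) || restgate_is_enabled() ) {
        return $result; // Keep an earlier error, or allow when opted in.
    }
    // Assumption: logged-in users keep access so wp-admin keeps working.
    if ( is_user_logged_in() ) {
        return $result;
    }
    return new WP_Error(
        'rest_disabled',
        'The REST API is disabled on this site.',
        array( 'status' => rest_authorization_required_code() )
    );
} );

// Themes and plugins declare a dependency by adding their name to the
// hypothetical 'rest_api_dependents' list; admins are told when the API
// is off but something needs it, and the decision stays with them.
add_action( 'admin_notices', function () {
    $dependents = apply_filters( 'rest_api_dependents', array() );
    if ( restgate_is_enabled() || empty( $dependents )
        || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html( 'Requires the REST API, which is disabled: '
            . implode( ', ', $dependents ) )
    );
} );
```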