WordPress Development
The WordPress REST API Explained: Endpoints, Authentication, and Custom Routes
The WordPress REST API turns your site into a content platform any application can talk to. Here is everything developers need to know.
Simple Automation Solutions
The WordPress REST API turns your WordPress site into a headless content platform, letting external applications, mobile apps, and JavaScript frontends read and write content over HTTP. Understanding it opens a new category of WordPress possibilities.
What the WordPress REST API is
Every WordPress site running version 4.7 or later exposes a REST API at /wp-json/wp/v2/. This API allows any application that can make HTTP requests to interact with WordPress content without loading the admin interface. The API uses standard HTTP methods: GET to retrieve data, POST to create, PUT/PATCH to update, and DELETE to remove. Responses are returned in JSON format.
| Endpoint | Method | What it does |
|---|---|---|
| /wp-json/wp/v2/posts | GET | Fetch published posts (paginated) |
| /wp-json/wp/v2/posts/{id} | GET | Fetch a single post by ID |
| /wp-json/wp/v2/posts | POST | Create a new post (authenticated) |
| /wp-json/wp/v2/pages | GET | Fetch published pages |
| /wp-json/wp/v2/users/me | GET | Fetch current authenticated user |
| /wp-json/wp/v2/media | POST | Upload a media file (authenticated) |
Authentication methods
Read operations on public content require no authentication. Write operations require authentication.
For the vast majority of REST API use cases, Application Passwords are the simplest and most secure option. Generate one per application, grant only the role permissions needed, and revoke instantly if compromised.
Common use cases
Headless WordPress
Headless WordPress uses the REST API (or WPGraphQL) to decouple content management from the frontend. Your content editors use the familiar WordPress admin; your frontend is built with React, Next.js, or Vue. The frontend fetches content from the REST API and renders it independently.
Mobile apps
A native iOS or Android app can use the REST API to display blog content, enable user registration and login, accept submissions, or manage any WordPress content type without requiring a WebView.
Custom dashboards and integrations
Connect WordPress to external services: sync new WooCommerce orders to a CRM, post new blog entries to Slack, pull post data into a custom analytics dashboard.
Registering custom REST API endpoints
Extend the REST API with your own endpoints using register_rest_route() in your theme’s functions.php or a custom plugin. The function takes a namespace, a route pattern, and an array specifying HTTP methods, a callback function, and a permission callback.
Every custom endpoint must define a permission_callback. Never use __return_true for write endpoints. Always check current_user_can() for the appropriate capability to prevent unauthenticated data modification.
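The pattern described above, as an added example rather than code from the original post: a read-only route and a write route registered under a hypothetical `sas/v1` namespace (the namespace, route paths and `sas_*` function names are assumptions), each with an explicit `permission_callback` and schema-validated arguments, so the write route rejects unauthenticated callers before the callback ever runs.

```php
<?php
add_action( 'rest_api_init', function () {
    // Public, read-only route: it returns only published post titles, so __return_true is acceptable here.
    register_rest_route( 'sas/v1', '/recent-titles', array(
        'methods'             => WP_REST_Server::READABLE,   // GET
        'callback'            => 'sas_recent_titles',
        'permission_callback' => '__return_true',
        'args'                => array(
            'limit' => array(
                'type'              => 'integer',
                'default'           => 5,
                'minimum'           => 1,
                'maximum'           => 20,
                'sanitize_callback' => 'absint',
                'validate_callback' => 'rest_validate_request_arg',
            ),
        ),
    ) );

    // Write route: a capability check is mandatory; with __return_true any unauthenticated request could create content.
    register_rest_route( 'sas/v1', '/drafts', array(
        'methods'             => WP_REST_Server::CREATABLE,  // POST
        'callback'            => 'sas_create_draft',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            'title' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function sas_recent_titles( WP_REST_Request $request ) {
    $posts = get_posts( array( 'post_status' => 'publish', 'numberposts' => $request['limit'] ) );
    return rest_ensure_response( wp_list_pluck( $posts, 'post_title' ) );
}

function sas_create_draft( WP_REST_Request $request ) {
    $id = wp_insert_post( array(
        'post_title'  => $request['title'],
        'post_status' => 'draft',
        'post_author' => get_current_user_id(),
    ), true ); // second argument: return a WP_Error instead of 0 on failure
    if ( is_wp_error( $id ) ) {
        return new WP_Error( 'sas_insert_failed', $id->get_error_message(), array( 'status' => 500 ) );
    }
    return new WP_REST_Response( array( 'id' => $id ), 201 );
}
```

An unauthenticated `POST /wp-json/sas/v1/drafts` is answered with a 401 `rest_forbidden` error by WordPress before `sas_create_draft()` runs, and a request with `limit=500` is rejected by the schema validation rather than reaching `get_posts()`.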
Security considerations
- Disable user enumeration if not needed: /wp-json/wp/v2/users exposes usernames by default. Filter it to disable for unauthenticated requests
- Rate limiting: WordPress has no built-in REST API rate limiting. Add it via a plugin or server-level rules for public-facing APIs
- HTTPS only: never expose a REST API over HTTP. All API traffic must be encrypted
- Principle of least privilege: create a dedicated low-privilege user for API access rather than using an admin account
Building a headless WordPress site or custom API integration?
Simple Automation Solutions develops custom REST API integrations and headless WordPress solutions for businesses worldwide.
Frequently asked questions
Can I disable the WordPress REST API entirely?
You can restrict the REST API to authenticated users only by returning a WP_Error for unauthenticated requests. Disabling it entirely is not recommended because WordPress core features including the Gutenberg editor depend on the REST API internally. Restricting unauthenticated access is the appropriate approach.
What is the difference between the REST API and WPGraphQL?
The REST API uses fixed endpoints returning predefined data structures. WPGraphQL exposes a single GraphQL endpoint where the client specifies exactly what data it needs. GraphQL eliminates over-fetching and under-fetching. For complex headless builds, WPGraphQL is increasingly preferred. For simple integrations, the REST API is simpler to work with.
Does the REST API affect my site performance?
REST API requests run through the same WordPress PHP boot process as a page load. High-volume API traffic can strain server resources. For frequently-requested endpoints, add object caching via Redis or Memcached to reduce database load.
Simple Automation Solutions is a global digital product studio specialising in WordPress and Bubble.io development. We serve founders, startups, and businesses worldwide — delivering production-ready websites built to rank, convert, and scale.
