From 1d0b4ba3ab5fd4ccea410342d5d211c27b6bdf30 Mon Sep 17 00:00:00 2001
From: Mohsin Rasool
Date: Tue, 30 Jul 2019 19:54:22 +0500
Subject: [PATCH] Disabling REST API for non-authenticated users.

It is not safe to expose users and all the entities publicly unless needed. So, added code to disable it as per the recommendation of the original Author @ https://developer.wordpress.org/rest-api/using-the-rest-api/frequently-asked-questions/#can-i-disable-the-rest-api

---
 wordpress-hack-without-plugin.php | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/wordpress-hack-without-plugin.php b/wordpress-hack-without-plugin.php
index 1b648b3..b10e654 100644
--- a/wordpress-hack-without-plugin.php
+++ b/wordpress-hack-without-plugin.php
@@ -128,6 +128,22 @@ function restrict_page() {
  * Disable Editing in Dashboard (add to wp-config.php)
  */
 define( 'DISALLOW_FILE_EDIT', true );
+
+add_filter( 'rest_authentication_errors', 'rest_authentication_errors');
+
+/**
+ * Disable REST API for not users that are not logged in.
+ */
+function rest_authentication_errors( $result ) {
+ if ( ! empty( $result ) ) {
+ return $result;
+ }
+ if ( ! is_user_logged_in() ) {
+ return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
+ }
+ return $result;
+}
+
 ?>
 /*=== CSS ===*/
@@ -152,4 +168,4 @@ function restrict_page() {
 deny from all
-
\ No newline at end of file
+
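Review bot: The callback added in the first hunk is a global function named exactly like the hook, `rest_authentication_errors`, with no site or theme prefix, so any other theme or plugin that picks the same obvious name produces a PHP "Cannot redeclare" fatal and takes the whole site down; WordPress convention is a unique prefix on both lines, e.g. `add_filter( 'rest_authentication_errors', 'whp_rest_authentication_errors' );` and `function whp_rest_authentication_errors( $result ) {` (`whp_` is a constructed placeholder; use this file's own prefix). The `! empty( $result )` pass-through and the `is_user_logged_in()` gate match the linked FAQ, so a request already authenticated (cookie + nonce, or an auth mechanism that set `$result`) still works while every anonymous `/wp-json/` and `?rest_route=` request gets the 401. If the aim in the commit message is hiding users, this closes only the REST surface: the `?author=N` redirect to the author slug and `xmlrpc.php` remain reachable and would need their own handling, and public integrations that rely on anonymous REST access (oEmbed discovery, front-end scripts or form plugins calling the API) will stop working, which is worth a comment next to the `add_filter` call. The docblock reads "Disable REST API for not users that are not logged in."; I'd make it `* Disable the REST API for visitors who are not logged in; authenticated requests are unaffected.`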