WP 4.4: remove json-api and X-Pingback from HTTP Headers

MAYBE TRY THIS
add_filter(‘rest_enabled’, ‘_return_false’);
add_filter(‘rest_jsonp_enabled’, ‘_return_false’);

IN functions.php

Hey romzen,

Thanks for your reply! I had this info already though. It disables the REST API and gives this message when you try to access https://www.example.com/wp-json/:

{"code":"rest_disabled","message":"The REST API is disabled on this site."}

The HTTP Header pointing to it is still there however, so unfortunately it is not a solution.

I’m also trying to figure out how to remove the new rest api links, but from the HTML Head where wp_head() inserts it.

I’m able to do this with the other items like the RSD link, Feed links, etc by using a remove_action() function in the functions.php file.

Example: remove_action( 'wp_head', 'rsd_link' );

But I haven’t found any documentation on what the hook is (the “rsd_link” part in the example above) for the rest api that adds the new links through wp_head().

Anyone know what the hook is? I image the HTTP Header and HTML Head gets the info in a similar way.

Hello WatCystal,

You can use these lines to remove the REST API lines from the HTML Header:

remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'wp_head', 'wp_oembed_add_discovery_links', 10 );

That works for me at least. Please report back if you also happen to find a way to remove it from the HTTP Header!

ok this is nice and better solution !

Unfortunately that is only for the header section in the HTML. I still have not found a way to remove the HTTP Headers.

Try the ‘wp_headers’ filter. Find the offending headers in the passed array. Unset those elements and return any remaining header elements for output.

Thanks blueclochard! That’s exactly what I needed.

For anyone removing the oembed links in the head, they can also remove the wp-embed.min.js added in the footer as well using:

wp_deregister_script('wp-embed');

Now we just need the HTTP Headers solution.

Okay, I tested WP 4.4 with default settings, but just found out that the X-Pingback header is not set if you disable pingbacks. This was fixed for 4.4 in ticket #20226. So that fixes that.

As for the REST API HTTP header: I tried for hours, even with the wp-headers filter as bcworkz suggested, but I just can’t seem to find a working solution.

In the end I opted for a simple workaround by adding this line to .htaccess:

<IfModule mod_headers.c>
Header always unset Link
</IfModule>

Even though it works for me, it will not be a solution to everybody. You need to use Apache and have mod_headers enabled. There are probably similar ways to unset headers on Nginx and ISS though.

If anybody still finds a way to disable this header using functions.php, please report back so that I can mark this topic as resolved.

Using “always” may not work on your particular website so try removing “always” if the htaccess code blueclochard posted above does not work on your website.
https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header

<IfModule mod_headers.c>
Header unset Link
</IfModule>

This Action seems to do the trick too.

// Remove the Link header for the WP REST API
// [link] => <https://www.example.com/wp-json/>; rel="https://api.w.org/"
remove_action( 'template_redirect', 'rest_output_link_header', 11, 0 );

AITpro, your solution works indeed. And it’s a better solution than using .htaccess. Thanks! Marking this topic as resolved.

Be careful with always the unsetting Link. It’s used for preloading in HTTP/2, so don’t follow this recommendation.

After long search this works for me with WP 4.4.2 to remove the X-pingback from the HTTP header:

/* Remove X-Pingback in the HTTP header */
add_filter(‘wp_headers’, function($headers) {
unset($headers[‘X-Pingback’]);
return $headers;
});

and this (solution of AITpro) works for me too to remove the link to Rest API in the HTTP header:
/* Remove link to Rest API in the HTTP header */
remove_action( ‘template_redirect’, ‘rest_output_link_header’, 11, 0 );