Block Root REST API Route using custom &/or iThemes

For all REST API routes, the rest_api_init action hook fires when preparing to serve a REST API request. The request URI ($_SERVER[‘REQUEST_URI’]) can be inspected with a regular expression to detect the root (e.g. wp-json) and the route (e.g. /wp/v2/posts) of the request. You can then decide what to return to the client (e.g. WP_Error, friendly message, Link Relation Names with alternative routes, etc).


Found the code snippet below here. You could try adding a conditional statement with Regex on the Request_URI inside the rest_authentication_errors callback to see if it is effective for filtering requests.

    add_filter( 'rest_authentication_errors', 'wp_snippet_disable_rest_api' );
    function wp_snippet_disable_rest_api( $access ) {
        return new WP_Error( 'rest_disabled', __('The WordPress REST API has been disabled.'), array( 'status' => rest_authorization_required_code()));