You can “block” them, by simply removing their existence from the REST Server.
WP provides a filter for the REST API endpoints, you simply have to filter this with your routes. The below is a simple PHP Class that does this for you. All you need to do is provide the array of routes. I’ve added some examples.
Basically if any API route contains any of the strings in your $my_custom_routes array, they’ll be retained. If not, they’ll be discarded and will no longer be available.
Put this somewhere it’ll load before the REST API gets initiated, such as your functions.php.
class Filter_Rest_Api_Endpoints {
private $my_routes;
public function __construct( $routes ) {
$this->my_routes = $routes;
add_filter( 'rest_endpoints', array( $this, 'run_filter' ) );
}
public function run_filter( $endpoints ) {
foreach ( $endpoints as $route => $endpoint ) {
$keep_route = false;
foreach ( $this->my_routes as $my_route ) {
if ( strpos( $route, $my_route ) !== false ) {
$keep_route = true;
break;
}
}
if ( !$keep_route ) {
unset( $endpoints[ $route ] );
}
}
return $endpoints;
}
}
function hook_my_api_routes_filter() {
$my_custom_routes = array(
'users',
'/my/v1/custom/route/1',
'/my/v1/custom/route/2'
);
new Filter_Rest_Api_Endpoints( $my_custom_routes );
}
add_action( 'rest_api_init', 'hook_my_api_routes_filter' );
Of course, this isn’t recommended as you will likely break normal functionality in other parts of the site, but it’s here if you need it.