Open your WordPress site’s source code and look for this:
```html
<link rel='https://api.w.org/' href='https://yoursite.com/wp-json/' />
```
That’s the REST API discovery link. It tells browsers and applications where to find your WordPress REST API endpoint. It’s on every page of your site, visible to everyone.
While the REST API itself is essential for modern WordPress (Gutenberg needs it), advertising its location in public HTML is a different matter entirely.
## What is the REST API link?
WordPress adds this tag so that external applications can automatically discover your REST API endpoint. It’s part of the REST API’s auto-discovery mechanism — an application can fetch any page on your site, parse this tag, and know where to send API requests.
The REST API itself handles everything from the Gutenberg editor to WooCommerce to Contact Form 7. It’s not something you want to disable entirely.
But the discovery link in the page `<head>` is separate from the API itself. Removing the link doesn’t disable the API — it just stops advertising its location.
## Why should you care?
Information disclosure. The link confirms that the REST API is available and reveals its exact URL. Attackers and scanners use this for reconnaissance — knowing the API location lets them probe for vulnerabilities, enumerate users, and discover content.
You probably don’t need auto-discovery. External applications that need your REST API should know the endpoint already. Auto-discovery is a convenience for automated tools — many of which are security scanners.
## The quick fix

Add the following to your theme’s `functions.php` or a must-use plugin:

```php
// Remove the REST API discovery <link> tag from the HTML head
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );

// Also remove the equivalent Link header from HTTP responses
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
```
This removes the discovery link and HTTP header. The REST API itself continues working perfectly — Gutenberg, plugins, and everything else that uses the API internally is unaffected.
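To confirm that both advertising channels are gone after the fix, here is an added checker (not code from the original post or from OvKit) that inspects a page’s HTML and its response headers for the `https://api.w.org/` relation. The HTML, header values and `example.com` URLs below are constructed samples; feed it the body and headers from a real fetch of your own site.

```python
"""Detect whether a WordPress response still advertises its REST API location
(added example; the sample responses below are constructed, not captured)."""
from html.parser import HTMLParser
import re

REST_REL = "https://api.w.org/"  # link relation WordPress uses for discovery


class _LinkTagFinder(HTMLParser):
    """Collect href values of <link> tags whose rel includes REST_REL."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        # rel may carry several space-separated relations
        if REST_REL in (a.get("rel") or "").split() and a.get("href"):
            self.hrefs.append(a["href"])


def rest_links_in_html(html: str) -> list:
    """Return every REST discovery URL advertised via a <link> tag."""
    parser = _LinkTagFinder()
    parser.feed(html)
    return parser.hrefs


# One link-value per match: <target> followed by its ;-separated parameters.
# Assumes no commas inside quoted parameter values (true for WordPress output).
_LINK_VALUE = re.compile(r"<([^>]*)>([^,]*)")


def rest_links_in_header(link_header: str) -> list:
    """Return targets in an HTTP Link header whose rel is REST_REL."""
    found = []
    for target, params in _LINK_VALUE.findall(link_header or ""):
        for param in params.split(";"):
            name, _, value = param.strip().partition("=")
            if name.lower() == "rel" and REST_REL in value.strip('"').split():
                found.append(target)
    return found


def rest_api_advertised(html: str, headers: dict) -> dict:
    """Report each channel (HTML tag, Link header) that still leaks the API URL."""
    link_header = ",".join(v for k, v in headers.items() if k.lower() == "link")
    return {"html": rest_links_in_html(html), "header": rest_links_in_header(link_header)}


# Constructed samples: a stock WordPress response and one with the fix applied.
EXPOSED_HTML = "<html><head><link rel='https://api.w.org/' href='https://example.com/wp-json/' /></head></html>"
EXPOSED_HEADERS = {"Link": '<https://example.com/wp-json/>; rel="https://api.w.org/"'}
CLEANED_HTML = "<html><head><link rel='canonical' href='https://example.com/' /></head></html>"
CLEANED_HEADERS = {"Content-Type": "text/html; charset=UTF-8"}
```

An empty list under both keys means neither the tag nor the header advertises the endpoint anymore; the API itself is untouched by this check.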
## The one-click solution
OvKit includes Remove REST API Link under Features → Cleanup. One toggle.
## FAQ
### Will removing this break the Gutenberg editor?
No. Gutenberg knows the REST API endpoint from WordPress’s internal JavaScript configuration, not from the HTML tag. Removing the discovery link doesn’t affect any admin functionality.
### Is this the same as disabling the REST API?
No. This only removes the auto-discovery link from your HTML. The REST API remains fully functional. If you want to restrict specific API endpoints (like the users endpoint), that’s a separate security measure.
### Should I combine this with blocking the REST API users endpoint?
Yes. Removing the discovery link reduces reconnaissance, and blocking the users endpoint prevents username harvesting. They complement each other as part of a layered security approach.