Rocket.net
Disclosure: This site contains affiliate links. We may earn a commission when you sign up through our links at no extra cost to you.
Performance

WordPress REST API Optimization: Speed Up and Secure Your API Endpoints

By speedysite.net 9 min read

The WordPress REST API powers Gutenberg, mobile apps, and headless setups — but unconfigured, it can hurt performance and expose your site to abuse. Here's how to audit, optimize, and protect it.

Want the fastest WordPress hosting?

Rocket.net delivers 83ms average TTFB - up to 153% faster than competitors. Try it risk-free.

Start Your $1 Trial →

The WordPress REST API was introduced in WordPress 4.7 and has become the backbone of how WordPress communicates with itself and the outside world. Every time someone edits a post in Gutenberg, saves a draft, or uses a plugin that pulls external data, the REST API is almost certainly involved.

For many site owners, that’s invisible infrastructure — it just works. But on high-traffic sites, sites running page builders that make heavy use of block editing, or sites where the REST API is publicly accessible to unauthenticated visitors, it can become a meaningful source of performance overhead and even a target for abuse.

This guide covers how to audit your REST API usage, reduce its footprint, cache its responses, and secure it — without breaking the features that depend on it.

What Is the WordPress REST API (and Why Should You Care)?

The REST API is a set of URL endpoints that accept HTTP requests and return JSON responses. For example, visiting /wp-json/wp/v2/posts on most WordPress sites returns a JSON list of your recent posts.

This API powers several core WordPress features:

  • Gutenberg block editor — block saving, reusable blocks, post meta, and more
  • Application passwords — the authentication mechanism for external API clients
  • Comments via REST — some themes and plugins submit comments through the API
  • Plugin integrations — contact forms, e-commerce plugins, and membership platforms increasingly use REST calls for dynamic data

The problem is that by default, the REST API is publicly accessible. An unauthenticated visitor can query /wp-json/wp/v2/posts, /wp-json/wp/v2/users, and dozens of other endpoints — and each request hits your PHP runtime, bypassing page caching.

Step 1: Audit What REST API Endpoints Are Active

Before optimizing, understand what’s being exposed and used. The simplest way to browse your site’s REST API is to visit yourdomain.com/wp-json/ in a browser. This returns a JSON document listing every registered namespace and route.

For a more structured audit, install the Query Monitor plugin and look at the “HTTP API Calls” panel while using your site. This shows outbound API calls your own plugins are making, which is equally important — slow external API calls from inside your WordPress install affect page load times just as much as slow database queries.

You can also check your server access logs for requests matching /wp-json/. Look at:

  • Request volume — how many REST requests per minute?
  • Top endpoints — which routes are called most frequently?
  • Authenticated vs. unauthenticated — are bots hammering public endpoints?

Step 2: Restrict Unauthenticated Access (If You Don’t Need It)

If your site doesn’t use the REST API for public-facing features — no headless frontend, no public widgets pulling from the API — you can restrict access to authenticated users only. This dramatically reduces the attack surface and eliminates a class of bot traffic that can generate unnecessary PHP load.

Add this to your theme’s functions.php or a small custom plugin:

add_filter( 'rest_authentication_errors', function( $result ) {
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
});

Important: Don’t use blanket REST API disabling plugins that hook into rest_authentication_errors globally without testing thoroughly. Gutenberg requires authenticated REST access for logged-in editors. The snippet above returns a 401 only for unauthenticated (not-logged-in) requests, which is the safe approach.

If you use a plugin that relies on public REST access (a headless theme, a decoupled frontend, certain form plugins), test in staging first.

Step 3: Limit Exposed Endpoints

WordPress registers dozens of REST endpoints by default, and every installed plugin can add more. Many of these you may never use from the public side. You can selectively remove endpoints from the public response by filtering rest_endpoints:

add_filter( 'rest_endpoints', function( $endpoints ) {
    // Remove the users endpoint from public discovery
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
});

The /wp/v2/users endpoint in particular has been used by attackers to enumerate usernames — a common first step in brute-force attacks against the login page. Removing it from public discovery is a simple, low-risk hardening step.

Step 4: Cache REST API Responses

Page caching plugins typically cache full HTML page responses, but REST API responses are JSON — they’re usually served dynamically even when the underlying data rarely changes.

Option A: Server-Level HTTP Caching

If your REST API endpoints return content that changes infrequently (a list of categories, a featured posts widget, a product catalog), you can add cache-control headers:

add_filter( 'rest_post_dispatch', function( $result, $server, $request ) {
    if ( $request->get_route() === '/wp/v2/posts' ) {
        $result->header( 'Cache-Control', 'public, max-age=300' ); // 5 minutes
    }
    return $result;
}, 10, 3 );

Browsers, CDNs, and reverse proxies can then serve cached copies of these responses without hitting PHP. Only apply this to endpoints that return publicly-shareable, non-user-specific data.

Option B: WordPress Transient Caching

For REST endpoints that perform expensive queries or call external APIs, use WordPress transients to cache the computed result:

add_action( 'rest_api_init', function() {
    register_rest_route( 'myplugin/v1', '/featured-posts', array(
        'methods'  => 'GET',
        'callback' => function() {
            $cache_key = 'myplugin_featured_posts';
            $data = get_transient( $cache_key );

            if ( false === $data ) {
                // Expensive query here
                $data = get_posts( array( 'numberposts' => 5, 'meta_key' => '_is_featured', 'meta_value' => '1' ) );
                set_transient( $cache_key, $data, 5 * MINUTE_IN_SECONDS );
            }

            return rest_ensure_response( $data );
        },
        'permission_callback' => '__return_true',
    ) );
});

This ensures the query only runs once every 5 minutes, regardless of how many visitors or processes hit that endpoint.

Step 5: Protect Against REST API Abuse

The REST API accepts POST requests for creating/updating content and GET requests for reading it. Without rate limiting, bots can hammer your endpoints — not to exfiltrate data, but simply by making thousands of requests, consuming your PHP worker capacity.

A few practical protections:

Rate Limiting at the Server Level

If your host supports Nginx rate limiting or Cloudflare WAF rules, configure rate limits specifically for /wp-json/ routes. A rule limiting unauthenticated IPs to 30 requests per minute per IP is a reasonable starting point for most sites.

Block REST API access via Cloudflare (if needed)

If you see sustained bot traffic to REST API endpoints in your analytics, you can create a Cloudflare firewall rule to challenge or block requests to /wp-json/ from IPs that match bot patterns. This is more aggressive but appropriate for sites under active scraping pressure.

Disable XML-RPC alongside REST API hardening

XML-RPC is the older remote procedure call interface that predates the REST API. It’s a more common attack vector than the REST API. Unless a plugin explicitly requires it, disabling XML-RPC is a complementary step:

add_filter( 'xmlrpc_enabled', '__return_false' );

Step 6: Optimize Autosave and Block Editor API Calls

The Gutenberg editor makes frequent REST API calls as you type — autosaves, block validation, reusable block lookups. On shared or overloaded hosting, these can feel sluggish. On managed hosting with dedicated PHP workers, they’re snappy.

A few practical adjustments for the editor experience:

Increase the autosave interval (default is 60 seconds, reducing to 30 seconds is a common plugin default that generates unnecessary REST traffic):

add_filter( 'heartbeat_settings', function( $settings ) {
    $settings['interval'] = 120; // Seconds between autosaves
    return $settings;
});

Disable autosave entirely on low-traffic admin installs (not recommended for sites with multiple authors):

// Disable autosave for the block editor
add_action( 'enqueue_block_editor_assets', function() {
    wp_dequeue_script( 'autosave' );
});

Step 7: Monitor REST API Performance

Ongoing visibility matters. A few ways to keep tabs on REST API health:

  • Query Monitor (free plugin) — shows REST API timing in the admin bar while logged in, including slow endpoints
  • New Relic or Kinsta APM — if your host provides it, application performance monitoring can trace slow REST calls to specific plugins or queries
  • Server access logs — a simple grep wp-json access.log | awk '{print $7}' | sort | uniq -c | sort -rn gives you the most-hit endpoints at a glance

How Managed Hosting Changes the Equation

Most REST API performance problems trace back to two root causes: PHP workers getting saturated and no server-level caching for JSON responses.

On shared hosting, your PHP workers are shared with dozens of other sites. A burst of REST API traffic — a popular post getting shared, a plugin making a batch of API calls on save — can exhaust your worker pool and cause timeouts.

On managed WordPress hosting like Rocket.net, each site gets dedicated PHP workers and server-level page caching. The REST API benefits directly: responses that can be cached at the server level are cached, and authenticated endpoints that can’t be cached still run against dedicated resources rather than shared infrastructure.

Rocket.net also runs Cloudflare’s enterprise network, which means REST API requests benefit from edge caching for cacheable routes, and Cloudflare’s WAF provides a layer of bot protection for public API endpoints without additional configuration on your part.

If your site is at a point where REST API optimization matters — headless frontends, heavy Gutenberg use, WooCommerce with dynamic pricing — the infrastructure underneath those PHP calls matters more than any plugin configuration.

Start with a faster foundation — try Rocket.net managed WordPress hosting.

Summary

The WordPress REST API is essential infrastructure for modern WordPress sites. Left unconfigured, it can expose user data, accept unlimited bot traffic, and generate PHP load that bypasses your page cache. With a few targeted adjustments:

  1. Audit what endpoints are exposed and how heavily they’re used
  2. Restrict unauthenticated access if you don’t need it publicly
  3. Remove endpoints you don’t use (especially /wp/v2/users)
  4. Cache REST responses at the server level or via transients
  5. Rate limit public API access at the server or CDN layer
  6. Monitor REST API performance over time with Query Monitor or APM

None of these changes require paid plugins. But if you’re hitting REST API performance ceilings despite these optimizations, the most impactful single change is often moving to a managed hosting platform that gives you dedicated PHP workers and edge-level caching from day one.

Performance tip: Your hosting provider has a bigger impact on WordPress speed than any plugin or optimization. We've tested dozens of hosts - Rocket.net consistently delivers the best results.

View Rocket.net Pricing →
WordPress REST APIREST API optimizationWordPress API performancedisable REST APIREST API cachingWordPress headlessGutenberg API

Ready to switch to faster WordPress hosting?

Join thousands who've made the switch to Rocket.net. Try any plan for just $1.

Start Your $1 Trial

30-day money-back guarantee • Free migrations • No contracts

Related Articles

Performance

10 Best WordPress Caching Plugins for 2026 (Speed Test Results)

Comprehensive testing of the top WordPress caching plugins. Real performance data, pros/cons, and our honest recommendations for faster loading times.
Performance

How to Reduce Time to First Byte (TTFB) in WordPress

TTFB is one of the most impactful performance metrics for WordPress sites. Learn what causes slow TTFB and the most effective ways to fix it.
Performance

WordPress Image Optimization: A Complete Guide to Faster Load Times

Images are often the largest assets on a WordPress page. Learn how to compress, resize, convert to modern formats, and deliver images efficiently to dramatically improve page speed.