WordPress comes with many features out of the box, but many of them are not used by every site. Disabling these can reduce page load times and tighten security.
What we are disabling
REST API
If you don't use the block editor or a headles setup, the REST API often exposes unnecessary site data.
XML-RPC
A legacy bridge that is prime real-estate for brute-force attacks and DDOS.
Emojis
Loads additional scripts (wp-emoji-release.min.js) that add HTTP requests for minor visual features.
Implementation via functions.php
Add this snippet to your theme's functions.php file.
// Disable Emojis
remove_action('wp_head', 'print_emoji_detection_script', 7);
remove_action('wp_print_styles', 'print_emoji_styles');
// Disable XML-RPC
add_filter('xmlrpc_enabled', '__return_false');
// Disable REST API (for non-admin users)
add_filter('rest_authentication_errors', function($result) {
if ( !empty($result) ) return $result;
if ( !current_user_can( 'administrator' ) ) {
return new WP_Error( 'rest_forbidden', 'REST API disabled.', array( 'status' => 401 ) );
}
return $result;
});Warning
Test these changes on a staging site first. Disabling the REST API can break some modern page builders and plugins that rely on it.