WordPress Lab
Security & Performance June 2, 2026Difficulty: Intermediate

Disable Unused WordPress Features (REST API, Emojis, XML-RPC) via Functions.php

WordPress comes with many features out of the box, but many of them are not used by every site. Disabling these can reduce page load times and tighten security.

What we are disabling

REST API

If you don't use the block editor or a headles setup, the REST API often exposes unnecessary site data.

XML-RPC

A legacy bridge that is prime real-estate for brute-force attacks and DDOS.

Emojis

Loads additional scripts (wp-emoji-release.min.js) that add HTTP requests for minor visual features.

Implementation via functions.php

Add this snippet to your theme's functions.php file.

// Disable Emojis
remove_action('wp_head', 'print_emoji_detection_script', 7);
remove_action('wp_print_styles', 'print_emoji_styles');

// Disable XML-RPC
add_filter('xmlrpc_enabled', '__return_false');

// Disable REST API (for non-admin users)
add_filter('rest_authentication_errors', function($result) {
    if ( !empty($result) ) return $result;
    if ( !current_user_can( 'administrator' ) ) {
        return new WP_Error( 'rest_forbidden', 'REST API disabled.', array( 'status' => 401 ) );
    }
    return $result;
});

Warning

Test these changes on a staging site first. Disabling the REST API can break some modern page builders and plugins that rely on it.

Technical Implementation Notice

These guides are intended for developers and administrators with access to the server environment. Always perform a full database and file backup before implementing custom code snippets.

Disable Unused WordPress Features (REST API, Emojis, XML-RPC) via Functions.php | WordPress Guide | Deepanshu Thakral