In WordPress, an API (Application Programming Interface) allows different software systems or applications to talk to each other. This lets them share information and perform specific tasks on websites and within the software itself.
WordPress provides several APIs to help plugin and theme developers easily interact with the platform and add new features and integrations.
You can also use third-party APIs to connect other online services with your WordPress website. For example, APIs let you display maps and weather data on your site or allow WordPress to use a more reliable email service.
How Does an API Work?
An API is an ‘Application Programming Interface’. In other words, it provides a set of rules and tools that let different software programs talk to each other. One program requests information, and the other provides it.
Think of a waiter in a restaurant. They carry your order to the kitchen (your request) and bring back the food (the response).
An API acts as a bridge between applications in a similar way. It allows them to share data so they can perform tasks together.
APIs are commonly used on the internet and are essential for building powerful and user-friendly software. They make it easier for developers to create new applications and services without having to build everything from scratch.
In particular, WordPress uses APIs to extend its functionality beyond its core features.
Unique API keys are used to authenticate and control access to an API. Each user, developer, or application that accesses the API requires their own key. These keys are usually generated by the API provider and need to be pasted into the settings in WordPress or your plugin.
APIs Used by WordPress
The WordPress core development team has provided several APIs. These allow other developers to add new features to WordPress and integrate it with other systems.
Let’s take a look at some of the most important WordPress APIs.
The REST API
The REST API is the most important WordPress API. Developers can use it to access, create, update, and delete content in WordPress remotely. The data is shared in the JSON format.
For example, the REST API is used by the free Redirection plugin when redirecting URLs, and WordPress itself uses it for the full site editor.
If the REST API is disabled, then you will encounter the blank site editor issue when you attempt to use the full site editor. And during setup, the Redirection plugin checks that the REST API is enabled to be sure that it will work correctly.
The REST API can be used to create custom themes, build mobile apps, integrate content from WordPress into other websites, and much more.
The XML-RPC API
The XML-RPC API has been a part of WordPress for a long time and serves as an older method for remote communication.
It allows external services to interact with a WordPress site, enabling actions like publishing posts, managing comments, and accessing user information remotely. It is also used by the WordPress mobile apps.
However, because of its security vulnerabilities, it has become less popular, and developers now favor the more modern REST API.
The Heartbeat API
The Heartbeat API was introduced in WordPress 3.6 to allow your website to schedule one-off or recurring events. By default, this API checks for events that are due every 60 seconds and then performs them.
For example, it can be used to autosave posts, schedule posts, show when another author is working on a post, enable plugin developers to display notifications in real time, and much more.
The Widgets API
The Widgets API lets developers create custom widgets that users can easily add and customize in their WordPress themes.
It provides a standardized way to create, manage, and display these widgets, enhancing the user experience and customization options within WordPress themes.
Third-Party APIs
Besides these WordPress APIs, WordPress can also use third-party APIs to connect with other web services and share information with them. These include social media platforms, payment gateways, and other third-party applications.
Let’s take a practical look at how APIs can be used to add the features you need to WordPress.
Using APIs in WordPress
You can use APIs to add new features to your WordPress website in almost endless ways. Here are a few tutorials that will give you an idea of what’s possible:
- The Google Places API lets you add Google Maps in WordPress.
- The Google reCAPTCHA API lets you avoid spam on the WordPress comment form.
- The Google Cloud Platform API lets you add a Google Calendar or customer reviews page.
- The OpenWeather API lets you show weather forecasts in WordPress.
- The SendLayer API lets you fix the WordPress not sending email issue.
- The IndexNow API lets you speed up SEO results.
- The GTmetrix API lets you improve WordPress site performance.
- The WPForms and Zapier APIs let you get SMS text messages from your WordPress forms.
Disabling Unneeded APIs Can Improve WordPress Security
WordPress APIs are useful because they give third-party plugins and tools access to your site.
However, hackers can also abuse them to bring down your website, for example by sending a huge number of requests that overwhelm it in a DDoS attack.
That’s why we recommend you improve WordPress security by disabling any APIs that are not being used by your website.
Disable the XML-RPC API in WordPress
The XML-RPC API is used by a handful of older plugins and WordPress mobile apps. If you are not using any of these plugins, then you can safely disable the API.
There are several ways to disable XML-RPC in WordPress, such as enabling a WPCode snippet or installing a plugin.
Disable the REST API in WordPress
You can also disable the REST API, but before you do, you should make certain that none of your themes or plugins rely on it.
As with the XML-RPC API, you can disable it using WPCode or by installing a plugin.
The benefit of using the Disable REST API plugin method is that it doesn’t disable the API altogether. Instead, it blocks requests from unauthorized sources.
Reducing Heartbeat API Calls
While we don’t recommend disabling the Heartbeat API, you can reduce its activity using WP Rocket or their standalone Heartbeat Control plugin.
By default, the Heartbeat API pings back every 60 seconds. We recommend slowing this down to one ping every 120 seconds or longer.
We show you how to do this in our guide on how to fix a slow-loading WordPress dashboard.
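The three changes described above can also be made with WordPress core filters in a single snippet. This is an added example, not code from this article, WPCode, or the plugins it names; the file name `api-hardening.php`, its placement in `wp-content/mu-plugins/`, and the `rest_login_required` error code are assumptions.

```php
<?php
/**
 * Plugin Name: API hardening (added example, hypothetical file api-hardening.php)
 * Description: Limits XML-RPC, the REST API and Heartbeat as discussed above.
 */

// Refuse to run if the file is requested directly, outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. XML-RPC: switch off every method that requires authentication.
add_filter( 'xmlrpc_enabled', '__return_false' );

// The filter above leaves unauthenticated methods callable, so also
// remove the pingback methods from the XML-RPC method table.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. REST API: keep it working for logged-in users (the editor needs it)
// and reject anonymous requests. Check first that no theme or plugin
// serves anonymous visitors through REST routes.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect a decision already made by another authentication handler.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_login_required', // assumed error code
            'REST API access requires authentication.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// 3. Heartbeat: ask the browser to ping every 120 seconds, not every 60.
add_filter( 'heartbeat_settings', function ( $settings ) {
    $settings['interval'] = 120;
    return $settings;
} );
```

After installing it, an anonymous request to `/wp-json/wp/v2/posts` should return HTTP 401 while the block editor keeps working for logged-in users.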