The engine for the API has existed in WordPress since v4.4, but additional functionality and endpoints are a continual project. While this is very exciting news for many reasons – and many plugins, themes, and even pieces of WordPress core are already beginning to use the REST API – it is also not functionality that every site admin is going to want enabled on their website if not necessary.
As of WordPress 4.7, the filters provided for disabling the REST API were removed. To compensate, Disable REST API will forcibly return an authentication error to any API requests from sources who are not logged into your website, which will effectively still prevent unauthorized requests from using the REST API to get information from your website.
For WordPress versions 4.4, 4.5 and 4.6, this plugin makes use of the rest_enabled filter provided by the API to disable the API functionality. However, it is strongly recommended that all site owners run the most recent version of WordPress except where absolutely necessary.
Disable REST API maintained by Dave McHale.