Disable the REST API with a Plugin:
If you want to try a completely different solution you can try out https://wordpress.org/plugins/disable-json-api/ which takes care of removing the REST API functionlity for you.
Disable the REST API without a Plugin:
Maybe you don’t use any security plugins. While I recommend that you reconsider and install either WordFence or iThemes or both, some like to take a manual approach to securing their site. If that’s you, then you can always include this code snippet into your functions.php file or use a plugin like Code Snippets which is ideal for those using themes they don’t control.
Note this only works on WordPress Versions less than 4.7
add_filter('rest_enabled', '__return_false');
add_filter('rest_jsonp_enabled', '__return_false');
remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );