Development

WordPress block anonymous Rest API access

WordPress block anonymous Rest API access

The most recent version of WordPress ships with new REST API capabilities which plugins, apps, services, or the WordPress core can utilize.

The WordPress development team pushes new features to WordPress all the time. Many of those features improve the functionality of WordPress significantly.

Every now and then though, features get added that are problematic from an admin or user point of view.  The main issue with the bulk of these changes is that they cannot be disabled easily. I have disabled Emojis and XML-RPC here on this site for instance.

The new REST API functionality for instance may be used by anyone to list all user accounts of the WordPress installation.

This in itself is not enough to gain access, but once you know more about a site, you could run brute force attacks against the site, try to guess passwords, or use social engineering to get access to the site.

To be fair, the new API does not expose anything to the public that is not available already somewhere else on the site.

List all user accounts

To list all user accounts on a site that runs WordPress 4.7 (or newer presumably), all you have to do is append /wp-json/wp/v2/users to its domain name.

You could set a filter previously in WordPress to block access to the information. This filter appears to have been removed in version 4.7.

The only option you have to block the information from being revealed to anyone, is to install a plugin that protects the site from that.

WordPress: Block anonymous REST API access

A rather simple, but effective plugin is Disable REST API. All it does is return a "not unauthorized" message to anonymous requests to display REST API data.

The plugin returns an error message for any request that is not made by a logged in user of the particular site.

There is also Wordfence, a plugin that adds security options and protection to WordPress sites.

Closing Words

The data that the REST API makes available to anonymous requests is available elsewhere on the public part of WordPress already. The main gain that attackers get from it is that it lists the data in a nice format that saves them time, as they don't have to crawl various parts of the site anymore to retrieve the information. (via Born City)

Pelit Battle for Wesnoth Tutorial
Battle for Wesnoth Tutorial
The Battle for Wesnoth is one of the most popular open source strategy games that you can play at this time. Not only has this game been in developmen...
Pelit 0 A.D. Tutorial
0 A.D. Tutorial
Out of the many strategy games out there, 0 A.D. manages to stand out as a comprehensive title and a very deep, tactical game despite being open sourc...
Pelit Unity3D Tutorial
Unity3D Tutorial
Introduction to Unity 3D Unity 3D is a powerful game development engine. It is cross platform that is it allows you to create games for mobile, web, d...