WordPress: block anonymous REST API access

Martin Brinkmann
Dec 27, 2016
Updated • Jan 4, 2018
Development, Misc

WordPress 4.7, the most recent version at the time of writing, ships with new REST API content endpoints which plugins, apps, services, and the WordPress core itself can utilize.

The WordPress development team pushes new features to WordPress all the time. Many of those features improve the functionality of WordPress significantly.

Every now and then though, features get added that are problematic from an admin or user point of view.  The main issue with the bulk of these changes is that they cannot be disabled easily. I have disabled Emojis and XML-RPC here on this site for instance.

The new REST API functionality, for instance, may be used by anyone, without logging in, to list the user accounts of a WordPress installation (every account that has authored published content, which on most sites means the administrator and all editors and authors).

This in itself is not enough to gain access, but a list of valid login names removes the guesswork from the next step: an attacker can run brute force or credential stuffing attacks against exactly those accounts, or use the names and display names in social engineering attempts against the people behind them.

To be fair, the new API does not expose anything to the public that is not available already somewhere else on the site.

List all user accounts


To list the user accounts on a site that runs WordPress 4.7 or newer, all you have to do is append /wp-json/wp/v2/users to its domain name. The endpoint returns JSON with the numeric ID, display name and slug (the user's "nicename", which WordPress derives from the login name) of each account.
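The following script, added here as an example and not part of the original article, pages through the users endpoint the way a scanner would and prints every account it exposes to an anonymous visitor. The site URL is a placeholder passed on the command line; the per_page and page query parameters and the X-WP-TotalPages response header are standard REST API behaviour, but the script name and its output format are choices made for this example. It needs PHP 7 or newer with allow_url_fopen enabled.

```php
<?php
// Added example, not code from the article: walk /wp-json/wp/v2/users page by page and
// print every account the endpoint exposes to an unauthenticated visitor.
// Usage: php enum-users.php https://example.com   (example.com is a placeholder)
// Requires allow_url_fopen=On. per_page/page and the X-WP-TotalPages header are core REST API behaviour.

function fetch_json( string $url ): array {
    // ignore_errors makes the body of a 4xx response readable instead of turning it into false.
    $ctx = stream_context_create( array( 'http' => array(
        'ignore_errors' => true,
        'timeout'       => 10,
        'header'        => "Accept: application/json\r\n",
    ) ) );
    $body = @file_get_contents( $url, false, $ctx );
    if ( false === $body ) {
        throw new RuntimeException( "request failed: $url" );
    }
    // The http:// wrapper fills $http_response_header with the status line(s) and headers.
    $status  = 0;
    $headers = array();
    foreach ( $http_response_header as $line ) {
        if ( preg_match( '#^HTTP/\S+\s+(\d{3})#', $line, $m ) ) {
            // A redirect chain yields several header blocks; keep only the last one.
            $status  = (int) $m[1];
            $headers = array();
        } elseif ( false !== strpos( $line, ':' ) ) {
            list( $k, $v ) = explode( ':', $line, 2 );
            $headers[ strtolower( trim( $k ) ) ] = trim( $v );
        }
    }
    return array( $status, $headers, json_decode( $body, true ) );
}

function enumerate_users( string $site ): array {
    $users = array();
    $page  = 1;
    do {
        $url = rtrim( $site, '/' ) . "/wp-json/wp/v2/users?per_page=100&page={$page}";
        list( $status, $headers, $data ) = fetch_json( $url );
        if ( 401 === $status || 403 === $status ) {
            // This is the answer from a site that blocks anonymous REST API access.
            fwrite( STDERR, "access denied (HTTP $status): " . ( $data['message'] ?? '' ) . "\n" );
            break;
        }
        if ( 200 !== $status || ! is_array( $data ) ) {
            fwrite( STDERR, "unexpected response (HTTP $status) for $url\n" );
            break;
        }
        foreach ( $data as $u ) {
            // 'slug' is user_nicename, which WordPress derives from the login name;
            // 'name' is the display name printed on posts.
            $users[ $u['id'] ] = array( 'slug' => $u['slug'], 'name' => $u['name'] );
        }
        // WordPress caps per_page at 100 and reports the page count in a header.
        $total_pages = (int) ( $headers['x-wp-totalpages'] ?? 1 );
        $page++;
    } while ( $page <= $total_pages );
    return $users;
}

if ( 'cli' === PHP_SAPI && isset( $argv[1] ) ) {
    foreach ( enumerate_users( $argv[1] ) as $id => $u ) {
        printf( "%-5d %-30s %s\n", $id, $u['slug'], $u['name'] );
    }
}
```

Run it against a site you own before and after applying one of the blocking options below: an unprotected site prints the account list, a protected one prints the "access denied" line with the error message the site returns. The slug column is what a brute force tool would feed into the login form.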

Previously you could hook the rest_enabled filter in WordPress to switch the API off and block access to the information. WordPress 4.7 deprecated that filter and no longer honours it; the supported replacement is the rest_authentication_errors filter, which can reject requests before they are dispatched.

So the options you have to block the information from being revealed to anyone are either to install a plugin that does this for you, or to add a few lines that hook rest_authentication_errors yourself, for instance in a must-use plugin.

WordPress: Block anonymous REST API access


A rather simple, but effective plugin is Disable REST API. All it does is answer anonymous REST API requests with an "unauthorized" error (HTTP status 401) instead of the requested data.

The plugin returns that error for any REST API request that is not made by a logged in user of the particular site. Keep in mind that this blocks every public endpoint, not just the user listing, so any plugin or theme that calls the REST API on behalf of visitors (a contact form submitting over the API, for example) stops working. If that is a problem, block only the users route instead.
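The must-use plugin below is an example added for this article; it is not the Disable REST API plugin's own code, although in its "block everything" mode it behaves the same way. It hooks the rest_authentication_errors filter that WordPress 4.7 points to as the replacement for rest_enabled. The file name, the RESTRICT_ALL_ANON_REST toggle and the error code and message are choices made for this example; the filter, is_user_logged_in(), WP_Error and rest_authorization_required_code() are WordPress core.

```php
<?php
/**
 * Plugin Name: Restrict anonymous REST API access
 * Description: Added example for this article, not the Disable REST API plugin's code.
 *              Save as wp-content/mu-plugins/restrict-anon-rest.php (must-use plugins need no activation).
 */

// Hypothetical toggle for this example. true: refuse every REST request from a visitor who
// is not logged in (what the Disable REST API plugin does). false: refuse only the user
// listing, so public endpoints that front-end features may call keep working.
const RESTRICT_ALL_ANON_REST = false;

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect an error an earlier filter already raised (for example a bad nonce).
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    // Priority 101 runs after core's rest_cookie_check_errors (priority 100), which resets
    // the request to anonymous when a login cookie arrives without a valid nonce.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // rest_route is populated for both /wp-json/wp/v2/users and ?rest_route=/wp/v2/users.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? '/' . ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' )
        : '';
    // Matches /wp/v2/users, /wp/v2/users/5 and /wp/v2/users/me.
    if ( RESTRICT_ALL_ANON_REST || preg_match( '#^/wp/v2/users(/|$)#', $route ) ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to use this endpoint.',
            array( 'status' => rest_authorization_required_code() ) // 401 for anonymous requests
        );
    }
    return $result;
}, 101 );
```

After dropping the file in place, `curl -i https://example.com/wp-json/wp/v2/users` (placeholder host) should return a 401 with a JSON error body, while `curl -i https://example.com/wp-json/wp/v2/posts` still works unless you set the toggle to true. Log in and check the admin screens afterwards: logged-in requests carry a nonce and pass the filter, so the editor and other API-backed admin features keep working in either mode.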

There is also Wordfence, a plugin that adds security options and protection to WordPress sites and includes a setting to prevent username discovery through author archive scans, the oEmbed API and the REST API.

Closing Words

The data that the REST API makes available to anonymous requests is available elsewhere on the public part of WordPress already, for instance through author archive URLs such as /?author=1, which redirect to the author's username. The main gain that attackers get from the API is that it lists the data in one machine-readable format, which saves them time as they no longer have to crawl various parts of the site to retrieve the information. (via Born City)

Publisher: Ghacks Technology News


Comments

  1. Giuseppe Ceroni said on June 9, 2019 at 11:42 am

    You can take a look at the REST XML-RPC Data Checker (https://wordpress.org/plugins/rest-xmlrpc-data-checker/) plugin: it allows extended access control over the XML-RPC and REST APIs.

    The REST API is enabled by default and you should know that this way, a WordPress instance is potentially leaking data (for example, anyone could easily copy your published contents natively, get the list of all users or retrieve other information that you didn't want to be public).

  2. jasray said on December 27, 2016 at 5:51 pm

    “The WordPress development team pushes new features to WordPress all the time. Many of those features improve the functionality of WordPress significantly.

    Every now and then though, features get added that are problematic from an admin or user point of view.”

    No Windows 10 Whiners? Or is it different? One has a choice in WordPress? Block all the new features because one may be problematic?

  3. Scott said on December 27, 2016 at 5:03 pm

    Hello Martin,
    Great post (per usual). I too disable emoji, XML-RPC, and a few other unnecessary processes. Mostly as a speed measure, but it has a secondary security benefit as well. Do you use that plugin or have you done it manually?

    1. Martin Brinkmann said on December 27, 2016 at 5:19 pm

      I prefer to do it manually whenever possible, but use plugins otherwise.

  4. no name said on December 27, 2016 at 10:09 am

    Hello,

    the WordPress plugin "Cerber Security & Limit Login Attempts" can block the REST API too:
    https://de.wordpress.org/plugins/wp-cerber/
