WordPress: block anonymous Rest API access

The most recent version of WordPress ships with new REST API capabilities which plugins, apps, services, or the WordPress core can utilize.

The WordPress development team pushes new features to WordPress all the time. Many of those features improve the functionality of WordPress significantly.

Every now and then though, features get added that are problematic from an admin or user point of view.  The main issue with the bulk of these changes is that they cannot be disabled easily. I have disabled Emojis and XML-RPC here on this site for instance.

The new REST API functionality for instance may be used by anyone to list all user accounts of the WordPress installation.

This in itself is not enough to gain access, but once you know more about a site, you could run brute force attacks against the site, try to guess passwords, or use social engineering to get access to the site.

To be fair, the new API does not expose anything to the public that is not available already somewhere else on the site.

List all user accounts

wordpress enumerate users

To list all user accounts on a site that runs WordPress 4.7 (or newer presumably), all you have to do is append /wp-json/wp/v2/users to its domain name.

You could set a filter previously in WordPress to block access to the information. This filter appears to have been removed in version 4.7.

The only option you have to block the information from being revealed to anyone, is to install a plugin that protects the site from that.

WordPress: Block anonymous REST API access

block rest api wordpress

A rather simple, but effective plugin is Disable REST API. All it does is return a "not unauthorized" message to anonymous requests to display REST API data.

The plugin returns an error message for any request that is not made by a logged in user of the particular site.

There is also Wordfence, a plugin that adds security options and protection to WordPress sites.

Closing Words

The data that the REST API makes available to anonymous requests is available elsewhere on the public part of WordPress already. The main gain that attackers get from it is that it lists the data in a nice format that saves them time, as they don't have to crawl various parts of the site anymore to retrieve the information. (via Born City)

Summary
Article Name
WordPress: block anonymous Rest API access
Description
The most recent version of WordPress ships with new REST API capabilities which plugins, apps, services, or the WordPress core can utilize.
Author
Publisher
Ghacks Technology News
Logo
Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to WordPress: block anonymous Rest API access

  1. no name December 27, 2016 at 10:09 am #

    Hello,

    the WordPress-Plugin "Cerber Security & Limit Login Attempts" can block the REST API too:
    https://de.wordpress.org/plugins/wp-cerber/

  2. Scott December 27, 2016 at 5:03 pm #

    Hello Martin,
    Great post (per usual). I too disable emoji, XML-RPC, and a few other unnecessary processes. Mostly as a speed measure, but it has a secondary security benefit as well. Do you use that plugin or have you done it manually?

    • Martin Brinkmann December 27, 2016 at 5:19 pm #

      I prefer to do it manually whenever possible, but use plugins otherwise.

  3. jasray December 27, 2016 at 5:51 pm #

    "The WordPress development team pushes new features to WordPress all the time. Many of those features improve the functionality of WordPress significantly.

    Every now and then though, features get added that are problematic from an admin or user point of view."

    No Windows 10 Whiners? Or is it different? One has a choice in WordPress? Block all the new features because one may be problematic?

Leave a Reply