The most recent version of WordPress ships with new REST API capabilities which plugins, apps, services, or the WordPress core can utilize.
The WordPress development team pushes new features to WordPress all the time. Many of those features improve the functionality of WordPress significantly.
Every now and then though, features get added that are problematic from an admin or user point of view. The main issue with the bulk of these changes is that they cannot be disabled easily. I have disabled Emojis and XML-RPC here on this site for instance.
The new REST API functionality for instance may be used by anyone to list all user accounts of the WordPress installation.
This in itself is not enough to gain access, but once you know more about a site, you could run brute force attacks against the site, try to guess passwords, or use social engineering to get access to the site.
To be fair, the new API does not expose anything to the public that is not available already somewhere else on the site.
To list all user accounts on a site that runs WordPress 4.7 (or newer presumably), all you have to do is append /wp-json/wp/v2/users to its domain name.
You could set a filter previously in WordPress to block access to the information. This filter appears to have been removed in version 4.7.
The only option you have to block the information from being revealed to anyone, is to install a plugin that protects the site from that.
A rather simple, but effective plugin is Disable REST API. All it does is return a "not unauthorized" message to anonymous requests to display REST API data.
The plugin returns an error message for any request that is not made by a logged in user of the particular site.
There is also Wordfence, a plugin that adds security options and protection to WordPress sites.
The data that the REST API makes available to anonymous requests is available elsewhere on the public part of WordPress already. The main gain that attackers get from it is that it lists the data in a nice format that saves them time, as they don't have to crawl various parts of the site anymore to retrieve the information. (via Born City)
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.