The WordPress REST API
Let me first state that the REST API has been in the works for quite some time and is backed by very talented developers looking to extend the functionality that WordPress provides to its users and developers. It brings with it a ton of features that will help keep WordPress at the top of the open source content management systems (CMSs) used by everyone from everyday bloggers to Fortune 500 companies.
I recommend learning more about the API from its dedicated website, which is full of information about how it works and how to work with it: http://v2.wp-api.org/
Security News About the REST API
Over the past few days, I’ve read a few articles from some of the best in the WordPress security space. Both WordFence and iThemes have discussed the 4.7 release and its deeper integration of the REST API. Below is a gist of both articles and their recommendations.
WordFence & the REST API
In the WordFence article, they start by talking about some of the features the REST API brings to WordPress and how developers will embrace them in their development process.
Some of the noted features include publishing content directly from:
Some of the concern comes in the form of another attack vector that hackers can utilize. The REST API allows anonymous access, and that means anyone can list all the users of a website without logging in. This is definitely something to be concerned about: with a list of valid usernames in hand, botnets can launch brute-force attacks against the login with those account names.
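If you keep web-server logs, the harvesting described above leaves a recognisable trail: anonymous hits on the users endpoint and runs of /?author=N requests. The following script is an added example of my own, not code from the original post or from WordFence. It parses combined-log-format lines, counts those two request patterns per client address and reports clients whose requests actually received a username (a 200 on the users route, or the 301 redirect that /?author=N produces to the author's permalink). The sample log lines are constructed for the example; the IP addresses are documentation ranges, not real clients.

```php
<?php
/*
 * Added example, not code from the original post or from WordFence.
 * Scans a web-server access log (combined log format) for the two
 * username-harvesting patterns discussed above: anonymous listings of
 * /wp-json/wp/v2/users and sequential /?author=N scans.
 * Usage: php find-enumeration.php /var/log/apache2/access.log
 * (with no argument it runs against the constructed sample below).
 */

// Constructed sample log lines; the addresses are documentation ranges, not real clients.
$sample_log = <<<'LOG'
203.0.113.5 - - [12/Dec/2016:10:01:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1432 "-" "python-requests/2.12"
203.0.113.5 - - [12/Dec/2016:10:01:03 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 200 5120 "-" "python-requests/2.12"
198.51.100.9 - - [12/Dec/2016:10:02:10 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Dec/2016:10:02:11 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Dec/2016:10:02:12 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.7 - - [12/Dec/2016:10:03:00 +0000] "GET /2016/12/hello-world/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.7 - - [12/Dec/2016:10:03:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
LOG;

function classify_path( $path ) {
    // The users collection or a single user, with or without a query string.
    if ( preg_match( '#^/wp-json/wp/v2/users(?:/\d+)?(?:\?|$)#', $path ) ) {
        return 'rest_users';
    }
    if ( preg_match( '#^/\?author=\d+$#', $path ) ) {
        return 'author_scan';
    }
    return null;
}

function find_enumeration( $log_text, $author_threshold = 3 ) {
    $per_ip = array();
    foreach ( preg_split( '/\r?\n/', $log_text ) as $line ) {
        // Client address, request path and status code from a combined-log-format line.
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
            continue;
        }
        list( , $ip, $path, $status ) = $m;
        $kind = classify_path( $path );
        if ( null === $kind ) {
            continue;
        }
        if ( ! isset( $per_ip[ $ip ] ) ) {
            $per_ip[ $ip ] = array( 'rest_users' => 0, 'author_scan' => 0, 'leaked' => 0 );
        }
        $per_ip[ $ip ][ $kind ]++;
        // A 200 on the users route handed out the list; a 301 on ?author=N is the
        // redirect to /author/<login>/, which reveals that account's username.
        if ( ( 'rest_users' === $kind && '200' === $status ) || ( 'author_scan' === $kind && '301' === $status ) ) {
            $per_ip[ $ip ]['leaked']++;
        }
    }
    $flagged = array();
    foreach ( $per_ip as $ip => $counts ) {
        // One anonymous hit on the users route is notable on its own; ?author= probes
        // only count as a scan once they repeat.
        if ( $counts['rest_users'] > 0 || $counts['author_scan'] >= $author_threshold ) {
            $flagged[] = $ip;
        }
    }
    sort( $flagged );
    return array( $per_ip, $flagged );
}

$log_text = ( isset( $argv[1] ) && is_readable( $argv[1] ) ) ? file_get_contents( $argv[1] ) : $sample_log;
list( $per_ip, $flagged ) = find_enumeration( $log_text );
foreach ( $flagged as $ip ) {
    printf( "%s: %d REST users requests, %d ?author= probes, %d responses that revealed a username\n",
        $ip, $per_ip[ $ip ]['rest_users'], $per_ip[ $ip ]['author_scan'], $per_ip[ $ip ]['leaked'] );
}
```

Against the sample it flags 198.51.100.9 (three ?author= probes, two of which were redirected to an author page) and 203.0.113.5 (two successful users listings), and ignores 192.0.2.7, whose REST request was for posts. Once the WordFence option below is enabled, the users route and ?author= probes stop returning 200/301 for anonymous clients, so the "revealed a username" count is the quickest way to confirm the protection is actually in place.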
WordFence updated their security plugin with an additional feature that protects against user enumeration; it is enabled by default. As they mention in their article, you should verify that it is set. The steps are:
- In your admin panel, navigate to the WordFence link in the sidebar
- Click the Options submenu link
- Scroll down towards the bottom and locate the Login Security Options section
- Make sure the checkbox for “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API” is checked.
WordFence understands the value that the REST API provides to both users and developers and chose to target just this one aspect of it.
Original WordFence article: https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/
iThemes & the REST API
iThemes is a well-known theme and plugin shop in the WordPress space. They have also expressed concerns over some aspects of the REST API and what it means for keeping your WordPress-powered website secure.
Some of their noted concerns are:
- The REST API has its own authentication, which bypasses other login protections such as two-factor authentication and reCAPTCHA. This is like having multiple locks on your front door but leaving a window open, and a window you might not even be aware of until someone probes your website for vulnerabilities.
- It also provides access to some information without any authentication at all. As mentioned earlier, this is a concern.
While iThemes makes it clear that disabling the API might not be the best option for everyone, they feel strongly enough about the potential security issue that they have updated both their free and premium plugins to give you an option to disable the REST API.
Here are the steps:
- From the Admin Dashboard, visit the iThemes Security Settings Page
- Scroll down to WordPress Tweaks
- Click Configure Settings
- Scroll down to the REST API section and choose to completely disable the REST API, require admin privileges, or keep it enabled.
Disable REST API ensures that the API can’t bypass the authentication measures protecting your website.
Require Admin Privileges only prevents anonymous users from accessing data.
Enable REST API keeps all the built-in functionality without any protective measures.
Original iThemes article: https://ithemes.com/2016/12/09/how-to-disable-wordpress-rest-api/
Disable REST API Plugin
If you want a completely different solution, you can try https://wordpress.org/plugins/disable-json-api/ which takes care of removing the REST API functionality for you.
How to Disable the REST API without a Plugin
Maybe you don’t use any security plugins. While I recommend that you reconsider and install WordFence, iThemes Security, or both, some prefer a manual approach to securing their site. If that’s you, you can add the following code snippet to your theme’s functions.php file, or use a plugin like Code Snippets, which is ideal for those using themes they don’t control.
Note: this only works on WordPress versions older than 4.7, where the ‘rest_enabled’ filter still takes effect.
// Disable the REST API (the 'rest_enabled' filter was deprecated in 4.7, so this has no effect there)
add_filter( 'rest_enabled', '__return_false' );
// Disable JSONP responses from the API
add_filter( 'rest_jsonp_enabled', '__return_false' );
// Stop advertising the API: the RSD (XML-RPC discovery) entry, the <link rel="https://api.w.org/"> tag in <head>, and the Link response header
remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
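On 4.7 and later the ‘rest_enabled’ filter above no longer does the job, but the same three choices the iThemes section describes (disable, require admin privileges, leave enabled) can be expressed with the rest_authentication_errors filter, and the anonymous user listing from the WordFence section can be hidden with the rest_endpoints filter. The following is an added example of my own, not code from the original post, WordFence or iThemes; the EXAMPLE_REST_API_MODE constant is a name chosen for this example and can be set in wp-config.php.

```php
<?php
/*
 * Added example, not from the original post, WordFence or iThemes.
 * Paste into functions.php or a Code Snippets snippet on WordPress 4.7+.
 * EXAMPLE_REST_API_MODE is a constant invented for this example; define it in
 * wp-config.php as 'disabled', 'admin' or 'enabled' (mirrors the iThemes options).
 */

if ( ! defined( 'EXAMPLE_REST_API_MODE' ) ) {
    define( 'EXAMPLE_REST_API_MODE', 'admin' );
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // A previous authentication check already passed (true) or failed (WP_Error); keep it.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    switch ( EXAMPLE_REST_API_MODE ) {
        case 'disabled':
            // Refuse every REST request, logged in or not.
            return new WP_Error(
                'rest_disabled',
                'The REST API is disabled on this site.',
                array( 'status' => 403 )
            );

        case 'admin':
            // Only users with the manage_options capability (administrators) get through.
            // rest_authorization_required_code() gives 401 for visitors, 403 for other logged-in users.
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'The REST API on this site requires administrator privileges.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return $result;

        case 'enabled':
        default:
            // Leave the API as WordPress ships it.
            return $result;
    }
} );

// In every mode, keep the account list away from visitors who cannot list users:
// remove the users routes unless the current user has the list_users capability.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
```

In ‘disabled’ mode logged-in users are refused as well, so any plugin that relies on the API stops working; that is the trade-off the iThemes section describes. ‘admin’ keeps the API usable for administrators while refusing everyone else, and the rest_endpoints part means that even in ‘enabled’ mode an anonymous request for /wp-json/wp/v2/users gets a “no route” response instead of the user list. After adding it, request that URL from a browser where you are not logged in to confirm the list is gone.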
Should you Disable the REST API?
It ultimately depends on whether you use any of the features of the REST API. Some plugins already use it, and developers are sure to start building functionality that depends on it. For now, I would be cautious: if you’re not using any plugins that require it, I would take the extreme measure of disabling it.
Here is a list of plugins that use the WordPress REST API: http://v2.wp-api.org/guide/plugins/
Finding a balance between functionality and security is always difficult. I recommend assessing your website and its needs thoroughly to determine what you really need. You should also consider a security audit of your site to see whether there are any issues that need to be addressed.
As always, thanks for reading and feel free to share. Till next time.