JSON API
Security Issues and Stolen Information? (9 posts)

  1. PGrizz
    Member
    Posted 2 years ago #

    Hi, I've never used an API with WordPress before and I'm not that familiar with using APIs in general, but I had a question regarding potential security risks:

    Since the JSON API is allowing all data from a WordPress site to be outputted and accessed, what's stopping anybody from grabbing all the data? I ask because I've setup the plugin to output data to mobile apps, and the developer has been able to access all of our database without ever needing to give them a password or unique API key... Can anyone who knows I'm using WordPress and potentially the JSON plugin now take my database's content and even potentially use it themselves once stealing?

    http://wordpress.org/extend/plugins/json-api/

  2. hermanvandermaas
    Member
    Posted 2 years ago #

    Can anyone who knows I'm using WordPress and potentially the JSON plugin now take my database's content and even potentially use it themselves once stealing?

    I would say the answer is yes. By using this JSON API you basically set up a public web service. Anyone who knows the base URL of your JSON API can query your database. The only way I can think of to secure a web service is to set a long and difficult-to-guess URL (Dashboard > Settings > JSON API > API Base), e.g. http://www.yourdomain.com/hdjjriu34984764jjfdjkjdhhsjhdg879348.

  3. Bill Dennen
    Member
    Posted 2 years ago #

    Thanks hermanvandermaas. That helps, but if you use that URL anywhere in public, it's no longer obscure or difficult to guess!

  4. archon810
    Member
    Posted 2 years ago #

    By having a website on the web, you're also in danger of someone scraping you - it's not as structured, but is being done on a regular basis every day. So really, it's the same thing, you're just making the data a little more available. I'd say for those who steal content, it's easier to just scrape than use this API that you may or may not provide.

  5. Bill Dennen
    Member
    Posted 2 years ago #

    The JSON API exposes more data (author usernames come to mind).

    You may be hiding the author usernames on your site, but if you have the JSON API plugin enabled, this info is exposed.

  6. neonWired
    Member
    Posted 2 years ago #

    Anything you publish on the web is open and public unless you password protect it. That's the bottom line.

    It would be interesting, however, to use OAuth to secure the data. It's a bit of work, but I can't think of any reason it wouldn't be doable.

  7. Bill Dennen
    Member
    Posted 2 years ago #

    The problem is that I can code my theme so that author usernames are NOT published to the world. But, using this plugin, they are published without me knowing about it. This plugin exposes everything, for better or worse.

  8. neonWired
    Member
    Posted 2 years ago #

    You do make a good point there, though I think your situation is unique, as the plugin only exposes what most themes do anyway, which is probably why it doesn't bother with any authorization.

    If it is necessary to hide certain data, you could always hack the core controller to hide it.

  9. Saurabh Shukla
    Member
    Posted 2 years ago #

    Wouldn't it be nice to add some OAuth to this plugin!
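The thread settles on two options: an obscure API Base (post 2, which post 3 notes stops being obscure the moment the URL is used in public) or OAuth (posts 6 and 9). Below is an added example, not code from the JSON API plugin or from anyone in this thread, showing the simpler scheme a practitioner would usually reach for before full OAuth: a shared secret issued to the mobile app, an HMAC signature over each request, a timestamp window, and a one-time nonce. It is written in Python so the client and server halves can be exercised offline; the header names, key identifier, secret and the "obscure" path are all assumptions made up for the demonstration. Deploying it on the site would mean writing the `Verifier.verify` logic in PHP (for instance with `hash_hmac` and `hash_equals` in a must-use plugin that runs before the JSON API handles the request), which this example does not show.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed credentials for the example. The secret is handed to the app
# out of band; it never travels in the request, only the HMAC over it does.
API_KEY_ID = "mobile-app-1"            # assumed key identifier
API_SECRET = b"replace-with-32-random-bytes-from-secrets.token_bytes"
REPLAY_WINDOW = 300                    # seconds of clock skew / replay tolerated


def canonical_string(method, path, query, timestamp, nonce):
    """Bytes both sides sign: sorted query so param order cannot desync them."""
    qs = urlencode(sorted(query.items()))
    return "\n".join([method.upper(), path, qs, str(timestamp), nonce])


def sign_request(method, path, query, secret=API_SECRET, timestamp=None, nonce=None):
    """Client side: headers the mobile app attaches to a call (names assumed)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, query, timestamp, nonce).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Api-Key": API_KEY_ID,
        "X-Api-Timestamp": str(timestamp),
        "X-Api-Nonce": nonce,
        "X-Api-Signature": mac,
    }


class Verifier:
    """Server side: what a gate in front of the API base would check."""

    def __init__(self, secrets_by_key, window=REPLAY_WINDOW, now=time.time):
        self.secrets = secrets_by_key
        self.window = window
        self.now = now               # injectable clock so the demo is deterministic
        self.seen_nonces = {}        # nonce -> timestamp; a transient/DB row in WordPress

    def verify(self, method, path, query, headers):
        """Return (ok, reason). Every failure path is a distinct reason for logging."""
        try:
            key = headers["X-Api-Key"]
            ts = int(headers["X-Api-Timestamp"])
            nonce = headers["X-Api-Nonce"]
            sig = headers["X-Api-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        secret = self.secrets.get(key)
        if secret is None:
            return False, "unknown key"
        now = int(self.now())
        if abs(now - ts) > self.window:
            return False, "timestamp outside replay window"
        self._expire(now)
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        msg = canonical_string(method, path, query, ts, nonce).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        # Constant-time compare: a plain == would leak the signature byte by byte.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self.seen_nonces[nonce] = ts
        return True, "ok"

    def _expire(self, now):
        """Drop nonces older than the window; anything older fails the time check anyway."""
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= self.window}


def demo():
    """Walk through the cases from the thread; returns the server's reasons in order."""
    fixed_now = 1_700_000_000
    v = Verifier({API_KEY_ID: API_SECRET}, now=lambda: fixed_now)
    path = "/hdjjriu34984764jjfdjkjdhhsjhdg879348/get_recent_posts/"  # "obscure" base from post 2
    query = {"count": "10"}
    reasons = []
    # 1. Someone who learned the obscure URL but has no secret.
    reasons.append(v.verify("GET", path, query, {})[1])
    # 2. The legitimate app.
    good = sign_request("GET", path, query, timestamp=fixed_now, nonce="n1")
    reasons.append(v.verify("GET", path, query, good)[1])
    # 3. The same headers captured and replayed.
    reasons.append(v.verify("GET", path, query, good)[1])
    # 4. Captured headers reused with a tampered query.
    fresh = sign_request("GET", path, query, timestamp=fixed_now, nonce="n2")
    reasons.append(v.verify("GET", path, {"count": "1000"}, fresh)[1])
    # 5. A valid signature over a stale timestamp.
    stale = sign_request("GET", path, query, timestamp=fixed_now - 1000, nonce="n3")
    reasons.append(v.verify("GET", path, query, stale)[1])
    return reasons


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point relative to the thread: once a signature is required, publishing the API Base in an app binary or a tweet no longer hands out read access, because the secret, not the URL, is what the check rests on. The scheme still does not hide data from the app developer, which post 1 cannot avoid: whoever legitimately holds a key sees whatever the API returns, so Bill Dennen's complaint about exposed author usernames is answered only by restricting what the controller emits, not by authentication.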
