Support » Plugin: Cerber Security & Limit Login Attempts » Disable REST API (Cerber v4.7.7) & WP v4.7.5 broken?

Viewing 9 replies - 1 through 9 (of 9 total)
  • enacta2

    (@enacta2)

    ^^ edit: Of course, replace “www.example.com” with your URL.

    Plugin Author Gioni

    (@gioni)

    Hi!

    No worries, it works nicely. You have to remove your IP address from the White IP Access List, http://wpcerber.com/quickhelp/

    enacta2

    (@enacta2)

    Hi,

    So I just tested Cerber again with a new IP address, and you’re correct, /wp-json/ isn’t available. However, /wp-json/ is simply 404ing. This doesn’t seem ideal; is 404ing preferred over blocking with an error message?

    If 404ing is preferred over an error message for blocking, is redirecting with a 301 a good idea?

    And, how does Cerber work differently (if it does) than Disable REST API plugin? Is Cerber more secure or less probable to break plugins that may use REST API?

    Thanks!

    Plugin Author Gioni

    (@gioni)

    If there is no active WP REST API on a website any malicious person/bot/hacker must see the 404 response. Why should they see something else? Cerber returns the 404 not found response for any protected (disabled) service on a website. And it means “No trespassing”.

    The vast majority of hackers use automated tools to discover what CMS is installed on a website, open ports, unpatched vulnerabilities, etc. And usually, those tools go away when they see 404 responses. If they do not go away and generate a lot of 404 errors, they will be easily detected by any monitoring tool. Cerber will also get this tool soon.

    enacta2

    (@enacta2)

    > If there is no active WP REST API on a website any malicious person/bot/hacker must see the 404 response. Why should they see something else?

    I don’t know, I was asking for your opinion. The only reason I’m asking is that the standard way to disable the REST API is to have an error page, like this, as far as I have read:
    Screenshot of disabled REST API error message

    That screenshot isn’t loading for me, so here’s a copy/paste of the error message I’ve seen before:
    {"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}

    Thanks for your input on 404ing. I think a 301 would be better for SEO, but I’m not sure if the SEO increase outweighs the security decrease.

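    For reference, the 401 JSON error quoted above is what WordPress itself produces when a plugin hooks the `rest_authentication_errors` filter and returns a `WP_Error` for unauthenticated requests. The snippet below is an added illustration written for this thread, not code from Cerber or from the Disable REST API plugin; it shows that approach and, via the assumed `MY_REST_BLOCK_STATUS` constant, how the same hook could answer with 404 instead, which is the behaviour the thread compares against. Logged-in users keep REST access, so the admin editor and plugins that call the API while authenticated keep working.

```php
<?php
/**
 * Plugin Name: Example REST API Gate (illustration for this thread)
 *
 * Blocks unauthenticated REST API requests. The HTTP status sent back is
 * controlled by MY_REST_BLOCK_STATUS (an assumed constant, not a WordPress
 * or Cerber setting): 401 reproduces the standard "rest_cannot_access"
 * error shown in the thread; 404 mirrors the "no such service" approach.
 */

if ( ! defined( 'MY_REST_BLOCK_STATUS' ) ) {
    define( 'MY_REST_BLOCK_STATUS', 401 ); // set to 404 to hide the API instead
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another callback already decided (WP_Error or true); respect it.
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Authenticated users (cookie + nonce, application passwords, etc.) pass.
    if ( is_user_logged_in() ) {
        return $result;
    }

    if ( 404 === MY_REST_BLOCK_STATUS ) {
        // Same shape of response a missing route would get: nothing to see here.
        return new WP_Error(
            'rest_no_route',
            __( 'No route was found matching the URL and request method.' ),
            array( 'status' => 404 )
        );
    }

    // Standard WordPress-style refusal; serialises to exactly:
    // {"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}
    return new WP_Error(
        'rest_cannot_access',
        __( 'Only authenticated users can access the REST API.' ),
        array( 'status' => 401 )
    );
} );
```

    Either way the request is answered by the REST server rather than redirected, so a 301 to another page never comes into it; a redirect would only tell the client where the API used to live, which is the point Gioni makes below about not announcing that the API was disabled.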
    enacta2

    (@enacta2)

    Hi Gioni,

    I don’t think this issue is resolved. Please, when you’re able, answer my questions about 404ing, for example, is 301 better than 404?

    Plugin Author Gioni

    (@gioni)

    What issue? I don’t see any issue here.

    enacta2

    (@enacta2)

    I don’t know if “issue” is the right word. That said, what I’m asking is would it be better to redirect /wp-json/ using 301 to another page, so it doesn’t 404 when using Cerber’s disable REST API feature?

    Basically I’m asking if you think it’s better to avoid 404 with a 301 redirect.

    Plugin Author Gioni

    (@gioni)

    It’s not about SEO. It’s all about defense and security. You should not say “sorry guys, I’ve disabled REST API”. This is how it looks with a 301 redirection or something like that. Consider all attempts to use disabled REST API as attempts to break into your house.
