• Resolved fredbradley

    (@fredbradley)


    It seems a bit of a security risk that the :users endpoint (/wp/v2/users) shows a public viewer the usernames of the site’s users.

    This, surely, is the same argument regarding why you should always change your default username away from ‘admin’? And it makes a password hack attempt much easier.

    https://wordpress.org/plugins/rest-api/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    It seems a bit of a security risk that the :users endpoint (/wp/v2/users) shows a public viewer the usernames of the site’s users.

    These will only be users who have published a post. Any details present in the response are details already publicly exposed through RSS and other means.

    I agree with Fred.

    This should not be left open by default. Also, the argument does not hold true when you’re using custom-built themes that don’t display any author/user information in the first place.

    It’s not a blatant security risk, but it is kind of a weird move to publicize all your admin accounts like that. By DEFAULT.

    Does it expose user names? Or display name? Which field is it pulling?

    /wp-json/wp/v2/users exposes the following data:

    {
        "id": 1,
        "name": "Firstname Lastname",
        "url": "",
        "description": "",
        "link": "http://example.com/author/author-page/",
        "avatar_urls": {},
        "slug": "author-slug",
        "_links": {}
    }

    Precise usernames are pretty easy to guess based on this information.
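The question in the thread title is how to lock the users endpoint down for anonymous visitors while keeping it for logged-in ones. The following is an added example for this thread, not code from the REST API plugin or from WordPress core: a must-use plugin that removes the users routes from the REST route table whenever no user is authenticated. The route keys match the way core's users controller registers them (the collection route and the single-user route with a numeric id capture); the file name and plugin header are the author's own choice. Note that the "slug" field above is the user's nicename, which by default is the sanitized login name, so hiding the route is what stops the easy guess.

```php
<?php
/**
 * Plugin Name: Hide REST user listing from anonymous visitors
 * Description: Added example for the "Locking down some endpoints?" thread. Drop into wp-content/mu-plugins/.
 *
 * Removes the /wp/v2/users collection route and the single-user route from
 * the REST server's route table for requests that carry no authenticated
 * user. Logged-in users keep the routes, because the admin screens and the
 * post editor query them (author dropdowns, user search).
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // By the time the route table is built, cookie/nonce and other
    // authentication has already run, so the current user is settled.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Route keys as registered by WP_REST_Users_Controller. Filtering the
    // route table (rather than the request URL) also covers the
    // ?rest_route=/wp/v2/users form used on sites without pretty permalinks.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );

    foreach ( $user_routes as $route ) {
        unset( $endpoints[ $route ] );
    }

    return $endpoints;
} );
```

After activating, an anonymous request such as `curl -s https://example.com/wp-json/wp/v2/users` gets a 404 with the error code `rest_no_route`, while the same request with a logged-in cookie and nonce still returns the user list. This only closes the REST route: the author archive URLs already shown in the "link" field, and the `?author=N` redirect to them, still reveal the same slug, so a site that wants to stop enumeration entirely has to deal with those separately.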

  • The topic ‘Locking down some endpoints?’ is closed to new replies.