WordPress REST API: publicly & anonymously accessible? (Resolved)

  • snowboardmommy

    (@snowboardmommy)


    I am a little confused about the WordPress REST API and haven’t found any documentation that clearly and decisively answers my questions. I guess I stupidly assumed that the REST API would be something internal to your own WordPress installation so that plugins, themes and even the WordPress core could more efficiently access your database and infrastructure and that you would authenticate 3rd parties to access your API as you deemed fit for your business and web endeavors.

    But, the alerts I have been receiving from various WordPress security plugins seem to indicate that any anonymous passerby who knows the API endpoints can access everything in your website, download it and do whatever they want with it?

    I think that’s a little too big of a leap, to go from serving individual pages to allowing complete dumps of everything in a format that makes it easy to take off with it and re-use it however, with no indication of who took it and what they are doing with it.

    Not only that, but it appears that the 4.7 implementation doesn’t even stick to supposed “public” information but reveals usernames and data to anyone who can perform the GET request, unless you happen to be using a security plugin that blocks that part of the API?

    I am just baffled that site owners do not have the option to authenticate only the plugins, themes and 3rd parties that they actually want to have access to their website data.

    Unless I am understanding this whole situation incorrectly? I would really appreciate some clarification.

    Thanks!

Viewing 6 replies - 1 through 6 (of 6 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Hi @snowboardmommy, I was reading into this a moment ago and there are means to add authentication to the API so that people must log in before using it. It’s disabled by default: http://v2.wp-api.org/guide/authentication/

    I’m not sure what concerns you when you say people can download everything from your website. They can gain access to things that are already public.

    In regards to usernames, in WordPress versions prior to 4.7 usernames could still be searched. It just wasn’t considered a security concern as there is no strength in usernames. Usernames are not a string of random characters with symbols and letters like a password, they are easily guessable. The advice has always been to use a secure password.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    But, the alerts I have been receiving from various WordPress security plugins seem to indicate that any anonymous passerby who knows the API endpoints can access everything in your website, download it and do whatever they want with it?

    Nope. That’s not at all true.

    *Looks for coffee, finds none.*

    The REST API does expose public information on your site and yes, that includes usernames. That does not mean anyone can access your site using the REST API and do whatever they want. The API doesn’t permit unauthenticated clients (users) to do that.

    *Looks more and mutters “coffee would be good” and finds none on the train.*

    It’s an old discussion. There are those that believe that user IDs and email addresses should be closely guarded secrets or at least not easily discoverable. Note that WordPress does not expose email addresses though user IDs are easy to discover and enumerate. 😉

    Some of us believe that unless you can reasonably guarantee that the data is private then don’t make it part of your security strategy. Strong passwords are something that you can control. Your user ID and email (like your name) is fairly public information.

    That doesn’t mean you should publish your user ID and email, I’m just saying try not to lose sleep over it. Unless you’re one of the few then odds are very good you’ve shared your real email address with many people and sites.

    If you’re concerned about it (and I get that too) then consider installing one of the security plugins in the WordPress repository.

    https://wordpress.org/plugins/search.php?q=security

    Not all of them will block that unauthenticated REST API access but at least one will.

    • This reply was modified 3 years, 6 months ago by Jan Dembowski.
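The part of Jan's reply about plugins that block unauthenticated access to the user listing can be done in a few lines without a plugin. The following is an added example (not code from this thread, from WordPress core, or from any plugin mentioned here): a must-use plugin that removes the `/wp/v2/users` routes from the REST route table for requests that are not authenticated, while leaving posts and pages public. The file location and the route keys are those of WordPress 4.7 and later.

```php
<?php
/**
 * Plugin Name: Hide REST user routes from anonymous requests
 * Description: Added example (not from the thread or any plugin): remove the
 *              /wp/v2/users routes for requests that are not logged in.
 *
 * Save as wp-content/mu-plugins/hide-rest-users.php (a must-use plugin,
 * loaded on every request without activation).
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // rest_endpoints is applied inside WP_REST_Server::dispatch(), which runs
    // after core's cookie/nonce check, so is_user_logged_in() is only true for
    // requests that carried both a valid auth cookie and a valid X-WP-Nonce.
    // Those requests (e.g. the admin screens) keep seeing the user routes.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Route keys as registered by WP_REST_Users_Controller in WordPress 4.7+.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );
    foreach ( $user_routes as $route ) {
        unset( $endpoints[ $route ] );
    }

    // With the routes gone, an anonymous GET /wp-json/wp/v2/users is answered
    // by the server's own "rest_no_route" 404 instead of a list of users.
    return $endpoints;
} );
```

After dropping the file in place, an anonymous `GET /wp-json/wp/v2/users` returns HTTP 404 with `"code":"rest_no_route"`, and posts embedded with `?_embed` carry an error entry instead of the author object. Two things this does not cover, which are Jan's "already public" point: `/?author=1` still redirects to the author archive, and display names still appear on published posts and in RSS.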

    snowboardmommy

    (@snowboardmommy)

    Thanks for your responses.

    @anevins: The authentication article link ( http://v2.wp-api.org/guide/authentication/ ), to me seems to describe how to authenticate your app to a WordPress installation, not how to institute API authentication on your WordPress installation, in order to control who is accessing the API.

    My main concern:

    The API /posts and /pages endpoints allow a download of everything in one, nice neat JSON package that can be ported anywhere for anything.

    This is very different from having to crawl through an entire website page by page to access the content. I realize that this can be done anyway, but the REST API seems to be giving greater ease of access to the data in a format that is very easily portable.

    @jdembowski
    I’m not as fussed about the usernames individually, that was mainly an example, and I appreciate you clearing up that usernames are considered “public information” by WordPress. That is very illuminating.

    I am mainly concerned about whether I have any control over who is accessing the API endpoints for my website. Right now, it appears to be “everyone”.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    The API /posts and /pages endpoints allow a download of everything in one, nice neat JSON package that can be ported anywhere for anything.

    Did you know there has always been an API of your posts and pages in WordPress core? This is through the use of RSS feeds. It’s nothing new, the API just provides additional formats. I don’t see the concern.

    snowboardmommy

    (@snowboardmommy)

    Well, thanks then for just dismissing my concern and not helping me understand.

    “I don’t see the concern” isn’t really an adequate or even polite explanation.

    I personally do not consider an RSS feed and an API to be equivalent but I don’t feel like arguing about it either.

    The API documentation is not updated to include the fact that the API is part of the core in 4.7, and not a plugin anymore, so it’s actually more confusing than helpful.

    But, I guess I will just wait for the API documentation to hopefully be updated and you can please just close this ticket.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    *Reads. Reads again. Raises hands and does the timeout thing*

    “I don’t see the concern” isn’t really an adequate or even polite explanation.

    That was certainly not anyone’s intention to be dismissive nor was Andrew’s reply impolite. No one here is saying that you do not have any right to be concerned and I’d appreciate if you read what was written and not project any tone into other people’s replies.

    Here’s the thing: if you are not an unauthenticated user to your own site then the REST API, like RSS and others, is only for providing information that is already accessible in other ways. Those other ways have been around for years.

    The REST API is just another interface into WordPress with the almost identical access based on an authenticated user’s level of access. Just as /wp-admin/ is and the XML-RPC interface. Nothing more, nothing less.

    If you want to disable REST then there are some easy ways to do that. A plugin tends to be the most supportable way to do that.

    https://wordpress.org/plugins/disable-json-api/

    That plugin may be a great way to do that as this is from the plugin page.

    As of WordPress 4.7, the filter provided for disabling the REST API has been removed. However, this plugin will now forcibly return an authentication error to any API requests from sources who are not logged into your website, which will effectively still prevent unauthorized requests from using the REST API to get information from your website

    Emphasis added by me. If an unauthenticated request comes into your site then the requestor gets an authentication error and no data.

    As I mentioned earlier, some security plugins will do that too.

    https://wordpress.org/plugins/search.php?q=security

    Wordfence does that by default I think. For a variety of reasons I don’t use any security plugins but they do have a lot of good utility.

    and you can please just close this ticket.

    I’ll mark this topic as “resolved” but be aware that just like you, we are all volunteers helping others. There’s no such thing as a ticket here. It’s not semantics; these are just conversations between people trying to help and understand.

    • This reply was modified 3 years, 6 months ago by Jan Dembowski.
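What the disable-json-api plugin page describes (an authentication error for every REST request that is not from a logged-in user) can also be done directly with the `rest_authentication_errors` filter that WordPress core provides. The following is an added example, not the plugin's code and not from this thread: a must-use plugin that answers unauthenticated REST requests with a 401, with an allow-list of namespaces that stay reachable anonymously. The allow-list contents are an assumption for illustration (only oEmbed is listed); the filter priority of 101 is chosen so that core's own nonce check, which is hooked at priority 100, has already run.

```php
<?php
/**
 * Plugin Name: REST API requires authentication
 * Description: Added example (not from the thread or the disable-json-api
 *              plugin): reject any REST request from a visitor who is not
 *              logged in with a 401, except for an allow-list of namespaces.
 *
 * Save as wp-content/mu-plugins/rest-require-auth.php.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Core or another filter already produced an error: keep it as is.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // Core hooks rest_cookie_check_errors() at priority 100. Running at 101
    // means a cookie-authenticated request that lacks a valid X-WP-Nonce has
    // already been demoted to user 0 and is treated as anonymous here, so
    // a CSRF-style cross-site request cannot ride on the login cookie.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Assumption for illustration: which namespaces must stay public.
    // oembed/1.0 is what other sites call when they embed one of your posts.
    // A form plugin that posts anonymously would need its namespace added.
    $public_namespaces = array( 'oembed/1.0' );

    // rest_api_loaded() populates this query var for every REST request,
    // with or without pretty permalinks (/wp-json/... or ?rest_route=/...).
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? untrailingslashit( $GLOBALS['wp']->query_vars['rest_route'] )
        : '';

    foreach ( $public_namespaces as $namespace ) {
        if ( $route === '/' . $namespace || 0 === strpos( $route, '/' . $namespace . '/' ) ) {
            return $result;
        }
    }

    // WP_REST_Server turns this WP_Error into a JSON error body and uses the
    // "status" data as the HTTP response code.
    return new WP_Error(
        'rest_not_logged_in',
        'You must be logged in to use the REST API on this site.',
        array( 'status' => 401 )
    );
}, 101 );
```

To check it from the outside, run `curl -i https://your-site.example/wp-json/wp/v2/posts` while logged out: the response should be HTTP 401 with `"code":"rest_not_logged_in"`, and the same request for `/wp-json/oembed/1.0/embed?url=...` should still succeed. Keep in mind the point made several times above: this closes the REST interface only, and the same posts and pages remain readable as HTML and through the RSS feeds.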
  • The topic ‘WordPress REST API: publicly & anonymously accessible?’ is closed to new replies.