WordPress REST API: publicly & anonymously accessible?
I am a little confused about the WordPress REST API and haven’t found any documentation that clearly and decisively answers my questions. I guess I stupidly assumed that the REST API would be something internal to your own WordPress installation so that plugins, themes and even the WordPress core could more efficiently access your database and infrastructure and that you would authenticate 3rd parties to access your API as you deemed fit for your business and web endeavors.
But, the alerts I have been receiving from various WordPress security plugins seem to indicate that any anonymous passerby who knows the API endpoints can access everything in your website, download it and do whatever they want with it?
I think that’s a little too big of a leap, to go from serving individual pages to allowing complete dumps of everything in a format that makes it easy to take off with it and re-use it however, with no indication of who took it and what they are doing with it.
Not only that, but it appears that the 4.7 implementation doesn’t even stick to supposed “public” information but reveals usernames and data to anyone who can perform the GET request, unless you happen to be using a security plugin that blocks that part of the API?
I am just baffled that site owners do not have the option to authenticate only the plugins, themes and 3rd parties that they actually want to have access to their website data.
Unless I am understanding this whole situation incorrectly? I would really appreciate some clarification.
Thanks!
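For the "site owners do not have the option" point raised in the post: WordPress core does expose filters that let an administrator restrict anonymous REST access. The snippet below is an added example (not code from the post or from any WordPress plugin) of a must-use plugin that either requires authentication for every REST request, or, more narrowly, removes the users routes for anonymous callers only. It assumes WordPress 4.7 or later, where `rest_authentication_errors` and `rest_endpoints` are core filters; the `RESTRICT_REST_EXAMPLE_MODE` constant is a hypothetical switch for the example.

```php
<?php
/*
 * Plugin Name: Restrict anonymous REST access (added example)
 * Description: Drop this file into wp-content/mu-plugins/. Constructed as an
 *   illustration of core filters; not code from WordPress core or any plugin.
 */

// Hypothetical switch for this example: 'all' locks the whole REST API to
// logged-in users; 'users' only hides the users routes from anonymous callers.
if ( ! defined( 'RESTRICT_REST_EXAMPLE_MODE' ) ) {
    define( 'RESTRICT_REST_EXAMPLE_MODE', 'users' );
}

if ( 'all' === RESTRICT_REST_EXAMPLE_MODE ) {
    // Runs after cookie/nonce authentication, so is_user_logged_in() is reliable.
    add_filter( 'rest_authentication_errors', function ( $result ) {
        // Another handler already authenticated (true) or rejected (WP_Error)
        // this request; never override its decision.
        if ( true === $result || is_wp_error( $result ) ) {
            return $result;
        }
        if ( ! is_user_logged_in() ) {
            // Anonymous request: reject with HTTP 401 before any route runs.
            return new WP_Error(
                'rest_not_logged_in',
                'You must be logged in to use the REST API.',
                array( 'status' => 401 )
            );
        }
        return $result;
    } );
}

if ( 'users' === RESTRICT_REST_EXAMPLE_MODE ) {
    // Narrower option: keep posts, pages, etc. public, but unregister the
    // users collection and single-user routes for anonymous requests so that
    // usernames/slugs are not enumerable through the API.
    add_filter( 'rest_endpoints', function ( $endpoints ) {
        if ( is_user_logged_in() ) {
            return $endpoints;
        }
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
        return $endpoints; // Routes no longer exist for this request (404).
    } );
}
```

The site-wide lock also blocks front-end plugins that rely on anonymous REST calls (contact forms, some themes' AJAX), so test those after enabling it; the users-only variant does not hide author display names that theme templates and author archives already print.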