WordPress REST API: publicly & anonymously accessible?

But, the alerts I have been receiving from various WordPress security plugins seem to indicate that any anonymous passerby who knows the API endpoints can access everything in your website, download it and do whatever they want with it?

Nope. That’s not at all true.

*Looks for coffee, find none.*

The REST API does expose public information on your site and yes, that includes usernames. That does not mean anyone can access your site using the REST API and do whatever they want. The API doesn’t permit unauthenticated clients (users) to do that.

*Looks more and mutters “coffee would be good” and finds none on the train.*

It’s an old discussion. There are those that believe that user IDs and email addresses should be closely guarded secrets or at least not easily discoverable. Note that WordPress does not expose email addresses though user IDs are easy to discover and enumerate. 😉

Some of us believe that unless you can reasonably guarantee that the data is private then don’t make it part of your security strategy. Strong passwords are something that you can control. Your user ID and email (like your name) is fairly public information.

That doesn’t mean you should publish your user ID and email, I’m just saying try not to lose sleep over it. Unless you’re one of the few then odds are very good you’ve shared your real email address with many people and sites.

If you’re concerned about it (and I get that too) then consider installing one of the security plugins in the WordPress repository.

https://wordpress.org/plugins/search.php?q=security

Not all of them will block that unauthenticated REST API access but at least one will.

• This reply was modified 7 years, 4 months ago by Jan Dembowski.

*Reads. Reads again. Raises hands and does the timeout thing*

“I don’t see the concern” isn’t really an adequate or even polite explanation.

That was certainly not anyones intention to be dismissive nor was Andrew’s reply impolite. No one here is saying that you do not have any right to be concerned and I’d appreciate if you read what was written and not project any tone into other people’s replies.

Here’s the thing: if you are not an unauthenticated user to your own site then the REST API, like RSS and others, is only for providing information that is already accessible in other ways. Those other ways have been around for years.

The REST API is just another interface into WordPress with the almost identical access based on an authenticated user’s level of access. Just as /wp-admin/ is and the XML-RPC interface. Nothing more, nothing less.

If you want to disable REST then there are some easy ways to do that. A plugin tends to be the most supportable way to do that.

https://wordpress.org/plugins/disable-json-api/

That plugin may be a great way to do that as this is from the plugin page.

As of WordPress 4.7, the filter provided for disabling the REST API has been removed. However, this plugin will now forcibly return an authentication error to any API requests from sources who are not logged into your website, which will effectively still prevent unauthorized requests from using the REST API to get information from your website

Emphasis added by me. If an unauthenticated request comes into your site then they requestor gets an authentication error and no data.

As I mentioned earlier, some security plugins will do that too.

https://wordpress.org/plugins/search.php?q=security

Wordfence does that by default I think. For a variety of reasons I don’t use any security plugins but they do have a lot of good utility.

and you can please just close this ticket.

I’ll mark this topic as “resolved” but be aware that just like you, we are all volunteers helping others. There’s no such thing as a ticket here. It’s not semantics; these are just conversations between people trying to help and understand.

• This reply was modified 7 years, 3 months ago by Jan Dembowski.