WordPress Security


WordPress REST API: what is it?

The WordPress REST API is an interface that developers can use to access WordPress from outside the WordPress installation itself. You can access it using JavaScript, which means it can be used to create interactive websites and apps.

REST stands for Representational State Transfer and API stands for Application Programming Interface.

To put it more simply, an API is a set of code that allows one system to interact or “interface” with another. If you add a Google map to your WordPress website, you have to use the Google Maps API, which allows your WordPress website to interface with Google Maps.

WordPress already has multiple APIs, for things like plugins, settings and shortcodes. These can be used by plugin and theme developers to interact with the WordPress core to create shortcodes and add settings screens to the WordPress admin panel.

What is REST or Representational State Transfer?

Representational State Transfer, or REST, provides standards that web systems can use to interface with each other. Without such shared conventions, two systems would have no agreed way to understand each other or to send data back and forth.

For an application to be RESTful, it must conform to five principles:

  1. Uniform interface. The URLs used to access resources in the system have to be uniform, consistent and accessible via a common approach such as GET.
  2. Client-server. Client applications and server applications must be separate, so that they can be developed independently of each other. If the server-side technology (i.e. WordPress) changes, the client-side application (an app, for example) must still be able to access it via the same method.
  3. Stateless. The server keeps no client session state between requests; it does not store the requests that have been made.
  4. Cacheable. All resources must be cacheable, to improve speed and conformance to web standards. Caching can be implemented on the server or client-side.
  5. Layered system. A RESTful system lets you use multiple layers to access it, storing data in intermediate servers if it needs to. The server cannot tell if the final client is directly connected to it.

All of these constraints relate to web pages and applications, and they govern the way an application can interface with the WordPress REST API. In practice this means that a third-party website or a mobile app can access your WordPress database, fetch data from it and add data to it.

The WordPress REST API is the best way to access or modify WordPress data asynchronously without slowing down your website.

Is the WordPress REST API enabled?

The best way to check is to visit this URL: If you see information that looks like output from your WordPress REST API, it is working. If you see any response at all, it means that, at least, your WordPress REST API is enabled. Otherwise it is not working and you will need to understand why.

So, if you open it in a new tab and the REST API is enabled but restricted to logged-in users, you will see the following (on Chrome):

{"code":"rest_login_required","message":"REST API restricted to authenticated users.","data":{"status":401}}

WordPress REST API access risks

It is very easy to underestimate the amount of data that is made available via the REST API: posts, pages, categories, tags, comments, taxonomies, media, users and settings. For most of these types of data, public access can be useful, but that easy access invites potential abuse. Just like RSS feeds, JSON content delivered by the REST API is easily scraped and used for spam, phishing, plagiarism or even AdSense.

What are the risks?

For everything except the user data, the risks are the same as for RSS feeds. Scrapers can steal your content regardless of format. If you make it easy for people to steal your content, they will. Content is content, so whether they grab the data in RSS or JSON format makes little difference, but the REST API makes it easier than ever for anyone to manipulate your website’s content, categories, tags, meta, settings and much more.

For user data, we enter a whole new level of risk. User data is personal, so there is a potential privacy risk. Even worse, for every user, their “Name” by default is their “Display Name”, which defaults to the registered “Username” unless otherwise specified. This means that your website’s registered usernames are publicly available, which is a serious security risk.
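A narrower mitigation for the user-data exposure described above, added here as an example and not code from the original post: a small must-use plugin that removes the core /wp/v2/users routes for anonymous requests using WordPress core's `rest_endpoints` filter, while logged-in users keep them. Installing it under wp-content/mu-plugins/ is an assumption, not a requirement of the post.

```php
<?php
/**
 * Plugin Name: Hide REST user routes from anonymous requests (added example)
 *
 * Removes the /wp/v2/users routes for visitors who are not logged in, so
 * display names and usernames are no longer listed to anonymous clients.
 * Assumption: placed in wp-content/mu-plugins/ so it always loads.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // REST authentication (cookie + nonce, or another auth plugin) has
    // already run by the time routes are collected, so this is reliable.
    if ( is_user_logged_in() ) {
        return $endpoints; // editors and site tooling keep full access
    }

    // Route keys exactly as WP_REST_Users_Controller registers them in core.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );

    foreach ( $user_routes as $route ) {
        unset( $endpoints[ $route ] );
    }

    // Anonymous clients now receive the standard rest_no_route 404 for
    // these paths; every other endpoint is left untouched.
    return $endpoints;
} );
```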

Disable the WordPress REST API

How to Disable the WordPress REST API? If you do not want applications to be able to access your website’s data using the REST API, you can disable it by adding some code to your theme’s functions.php file or by developing your own plugin. In your plugin, add just these two lines:

add_filter( 'json_enabled', '__return_false' );
add_filter( 'json_jsonp_enabled', '__return_false' );

This will completely disable the REST API for your website but it may have side effects on your admin screens so make sure that everything works OK once you’ve added those two lines of code.
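Added example, not the post's own snippet: rather than switching the whole API off, current WordPress core's `rest_authentication_errors` filter can gate anonymous requests while logged-in users, and therefore the admin screens that depend on the REST API, keep working. It returns the same `rest_login_required` 401 response shown earlier on the page; the `/oembed/1.0` allow-list is an assumption you can drop if embeds are not needed.

```php
<?php
/**
 * Plugin Name: Restrict REST API to authenticated users (added example)
 *
 * WordPress consults rest_authentication_errors before dispatching any
 * REST request; returning a WP_Error here stops the request with that error.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another plugin has already decided (true = allow, WP_Error = deny).
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // Logged-in users keep full access, which avoids breaking the block
    // editor and other admin screens built on the REST API.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Assumption: these namespaces stay reachable anonymously. oEmbed
    // discovery is used when other sites embed your posts.
    $allowed_prefixes = array( '/oembed/1.0' );

    // The requested route as set by the REST rewrite rule / rest_route var,
    // normalised to a leading slash so prefix checks are consistent.
    $route = $GLOBALS['wp']->query_vars['rest_route'] ?? '';
    $route = '/' . ltrim( $route, '/' );

    foreach ( $allowed_prefixes as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result;
        }
    }

    // Same body the post shows for an API restricted to logged-in users.
    return new WP_Error(
        'rest_login_required',
        'REST API restricted to authenticated users.',
        array( 'status' => 401 )
    );
} );

// JSONP responses can be loaded cross-origin by a plain <script> tag;
// turn them off so the gate above is not sidestepped.
add_filter( 'rest_jsonp_enabled', '__return_false' );
```

Verify after activating by requesting a REST URL in a private browser window (expect the 401 body above) and from a logged-in session (expect normal JSON).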

Hello REST API or Hello Dolly?

Have you been working a lot with the WordPress REST API lately? Then, the Hello Dolly plugin should now be your go-to plugin when you need to test the plugins endpoint. At least, you will be rewarded with a positive message in your dashboard.
