WordPress is a highly popular platform for building and managing blogs and websites. However, it remains exposed to security threats that creep in through unprotected loopholes. Something a lot of people are not aware of is that the REST API can raise serious privacy and security concerns for your site and its sensitive user data. The REST API does significantly improve WordPress performance, but it is also a weak point that can puncture the security cover on your site. To make sure you do not end up on the receiving end, you must understand how the REST API works.
Something as simple as adding a short path to your site's URL can give attackers access to the valid usernames of your website, along with other readable information. And you don't want that, right? Through the WordPress REST API, anyone can read your site's posts, pages, categories, tags, comments, media, users, and settings in machine-readable JSON format.
Hence, many developers know that disabling the REST API is an important step. It helps prevent user data leaks and also keeps content scraping at bay. WordPress developers and others who are aware of this use plugins such as Disable REST API or REST API Toolbox when they want to disable the REST API.
Why the threat with WordPress REST API?
Did you know that when somebody wants to retrieve information from a particular website, they send a specific HTTP GET request? The REST API is designed to understand this request and respond accordingly. With the WordPress API, everyone is able to retrieve the public information available on the site: posts, pages, media files, etc. Anyone who wants this information can retrieve it anonymously by querying the WordPress API running on your WordPress site. The REST API is a clear entry gate for theft, plagiarism, and user data compromise.
The threat is real. If you want to check this for yourself, simply type the URL of your site followed by /wp-json/wp/v2/posts. You will now see your WordPress site's JSON data.
Now anyone can use tools to retrieve the data present on your WordPress site. Scary, right? This makes it easy for content thieves to pounce on your site's content and other sensitive user data as soon as you have completed your WordPress blog setup or put the website into operation.
Since the WordPress REST API is enabled by default, there has to be a reason for that. It is there so that plugins can build their functionality on the REST API. So, rather than disabling the REST API on your WordPress site outright, you should restrict it to authenticated users, as experts advise.
The WordPress REST API Mistakes to look out for
You are vulnerable if the REST API on your WordPress site is enabled, which it is by default. However, if you are also making the mistakes mentioned here, you are welcoming the threat with open arms.
Make sure that you do not display sensitive information on your website, because you now know that the REST API exposes all of that data by default. Once you are clear on what your website displays, never make the mistake of running your live site without basic security checks in place. Two-factor authentication and protecting your login credentials are the action points for this item.
An encrypted connection will go a long way if your website has a lot of sensitive data that you cannot afford to get compromised with. Using a VPN can help you take care of this. If you are looking for a great VPN service, you can compare NordVPN vs IPVanish and look for your options.
You must also make sure that you use an encrypted connection while setting up authentication for your WordPress site. Apart from these smart decisions, anything and everything you do to make your WordPress site secure and free from security vulnerabilities will help you immensely.
Securing the WordPress REST API
To keep this threat in check, you can do one of two things. You can either disable the REST API for all non-logged-in users, or disable only the REST users endpoint.
So, if you are ready to disable the WordPress REST API, you can use a plugin such as Disable REST API. This plugin requires no more than a simple setup and then takes care of the rest. Once you have uploaded and activated the plugin, your site data is no longer accessible through the API.
You can set up the plugin by uploading the disable-json-api directory to the /wp-content/plugins/ directory via FTP. You can also upload the disable-json-api_v#.#.zip file on the 'Plugins -> Add New' page in your WordPress admin area. Once done, simply visit the 'Plugins' menu, activate the plugin, and let it do its job.
You can also try Disable WP REST API by Jeff Starr to get the work done. The plugin is fast and lightweight and disables the WP REST API for non-logged-in visitors without any configuration. It also removes the REST header from the HTTP response for all users and removes the REST links from the HTML head for all users.
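If you would rather not depend on a plugin, the two options described above (restricting the whole API to logged-in users, or hiding only the users endpoint) can be implemented with WordPress core filters. The must-use plugin below is an added example written for this article; it is not the code of the Disable REST API or Disable WP REST API plugins, and the RESTRICT_REST_MODE constant and the file name are assumptions of the example. It uses the rest_authentication_errors and rest_endpoints filters, and removes the same REST discovery header and head links that Jeff Starr's plugin removes.

```php
<?php
/**
 * Plugin Name: Restrict REST API (added example, not one of the plugins named above)
 *
 * Save as wp-content/mu-plugins/restrict-rest-api.php so it loads as a
 * must-use plugin. RESTRICT_REST_MODE (an assumption of this example) picks
 * the behaviour:
 *   'all'   : reject every REST request from anonymous visitors (option 1)
 *   'users' : keep the public API, but hide /wp/v2/users from anonymous
 *             visitors (option 2)
 * Logged-in users (wp-admin, the block editor) keep full access either way.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

if ( ! defined( 'RESTRICT_REST_MODE' ) ) {
    define( 'RESTRICT_REST_MODE', 'all' );
}

// Option 1: reject anonymous requests before any route is dispatched.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler already accepted or rejected the request.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( 'all' === RESTRICT_REST_MODE && ! is_user_logged_in() ) {
        // Anonymous caller: answer with HTTP 401 and no site data.
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// Option 2: keep the public endpoints, but drop every /wp/v2/users route
// for anonymous visitors so user names and slugs cannot be listed.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( 'users' !== RESTRICT_REST_MODE || is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// Stop advertising the API: no "Link: <.../wp-json/>; rel=https://api.w.org/"
// response header, no <link rel="https://api.w.org/"> tag in the page head,
// and no REST entry in the RSD discovery document.
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
```

To verify the result, request /wp-json/wp/v2/posts on your own site without being logged in: in 'all' mode the response is HTTP 401 with the error code rest_not_logged_in, while in 'users' mode posts stay readable and /wp-json/wp/v2/users answers with rest_no_route. Plugins that call the REST API on behalf of anonymous visitors (front-end forms, for instance) will also receive the 401 in 'all' mode, so test the site's public features on a staging copy before deploying this.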
If you are still questioning the threat and want a clear answer, it is fair to say that the WordPress REST API does pose a threat. To the argument that there are other ways, such as RSS, to retrieve this information and that the WordPress REST API is not the only culprit, we have one reply: the REST API presents the retrieved information in a machine-readable form that can easily be harvested and used to the benefit of attackers. So it really does help to disable or restrict the REST API on your WordPress website and to keep WordPress up to date.