
WordPress is a commonly used CMS, but unfortunately many people do not know that its internal data is accessible to everybody via the JSON API unless this is explicitly disabled. Frankly, I also didn't know this until now. Everybody using WordPress should make sure to protect the JSON API by requiring authentication for it. Execute the following steps to protect your WordPress JSON API:


First of all, test whether the WordPress JSON API is accessible without authentication. Open https://<domain>/wp-json or https://<domain>/index.php/wp-json in a browser; if you receive a JSON document, the API is open to everybody and should be protected. Just add the following code at the end of the functions.php of the theme you use:

// Runs at the default priority (10), i.e. before WordPress core's own cookie
// check on this filter (priority 100), so $result is still null here.
add_filter( 'rest_authentication_errors', function ( $result ) {
   // Another filter already produced an error or a decision: keep it.
   if ( ! empty( $result ) ) {
      return $result;
   }
   // No logged-in user: reject the REST request with HTTP 401.
   if ( ! is_user_logged_in() ) {
      return new WP_Error( '401', 'not allowed.', array( 'status' => 401 ) );
   }
   // Logged-in user: leave the result untouched.
   return $result;
} );

Now test the access again; you should get the following reply:

{
   "code": 401,
   "message": "not allowed.",
   "data": {
      "status": 401
   }
}
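A refinement of the snippet above, added here as an example and not part of the original post: denying every unauthenticated REST request can break plugins that legitimately serve anonymous visitors through their own REST namespace (a contact form, for instance). This variant keeps the same default-deny but lets an explicit, short list of route prefixes through; the `$public_route_prefixes` entries are placeholders to be replaced with what your site actually needs.

```php
<?php
// Added example: default-deny for unauthenticated REST requests with an
// explicit allow-list of route prefixes. Put it in the functions.php of a
// child theme (or a small plugin) so a theme update does not overwrite it.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another filter already decided (true or WP_Error): keep that decision.
    // Registered at the default priority 10, this runs before core's cookie
    // check (priority 100), which would otherwise already have set $result.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // Logged-in users keep full access, exactly as in the snippet above.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Hypothetical placeholder: replace with the namespaces your site must
    // expose to anonymous visitors. Keep this list as short as possible.
    $public_route_prefixes = array(
        '/example-form/v1/',
    );

    // WordPress stores the requested REST route in the 'rest_route' query
    // var for both pretty (/wp-json/...) and plain (?rest_route=...) URLs;
    // the API index (/wp-json) arrives here as '/'.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? (string) $GLOBALS['wp']->query_vars['rest_route']
        : '';
    $route = '/' . ltrim( $route, '/' );

    foreach ( $public_route_prefixes as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result; // explicitly public: let the request through
        }
    }

    // Everything else, including the index at /wp-json, needs authentication.
    return new WP_Error(
        'rest_not_logged_in',
        'Authentication required.',
        array( 'status' => 401 )
    );
} );
```

After adding it, repeat the browser test from above against /wp-json and against one of the allowed prefixes to confirm that only the listed routes answer without a login.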


References

FAQ developer.wordpress.org: https://developer.wordpress.org/rest-api/frequently-asked-questions/#can-i-disable-the-rest-api
