WordPress: Disable the REST API

The latest version of WordPress (4.7) ships with a REST API that plugins, applications, external services, or WordPress Core itself can use.

Many of the new features its developers add, however, are not used by every administrator of the popular blogging platform. For example, on this site we don't use Emojis or XML-RPC.

The new REST API, for example, can be used by anyone, without logging in, to retrieve the list of WordPress user accounts.

This alone does not grant access to any site feature, but it lets an attacker discover every username and then run a brute-force attack against those accounts, guessing the passwords they use. The names are also a starting point for social engineering.

To be fair, the API does not expose anything the site does not already reveal elsewhere: for anonymous requests it lists only accounts that have published posts, with public fields such as the ID, display name and slug, and the same slug already appears in each author's archive URL. What it adds is convenience: the whole author list in one machine-readable response. Keep in mind that the slug is derived from the login name, so it is exactly the value a brute-force tool needs.

To see all user accounts on any site running WordPress 4.7, open the following URL (when pretty permalinks are disabled the same data is served at http://domain_name/?rest_route=/wp/v2/users):

http://domain_name/wp-json/wp/v2/users

Now let's see how to block access to this information. There are two options: install a plugin, or add a few lines to the functions.php of the active theme (preferably a child theme, so a theme update does not overwrite them).

The plugin is called Disable REST API and, as its name implies, it disables the REST API for anonymous visitors: requests that are not authenticated get an "Unauthorized Access" error instead of data.

Alternatively, here is the code you can add to functions.php:

// Disable REST API
$current_WP_version = get_bloginfo( 'version' );

if ( version_compare( $current_WP_version, '4.7', '>=' ) ) {
    Force_Auth_Error();
} else {
    Disable_Via_Filters();
}

// WordPress 4.7 and later: the API can no longer be switched off, so reject
// anonymous requests through the authentication filter instead.
function Force_Auth_Error() {
    add_filter( 'rest_authentication_errors', 'only_allow_logged_in_rest_access' );
}

// Older versions: the API was a plugin with on/off filters.
function Disable_Via_Filters() {
    // Filters for WP-API version 1.x
    add_filter( 'json_enabled', '__return_false' );
    add_filter( 'json_jsonp_enabled', '__return_false' );

    // Filters for WP-API version 2.x
    add_filter( 'rest_enabled', '__return_false' );
    add_filter( 'rest_jsonp_enabled', '__return_false' );

    // Remove REST API info from head and headers
    remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
    remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
    remove_action( 'template_redirect', 'rest_output_link_header', 11 );
}

// Return a WP_Error for anonymous requests. An error that another
// authentication handler already produced is passed through untouched.
function only_allow_logged_in_rest_access( $access ) {
    if ( is_wp_error( $access ) ) {
        return $access;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_cannot_access',
            __( 'REST API is NOT for YOU! Sorry pal.', 'disable-json-api' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $access;
}
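As an added example (not code from the original post or from the Disable REST API plugin), the following Python script checks a site both ways: it walks every page of the users endpoint shown above and collects the slugs an attacker would feed to a brute-force tool, and it recognises the rest_cannot_access error the functions.php filter returns once it is active. The two sample responses embedded in it are constructed, example.com is a placeholder, and fetch_users() needs network access; the offline demo runs only on the constructed samples.

```python
"""Check whether a WordPress site still lists its users at /wp-json/wp/v2/users.

Added example; not code from the original post or the Disable REST API plugin.
"""
import json
import urllib.error
import urllib.request

# Constructed sample of what an unprotected WordPress 4.7 site returns for
# GET /wp-json/wp/v2/users (trimmed to the fields that matter here).
OPEN_BODY = json.dumps([
    {"id": 1, "name": "George", "slug": "giorgos",
     "link": "http://example.com/author/giorgos/"},
    {"id": 7, "name": "Editor", "slug": "editor",
     "link": "http://example.com/author/editor/"},
])

# Constructed sample of the same request after the rest_authentication_errors
# filter from functions.php is active (status 401, which is what
# rest_authorization_required_code() returns for a logged-out visitor).
BLOCKED_BODY = json.dumps({
    "code": "rest_cannot_access",
    "message": "REST API is NOT for YOU! Sorry pal.",
    "data": {"status": 401},
})


def classify(status, body):
    """Interpret one response from the users endpoint.

    Returns ("open", [slugs]) when accounts are listed, ("blocked", error_code)
    when WordPress answered with a WP_Error, and ("other", None) for anything
    else (HTML from a WAF, a site without the REST API, ...).
    """
    try:
        data = json.loads(body)
    except ValueError:
        return ("other", None)
    if status == 200 and isinstance(data, list):
        # slug is user_nicename, which WordPress derives from the login name,
        # so it is the value a brute-force tool would try as the username.
        return ("open", [user["slug"] for user in data if "slug" in user])
    if isinstance(data, dict) and "code" in data:
        return ("blocked", data["code"])
    return ("other", None)


def fetch_users(site, per_page=100):
    """Walk every page of /wp/v2/users on a live site (needs network access).

    per_page=100 is the maximum WordPress accepts; the X-WP-TotalPages header
    says when to stop, so a site with hundreds of authors is enumerated fully.
    """
    slugs = []
    page = 1
    while True:
        url = "%s/wp-json/wp/v2/users?per_page=%d&page=%d" % (
            site.rstrip("/"), per_page, page)
        req = urllib.request.Request(
            url, headers={"User-Agent": "rest-users-check/1.0"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status = resp.status
                body = resp.read().decode("utf-8", "replace")
                total_pages = int(resp.headers.get("X-WP-TotalPages", "1"))
        except urllib.error.HTTPError as err:
            status = err.code
            body = err.read().decode("utf-8", "replace")
            total_pages = 1
        kind, payload = classify(status, body)
        if kind != "open":
            return kind, payload
        slugs.extend(payload)
        if page >= total_pages:
            return "open", slugs
        page += 1


if __name__ == "__main__":
    # Offline demo on the constructed samples; pass a real URL to fetch_users()
    # to test a site you are allowed to scan.
    print(classify(200, OPEN_BODY))     # ('open', ['giorgos', 'editor'])
    print(classify(401, BLOCKED_BODY))  # ('blocked', 'rest_cannot_access')
```

Run the check from a browser session or script that is not logged in: the filter above only rejects anonymous requests, so a logged-in administrator will still see the user list and may wrongly conclude the fix did not work. If pretty permalinks are off, point the script at the ?rest_route= form of the URL instead.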

iGuRu.gr

Written by giorgos
