WordPress: Disable the REST API

The latest version of WordPress ships with new REST API features that can be used by plugins, applications, services, or WordPress Core itself.

Often, however, some of the new features added by Automattic's developers are not used by every administrator of the popular blogging platform. For example, at SecNews we use neither Emojis nor XML-RPC.

The new REST API functionality, for example, can be used by anyone to retrieve the list of WordPress users.

This alone is not enough to give access to the site, but it lets a malicious user discover all the usernames and then try to guess their passwords with brute-force attacks. Of course, he can also use social engineering to collect more information.

It should be mentioned that the new API does not expose anything more than the names of the users, which are usually already available elsewhere on the website anyway. It simply lists all WordPress user accounts in one place.

To see all user accounts on any site running WordPress 4.7, go to:

http://domain_name/wp-json/wp/v2/users

Let's now see how you can deny access to this information. You can do this either by installing a plugin or by adding code to the functions.php file in the folder of the theme you are using.

The plugin is called Disable REST API and, as its name implies, it disables the REST API by returning an "Unauthorized Access" message to anonymous requests for REST API data.

Let's also see the code you can add to your theme's functions.php:

```php
// Disable the REST API: on WordPress 4.7 and later, refuse every request that
// is not from a logged-in user; on older versions, switch the WP-API plugin
// off entirely through its own filters.
$current_WP_version = get_bloginfo( 'version' );
if ( version_compare( $current_WP_version, '4.7', '>=' ) ) {
    Force_Auth_Error();
} else {
    Disable_Via_Filters();
}

function Force_Auth_Error() {
    add_filter( 'rest_authentication_errors', 'only_allow_logged_in_rest_access' );
}

function Disable_Via_Filters() {
    // Filters for WP-API version 1.x
    add_filter( 'json_enabled', '__return_false' );
    add_filter( 'json_jsonp_enabled', '__return_false' );

    // Filters for WP-API version 2.x
    add_filter( 'rest_enabled', '__return_false' );
    add_filter( 'rest_jsonp_enabled', '__return_false' );

    // Remove the REST API discovery links from the RSD endpoint, the HTML
    // head and the HTTP Link header
    remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
    remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
    remove_action( 'template_redirect', 'rest_output_link_header', 11 );
}

// Return an authentication error for every REST request that does not come
// from a logged-in user; authenticated requests pass through unchanged.
function only_allow_logged_in_rest_access( $access ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_cannot_access',
            __( 'REST API is NOT for YOU! Sorry pal.', 'disable-json-api' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $access;
}
```
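A narrower alternative, added here as an example and not code from the article or the Disable REST API plugin: instead of rejecting every anonymous REST request, only the user-listing routes are refused to visitors who are not logged in, so the other endpoints keep working. It hooks WordPress Core's rest_pre_dispatch filter; the function name, the route pattern and the error message are assumptions.

```php
// Added example: refuse anonymous access to the /wp/v2/users routes only.
// Goes inside the PHP of the active theme's functions.php (or a small plugin).
add_filter( 'rest_pre_dispatch', 'example_block_anonymous_user_listing', 10, 3 );

function example_block_anonymous_user_listing( $result, $server, $request ) {
    // Another hook already produced a response, or the caller is authenticated:
    // leave the request alone.
    if ( null !== $result || is_user_logged_in() ) {
        return $result;
    }

    // Matches /wp/v2/users and /wp/v2/users/<id>, but nothing else.
    // (Pattern is an assumption; extend it to cover other routes you want to protect.)
    if ( preg_match( '#^/wp/v2/users(?:/|$)#', $request->get_route() ) ) {
        // 401 for anonymous callers, via the same helper the article's code uses.
        return new WP_Error(
            'rest_cannot_access',
            __( 'Authentication is required to list users.', 'example' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $result;
}
```

With this in place an anonymous request to /wp-json/wp/v2/users receives a 401 JSON error while every other route is unaffected. Note that a plain browser visit without the REST nonce counts as anonymous even for a logged-in administrator, so verify from the admin UI or with proper authentication, not just by opening the URL.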

iGuRu.gr - The Best Technology Site in Greece
Written by giorgos