Why it’s important to restrict access to the WP REST API
Critical bug allows unauthorized visitors to edit any post on your website
Do you have a WordPress powered website? Congratulations! From day zero you are also offering hackers a convenient tool: the WordPress REST API, which is enabled by default since WordPress 4.7.0. The REST API lets any HTTP client read and modify posts, pages, comments, users, taxonomies and site settings remotely, without ever touching the wp-admin screens. Every operation is supposed to be guarded by the same capability checks as the admin interface, but those checks are now reachable by every anonymous visitor.
The REST API is still a young piece of code and has had its share of bugs. That is why you need to restrict access to it with a security plugin like WP Cerber. Please take this seriously, because I have bad news for you. Shortly after WordPress 4.7 was released, a critical bug was found in the REST API that allows unauthenticated visitors to edit any post on your website. The bug was reported by Ryan Dewhurst and was fixed by the WordPress team in WordPress 4.7.2.
The previous release, WordPress 4.7.1, was announced as a security and maintenance release and fixed eight security issues, but the REST API bug was not among them. That left millions of websites around the world exposed until 4.7.2 shipped. Hard as it is to believe, updating WordPress on shared hosting can take up to several weeks. How many websites have been hacked and infected in the meantime?
Since the REST API was silently enabled for every website, twenty bugs have been discovered and fixed in it. That is a lot of bugs for a component that exposes content management operations to any HTTP client, because a single broken permission check is immediately reachable by every anonymous visitor, with no login and no interaction on your side.
The WP Cerber security plugin allows you to block access to the REST API completely, no matter how many bugs the REST API has. To enable protection, go to the Hardening tab on the plugin admin page and check "Block access to the WordPress REST API". Optionally, you can permit access to the REST API for hosts on the White IP Access List. Keep in mind that some plugins call the REST API from the public side of your site (front-end forms and similar features), so test those features after enabling the option. Read more: Using IP Access Lists to protect WordPress
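For readers who want to see what such a restriction looks like under the hood, here is the same policy as a small must-use plugin. This is an added example written for this post; it is not WP Cerber's code and not part of the original article. It denies REST API requests from anonymous clients, lets properly authenticated users through, and allows anonymous access only from an IP allowlist. The allowlist constant, the plugin file name and the addresses in it are assumptions made up for the example; the hook `rest_authentication_errors` and the priority of WordPress core's own cookie check are real.

```php
<?php
/**
 * Plugin Name: Restrict REST API (illustrative example)
 * Description: Reject unauthenticated REST API requests unless the client IP
 *              is on an allowlist. Example code, not WP Cerber's implementation.
 * Install as wp-content/mu-plugins/restrict-rest-api.php (assumed path).
 */

// Allowlist is an assumption for this example. The addresses are RFC 5737
// documentation ranges and stand in for "hosts on the White IP Access List".
const RESTRICT_REST_ALLOWED_IPS = array(
    '203.0.113.10',     // a single monitoring host
    '198.51.100.0/24',  // a CIDR range, e.g. an office network
);

/**
 * True when $ip (IPv4) equals $rule or falls inside the CIDR range $rule.
 * IPv6 or malformed input is treated as "not allowed" (fail closed).
 */
function restrict_rest_ip_matches( $ip, $rule ) {
    $ip_long = ip2long( $ip );
    if ( false === $ip_long ) {
        return false;
    }
    if ( false === strpos( $rule, '/' ) ) {
        return ip2long( $rule ) === $ip_long;
    }
    list( $subnet, $bits ) = explode( '/', $rule, 2 );
    $subnet_long = ip2long( $subnet );
    $bits        = (int) $bits;
    if ( false === $subnet_long || $bits < 0 || $bits > 32 ) {
        return false;
    }
    // Netmask as a 32-bit value (64-bit PHP assumed); /0 matches everything.
    $mask = ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF;
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/**
 * Decide whether the current REST request may proceed.
 * Returns $result untouched (no objection) or a WP_Error that aborts the request.
 */
function restrict_rest_api_access( $result ) {
    // An earlier authentication handler already produced an error or an
    // explicit pass; leave its decision alone.
    if ( null !== $result ) {
        return $result;
    }
    // This filter runs after core's cookie/nonce check (priority 100), so a
    // bare login cookie without a valid nonce no longer counts as logged in.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // Trust REMOTE_ADDR only: X-Forwarded-For is client-controlled unless the
    // site sits behind a proxy you control and WordPress is configured for it.
    $client_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( RESTRICT_REST_ALLOWED_IPS as $rule ) {
        if ( restrict_rest_ip_matches( $client_ip, $rule ) ) {
            return $result;
        }
    }
    // WP_REST_Server turns this into a JSON error with HTTP status 401.
    return new WP_Error(
        'rest_forbidden',
        'REST API access is restricted on this site.',
        array( 'status' => 401 )
    );
}
// Priority 101 so that core's rest_cookie_check_errors (priority 100) runs first.
add_filter( 'rest_authentication_errors', 'restrict_rest_api_access', 101 );
```

To check the effect, request a public endpoint from a host that is not on the allowlist, for example `curl -s -o /dev/null -w '%{http_code}\n' https://example.com/wp-json/wp/v2/posts` (example.com standing in for your site). Before the change you get 200 and a JSON list of posts; after it you get 401 and a JSON body whose code is `rest_forbidden`. The same request against `/wp-json/wp/v2/users` shows that anonymous user enumeration through the API is closed as well. Logged-in editors keep working because their admin pages send the REST nonce that core validates before this filter runs.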