Restrict access to WordPress REST API
It's time to take control of the WordPress REST API
WP Cerber Security allows you to restrict or completely block access to the WordPress REST API, which is enabled by default. To enable the protection, go to the Hardening tab and enable Block access to the WordPress REST API except any of the following.
If you use Contact Form 7, Jetpack or another plugin that makes use of the REST API, you need to whitelist its REST API namespaces as described below; otherwise the plugin's REST requests are denied together with everything else.
Permit access to a particular REST API namespace
What's a namespace? A namespace is the part of a request URL that lets WordPress recognize which plugin or piece of code must serve a particular REST API request. To get the namespace, take the string between /wp-json/ and the next slash in the REST URL: for a request to https://example.com/wp-json/contact-form-7/v1/contact-forms the namespace is contact-form-7. Every plugin that utilizes the REST API uses its own unique namespace. The table below shows the namespaces for some plugins.
| Plugin | Namespace |
| --- | --- |
| Contact Form 7 | contact-form-7 |
| Caldera Forms | cf-api |
| Yoast SEO | yoast |
| Jetpack | jetpack |
Specify namespace exceptions for the REST API if needed, as shown on the screenshot.
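As an added example (this is not WP Cerber's own code), the namespace rule above can be applied mechanically: take the string between /wp-json/ and the next slash, then allow the request only if that namespace is on the exception list or the request comes from a logged-in user. The allow list and the sample URLs are constructed for this example, and the handling of the ?rest_route= URL form (which WordPress uses when pretty permalinks are disabled, a case the page does not mention) is an assumption added here.

```python
"""Work out which REST API namespace a WordPress request targets and apply an
allow-list to it, the way a 'block REST API except these namespaces' rule does.
Added example; not code from WP Cerber. ALLOWED_NAMESPACES is a constructed list."""
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed allow list: the namespaces a site with Contact Form 7 and Jetpack
# would add as exceptions. Replace with whatever your own plugins need.
ALLOWED_NAMESPACES = {"contact-form-7", "jetpack"}


def rest_route(url: str) -> Optional[str]:
    """Return the route after /wp-json/ ('' for the API index), or None if the
    URL is not a REST request at all.

    Two URL forms are recognised. /wp-json/... is the form the page describes;
    ?rest_route=/... is the form WordPress uses when pretty permalinks are off
    (assumed relevant here; the page does not mention it).
    """
    parts = urlsplit(url)
    path = parts.path
    marker = "/wp-json/"
    idx = path.find(marker)
    if idx != -1:
        return path[idx + len(marker):]
    if path.endswith("/wp-json"):          # API index without trailing slash
        return ""
    query = parse_qs(parts.query)
    if "rest_route" in query:
        return query["rest_route"][0].lstrip("/")
    return None


def namespace(url: str) -> Optional[str]:
    """The namespace is the string between /wp-json/ and the next slash."""
    route = rest_route(url)
    if route is None:
        return None
    return route.split("/", 1)[0]


def rest_access(url: str, allowed=ALLOWED_NAMESPACES, logged_in: bool = False) -> str:
    """Decide a request: 'n/a' (not a REST request), 'allow' or 'block'.

    logged_in=True models the 'Allow REST API for logged in users' option,
    which lifts the namespace restriction for authenticated users.
    """
    ns = namespace(url)
    if ns is None:
        return "n/a"
    if logged_in or ns in allowed:
        return "allow"
    return "block"


if __name__ == "__main__":
    # Constructed sample URLs; none of these were taken from a real site.
    for u in (
        "https://example.com/wp-json/contact-form-7/v1/contact-forms/5/feedback",
        "https://example.com/blog/wp-json/jetpack/v4/module/all",
        "https://example.com/?rest_route=/wp/v2/users",
        "https://example.com/wp-json/oembed/1.0/embed?url=https://example.com/hello-world/",
        "https://example.com/wp-json/",
        "https://example.com/hello-world/",
    ):
        print(f"{rest_access(u):5} {namespace(u)!r:20} {u}")
```

Note that the API index (/wp-json/ with nothing after it) yields an empty namespace and is therefore blocked by the rule, which is the behaviour you want: the index lists every registered route on the site.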
Permit your users to use REST API
Enable Allow REST API for logged in users if you want to allow any authorized (logged-in) WordPress user to use the REST API without limitation. This exception applies only to authenticated requests; anonymous requests are still subject to the namespace exceptions and the IP access lists.
Restrict access to WordPress REST API by IP address or IP network
To permit access to the REST API for a specific IP address or IP network, add it to the White IP Access List.
To block access to the REST API for a specific IP address or IP network, add it to the Black IP Access List.
Read more: Using IP Access Lists to protect WordPress
Protection against REST API user enumeration
To stop user enumeration and block access to user details via the REST API, just enable the Stop user enumeration setting on the Hardening WordPress tab. This security feature is designed to detect and prevent hackers from scanning your site for usernames and user details. When it's enabled, Cerber Security blocks both REST API user enumeration and traditional user enumeration requests to author archive pages with URLs like /?author=n. So nobody will have access to user details via the REST API unless you permit access as described above (a whitelisted IP address, or a logged-in user when the logged-in exception is enabled).
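The two probe patterns this setting blocks, the REST users endpoint and /?author=n, are easy to spot in a web server access log. The following script is an added example (not WP Cerber's code): it reads combined-format log lines, counts per client address how often the users endpoint (/wp-json/wp/v2/users, also reachable as ?rest_route=/wp/v2/users) was requested and how many distinct author IDs were tried, and records how many of those probes were answered with 403, the status this example assumes a denied request returns. The log lines are constructed, and the threshold of three distinct author IDs is a choice made for this example.

```python
"""Spot user-enumeration probes in a WordPress access log: requests to the
REST users endpoint (wp/v2/users) and scans of author archives (/?author=N).
Added example, not part of WP Cerber; the log lines below are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format: ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The users endpoint, reached as /wp-json/wp/v2/users... or via ?rest_route=/wp/v2/users...
REST_USERS_RE = re.compile(r"(?:/wp-json|rest_route=)/wp/v2/users(?:/|$|\?|&)")

# Constructed sample: 203.0.113.7 walks the users endpoint and author IDs 1..3,
# 198.51.100.4 is an ordinary visitor who submits a contact form, and 192.0.2.9
# is a probe that was denied with 403 (the status assumed here for a blocked request).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1532
203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "GET /?rest_route=/wp/v2/users/1 HTTP/1.1" 200 412
203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [10/Oct/2023:12:00:04 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.7 - - [10/Oct/2023:12:00:05 +0000] "GET /?author=3 HTTP/1.1" 404 0
198.51.100.4 - - [10/Oct/2023:12:01:00 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/12/feedback HTTP/1.1" 200 88
198.51.100.4 - - [10/Oct/2023:12:01:05 +0000] "GET /?author=1 HTTP/1.1" 301 0
192.0.2.9 - - [10/Oct/2023:12:02:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 403 0
"""


def classify(target: str):
    """Return 'rest_users', ('author', N) or None for one request target."""
    if REST_USERS_RE.search(target):
        return "rest_users"
    query = parse_qs(urlsplit(target).query)
    author = query.get("author", [""])[0]
    if author.isdigit():
        return ("author", int(author))
    return None


def enumeration_report(log_text: str, min_author_ids: int = 3):
    """Per-IP summary. An IP is flagged if it touched the REST users endpoint at
    all, or requested at least min_author_ids distinct author archives, which is
    the pattern of an /?author=N scan rather than a visitor following one link.
    'denied' counts probes answered with 403, so a run over fresh logs shows
    whether the protection actually caught them."""
    per_ip = defaultdict(lambda: {"rest_users": 0, "author_ids": set(), "denied": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["target"])
        if kind is None:
            continue
        entry = per_ip[m["ip"]]
        if kind == "rest_users":
            entry["rest_users"] += 1
        else:
            entry["author_ids"].add(kind[1])
        if m["status"] == "403":
            entry["denied"] += 1
    report = {}
    for ip, e in per_ip.items():
        report[ip] = {
            "rest_users": e["rest_users"],
            "author_ids": sorted(e["author_ids"]),
            "denied": e["denied"],
            "flagged": e["rest_users"] > 0 or len(e["author_ids"]) >= min_author_ids,
        }
    return report


if __name__ == "__main__":
    for ip, summary in enumeration_report(SAMPLE_LOG).items():
        print(ip, summary)
```

A flagged address whose probes were not denied (a 200 from the users endpoint, or a 301 from /?author=n, which redirects to the author's archive and so leaks the username) means the request reached WordPress, for example because the address is on the White IP Access List or the client was logged in with the logged-in exception enabled.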
What is REST API, anyway?
In a nutshell, it's a technology that allows two different pieces of code (applications) to talk to each other and exchange data in a standardized way. Using the REST API enables developers to create, read and update WordPress content from external applications running on a different computer or website. The WP REST API has been enabled by default since WordPress version 4.7.0.
Read more: Why it’s important to restrict access to the WP REST API
Developers documentation: https://developer.wordpress.org/rest-api/
Next steps that’ll strengthen your WordPress security
- How to block spam user registrations
- How to block spam form submissions
- How to block a WordPress user
- How to block access from a specific IP address
- How to disable using a specific username
What's Cerber Security, anyway? It's a complete security solution for WordPress which evolved from a simple yet effective limit login attempts plugin.
OK. But how do I know whether a plugin uses the REST API, so that I have to add it to the namespace access list?
1. From the plugin's documentation.
2. By checking for REST API requests on the Live Traffic page: just click the small "REST API" button above the table.
3. If you know the REST API namespace used by a plugin, you can search for requests by entering that namespace in the "URL contains" field of the Advanced search form.
4. Disable the REST API completely in the settings and check how the plugin works. If the plugin doesn't work anymore, that means it uses the REST API. To find out its namespace, look for "Request to REST API denied" events on the Activity page.
Mmm… thanks, but that does not really make me happy. I checked e.g. the contact form and that worked because the REST API works for the administrator. For me, a small blogger with 22 plugins operational, this becomes a nuisance and a lot of time and work. Can't this be done automatically, e.g. by suggesting or something?
And while we are talking, why should I not permit /oembed/ as a namespace? It seems to be used by a robot (and of course Cerber blocks it correctly 🙂).
For other questions I will use the support blog as I normally do.
Sorry for the kind of abuse of this blog. Won’t do it again.