WordPress security explained

Why it’s important to restrict access to the WP REST API

Critical bug allowed unauthenticated visitors to edit any post on your website

Do you run a WordPress powered website? Congratulations! From day zero you also offer hackers a convenient tool: the WordPress REST API, which has been enabled by default since WordPress 4.7.0. The REST API serves public content (posts, pages, media, the authors of public posts) to any anonymous HTTP client that asks for it under /wp-json/, and for authenticated users it allows most editorial and administrative tasks to be performed remotely, without ever opening wp-admin.

The WordPress REST API is still a young technology and its code has had its share of bugs. That is why you should restrict access to the REST API, for example with a security plugin like WP Cerber. Please take this seriously, because I have bad news for you. Shortly after WordPress 4.7 was released, a critical bug was found in the REST API: the posts endpoint did not validate its post ID parameter strictly enough, which allowed unauthenticated visitors to edit any post on your website. The bug was reported privately by Marc-Alexandre Montpas of Sucuri and fixed by the WordPress team in WordPress 4.7.2; the fix was deliberately left out of the release announcement for a week so that automatic updates could roll out before the details became public.

The previous version, WordPress 4.7.1, was announced as a security and maintenance release and fixed eight security issues, but the REST API bug was not among them. That left millions of websites around the world unprotected. It is hard to believe, but updating WordPress on shared hosting can take up to several weeks, and sites with automatic updates disabled never get the fix at all. How many websites have been hacked and infected in the meantime?

Meanwhile, since the REST API was silently enabled for every website, twenty bugs have been discovered and fixed in it by my count. That is quite a lot of bugs for an interface that exposes your content, and for authenticated users your administrative actions, to any HTTP client in the background.

The WP Cerber Security plugin lets you restrict or block access to the REST API completely, no matter how many bugs the REST API has. To enable protection, go to the Hardening tab on the plugin admin page and check Block access to the WordPress REST API. Treat this as defense in depth rather than a substitute for updating: the content injection bug is only truly gone once your site runs WordPress 4.7.2 or later, and blocking the API also blocks any plugin or theme that legitimately depends on it, which is what the options below are for.

After you have blocked the REST API you have three options to fine-tune protection:

  • Specify namespace exceptions for the REST API if needed. For instance, the Contact Form 7 plugin uses the namespace contact-form-7 and the Jetpack plugin uses jetpack; requests to those namespaces are allowed through while everything else stays blocked.
  • Check Allow REST API for logged in users if you want any authenticated WordPress user to use the REST API without restriction. This keeps editor and admin features that talk to the API working while anonymous visitors are still locked out.
  • Permit access to the REST API for a specific IP address or IP network by adding it to the White IP Access List, for example a monitoring host or your office network. Read more: Using IP Access Lists to protect WordPress
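
The three options above map directly onto hooks that WordPress core provides. The must-use plugin below is an added example written for this page to show how such a gate works with those hooks; it is not WP Cerber's code and does not reproduce its implementation. The namespace list, the IP ranges, every function and constant prefixed example_rest_, and the assumptions that PHP is 64-bit and that the web server sees the client's address directly in REMOTE_ADDR are all assumptions made for the example.

```php
<?php
/**
 * Plugin Name: REST API access gate (illustrative example, not WP Cerber code)
 *
 * Drop this file into wp-content/mu-plugins/ to get the behaviour described
 * above with core hooks only: block the REST API for anonymous clients, except
 * for allow-listed namespaces, allow-listed source networks and, optionally,
 * logged-in users. All names and list contents below are assumptions.
 */

// Namespaces anonymous clients may still call. WordPress namespaces carry a
// version ("contact-form-7/v1"); only the first path segment is compared.
const EXAMPLE_REST_ALLOWED_NAMESPACES = array( 'contact-form-7', 'jetpack' );

// Sources allowed to use the whole API, e.g. a monitoring host and an office
// network. Assumed values; IPv4 CIDR notation, 64-bit PHP assumed.
const EXAMPLE_REST_ALLOWED_NETWORKS = array( '203.0.113.10/32', '198.51.100.0/24' );

// Equivalent of "Allow REST API for logged in users" in the post.
const EXAMPLE_REST_ALLOW_LOGGED_IN = true;

/** True when dotted IPv4 $ip lies inside $cidr ("a.b.c.d/n", "/32" if omitted). */
function example_rest_ip_in_cidr( $ip, $cidr ) {
	if ( false === strpos( $cidr, '/' ) ) {
		$cidr .= '/32';
	}
	list( $subnet, $bits ) = explode( '/', $cidr, 2 );
	$bits        = (int) $bits;
	$ip_long     = ip2long( $ip );
	$subnet_long = ip2long( $subnet );
	if ( false === $ip_long || false === $subnet_long || $bits < 0 || $bits > 32 ) {
		return false; // malformed input never matches
	}
	// /0 would need a 32-bit shift, which is undefined; treat it as match-all.
	$mask = ( 0 === $bits ) ? 0 : ( -1 << ( 32 - $bits ) );
	return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/** First segment of a REST route, e.g. "/jetpack/v4/sync" -> "jetpack". */
function example_rest_route_namespace( $route ) {
	$parts = explode( '/', ltrim( $route, '/' ) );
	return $parts[0];
}

/**
 * Client address as PHP sees it. Assumes no reverse proxy: behind one,
 * REMOTE_ADDR is the proxy and the address must be taken from the proxy's
 * trusted header instead, otherwise the allow-list matches the proxy itself.
 */
function example_rest_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
}

/**
 * Decide whether a request may proceed: null allows it, a WP_Error carrying
 * HTTP status 403 blocks it. Kept free of globals so it can be unit-tested.
 */
function example_rest_decide( $route, $client_ip, $logged_in ) {
	if ( EXAMPLE_REST_ALLOW_LOGGED_IN && $logged_in ) {
		return null;
	}
	foreach ( EXAMPLE_REST_ALLOWED_NETWORKS as $cidr ) {
		if ( example_rest_ip_in_cidr( $client_ip, $cidr ) ) {
			return null;
		}
	}
	if ( in_array( example_rest_route_namespace( $route ), EXAMPLE_REST_ALLOWED_NAMESPACES, true ) ) {
		return null;
	}
	return new WP_Error(
		'rest_forbidden',
		'Access to the WordPress REST API is restricted on this site.',
		array( 'status' => 403 )
	);
}

// rest_pre_dispatch runs after cookie/nonce authentication and before the
// route handler. Returning a WP_Error short-circuits dispatch and the server
// sends it as the JSON response with the status given above. The API index
// ("/") has an empty namespace and is therefore blocked as well.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	if ( null !== $result ) {
		return $result; // another plugin already short-circuited this request
	}
	return example_rest_decide( $request->get_route(), example_rest_client_ip(), is_user_logged_in() );
}, 10, 3 );
```

To check the result, request https://example.com/wp-json/wp/v2/posts from an address that is not on the list without being logged in: you should get HTTP 403 with the rest_forbidden error body, while the same request to a path under /wp-json/contact-form-7/v1/ or from 198.51.100.0/24 still goes through. Keep the namespace list short and specific; allowing a whole vendor namespace also allows every endpoint that vendor registers, so each exception you add re-exposes the attack surface of exactly that plugin.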



I'm a team lead at Cerber Tech. I'm a software & database architect and a WordPress, PHP, SQL and JavaScript developer. I started coding in 1993 on an IBM System/370 (yeah, those were amazing days) and today software engineering at Cerber Tech is how I make my living. I've been taught to have high standards for myself as well as to apply them in developing software solutions.
