WordPress is a commonly used CMS. Unfortunately, a lot of people don't know that anybody can access internal data via the JSON-API unless it is explicitly disabled. Frankly, I also didn't know this until now. Everybody using WordPress should make sure to protect the JSON-API by requiring authentication for it. Execute the following steps to protect your WordPress JSON-API:
First of all, test whether the WordPress JSON-API is accessible without authentication. Open https://<domain>/wp-json or https://<domain>/index.php/wp-json in a browser; if you receive a JSON document, the API is open to everybody and should be protected. To protect it, add the following code at the end of the functions.php of the theme you use:
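    add_filter( 'rest_authentication_errors', function( $result ) {
        // An earlier authentication check already produced a result: pass it on unchanged.
        if ( ! empty( $result ) ) {
            return $result;
        }
        // No check has run yet: reject every request that has no logged-in user.
        if ( ! is_user_logged_in() ) {
            return new WP_Error( '401', 'not allowed.', array( 'status' => 401 ) );
        }
        // Logged-in requests continue as before.
        return $result;
    });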
Now test the access again and you should get the following reply:
{
}
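The before-and-after test described above can also be scripted. The following Python sketch is an added example, not code from the original post: it requests both URL forms without credentials and classifies each reply. The function names, the sample responses and the choice to accept 403 as a denial alongside 401 are assumptions of this example.

```python
import json
import sys
import urllib.error
import urllib.request

# The two URL forms the post says to try.
PATHS = ("/wp-json", "/index.php/wp-json")
# Constructed sample responses (not captured from a real site).
SAMPLE_OPEN = (200, '{"name":"Demo","namespaces":["wp/v2"],"routes":{"/":{}}}')
SAMPLE_DENIED = (401, '{"code":"401","message":"not allowed.","data":{"status":401}}')


def classify(status, body):
    """Classify one unauthenticated response as 'open', 'protected' or 'unknown'."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return "unknown"        # HTML page or empty body: not a REST API reply
    if not isinstance(doc, dict):
        return "unknown"
    if status == 200 and "routes" in doc:
        return "open"           # the API index was served to an anonymous caller
    if status in (401, 403) and "code" in doc and "message" in doc:
        return "protected"      # a WP_Error rendered as JSON (403 is an assumption)
    return "unknown"


def fetch(url, timeout=10):
    """Anonymous GET returning (status, body); HTTP error codes are results, not exceptions."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_site(base_url, fetcher=fetch):
    """Probe both paths; 'open' on either one decides, since one exposed path is enough."""
    results = {p: classify(*fetcher(base_url.rstrip("/") + p)) for p in PATHS}
    overall = next((v for v in ("open", "protected") if v in results.values()), "unknown")
    return overall, results


if __name__ == "__main__":
    if len(sys.argv) == 2:      # live check of a site you administer
        print(check_site(sys.argv[1]))
    else:                       # offline demonstration on the constructed samples
        print(classify(*SAMPLE_OPEN), classify(*SAMPLE_DENIED))
```

Run it against your own site before and after editing functions.php; the overall verdict should change from open to protected.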
References
FAQ developer.wordpress.org: https://developer.wordpress.org/rest-api/frequently-asked-questions/#can-i-disable-the-rest-api


