REST API – Deactivated
Removing Unnecessary Connectivity
In this short post I am going to talk about two moderate WordPress security concerns. These are features conceived with the best intentions, meant to spice up WordPress usability and extend it across multiple devices, but which can become security problems if left open on a site that never uses them.
There are currently two such items in WordPress and these are XML-RPC and the REST API.
Firstly, let's have a look at XML-RPC, which is handled by the xmlrpc.php file in the WP root.
What is it?
In short, it is a legacy component intended to enable cross-platform communication and integration. As you may have guessed, it uses XML (Extensible Markup Language) to encode and structure the data transmitted to and from your WP core via HTTP. Already it sounds like an open door to attackers, which it can be, though not quite as risky as the REST API, which we will discuss shortly.
Why is it dangerous?
Simply because it is a potential doorway into your WP “back-end” and it is often targeted by brute force attacks from bots and hackers attempting to gain access by trying thousands of password combinations.
Very few WP sites make any reasonable use of XML-RPC, and if this function is not required then it is advisable to disable it. It is best to do this with the aid of a good security plug-in such as iThemes Security, or by adding a simple rule to your htaccess file as below. This rule blocks all access to the xmlrpc.php file. Don't just delete the file from the root directory: a core update will put it back, and the rule keeps working regardless.
XML-RPC is very much a legacy feature of WP which may eventually disappear, but at the time of writing (version 5.6.2) it is still present and enabled by default.
How to Disable XML-RPC
Use the iThemes Security plugin:
SETTINGS ➔ WORDPRESS TWEAKS ➔ DISABLE XML-RPC
Alternatively you can disable XML-RPC by adding a file blocking rule to your htaccess file.
Add the following code just before the # BEGIN WordPress comment.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    # Apache 2.2 access-control syntax; still works on Apache 2.4 when mod_access_compat is loaded
    order deny,allow
    deny from all
    # On Apache 2.4 without mod_access_compat, use this line instead of the two above:
    # Require all denied
</Files>
CAUTION – small errors in the htaccess file can make your site inaccessible. Keep a backup copy of the file before editing, and work on htaccess at your own risk. After saving, confirm the rule works by requesting xmlrpc.php in a browser: you should get a 403 Forbidden response rather than the usual "XML-RPC server accepts POST requests only" message.
Next we will look at the REST API. As discussed above, this has a similar but much more sophisticated function.
What is it?
REpresentational State Transfer (REST) is a relatively new addition to the WordPress engine-room and in many ways is a more sophisticated and even more extensible alternative to the old XML-RPC method. The REST API has many funky features and some very cool uses. It is great for dynamically linking mobile apps with your site, or with its features, enabling fully interactive two-way communication. It can be a useful asset to a business. However, setting up a REST API in a reliable and secure way is quite specialised work and has little use for many of us running a typical information site.
So again, if you are not using this feature of WP it should be disabled. As with XML-RPC, REST does not go away just because it is unused. Think of these functions as always-on: permanently open windows or unlocked doors to your site.
Why is it dangerous?
The REST API also provides a potential login route to your WordPress back-end and database that will be a target for brute-force attackers. However, REST also has a rather unpleasant habit of making large amounts of sensitive information about your site and installation public. It does this by outputting configuration details in JSON format, which is easily human-readable. The REST API index lists the endpoints registered by your plugins, and the API can reveal the user names of registered site admins and editors. When the REST API is enabled on your installation, simply appending /wp-json/ to the end of your site URL can reveal a shocking amount of information about your WordPress installation.
How to Disable REST API
Disabling the REST API is a bit more involved than XML-RPC, and I list the procedures below. It requires removing the REST discovery links from both the HTML head (output by header.php) and the HTTP response header, and restricting access to the API itself.
The REST API can also be disabled with the iThemes Security plugin by going to the WordPress Tweaks panel and disabling it there.
Disabling the REST API manually requires adding three items to the functions file, as follows:
// Add to the active theme's functions.php (or a small site-specific plugin).

// Disable the REST API link tag in the HTML <head>
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );

// Disable the REST API (wp-json) for everyone except logged-in administrators.
// Note: the block editor relies on the REST API, so non-admin users such as
// editors will lose the block editor once this filter is in place.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another filter has already decided (WP_Error or true): respect it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Not logged in.', array( 'status' => 401 ) );
    }
    // Check a capability rather than passing a role name to current_user_can();
    // 'manage_options' is held by administrators. 403: authenticated but not authorised.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_not_admin', 'Not an administrator.', array( 'status' => 403 ) );
    }
    return $result;
} );

// Remove the REST API Link: header from HTTP responses
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
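The following Python script is an added example and not part of the original post. It checks a site from the outside for the two exposures described earlier (a live xmlrpc.php, and an open /wp-json/ index that lists plugin namespaces and user slugs) and confirms that the htaccess rule and the PHP filter above have taken effect. The /wp-json/wp/v2/users path is the core users endpoint; the User-Agent string and all sample responses are constructed for the example.

```python
"""Audit what a WordPress site exposes via xmlrpc.php and the REST API.
Added example, not code from the blog post. Sample responses are constructed;
real requests happen only when a base URL is given on the command line."""
import json
import sys
import urllib.error
import urllib.request

PATHS = ["/xmlrpc.php", "/wp-json/", "/wp-json/wp/v2/users"]

def fetch(url):
    """GET url, returning (status, body); non-2xx answers are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-exposure-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def xmlrpc_state(status, body):
    """A live xmlrpc.php answers GET with 405 and a fixed message; the
    .htaccess rule from the post makes Apache answer 403 instead."""
    if status == 403:
        return "blocked"
    if status == 405 and "accepts POST requests only" in body:
        return "enabled"
    return "unknown"

def rest_state(status, body):
    """/wp-json/ is 200 with the index when open; after the PHP filter from the
    post, anonymous callers get a JSON WP_Error such as rest_not_logged_in."""
    if status == 200:
        return "open"
    try:
        code = json.loads(body).get("code", "")
    except (ValueError, AttributeError):
        code = ""
    return "restricted" if status in (401, 403) and code.startswith("rest_") else "unknown"

def exposed_namespaces(index_body):
    """Namespaces in the API index: every plugin registering routes shows up here."""
    return sorted(json.loads(index_body).get("namespaces", []))

def exposed_users(users_body):
    """(id, slug) per account; the slug defaults to the login name."""
    return [(u["id"], u["slug"]) for u in json.loads(users_body)]

def audit(responses):
    """Build an exposure report from {path: (status, body)}."""
    index_status, index_body = responses["/wp-json/"]
    report = {"xmlrpc": xmlrpc_state(*responses["/xmlrpc.php"]),
              "rest": rest_state(index_status, index_body),
              "namespaces": [], "users": []}
    if report["rest"] == "open":
        report["namespaces"] = exposed_namespaces(index_body)
        users_status, users_body = responses["/wp-json/wp/v2/users"]
        if users_status == 200:
            report["users"] = exposed_users(users_body)
    return report

# Constructed responses for an unhardened site (the plugin namespace is made up).
SAMPLE_OPEN = {
    "/xmlrpc.php": (405, "XML-RPC server accepts POST requests only."),
    "/wp-json/": (200, json.dumps({"name": "Example Site",
                                   "namespaces": ["wp/v2", "oembed/1.0", "example-plugin/v1"]})),
    "/wp-json/wp/v2/users": (200, json.dumps([{"id": 1, "name": "Site Admin", "slug": "admin"},
                                              {"id": 3, "name": "Jane Editor", "slug": "jane"}])),
}

# Constructed responses after the .htaccess rule and the PHP filter are in place.
_DENIED = json.dumps({"code": "rest_not_logged_in", "message": "Not logged in.",
                      "data": {"status": 401}})
SAMPLE_HARDENED = {
    "/xmlrpc.php": (403, "<html><body>Forbidden</body></html>"),
    "/wp-json/": (401, _DENIED),
    "/wp-json/wp/v2/users": (401, _DENIED),
}

def main(argv):
    if len(argv) > 1:  # e.g. python audit.py https://example.com
        responses = {p: fetch(argv[1].rstrip("/") + p) for p in PATHS}
    else:
        responses = SAMPLE_OPEN
    print(json.dumps(audit(responses), indent=2))

if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the report for the constructed unhardened sample, or with your own site's base URL to audit the live responses; a properly hardened site should report "blocked" for xmlrpc and "restricted" for rest, with empty namespace and user lists.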
In a previous post about cleaning up the WP header file I also talked about removing various REST links.