

WordPress REST API and the Security Worries

The infrastructure of the WordPress REST API will be included in the core of WordPress version 4.4. The release of WordPress version 4.5 will also include a number of endpoints for the REST API. The addition of this new functionality in WordPress core has raised a few eyebrows. Many are already concerned and as usual, WordPress security is the hot topic. Before going into a frenzy let’s take a look at what the REST API is, and if from the WordPress security point of view it is something that you should worry about or not.

What is the WordPress REST API?

REST stands for Representational State Transfer. It is a stateless client-server protocol that is mostly used over HTTP. In case that does not mean much to you, REST is a standard protocol which is mostly used over the web and is not something specific to WordPress. The WordPress REST API therefore makes your WordPress website available as a web service. This means that other websites, mobile applications, desktop / server software and other components can programmatically retrieve data from your WordPress website easily and automatically, without needing to access the website from a browser. You can read the REST protocol and Web Services articles on Wikipedia for more information on these subjects.

Basic Example of How the WordPress REST API Works

To retrieve information from a target website you need to send a specific HTTP GET request that the REST API understands. For example, in the case below I am sending an HTTP GET query to a local test website I have running on my test server.

[Screenshot: Querying the WordPress REST API]

As you can see from the above screenshot, the website does not return any information that is not already publicly available, but it returns it in a specific format that can be easily parsed and understood by other automated means. In the example below I am sending an HTTP request to get a list of all the posts saved on my test website. The request URL is http://www.local.com/wp-json/wp/v2/posts/

[Screenshot: Using the WordPress REST API to list all posts]

What Information Can be Retrieved from the WordPress API?

By default everyone can anonymously query the WordPress API running on your WordPress website to retrieve information which is already publicly available, such as posts, pages, media files etc.

Other WordPress REST API Uses and Authentication

The WordPress REST API can also be used to both retrieve and update user profile information or a post, though such tasks can only be performed once authenticated. In concept, therefore, the WordPress REST API offers the same functionality as a normal WordPress install does, without needing a human-friendly interface.

Does the WordPress REST API Pose Any New Security Risks?

The answer is yes and no. No because the information that is available via the WordPress REST API is already available to the public via other means, such as the website itself and RSS. The only difference between the front-end of the website, RSS and the REST API is the way the data is presented.

It might pose new security risks simply because, at the end of the day, it is an additional attack surface on WordPress. And from the security point of view, the more attack surface you expose, the more options attackers have to exploit. Though it will only become an actual security flaw if a vulnerability is identified in the REST API, and so far none has been found. So there is no need to worry for now, and as long as you keep your WordPress up to date you should not have any problems.

How to Disable the WordPress REST API

If for some reason you want to disable the WordPress REST API you can add the following code snippet to your site-specific WordPress plugin or functions.php file. Note that the callback is WordPress's built-in __return_false helper, spelled with two leading underscores; with a single underscore the filter would point at a function that does not exist.

add_filter( 'rest_enabled', '__return_false' );       // switch the REST API off
add_filter( 'rest_jsonp_enabled', '__return_false' ); // and its JSONP variant
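Disabling the whole API is a blunt instrument, and as one of the comments below points out, front-end plugins increasingly need some routes reachable anonymously. The following site-specific plugin is an added example (not code from the original post or from WordPress core) of the middle ground: every REST request requires a logged-in user except an explicit allow-list of read-only routes. It assumes WordPress 4.4 or later, where the rest_pre_dispatch filter and WP_REST_Request::get_route() exist; the example_ function names, the allow-list patterns and the rest_login_required error code are constructed for this illustration.

```php
<?php
/*
 * Plugin Name: Example REST API Restriction
 * Description: Added example, not from the original post or WordPress core.
 * Requires a logged-in user for every REST request except an allow-list of
 * read-only routes. Assumes WordPress 4.4+, where the 'rest_pre_dispatch'
 * filter and WP_REST_Request::get_route() are available.
 */

// Constructed allow-list: regular expressions matched against the REST route
// (the part of the URL after /wp-json). Only these may be read anonymously.
function example_rest_public_route_patterns() {
    return array(
        '#^/wp/v2/posts(/\d+)?$#',
        '#^/wp/v2/pages(/\d+)?$#',
    );
}

// True when $route matches one of the allow-listed patterns.
function example_rest_route_is_public( $route ) {
    foreach ( example_rest_public_route_patterns() as $pattern ) {
        if ( preg_match( $pattern, $route ) ) {
            return true;
        }
    }
    return false;
}

// Runs before WordPress dispatches a REST request. Returning null lets the
// request continue to its normal handler; returning a WP_Error makes the
// server answer with that error and its HTTP status code instead.
function example_rest_restrict( $result, $server, $request ) {
    // Another filter has already short-circuited this request: respect it.
    if ( null !== $result ) {
        return $result;
    }

    // Authenticated users keep the per-route capability checks WordPress
    // already applies (for example edit_posts when updating a post).
    if ( is_user_logged_in() ) {
        return null;
    }

    // Anonymous callers get read-only access to the allow-listed routes only.
    if ( 'GET' === $request->get_method()
        && example_rest_route_is_public( $request->get_route() ) ) {
        return null;
    }

    // Everything else is refused with 401 before any handler runs.
    return new WP_Error(
        'rest_login_required',
        'Authentication is required to use this REST API route.',
        array( 'status' => 401 )
    );
}
add_filter( 'rest_pre_dispatch', 'example_rest_restrict', 10, 3 );

// JSONP lets a page on any origin read API responses as script; keep it off.
add_filter( 'rest_jsonp_enabled', '__return_false' );
```

Two caveats when using something like this. First, in a REST request the cookie session only counts as logged in when the request also carries a valid REST nonce, so front-end scripts acting for a logged-in user must send the X-WP-Nonce header or they will be treated as anonymous and hit the allow-list. Second, the allow-list is matched only against the route, so anything a public route exposes through its own query parameters (author, search and so on) stays exposed; restrict those with the route's own filters if they matter for your site.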

Stop Worrying About the Security of WordPress REST API

The new WordPress REST API code is vetted by many security professionals, just as the core code of WordPress is. And yes, the WordPress core has had its fair share of vulnerabilities, but they were always addressed on time. So as long as you keep your WordPress up to date you should not have any issues. Stop worrying about the WordPress REST API and start planning your next big project. The new WordPress REST API opens up a myriad of new development opportunities, and we will definitely see WordPress at the core of much bigger internet-based services.

2 thoughts on “WordPress REST API and the Security Worries”

  1. Well, so far I was able to keep the URL routes to the REST API locked for non-admins, but now that more and more plugins need API access for anonymous frontend display, I am forced to open at least some routes.
    After reading your post (and others, too) about relying on the REST API being safe enough to be left open, I was a bit relieved.

    However, it still opens up some kind of “back door” – not in the way that secret content is revealed, but content is revealed and offered in a different way than what authors/publishers aim for when creating a site.
    It is hard to explain to customers that their site is not “hacked” when they make panic calls just because someone sent them an API link where all the content of their site is published as JSON.
    Also, what you say about fixing security holes might be true for WP Core, but not necessarily for the authors of plugins. But hey – if we don’t trust them we might as well not install their plugins at all …

    1. Indeed, many website owners are not technical so they tend to “panic” when they see an alert from some plugin about a request. It’s a question of training and awareness, and also our responsibility to create better products and solutions that help users in a meaningful way, rather than falsely alerting them.
