Overview
- Use a plugin to block access to the Rest API (MOST RECOMMENDED WAY)
- Create a redirect rule in the .htaccess configuration file to block all requests to the vulnerable URL.
- Modify source code
Note
In a few cases, with the new Gutenberg UI, restricting the REST API while keeping WordPress functional causes problems: saving a post can fail with Gutenberg because the request to the API is blocked, while the same post is processed fine in the classic editor.
Method 1: Using a WordPress plugin
From experience, we recommend using either Disable REST API or iThemes Security.
Using Disable REST API plugin
- From within your WordPress dashboard, go to Add Plugin.
- Search for the plugin called Disable REST API or iThemes Security (or another plugin with good reviews for the same purpose)
- Install and activate the plugin, and that's it.
Using iThemes Security plugin
- From within your WordPress dashboard, go to Add Plugin.
- Search for the plugin called iThemes Security REST API
- Install and activate the plugin
- In iThemes settings, go to WordPress Tweaks
- Scroll down to REST API and select the Restricted Access option. That's it.
[Screenshot: WordPress Tweaks, REST API options in the iThemes Security settings]
iThemes Security is a multi-functional security plugin for WordPress. If you're using it to restrict the REST API, consider its other features to protect your site as well.
Note:
You can also download the recommended plugins directly from the following links and upload them through your WordPress dashboard or an FTP application.
- Disable REST API - wordpress.org - disable-json-api
- iThemes Security - wordpress.org - better-wp-security
Method 2: Use a redirect rule in the .htaccess configuration file
# BLOCK REQUESTS TO THE WP REST API
# Block/Forbid requests to: /wp-json/wp/
# WP REST API request methods: GET, POST, PUT, PATCH, DELETE
# Note: %{REQUEST_URI} never contains the query string, so the
# ?rest_route=/wp/... form of the same request needs its own condition.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/ [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)rest_route=(/|%2F)wp(/|%2F) [NC]
RewriteRule ^(.*)$ - [F]
</IfModule>
Method 3: Modify source code in WordPress
To remove the default post types from the API:
// The priority passed to remove_filter() must match the one core used when
// it hooked the callback (11 in current core, an assumption to verify against
// wp-includes/default-filters.php for your version); with the default of 10
// the callback is not removed.
add_action( 'plugins_loaded', function () {
    remove_filter( 'init', '_add_extra_api_post_type_arguments', 11 );
} );
If you want to remove all endpoints from the API:
// create_initial_rest_routes is hooked to rest_api_init at priority 99 in
// current core (verify for your version). Note: this also breaks Gutenberg,
// which saves posts through these endpoints.
add_action( 'plugins_loaded', function () {
    remove_filter( 'rest_api_init', 'create_initial_rest_routes', 99 );
} );
Alternative code for the functions.php file
// Require a logged-in user for every REST request. When this callback runs
// (default priority 10) is_user_logged_in() reflects the user identified from
// the login cookie, so dashboard and Gutenberg requests keep working; core's
// own nonce check on this same filter runs later, at priority 100.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier check already passed (true) or failed (WP_Error): respect it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
    }
    return $result;
} );
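The snippet above blocks every anonymous request, which is why integrations that legitimately need public endpoints (and, with the other methods, Gutenberg) can break as noted at the top. The following is an added example, not code from the article: it requires a logged-in user but keeps an allowlist of route prefixes public. It uses the core rest_pre_dispatch filter, which fires after core has finished authenticating the request, and compares $request->get_route(), which is identical for the /wp-json/... and ?rest_route=... URL forms. The function names and the second allowlist entry are hypothetical placeholders.

```php
<?php
// Added example (not from the original article). Install as an mu-plugin in
// wp-content/mu-plugins/ or add to the theme's functions.php.

/**
 * Route prefixes that anonymous clients may still call. The oEmbed entry is a
 * core route; the second entry is a hypothetical placeholder for a plugin
 * namespace your site actually needs. Adjust this list before use.
 */
function example_public_rest_prefixes() {
	return array(
		'/oembed/1.0/embed',   // core: lets other sites embed your posts
		'/my-form-plugin/v1/', // placeholder: replace with a real namespace or remove
	);
}

/** True when $route starts with one of the allowlisted prefixes. */
function example_rest_route_is_public( $route ) {
	foreach ( example_public_rest_prefixes() as $prefix ) {
		if ( 0 === strpos( $route, $prefix ) ) {
			return true;
		}
	}
	return false;
}

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	// Another filter already short-circuited the request: leave it alone.
	if ( null !== $result ) {
		return $result;
	}
	// Core's cookie/nonce check has already run by now, so is_user_logged_in()
	// reflects the request's final identity (a cookie without a valid nonce
	// has already been downgraded to an anonymous request).
	if ( is_user_logged_in() || example_rest_route_is_public( $request->get_route() ) ) {
		return $result; // null: let core dispatch to the endpoint as usual
	}
	return new WP_Error(
		'rest_not_logged_in',
		'Only authenticated users can access the REST API.',
		array( 'status' => 401 )
	);
}, 10, 3 );
```

After installing it, repeat the verification step below for both /wp-json/wp/v2/users/1 and /?rest_route=/wp/v2/users/1 while logged out, and confirm that a route on the allowlist still answers.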
How to verify the REST API is disabled/protected in WordPress
- Visit the following URL replacing example.com with your website's address: **example.com**/?rest_route=/wp/v2/users/1
- You should see a message in your browser that says something like the following:
{"code":"rest_cannot_access","message":"DRA: Only authenticated users can access the REST API.","data":{"status":401}}
Why disable/protect the REST API in WordPress
Links for additional information on this topic
- digwp - Securing the WP REST API
- stackoverflow.com - Safely disable WP REST API
- wpengine - REST API Vulnerability
- wpsuperstars - A Quick Start Guide To The WordPress REST API