Overview

There are three (3) common solutions:
  1. Use a plugin to block access to the REST API (MOST RECOMMENDED WAY)
  2. Create a redirect rule in the .htaccess configuration file to block all requests to the vulnerable URL.
  3. Modify the source code (your child theme's functions.php file)

Note

In rare cases, restricting the REST API while keeping WordPress functional causes problems with the new Gutenberg (block) editor: saving a post fails because the editor's request to the API is blocked, while the same post saves fine with the Classic Editor.

Method 1: Using a WordPress plugin

From experience, we recommend using either Disable REST API or iThemes Security.

Using Disable REST API plugin

  1. From within your WordPress dashboard, go to Add Plugin.
  2. Search for the plugin called Disable REST API or iThemes Security (or another plugin with good reviews for the same issue).
  3. Install and activate the plugin. That's it.

Using iThemes Security plugin

  1. From within your WordPress dashboard, go to Add Plugin.
  2. Search for the plugin called iThemes Security REST API 
  3. Install and activate the plugin
  4. In iThemes settings, go to WordPress Tweaks
  5. Scroll down to REST API, select the option for Restricted Access. That's it.

[Image: WordPress Tweaks (wordpress-tweaks-ithemes-security.JPG)]

[Image: REST API options in iThemes Security settings (rest-security-in-ithemes-plugin_-_original.JPG)]

iThemes Security is a multi-functional security plugin for WordPress. If you are using it to restrict the REST API, consider its other features to protect your site as well.

Note:

You can also download the recommended plugins directly from the following link and upload them through your WordPress dashboard or an FTP application.

Method 2: Use a redirect rule in the .htaccess configuration file

The rule below forbids requests to the core REST API routes. It matches both URL forms WordPress accepts: the pretty-permalink form /wp-json/wp/ and the plain form ?rest_route=/wp/ (which is also the form used in the verification step below); blocking only one form would leave the other open.

# BLOCK REQUESTS TO THE WP REST API
# Forbid requests to: /wp-json/wp/  and  ?rest_route=/wp/ (also URL-encoded as %2Fwp%2F)
# WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/ [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)rest_route=(/|%2F)wp(/|%2F) [NC]
RewriteRule ^(.*)$ - [F]
</IfModule>

If your site lives in a subdirectory, or .htaccess already contains the WordPress rewrite block, place this block above "# BEGIN WordPress" so it is evaluated first.

Method 3: Modify source code in WordPress

You can disable the functionality using your child theme's functions.php file.
 

To remove the default post types from the API:

add_action( 'plugins_loaded', function () {
    // Core registers this callback on 'init' at priority 11 (wp-includes/default-filters.php).
    // remove_action() only finds the callback when the priority matches, so it must be passed.
    remove_action( 'init', '_add_extra_api_post_type_arguments', 11 );
} );

If you want to remove all endpoints from the API (this also removes the routes the block editor needs; see the note above):

add_action( 'plugins_loaded', function () {
    // Core registers this callback on 'rest_api_init' at priority 99.
    remove_action( 'rest_api_init', 'create_initial_rest_routes', 99 );
} );

Ref: https://github.com/WP-API/WP-API/issues/2338

 

Alternative code for functions.php file

This version keeps the API available to logged-in users (the block editor authenticates its requests with a cookie and nonce, so it keeps working) and rejects every anonymous request.

// Refuse all REST API requests that are not made by a logged-in user.
add_filter( 'rest_authentication_errors', function( $result ) {
    // An earlier authentication check already produced a result (true or WP_Error): keep it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // No authenticated user: answer with 401 and stop the request here.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
    }
    return $result;
} );
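For sites where blocking the whole API breaks the block editor (see the note at the top), a narrower option is to block only the routes that expose usernames. The snippet below is an added example and is not code from the original article or from the plugins it names; it uses only WordPress core hooks and functions (rest_pre_dispatch, rest_endpoints, current_user_can, rest_authorization_required_code). The function names with the example_ prefix are this example's own choices. Add it to your child theme's functions.php (which already opens with <?php) or to a small mu-plugin.

```php
// Added example: restrict only the user-listing routes of the WP REST API
// (/wp/v2/users and /wp/v2/users/<id>) to logged-in users who may list users,
// and leave every other route untouched so the block editor keeps working.
// Function names prefixed "example_" are hypothetical names chosen here.

// The two routes that enumerate users, keyed exactly as core registers them.
function example_user_listing_routes() {
    return array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' );
}

// Does a requested path hit one of those routes? /wp/v2/users/me and its
// sub-routes stay available: the block editor and the profile screen use them.
// WordPress maps both /wp-json/wp/v2/users and ?rest_route=/wp/v2/users to the
// same internal route string, so this check covers both URL forms.
function example_is_user_listing_request( $route ) {
    if ( 0 === strpos( $route, '/wp/v2/users/me' ) ) {
        return false;
    }
    return (bool) preg_match( '#^/wp/v2/users(/\d+)?/?$#', $route );
}

// Same rule core applies to the admin user list: the list_users capability.
function example_may_list_users() {
    return is_user_logged_in() && current_user_can( 'list_users' );
}

// 1. Answer user-listing requests with an error before any controller runs.
//    rest_authorization_required_code() returns 401 for anonymous visitors and
//    403 for logged-in users who lack the capability.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result || example_may_list_users() ) {
        return $result; // something else already answered, or the user is allowed
    }
    if ( example_is_user_listing_request( $request->get_route() ) ) {
        return new WP_Error(
            'rest_user_cannot_view',
            'Sorry, you are not allowed to list users.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $result;
}, 10, 3 );

// 2. Also drop the two routes from the API index (/wp-json/) for the same
//    visitors, so they are not advertised in the discovery output either.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( example_may_list_users() ) {
        return $endpoints;
    }
    foreach ( example_user_listing_routes() as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
```

With this in place, an anonymous request to example.com/?rest_route=/wp/v2/users/1 or example.com/wp-json/wp/v2/users receives a 401 response with code rest_user_cannot_view, a logged-in Author (no list_users) receives 403, and Editors and Administrators see the normal result. Posts still save from the block editor because the post, media and /users/me routes are not touched.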

 

How to verify the REST API is disabled/protected in WordPress

  • Visit the following URL, replacing example.com with your website's address: example.com/?rest_route=/wp/v2/users/1
  • Also check the pretty-permalink form of the same endpoint, example.com/wp-json/wp/v2/users, since a rule that only matches one URL form leaves the other open.
  • You should see a message in your browser that says something like the following:
    {"code":"rest_cannot_access","message":"DRA: Only authenticated users can access the REST API.","data":{"status":401}}
  • If instead you see a JSON document containing "slug" and "name" fields, the API is still exposing user information.

Why disable/protect the REST API in WordPress

If public access is allowed to the REST API, it can disclose valid usernames. Those usernames can then be used by attackers to launch password-guessing (brute force) attacks against your login page, or through other methods such as xmlrpc.php POST requests. Additionally, attackers could intentionally make incorrect password attempts to lock valid users out of the website.

Links for additional information on this topic

Links for Penetration Testers
