Disable REST API Anonymous Access? | ww.wp.xz.cn

Resolved linux4me2
(@linux4me2)

9 years, 6 months ago

With WordPress 4.7, the REST API allows anonymous access to a site’s user’s userid, username, gravatar hash and website URL All anyone has to do is visit a WordPress 4.7 site via the URL example.com/wp-json/wp/v2/users and they get a nice list of userids for all the admins.

Before WordPress 4.7, it was possible to disable the REST API with a filter, but that no longer seems to work.

Maybe the folks at WordPress are going to plug this hole, but if not, it would be great if you could add protection against anonymous access to the REST API to the Shield plugin.

Viewing 4 replies - 1 through 4 (of 4 total)

Plugin Author Paul
(@paultgoodchild)

9 years, 6 months ago

Yep, we’re on it. We plan to release the update early tomorrow.

Thread Starter linux4me2
(@linux4me2)

9 years, 6 months ago

Awesome! Thanks, Paul.

Plugin Author Paul
(@paultgoodchild)

9 years, 6 months ago

Just in-case you haven’t got it yet, it’s in v5.6.0 and is under Lockdown > System

Thread Starter linux4me2
(@linux4me2)

9 years, 6 months ago

I just tried it out, and it works perfectly. Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Disable REST API Anonymous Access?’ is closed to new replies.

4 replies
2 participants
Last reply from: linux4me2
Last activity: 9 years, 6 months ago
Status: resolved