• Resolved jaquezv

    (@jaquezv)


    Currently going through the website and I have several links that are giving me 401 Unauthorized. When I click on the bad link I get the following message: {"code":"itsec_rest_api_access_restricted","message":"You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by iThemes Security settings.","data":{"status":401}}

    How does this setting get updated/corrected to fix these errors within my site? Is there a plugin that I need to add/run in WP for this? My domain has not changed so Velvet Blue would not work.


Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @jaquezv, thanks for reaching out!

    Can you please try setting the REST API option to “Default Access” in the Security > Settings > Advanced > WordPress Tweaks and see if it resolves the 401 error?

    I hope this helps!

    Thread Starter jaquezv

    (@jaquezv)

    The default setting states that it could give public access to information that we believe is private on the site; could you expand on this and/or give an example?

    Hi @jaquezv,

    A good example is the List Users endpoint:

    https://www.example.com/wp-json/wp/v2/users

    It can be used to retrieve a collection of users. By default this endpoint is publicly accessible. Very popular amongst brute force attackers …

    +++++ To prevent any confusion, I’m not iThemes +++++

    Plugin Support chandelierrr

    (@shanedelierrr)

    @jaquezv, WordPress REST API allows other applications (mobile apps/websites) to interact with WP sites by sending and receiving data in JSON format. The application can then use this data to display or manipulate content on the site.

    Per the official WP REST API documentation:

    The REST API is a developer-oriented feature of WordPress. It provides data access to the content of your site, and implements the same authentication restrictions — content that is public on your site is generally publicly accessible via the REST API, while private content, password-protected content, internal users, custom post types, and metadata is only available with authentication or if you specifically set it to be so.

    To add to nlpro’s example, the route wp-json/wp/v2/posts returns a list of posts (GET endpoint) and can accept an authenticated request to create posts (POST endpoint). You can view the available REST API endpoints here.

    As brute-force attackers can use some publicly available endpoints, iTSec has a setting to Restrict Access to most REST API data. This will require a logged-in user for most requests and help block public requests to potentially private data. However, some third-party plugins/services require default access to the WP REST API to work, which could be what’s happening on your site. In this case, we recommend changing the setting to Default Access.

    I hope this helps!
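The behaviour described in this thread (nlpro's point that wp-json/wp/v2/users is public by default, and chandelierrr's description of the Restrict Access setting that requires a logged-in user for most requests) can be reproduced with a small must-use plugin. The snippet below is an added illustration and is not iThemes Security code or its implementation: it rejects unauthenticated REST requests with a 401 unless the route is on an explicit allow-list, which is one way to keep restricted access while still letting a third-party plugin reach the routes it needs. The allow-list contents, the function names and the error code string are placeholders chosen for the example.

```php
<?php
/**
 * Plugin Name: Example REST API allow-list (illustration only, not iThemes Security)
 *
 * Save as wp-content/mu-plugins/example-rest-allowlist.php. Unauthenticated REST
 * requests get a 401 unless their route starts with an allow-listed prefix.
 */

// Hypothetical allow-list of route prefixes that stay public. Anything not listed
// here (for example /wp/v2/users) requires a logged-in user.
const EXAMPLE_PUBLIC_REST_PREFIXES = array(
	'/wp/v2/posts',       // public content, as the WP docs quoted above describe
	'/example-plugin/v1', // placeholder: the routes your third-party plugin needs
);

/**
 * True when $route equals an allow-listed prefix or lives underneath one.
 */
function example_rest_route_is_public( $route ) {
	$route = '/' . ltrim( (string) $route, '/' );
	foreach ( EXAMPLE_PUBLIC_REST_PREFIXES as $prefix ) {
		if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
			return true;
		}
	}
	return false;
}

/**
 * Authentication gate. Hooked at priority 101 so that core's cookie/nonce check
 * (rest_cookie_check_errors, priority 100) has already run: a browser session
 * without a valid REST nonce is downgraded to anonymous there, and this filter
 * then sees the real authentication state via is_user_logged_in().
 */
function example_rest_require_login( $result ) {
	// An earlier handler already rejected the request (e.g. bad nonce): keep that.
	if ( is_wp_error( $result ) ) {
		return $result;
	}
	// Cookie+nonce or application-password authentication succeeded.
	if ( is_user_logged_in() ) {
		return $result;
	}
	// The route rest_api_loaded() is about to serve, e.g. "/wp/v2/users".
	$route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
		? $GLOBALS['wp']->query_vars['rest_route']
		: '';
	if ( example_rest_route_is_public( $route ) ) {
		return $result;
	}
	// Same shape as the error body quoted at the top of the thread: a JSON
	// object with code, message and data.status. rest_authorization_required_code()
	// yields 401 for anonymous requests.
	return new WP_Error(
		'example_rest_api_access_restricted',
		'Access to this REST API endpoint requires authentication.',
		array( 'status' => rest_authorization_required_code() )
	);
}
add_filter( 'rest_authentication_errors', 'example_rest_require_login', 101 );
```

With this in place, GET /wp-json/wp/v2/posts and the placeholder plugin routes keep working for anonymous visitors, while GET /wp-json/wp/v2/users returns the 401 JSON error unless the request carries a valid session (cookie plus X-WP-Nonce header, or an application password). When a third-party plugin breaks, its 401 responses point at the exact route prefix to add to the allow-list, which is narrower than switching the whole site back to Default Access.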

    Plugin Support chandelierrr

    (@shanedelierrr)

    Hi, I hope the information provided helped. Since we haven’t received a response, I’ll mark this post resolved. If you still need some assistance, feel free to open a new support topic, and we’d be happy to assist. Thank you!


The topic ‘REST API_iThemes setting’ is closed to new replies.