Title: WP REST API problem
Last modified: January 27, 2025

---

# WP REST API problem

 *  Resolved [herbafill](https://wordpress.org/support/users/herbafill/)
 * (@herbafill)
 * [1 year, 4 months ago](https://wordpress.org/support/topic/wp-rest-api-problem/)
 * Hi,
 * I started with disabling unauthorized REST API access, and everything was OK
   until the QUICC Cloud image optimization service wanted to call home to me when
   the job finished so the site could get a new batch of optimized images.
   It didn’t work because QUICC cloud uses the public REST API to call home. So I
   enabled unauthorized REST API calls, and then the QUICC services could happily
   call home. After a while I got a smart Russian hacker who (I still don’t know
   how) impersonated the admin, called the REST API with the Insert User function
   and implanted an admin into the site. Thank God I caught it very soon (30 minutes
   after the user was created) and deleted it, plus banned the whole ASN of
   the guy. Can someone explain to me how it is possible to create an admin user
   through the REST API without logging in? The plugin audit log says the admin
   created a user successfully. I am the admin and I did not create the user, nor
   was I using the REST API. The password is a random string managed by NordPass and
   the login form is filled out only through NordPass. Now I am very concerned about
   leaving the REST API open. But I needed it for the cloud services. Can we restrict
   the REST API to an IP allow list only?
 * Best Regards

 *  Plugin Support [hjogiupdraftplus](https://wordpress.org/support/users/hjogiupdraftplus/)
 * (@hjogiupdraftplus)
 * [1 year, 4 months ago](https://wordpress.org/support/topic/wp-rest-api-problem/#post-18270222)
 * Hi [@herbafill](https://wordpress.org/support/users/herbafill/)
 * It is possible to create the admin user using the REST API, but you need to be
   authenticated for that.
 * [https://developer.wordpress.org/rest-api/reference/users/#create-a-user](https://developer.wordpress.org/rest-api/reference/users/#create-a-user)
 * WP Security > Dashboard > Audit logs – the User registration type filter has that
   stack trace. If you can share it using [https://pastebin.com/](https://pastebin.com/),
   with burn after read if possible, it will be good.
 * You cannot right now allow the REST API for particular IPs.
 * We are working on a feature where you can whitelist a particular plugin namespace
   so that only REST API endpoints are allowed.
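
A site-side way to get the restriction asked about above, as an added example that is not AIOS code and not part of the original thread: a must-use plugin hooks WordPress's `rest_authentication_errors` filter and lets unauthenticated REST requests through only for one plugin namespace and only from listed source ranges. The namespace, the CIDR ranges and every `example_` name are placeholders.

```php
<?php
// Added example, not AIOS code. Placeholders: namespace, CIDR ranges, example_* names.
const EXAMPLE_ALLOWED_NAMESPACE = '/example-plugin/v1/';
const EXAMPLE_ALLOWED_CIDRS     = array( '192.0.2.0/24', '2001:db8::/32' ); // documentation ranges

// True when $ip lies inside $cidr; works for IPv4 and IPv6.
function example_ip_in_cidr( $ip, $cidr ) {
	$parts   = explode( '/', $cidr, 2 );
	$ip_bin  = @inet_pton( $ip );
	$net_bin = @inet_pton( $parts[0] );
	if ( false === $ip_bin || false === $net_bin || strlen( $ip_bin ) !== strlen( $net_bin ) ) {
		return false; // unparsable address, or IPv4 compared against IPv6
	}
	$max = strlen( $ip_bin ) * 8;
	// A non-numeric prefix length becomes -1 and is rejected, never treated as /0.
	$bits = isset( $parts[1] ) ? ( ctype_digit( $parts[1] ) ? (int) $parts[1] : -1 ) : $max;
	if ( $bits < 0 || $bits > $max ) {
		return false;
	}
	$full = intdiv( $bits, 8 ); // whole bytes that must match exactly
	if ( substr( $ip_bin, 0, $full ) !== substr( $net_bin, 0, $full ) ) {
		return false;
	}
	$rem = $bits % 8; // leftover bits in the next byte
	if ( 0 === $rem ) {
		return true;
	}
	$mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
	return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $net_bin[ $full ] ) & $mask );
}

add_filter( 'rest_authentication_errors', function ( $result ) {
	// Keep earlier verdicts; logged-in users still face each route's permission checks.
	if ( true === $result || is_wp_error( $result ) || is_user_logged_in() ) {
		return $result;
	}
	// rest_route is set for /wp-json/... and for index.php?rest_route=... alike.
	$vars  = $GLOBALS['wp']->query_vars;
	$route = isset( $vars['rest_route'] ) ? trailingslashit( (string) $vars['rest_route'] ) : '/';
	$ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	if ( 0 === strpos( $route, EXAMPLE_ALLOWED_NAMESPACE ) ) {
		foreach ( EXAMPLE_ALLOWED_CIDRS as $cidr ) {
			if ( example_ip_in_cidr( $ip, $cidr ) ) {
				return $result; // allowed caller, allowed namespace
			}
		}
	}
	return new WP_Error( 'example_rest_denied', 'REST API access denied.', array( 'status' => 403 ) );
} );
```

Behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address, so the allow list has to be built from what the web server actually sees.
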
 *  Thread Starter [herbafill](https://wordpress.org/support/users/herbafill/)
 * (@herbafill)
 * [1 year, 4 months ago](https://wordpress.org/support/topic/wp-rest-api-problem/#post-18270686)
 * Hi [@hjogiupdraftplus](https://wordpress.org/support/users/hjogiupdraftplus/)
 * Thank you for the reply. I did an unlisted paste on Pastebin. But in the stack
   trace there is nothing sensitive. Where can I send you the link and the password?
 * Best Regards
 *  Plugin Support [hjogiupdraftplus](https://wordpress.org/support/users/hjogiupdraftplus/)
 * (@hjogiupdraftplus)
 * [1 year, 4 months ago](https://wordpress.org/support/topic/wp-rest-api-problem/#post-18271548)
 * Hi [@herbafill](https://wordpress.org/support/users/herbafill/),
 * You can share that pastebin.com link here if it is ok for you.
 * Regards
 *  Thread Starter [herbafill](https://wordpress.org/support/users/herbafill/)
 * (@herbafill)
 * [1 year, 4 months ago](https://wordpress.org/support/topic/wp-rest-api-problem/#post-18272920)
 * Hi [@hjogiupdraftplus](https://wordpress.org/support/users/hjogiupdraftplus/)
 * Here it is:
 * [https://pastebin.com/DU0gAfpk](https://pastebin.com/DU0gAfpk)
 * Best Regards
 *  Plugin Support [hjogiupdraftplus](https://wordpress.org/support/users/hjogiupdraftplus/)
 * (@hjogiupdraftplus)
 * [1 year, 4 months ago](https://wordpress.org/support/topic/wp-rest-api-problem/#post-18274794)
 * Hi [@herbafill](https://wordpress.org/support/users/herbafill/),
 * I can see that {site_url}/index.php is being called, not the actual REST endpoint
   `/wp/v2/users`.
 * Can you please cross-check whether you have any plugin code which is supposed to
   create a user with a REST request locally, as it might be that you were logged in
   as admin while that script was making this REST call. It is hard to say, though,
   and requires proper investigation.
 * Regards
