WordPress REST API and the Security Worries

Last updated on August 31st, 2018 by Robert Abela. Filed under WordPress Security News

The infrastructure of the WordPress REST API will be included in the core of WordPress version 4.4, and the release of WordPress version 4.5 will add a number of endpoints for the REST API. The addition of this new functionality to WordPress core has raised a few eyebrows. Many are already concerned and, as usual, WordPress security is the hot topic. Before going into a frenzy, let’s take a look at what the REST API is, and whether, from the WordPress security point of view, it is something you should worry about.

What is the WordPress REST API?

REST stands for Representational State Transfer. It is a stateless client-server protocol that is mostly used over HTTP. In case that does not mean much to you: REST is a standard protocol used all over the web and is not something specific to WordPress. The WordPress REST API therefore makes your WordPress website available as a web service. This means that other websites, mobile applications, desktop and server software and other components can programmatically retrieve data from your WordPress website, easily and automatically, without having to load the website in a browser. You can read the REST protocol and Web Services articles on Wikipedia for more information on these subjects.

Basic Example of How the WordPress REST API Works

To retrieve information from a target website you need to send a specific HTTP GET request that the REST API understands. For example in the case below I am sending an HTTP GET query to a local test website I have running on my test server.

Querying the WordPress REST API

As you can see from the above screenshot, the website does not return any information that is not already publicly available, but it returns it in a specific format that can be easily parsed and understood by automated clients. In the example below I am sending an HTTP request to get a list of all the posts saved on my test website. The request URL is http://www.local.com/wp-json/wp/v2/posts/

Using the WordPress REST API to list all posts

What Information Can be Retrieved from the WordPress API?

By default, anyone can anonymously query the WordPress REST API running on your WordPress website to retrieve information which is already publicly available, such as posts, pages, media files, etc.

Other WordPress REST API Uses and Authentication

The WordPress REST API can also be used to both retrieve and update user profile information or a post, though such tasks can only be performed once the client has authenticated. In concept, therefore, the WordPress REST API allows the same functionality as a normal WordPress install does, without the need for a human-friendly interface.

Does the WordPress REST API Pose Any New Security Risks?

The answer is yes and no. No because the information that is available via the WordPress REST API is already available to the public via other means, such as the website itself and RSS. The only difference between the front-end of the website, RSS and the REST API is the way the data is presented.

It might pose new security risks simply because, at the end of the day, it is an additional attack surface on WordPress. And from the security point of view, the larger your attack surface, the more options attackers have to exploit. Though it will only be an actual security flaw if a vulnerability is identified in the REST API, which so far none have been found. So no need to worry for now, and as long as you keep your WordPress up to date you should not have any problems.

How to Disable the WordPress REST API

If for some reason you want to disable the WordPress REST API you can add the following code snippet to your site-specific WordPress plugin or functions.php file.

// Note: the 'rest_enabled' filter is deprecated since WordPress 4.7 and no longer
// disables the API there; on 4.7 and later use the 'rest_authentication_errors' filter.
// The callback is the core helper __return_false (two leading underscores).
add_filter('rest_enabled', '__return_false');
// Disables JSONP responses from the REST API.
add_filter('rest_jsonp_enabled', '__return_false');
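As an added example, not code from the original post: on WordPress 4.7 and later the rest_enabled filter is deprecated, and the supported way to restrict the API is the rest_authentication_errors filter. The file below, intended for wp-content/mu-plugins/, rejects unauthenticated REST requests with a 401 while leaving the API available to logged-in users; the plugin name and error code are my own choices.

```php
<?php
/**
 * Plugin Name: Require login for the REST API (added example, not from the post)
 *
 * Drop this file into wp-content/mu-plugins/. It uses the rest_authentication_errors
 * filter that WordPress 4.7+ provides instead of the deprecated rest_enabled filter.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // A previous callback already decided (WP_Error or true): do not override it.
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Anonymous request: answer with 401 so automated clients get a clear status.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',                                   // hypothetical error code
            'You must be logged in to use the WordPress REST API.',
            array( 'status' => 401 )
        );
    }

    // Logged-in user: return null so core's own cookie/nonce check still runs.
    return $result;
} );
```

Some plugins call the REST API from the front end on behalf of anonymous visitors, so test those features after enabling this.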

Stop Worrying About the Security of WordPress REST API

The new WordPress REST API code is vetted by many security professionals, just like the core code of WordPress is. And yes, the WordPress core has had its fair share of vulnerabilities, but they were always addressed on time. So as long as you keep your WordPress up to date you should not have any issues. So stop worrying about the WordPress REST API and start planning your next big project. The new WordPress REST API opens a myriad of new development opportunities, and we will definitely see WordPress at the core of much bigger internet-based services.


11 comments

Are there any forms of caching or limiting built in? Otherwise I’d see it as a pretty nice vector for DoS-type attacks, where an attacker would hit an endpoint asking for a bunch of database-intensive operations.

Robert Abela 25/11/2015

Hello Jasper,

Very good point, though there is no need for a cache, or better, if you want, you can configure it at the web server level. As explained in the post, the data available through the REST API is already publicly available, so as much as an attacker can create a DoS-type attack on the REST API, he can do the same on the website. Actually, requesting something from the REST API is more efficient than requesting it from the interface, since the request and response contain much less data (the interface itself), so in a way it is more efficient.

Usually when working with REST APIs, the API will allow for means of limiting output and pagination that might not be available to normal WordPress blogs. Requesting 1000 posts from the API will likely be more work for the server than requesting the standard 10 pages from the front page of the website, even including the rendering of the 10 pages.

Robert Abela 26/11/2015

Good point. I am not aware of any limitations so far but definitely something worth looking into.

Daniel 26/11/2015

Hi Robert, very interesting. Do you know how the authentication is going to work? For security reasons we practically had to disable xml-rpc as a preset: we got tired of all the brute force attacks to login this way. Is there going to be an authorization key or a similar solution to prevent this problem?

Cheers,

Daniel

Robert Abela 26/11/2015

Hello Daniel,

Yes, there will be, since the new REST API will support Basic HTTP authentication, OAuth 1.0 and 2.0.

overstatement 13/12/2016

“The new WordPress REST API code is vetted by millions” – this is the biggest misconception ever. There are nowhere near as many people looking at the code and even less capable of spotting vulnerabilities in it. Even stating that 200 people look at each line of code is most likely an overstatement.

Robert Abela 02/01/2017

Hello, thank you for your feedback. I changed it to “vetted by many”. Let’s not forget that many companies which use WordPress, including Government Agencies have their own security teams, or hire third party security professionals to audit their web farm / environment. And if WordPress is installed, it is tested as well. In fact many vulnerabilities that were previously reported in WordPress were reported from private companies who were doing a security audit for a customer of theirs.

Paul Gilzow 13/01/2017

> No because the information that is available via the WordPress REST API is already available to the public via other means

Not necessarily. You can remove all instances of exposure of user names from your site, but the REST API re-exposes those user names via the user endpoint: https://developer.wordpress.org/rest-api/reference/users/

v4.7.1 changed that to only exposing authors for post types included in the REST API, but the default post type is included by default in the REST API, and _any_ author for the default post is then included in the user endpoint even if they haven’t published anything yet. In addition, the user endpoint still exposes the username.

For now the only way around it is to remove the user endpoints from the REST API: https://gist.github.com/gilzow/3b000f07aca9218a505a4827ad002154
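An added example illustrating the comment above; it is not the linked gist nor code from the post. The rest_endpoints filter lets you drop every /wp/v2/users route for anonymous requests only, so usernames cannot be listed through the API while logged-in users keep the endpoint; the plugin name is my own choice.

```php
<?php
/**
 * Plugin Name: Hide REST user endpoints from anonymous clients (added example, not from the post)
 *
 * Drop this file into wp-content/mu-plugins/. By the time rest_endpoints runs,
 * core has already validated the cookie and nonce, so is_user_logged_in()
 * reflects the REST request's real authentication state.
 */

add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Authenticated users (authors, editors, admin tooling) keep the routes.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    // Anonymous clients now receive a 404 "No route was found" for these routes.
    return $endpoints;
} );
```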

neversaynever 16/02/2017

So are we going to pretend that you didn’t just tell people not to worry about this feature and then on Jan 26th this code that was vetted by millions/many people had a priv escalation that allowed remote code execution?

Robert Abela 18/02/2017

Hello,

I back all that I said in this blog post. In fact I conclude the blog post with the following “Though it will only be an actual security flaw if a vulnerability is identified in the REST API, which so far none have been found. So no need to worry for now and as long as you keep your WordPress up to date you should not have any problems.”

In fact yes it had a vulnerability (like all other software) and those who updated their WordPress were not hacked.
