WordPress: block anonymous Rest API access

The most recent version of WordPress ships with new REST API capabilities which plugins, apps, services, or the WordPress core can utilize.

The WordPress development team pushes new features to WordPress all the time. Many of those features improve the functionality of WordPress significantly.

Every now and then though, features get added that are problematic from an admin or user point of view.  The main issue with the bulk of these changes is that they cannot be disabled easily. I have disabled Emojis and XML-RPC here on this site for instance.

The new REST API functionality for instance may be used by anyone to list all user accounts of the WordPress installation.

This in itself is not enough to gain access, but once you know more about a site, you could run brute force attacks against the site, try to guess passwords, or use social engineering to get access to the site.

To be fair, the new API does not expose anything to the public that is not available already somewhere else on the site.

List all user accounts

To list all user accounts on a site that runs WordPress 4.7 (or newer presumably), all you have to do is append /wp-json/wp/v2/users to its domain name.

You could set a filter previously in WordPress to block access to the information. This filter appears to have been removed in version 4.7.

The only option you have to block the information from being revealed to anyone, is to install a plugin that protects the site from that.

WordPress: Block anonymous REST API access

A rather simple, but effective plugin is Disable REST API. All it does is return a "not unauthorized" message to anonymous requests to display REST API data.

The plugin returns an error message for any request that is not made by a logged in user of the particular site.

There is also Wordfence, a plugin that adds security options and protection to WordPress sites.

Closing Words

The data that the REST API makes available to anonymous requests is available elsewhere on the public part of WordPress already. The main gain that attackers get from it is that it lists the data in a nice format that saves them time, as they don't have to crawl various parts of the site anymore to retrieve the information. (via Born City)