WordPress Add-on: slight tweak to avoid exploitation through the WordPress JSON API

Hi all,

I just finished reading an article in a computer magazine dealing with the broad possibilities to access media and information on WordPress sites by accessing the JSON API that comes with any WordPress installation. They provided some examples of things that can be accessed against the intent of the site owner. I don't want to go in depth here, since this is originally a WP issue, but they provided a mitigation in the form of a small snippet of code which is meant to be added to the active WordPress theme's functions.php. So I had to edit a file exported to WP by Backlight.
It consists of a filter that allows access to the WordPress JSON API only if a WordPress user is logged in (in another tab or window).
I tried it and so far it seems to work without side effects.

add_filter( 'rest_authentication_errors', function( $result ) {
    // Another authentication method already returned a verdict
    // (true or a WP_Error): pass it along unchanged.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // Nothing authenticated the request and no user is logged in:
    // reject it with HTTP 401.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( '401', 'not allowed.', array( 'status' => 401 ) );
    }
    // Logged-in user: leave the request untouched.
    return $result;
});

The article itself is not publicly available, but there is an abstract at https://www.heise.de/select/ct/2020/23/2024809460577976425

In most installations direct access to the JSON API is given through a URL consisting of the path to a WordPress installation with /wp-json/ appended, or sometimes /index.php/wp-json/ instead.

The JSON API of WP is rather verbose. There may be a possibility to disable it, but the new block editor requires it to be active. (Not that I would like or even advocate the use of the new editor in WP.)
It has endpoints for all the media uploaded to a WordPress site (including those which are not linked or published) and for user data.

Stay safe.
Best wishes
Michael
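The same lock-down, placed in a child theme's functions.php so no Backlight-generated file has to be edited, as an added example that is not part of the post above and not Backlight's code. It extends the snippet with an allowlist of REST routes that stay reachable without a login, because blocking all of /wp-json/ also breaks plugins that serve anonymous visitors through the REST API (contact forms, oEmbed previews of the site's own posts). The two entries in the list are assumptions for illustration: the oEmbed route is WordPress core, the second stands in for a form plugin's namespace; replace them with what the site actually needs.

```php
<?php
/**
 * functions.php of a child theme (added example; not Backlight's code).
 *
 * Anonymous requests to the WordPress REST API are rejected with HTTP 401
 * unless they target an allowlisted route. Logged-in users keep full
 * access, so the block editor and the admin screens continue to work.
 */

/**
 * Routes that stay public. Hypothetical list, adjust per site.
 * An entry ending in "/" is matched as a namespace prefix, any other
 * entry must match the route exactly.
 */
function child_theme_public_rest_routes() {
    return array(
        '/oembed/1.0/embed',   // WordPress core oEmbed provider endpoint
        '/contact-form-7/v1/', // placeholder namespace of a form plugin
    );
}

/**
 * Returns true when $route is covered by one of $allowed.
 * Normalises the route the way core does (leading slash, no trailing slash).
 */
function child_theme_rest_route_is_public( $route, $allowed ) {
    $route = '/' . trim( (string) $route, '/' );
    foreach ( $allowed as $entry ) {
        if ( '/' === substr( $entry, -1 ) ) {
            if ( 0 === strpos( $route, $entry ) ) {
                return true; // namespace match
            }
        } elseif ( $route === $entry ) {
            return true;     // exact route match
        }
    }
    return false;
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect a verdict another authentication method already reached.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // Logged-in users (cookie session, application password, ...) pass.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // The requested route, set by core from /wp-json/<route> or ?rest_route=.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';

    if ( child_theme_rest_route_is_public( $route, child_theme_public_rest_routes() ) ) {
        return $result;
    }

    // Everything else requires a login: users, media, posts, discovery index.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'REST API requests require a logged-in user.' ),
        array( 'status' => 401 )
    );
} );
```

To verify from a logged-out shell, `curl -s -o /dev/null -w '%{http_code}\n' https://example.com/wp-json/wp/v2/users` (example.com standing in for the site) should now print 401, while the same request for an allowlisted route still returns 200. Two caveats: the filter runs at the default priority 10, before core's own cookie-and-nonce check (rest_cookie_check_errors, priority 100), so a browser that merely holds a WordPress login cookie already counts as logged in at this point, which is why a session in another tab is enough; and because the allowlist is matched on the route only, anything published under an allowlisted namespace becomes public, so keep the list short and check each plugin's routes before adding its namespace.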

Thanks. I would need to do more research to determine whether I would really want to add this to our WP Theme Add-on. If you’re concerned about editing Backlight-generated files, though, you could add this in a child theme.

You could use a plugin like https://wordpress.org/plugins/wp-rest-api-authentication/ to do the same thing.
