Wordpress AddOn: slight tweak to avoid exploitation through Wordpress JSON-API

Hi all,

I just finished reading an article in a computer magazine dealing with the broad possibilities to access media and information on wordpress sites by accessing the JSON-API that comes with any wordpress installation. They provided some examples of things that can be accessed against the intent of the site owner. I don’t want to go in depth here, since this is originally a WP issue, but they provided a mitigation in form of a smal snippet of code which is meant to be added to the active Wordpress-Theme’s function.php. So I hat to edit a file exported to WP by Backlight.
It consists of a filter that allows access to the Wordpress JSON-API only if a Wordpress user is logged in (in another tab or window).
I tried it and so far it seems to work without side effects.

add_filter( ‘rest_authentication_errors’, function( $result ) {
if ( ! empty( $result ) ) {
return $result;
if ( ! is_user_logged_in() ) {
return new WP_Error( ‘401’, ‘not allowed.’, array(‘status’ => 401) );
return $result;

The article itself is not publicly available, but there is an abstract at https://www.heise.de/select/ct/2020/23/2024809460577976425

In most installations direct access to the JSON-API given through an URL consisting of the path to a wordpress iinstallation with an added /wp-json/ or sometimes it is /index.php/wp-.json/ instead.

The JSON-API of WP is rather verbose. There may be a possibility to disable it, but the new block editor requires it to be active. (Not that I would like or even propagate the use of the new editor in WP.)
It has endpoints for all the media uploaded to a wordpress site (including those which are not linked or published) and for user data.

Stay safe.
Best wishes

Thanks. I would need to do more research to determine whether I would really want to add this to our WP Theme Add-on. If you’re concerned about editing Backlight-generated files, though, you could add this in a child theme.

You could use a plugin like https://wordpress.org/plugins/wp-rest-api-authentication/ to do the same thing.

1 Like