WordPress REST API Mistakes That are Making Your Site Insecure

WordPress REST API Mistakes That are Making Your Site Insecure

The REST API came with big hopes for modernizing and improving WordPress performance. I’m a huge fan, but if you don’t understand how the API works, it can lead to mistakes that end in big security holes for your site, especially if you’re not a developer.

In this post, I want to share some of the common errors users not familiar with the WordPress REST API make so you can keep your site safe.

Elementary API Dear Watson

So, what is the WordPress REST API? The WordPress REST API functions like a bridge that can connect a wide variety of applications to WordPress.

Sound complicated? With the Gutenberg editor, we’re finally starting to see on a large scale what’s possible when WordPress uses the REST API to run alongside newer technologies.

The JSON structure of the API is easy for computers and humans to understand, making it easier to use through programmatic means. And the RESTful architectural style means a wide variety of applications can connect to it.

You can use the API to retrieve your site’s data so you can show it elsewhere in a different format. Or you can kick things up a notch and use the API to control your site remotely, by sending commands such as create, update and delete. Together these form the acronym CRUD and you can use them on the following:

  • Posts
  • Post Revisions
  • Categories
  • Tags
  • Pages
  • Comments
  • Taxonomies
  • Media
  • Users
  • Post Types
  • Post Statuses
  • Settings
Screenshot of Gutenberg Editor
Gutenberg uses the WordPress REST API to create and update posts

With so much power, you can see why the WordPress REST API is such a valuable acquisition for hackers. With access to your site’s API, they can pretty much control your whole site remotely.

These are the pitfalls where beginners are most likely to make a mistake and involuntarily open up exploits:

  1. Displaying sensitive information because they’re not aware that the REST API shows all data by default
  2. Using basic authentication on a live site and involuntarily exposing their login credentials
  3. Not utilizing an encrypted connection for authentication

We talk about hackers creating backdoors, but in these cases, it’s more like you as the admin left it unlocked.

Let’s go through each of these.

How To Build Custom Forminator Add-ons Using The Developer API

Displaying Sensitive Information by Mistake

Just as posts and pages are visible by default on a WordPress site, the WordPress REST API is also enabled by default. You can see the data for your posts, pages, categories, tags, media, etc.

To see your WordPress site’s JSON data, type your site url, followed by wp-json/wp/v2/posts in your browser. It’ll look like this https://tuts.wpmudev.host/wp-json/wp/v2/posts but with your URL instead of tuts.wpmudev.host. See all that data? Anyone can see it.

Screenshot of WP REST API JSON data
There are tools, such as Postman, that make this easier to read

If you’re using your WordPress posts to store sensitive information, then this data will be exposed with the API. This could happen even if you’re restricting content to certain users or hiding content behind a paywall, so it is important that you check to see what is visible.

You could inadvertently be exposing data that is in violation of a company privacy policy, HIPAA or GDPR.

As I briefly mentioned, some themes, plugins and even Gutenberg utilize the WordPress REST API, so you want to avoid plugins that disable it completely.

Ultimate Guide to the 60 Best Security Resources for WordPress

Using Basic Authentication on a Live Site

Authentication aims to answer the question is this person authentic? Are they who they say they are? It’s a way of confirming identity. Verifying usernames and passwords, two-factor authentication, you get the idea.

Not all requests to the WordPress REST API require authentication. Retrieving posts, for instance, does not. Deleting users, moderating comments, creating a new post do.

Screenshot of Postman error trying to delete post without authentication
Without proper authentication, you can’t delete posts

If you’re using the WordPress REST API, you can piggyback on the cookie authentication that comes with WordPress. If you’re using the WordPress REST API from an external client, such as a different WordPress site or a custom app, you’ll need to set up a different form of authentication.

You have several options, you can use OAuth, JSON web tokens or Basic Auth. Basic auth is the one I want to call your attention to because it’s not appropriate for every situation.

For basic authentication, your username and password are sent along with every request in the header, for everyone to see. If that sounds unwise, you’re totally right.

A Complete Guide to WordPress Password Security

You should never use basic authentication on a live site and risk exposing your admin login credentials. You should only use basic authentication in a protected environment, such as when you’re troubleshooting a local site.

Not Sending Requests Over Encryption

2018 was the year that Google started flagging all sites that don’t have an SSL certificate.

I’m just going to assume that you already have one, but if you don’t, what the heck are you waiting for?!? Nowadays you can get an SSL certificate for free through most managed hosts. WPMU DEV hosting offers free SSLs, even for multisite with a ton of domains. Try it out free.

Since the WordPress REST API acts as a bridge, you want to protect that connection from a man-in-the-middle attack. To do that, not only doesn’t your WordPress site have to have an SSL cert, but so does your external client (if you’re using one).

The Ultimate Guide to WordPress Security

Basically, you have to protect the connection from both ends so that all your communication is encrypted. 

Also, be sure that all of your authentication is sent via the HTTPS protocol, so that anyone listening in, will only see encrypted data. This is CRITICAL since the authentication process involves sending and receiving login credentials.

Third API Blind

As we’ve seen, the WordPress REST API is pretty fortified so long as you use it in the way it was designed.

Is WordPress Secure?

The WP REST API has been a part of WordPress core since version 4.4, and apart from the one instance, the WP REST API hasn’t had any other security issues. Knock on wood.

I’ve gotta say, that when the API was added to core, I thought we’d see a lot more cool things being built with the WordPress API. Did you?

I still feel that it is one of the most underutilized components of WordPress. And I hope that everyone who thinks that Gutenberg doesn’t meet their needs takes a shot at creating their own admin. A mobile-friendly front end editor would be amazing ;) Give the WP REST API another look.

Even if you’re not a developer, now that you know what not to do, I encourage you to take a look at the WP REST API handbook and start poking around. And if you break anything on your site, our 24/7 support is here to help. If you’re not a member, get started for free.

Over to you, do you have any tips for using the WordPress REST API?
Felicia Ceballos-Marroquin
Felicia Ceballos-Marroquin WPMU DEV rescued Felicia from cubicle hell and put her decade of WordPress expertise to good use, giving her the privilege of being a staff writer.