WordPress 4.7 and the REST API
WordPress 4.7 was released a few days ago, and the REST API is now incorporated into the WordPress core.
The WordPress REST API allows programmatic access to your website’s data. Think of it as RSS for the 21st century. Most of the major email marketing applications can access your blog and retrieve blog posts via RSS and then publish them as an email newsletter. REST will allow this and much more.
The REST API, however, is much more powerful than RSS in that it allows for the creation, modification, and deletion of posts and pages, the creation of comments, and so on. These website-altering functions require authentication.
As someone who has been in the security space since the early 1990s, my first thoughts are about the potential security risks. We don't enable ports on our servers unless we have a specific reason to do so. Likewise, I believe we should be able to keep the REST API disabled unless we have a specific need for it. Just as the XML-RPC interface in WordPress has provided attackers with new ways to attack our websites, I expect that some enterprising hacker will figure out a way to use the REST API as an attack tool.
There is a plugin, Disable REST API, that gets us part way there. It will disable all access via REST unless the caller (user) is authenticated.
If your website is behind a firewall you can blacklist this URL to completely block access:
/wp-json/wp/v2/
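For readers who would rather not install a plugin, the same "authenticated users only" restriction can be applied with a few lines in a must-use plugin. This is an added example, not code from the Disable REST API plugin or from WordPress itself; it assumes the standard WordPress `rest_authentication_errors` filter and is written as a file you would drop into `wp-content/mu-plugins/`.

```php
<?php
/*
Plugin Name: Require login for the REST API (added example)
Description: Rejects any /wp-json/ request from a visitor who is not logged in.
*/

// Refuse to serve the plugin file directly; only run inside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Runs before any REST route is dispatched. Returning a WP_Error here makes
 * the REST server answer with that error instead of the requested data.
 * A non-null $result means another filter already decided, so we keep it.
 */
function example_require_login_for_rest( $result ) {
    if ( null !== $result ) {
        return $result;
    }

    if ( is_user_logged_in() ) {
        return $result; // Authenticated (cookie + nonce, or another auth method).
    }

    // Anonymous caller: answer 401 so clients know credentials are required.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'You must be logged in to use the REST API.' ),
        array( 'status' => 401 )
    );
}
add_filter( 'rest_authentication_errors', 'example_require_login_for_rest', 99 );
```

Anonymous requests to `/wp-json/wp/v2/posts` then return a JSON error with HTTP status 401, while the admin screens, which call the API with a logged-in cookie and nonce, keep working.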
Just because you are paranoid doesn’t mean they are not out to get you.