[wp-trac] [WordPress Trac] #39806: Disable REST API by default, making it opt-in rather than always-on
WordPress Trac
noreply at wordpress.org
Sun May 7 05:20:49 UTC 2017
#39806: Disable REST API by default, making it opt-in rather than always-on
-------------------------+----------------------
 Reporter:  mor10        |       Owner:
     Type:  enhancement  |      Status:  closed
 Priority:  normal       |   Milestone:
Component:  REST API     |     Version:  trunk
 Severity:  normal       |  Resolution:  wontfix
 Keywords:  close        |     Focuses:
-------------------------+----------------------
Changes (by joehoyle):
* status: new => closed
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:

@lukecavanagh you could do that, also I think a good idea that I haven't
seen implemented yet is to only allow access to the REST API using the
nonce, therefore you could (somewhat) lock down access to the API for
requests from the site, logged in, or out. However I should point out that
this isn't all that secure, due to the length that nonces live for.

Either way, I think all these things are plugin territory, and the default
for the REST API is _on_. The more WP core functionality we see moving to
be built on the REST API, the more it will become not possible to disable
it. The REST API is not just an external facing layer on WordPress, it is
core functionality.

As per usual, if you don't want your site to be publicly accessible, there
are plugins and other means of doing that - but it's not a default /
feature of WordPress core to enable such a thing.

I know this ticket is somewhat controversial, so my closing of it may
ruffle some feathers. In the interest of keeping Trac clean, and wrapping
up the discussion here, I'm closing this as wontfix.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39806#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
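
The nonce-only gate suggested in the comment above, sketched as a small plugin. This is an added example, not code from the ticket or from WordPress core; the plugin name, error code and meta tag name are hypothetical, and it assumes every legitimate REST consumer is a page served by the site itself.

```php
<?php
/**
 * Plugin Name: REST Nonce Gate (added example; hypothetical plugin)
 *
 * Assumption: every legitimate REST consumer is a page served by this site.
 * External clients (application passwords, OAuth plugins) are refused too.
 */

// Priority 10 runs before core's cookie check, which is hooked at 100.
add_filter( 'rest_authentication_errors', function ( $result ) {
	if ( null !== $result ) {
		return $result; // Keep a decision an earlier handler already made.
	}
	// The same two places core reads the REST nonce from.
	$nonce = null;
	if ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
		$nonce = wp_unslash( $_SERVER['HTTP_X_WP_NONCE'] );
	} elseif ( isset( $_REQUEST['_wpnonce'] ) ) {
		$nonce = wp_unslash( $_REQUEST['_wpnonce'] );
	}
	if ( ! is_string( $nonce ) || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
		return new WP_Error(
			'rest_nonce_required', // hypothetical error code
			'A valid REST nonce is required.',
			array( 'status' => 403 )
		);
	}
	return $result; // Still null: core's own authentication runs next.
} );

// Hand the nonce to front-end scripts, which send it back as X-WP-Nonce.
// By default a logged-out visitor's nonce is not bound to a user or session,
// so the gate only separates page-driven requests from bare ones.
add_action( 'wp_head', function () {
	printf(
		'<meta name="rest-nonce" content="%s">' . "\n", // hypothetical tag name
		esc_attr( wp_create_nonce( 'wp_rest' ) )
	);
} );

// Narrow the lifetime the comment warns about. 'nonce_life' defaults to one
// day and applies to every nonce on the site, so a form left open longer
// than the new lifetime fails verification.
add_filter( 'nonce_life', function () {
	return 2 * HOUR_IN_SECONDS; // constructed value; tune per site
} );
```

A full-page cache that holds pages longer than the nonce lifetime will hand logged-out visitors an expired nonce, so cache TTLs have to stay below it.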