[wp-trac] [WordPress Trac] #49110: Add ability to lock/restrict public REST API access from WP Admin
WordPress Trac
noreply at wordpress.org
Tue Dec 31 16:23:33 UTC 2019
#49110: Add ability to lock/restrict public REST API access from WP Admin
-----------------------------------------------+---------------------------
Reporter: apedog | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version:
Severity: normal | Keywords:
Focuses: administration, rest-api, privacy |
-----------------------------------------------+---------------------------
Following a lively discussion in #core-restapi slack channel:
== Preface
REST API has been added to WordPress to allow it to be used as a fully
fledged CMS. It is also used internally by the new Gutenberg blocks. And
used by many plugins. And is considered immensely useful by many
developers.
</platitudes>
REST API does however have some risks involved, that should be addressed
in Core.
REST API is enabled by default on 100% of installations. Even those that
don't need it - i.e. front-facing HTML-only sites. This exposes ''a lot''
more data publicly than is exposed by regular template pages, and is a
privacy concern.
- User and author data can be accessed publicly even if not available
through a front-end page.
- Old installations that added private data (e.g. phone numbers) as meta
now have that meta publicly (and easily) exposed through REST queries.
- Non-technical users of WordPress might not even know their data is
exposed through REST.
- Technically-savvy users might not have the resources to allocate to
limiting public/non-authenticated access to the REST API.
- There may be GDPR concerns involved.
- WordPress basically ships with an installed scraper for public use,
that the admin has no control over.
== Proposal
Add an option to WP Admin to disable/limit public REST API access.
An easily accessible enable/disable lock-down-public-access REST API
option should be available to any WordPress administrator. Either in
{{{Settings-General}}}, {{{Settings-Privacy}}}, {{{Site Health}}}, or
through a dedicated {{{Settings-REST}}} page (will open a separate ticket
for a REST control page).
- Ideally, REST API should have been an opt-in on WordPress install or
update, but that ship has sailed. It is also extensively used by new
"Gutenberg" blocks. So a full disable is probably not the way to go.
- An opt-in/opt-out lock-public-access-to-REST option should be available
on fresh WordPress installs as well as on the Admin page. Front-facing
HTML-only websites should have a one-click {{{restrict public access}}}
option on install.
- Plugins that use REST API should detect locked-down/public-access
setting. So there are back-compat concerns here also.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49110>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
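Added example, not code from the ticket or from WordPress core: one way a site could implement the proposed lock-down today as a must-use plugin, gating unauthenticated REST requests on a setting via the `rest_authentication_errors` filter that core already provides, with a route allow-list so plugins that need public endpoints can opt back in. The option name `rpr_restrict_public_rest` and the filter name `rpr_public_route_prefixes` are assumed.

```php
<?php
/**
 * Plugin Name: Restrict Public REST API (illustrative example)
 * Drop into wp-content/mu-plugins/. Option and filter names are assumptions.
 */

// Hypothetical setting; defaults to off so existing sites keep current behaviour.
function rpr_is_restriction_enabled() {
    return (bool) get_option( 'rpr_restrict_public_rest', false );
}

// Route prefixes a plugin may keep public (hypothetical filter), e.g. '/myplugin/v1/'.
function rpr_public_route_prefixes() {
    return (array) apply_filters( 'rpr_public_route_prefixes', array() );
}

function rpr_route_is_allowed( $route ) {
    foreach ( rpr_public_route_prefixes() as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;
        }
    }
    return false;
}

/**
 * rest_authentication_errors runs after cookie/nonce and plugin authentication,
 * so block-editor users are already logged in here and are unaffected. Internal
 * rest_do_request() calls (e.g. editor preloading) bypass this check entirely.
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier handler already authenticated (true) or rejected (WP_Error).
    if ( null !== $result ) {
        return $result;
    }
    if ( ! rpr_is_restriction_enabled() || is_user_logged_in() ) {
        return $result;
    }
    $raw   = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? (string) $GLOBALS['wp']->query_vars['rest_route'] : '';
    $route = '/' . ltrim( $raw, '/' );
    if ( rpr_route_is_allowed( $route ) ) {
        return $result;
    }
    return new WP_Error(
        'rest_public_access_disabled',
        __( 'Public REST API access is disabled on this site.' ),
        array( 'status' => 401 )
    );
} );
```

Note that the route check relies on the `rest_route` query var core sets for externally served requests, so it covers both pretty and plain permalink forms.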