[wp-trac] [WordPress Trac] #49110: Add ability to lock/restrict public REST API access from WP Admin
WordPress Trac
noreply at wordpress.org
Tue Dec 31 17:09:21 UTC 2019
#49110: Add ability to lock/restrict public REST API access from WP Admin
-------------------------+------------------------------------------------
Reporter: apedog | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version:
Severity: normal | Resolution:
Keywords: | Focuses: administration, rest-api, privacy
-------------------------+------------------------------------------------
Comment (by TimothyBlynJacobs):
> User and author data can be accessed publicly even if not available
> through a front-end page.
This is true, but only authors of posts that are shown in the Rest API are
included. Additionally, only their display name, URL, and bio are
displayed.
> Old installations that added private data (eg. phone numbers) as meta
> now have that meta publicly (and easily) exposed through REST queries.
This is incorrect. Metadata is never exposed publicly unless it is
specifically exposed by the developer using `register_meta()` and
explicitly setting `show_in_rest` to `true`.
> Non-technical users of WordPress might not even know their data is
> exposed through REST.
No more data is exposed than you'd be able to see in a default WordPress
theme or over RSS.
> Technically-savvy users might not have the resources to allocate to
> limiting public/non-authenticated access to the REST API.
This can be done by installing one of a number of plugins:
https://wordpress.org/plugins/search/disable+rest+api/
Many security plugins also include settings to limit REST API access.
> There may be GDPR concerns involved.
Could you share an example of what these concerns would be? Only public
data is exposed by default.
> WordPress basically ships in with an installed scraper for public use,
> that the admin has no control over.
Only data that is also exposed in the theme and RSS.
See also: #39806, #38446
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49110#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
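Added example (not from the ticket, its reporter or the commenter) illustrating the two mechanisms the comment refers to: meta only reaches the REST API when `register_meta()` sets `show_in_rest` to `true`, and public REST access can be gated from a plugin or theme with core's `rest_authentication_errors` filter. The meta key `phone_number` is a hypothetical placeholder.

```php
<?php
/**
 * Added example for a site-specific plugin; not code from the ticket.
 * 'phone_number' is a hypothetical legacy user meta key.
 */

// Registering the meta with show_in_rest => false (the default) keeps it out of
// /wp-json/wp/v2/users responses. Meta added with add_user_meta() and never
// registered is likewise absent from REST; only show_in_rest => true exposes it.
add_action( 'init', function () {
    register_meta( 'user', 'phone_number', array(
        'type'          => 'string',
        'single'        => true,
        'show_in_rest'  => false, // stated explicitly so a reviewer can audit the decision
        // Gate writes through the meta API to users who may edit users.
        'auth_callback' => function () {
            return current_user_can( 'edit_users' );
        },
    ) );
} );

// Core's documented hook for restricting the REST API. Returning a WP_Error
// from rest_authentication_errors rejects the request with that error; this is
// the same mechanism the "disable REST API" style plugins rely on.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another handler already authenticated (true) or rejected (WP_Error).
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    // Require a logged-in user (cookie + nonce, or application passwords).
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```

Gating every unauthenticated request also blocks front-end features that legitimately use public endpoints (contact forms, the WordPress mobile apps, anything calling `/wp-json/` anonymously), so test the site after enabling it rather than assuming only scrapers are affected.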