[wp-trac] [WordPress Trac] #49110: Add ability to lock/restrict public REST API access from WP Admin

WordPress Trac noreply at wordpress.org
Tue Dec 31 17:09:21 UTC 2019


#49110: Add ability to lock/restrict public REST API access from WP Admin
-------------------------+------------------------------------------------
 Reporter:  apedog       |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  REST API     |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:  administration, rest-api, privacy
-------------------------+------------------------------------------------

Comment (by TimothyBlynJacobs):

 > User and author data can be accessed publicly even if not available
 > through a front-end page.

 This is true, but only authors of posts that are shown in the REST API are
 included. Additionally, only their display name, URL, and bio are
 displayed.

 > Old installations that added private data (eg. phone numbers) as meta
 > now have that meta publicly (and easily) exposed through REST queries.

 This is incorrect. Metadata is never exposed publicly unless it is
 specifically exposed by the developer using `register_meta()` and
 explicitly setting `show_in_rest` to `true`.

 > Non-technical users of WordPress might not even know their data is
 > exposed through REST.

 No more data is exposed than you'd be able to see in a default WordPress
 theme or over RSS.

 > Technically-savvy users might not have the resources to allocate to
 > limiting public/non-authenticated access to the REST API.

 This can be done by installing one of a number of plugins:
 https://wordpress.org/plugins/search/disable+rest+api/
 Many security plugins also include settings to limit REST API access.

 > There may be GDPR concerns involved.

 Could you share an example of what these concerns would be? Only public
 data is exposed by default.

 > WordPress basically ships in with an installed scraper for public use,
 > that the admin has no control over.

 Only data that is also exposed in the theme and RSS.

 See also: #39806, #38446

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49110#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
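As an added example (not code from the ticket, its commenter, or WordPress core), the two points made in the comment as a small must-use plugin: a `register_meta()` call that keeps a legacy phone-number meta key out of REST responses, since meta is only serialised when `show_in_rest` is `true`, and a `rest_authentication_errors` filter, the approach the REST API handbook documents, that rejects unauthenticated REST requests site-wide. The meta key `phone_number`, the plugin file location and the error code string are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict Public REST API (example)
 * Assumed location: wp-content/mu-plugins/restrict-rest-api.php (auto-loaded).
 */

// 1. Legacy user meta stays private. The REST API only exposes meta that was
//    registered with 'show_in_rest' => true; unregistered meta (the old
//    phone-number case from the ticket) is never included in /wp/v2/users.
add_action( 'init', function () {
    register_meta( 'user', 'phone_number', array(   // 'phone_number' is an assumed key
        'type'         => 'string',
        'single'       => true,
        'show_in_rest' => false,                     // explicit: keep it out of REST
    ) );
} );

// 2. Require an authenticated user for every REST request. Cookie + nonce
//    requests from wp-admin (e.g. the block editor) still authenticate before
//    this filter runs, so logged-in users are unaffected.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler already decided (WP_Error or true): respect it.
    if ( null !== $result ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',                        // assumed error code
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```

Blocking all unauthenticated REST traffic also breaks front-end features that rely on it (oEmbed discovery, plugins whose public forms post to REST endpoints), so test the public site after enabling it and whitelist routes by checking `$GLOBALS['wp']->query_vars['rest_route']` in the filter if needed.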