[wp-trac] [WordPress Trac] #49110: Add ability to lock/restrict public REST API access from WP Admin
WordPress Trac
noreply at wordpress.org
Tue Dec 31 21:05:27 UTC 2019
#49110: Add ability to lock/restrict public REST API access from WP Admin
-------------------------+------------------------------------------------
Reporter: apedog | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version:
Severity: normal | Resolution:
Keywords: | Focuses: administration, rest-api, privacy
-------------------------+------------------------------------------------
Comment (by apedog):
> What are the risks? A small front-facing HTML only site is the site that
> would be least impacted by the REST API. Since it is only exposing data
> that would already be public.
- A small front-facing HTML only site can hide ALL information that is
database-related. IDs, slugs, post_type, author etc. It can even hide the
fact that it ''is'' a WordPress installation.
- This can be done by low-level devs (with only basic knowledge of PHP and
HTML) editing the theme templates and using only the browser inspector and
view-source for review.
> We don't have an option in core to disable author archives. Even if the
> theme doesn't have custom author archive templates, you can still see the
> default templates, no?
- A theme can ''easily'' disable author archives. Just add an
{{{authors.php}}} file that doesn't print the info (or one that redirects
with HTML {{{http-equiv}}}).
- Rewrite rules can be superseded (requires ''some'' knowledge of
WordPress).
> The author ID and slug are already exposed publicly.
- References to author ID and slug can be removed from all theme
templates.
- Rewrite rules can be superseded (requires ''some'' knowledge of
WordPress).
> So if a theme is intentionally completely disabling author archives and
> templates, I'd expect them to disable it in the REST API as well.
- This would require an understanding/knowledge of REST that might not
exist. We cannot assume.
- A lot can be achieved just by hacking at the WordPress template
hierarchy with no knowledge of WordPress or of writing plugins.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49110#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
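The restriction this ticket asks for, as an added example that is not part of the thread or of WordPress core: a must-use plugin built on the existing `rest_endpoints` and `rest_authentication_errors` filters. It hides the users routes from anonymous visitors (so author IDs, slugs and names cannot be enumerated) and requires a logged-in user for every other route. The `EXAMPLE_PUBLIC_REST_NAMESPACES` list, the `example_rest_route_is_public` helper and the `example-forms/v1` namespace are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Restrict anonymous REST API access (constructed example)
 * Drop into wp-content/mu-plugins/. The allow-list below is hypothetical:
 * namespaces of front-end features that must stay public (e.g. a form plugin).
 */
const EXAMPLE_PUBLIC_REST_NAMESPACES = array( 'example-forms/v1' );

/** True if the requested route belongs to an allow-listed namespace. */
function example_rest_route_is_public( string $route ): bool {
    foreach ( EXAMPLE_PUBLIC_REST_NAMESPACES as $ns ) {
        if ( 0 === strpos( ltrim( $route, '/' ), $ns . '/' ) ) {
            return true;
        }
    }
    return false;
}

// Layer 1: anonymous requests never see the users routes, so author IDs,
// slugs and display names are not enumerable even if layer 2 is relaxed.
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// Layer 2: everything else requires an authenticated user. Priority 101 runs
// after core's rest_cookie_check_errors (priority 100), which has already
// reset a cookie-authenticated user without a valid X-WP-Nonce to anonymous,
// so is_user_logged_in() here cannot be satisfied by a bare session cookie.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( is_wp_error( $result ) || is_user_logged_in() ) {
        return $result; // keep earlier failures; let authenticated users through
    }
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? (string) $GLOBALS['wp']->query_vars['rest_route'] : '';
    if ( example_rest_route_is_public( $route ) ) {
        return $result;
    }
    return new WP_Error(
        'rest_not_logged_in',
        'Authentication is required to access the REST API on this site.',
        array( 'status' => 401 )
    );
}, 101 );
```

Verify with `curl -i https://example.test/wp-json/wp/v2/users` (expect 401) and `curl -i https://example.test/wp-json/` while logged in with a valid nonce (expect the users routes listed again); the block editor keeps working because its requests are authenticated.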