On Dec. 9, after the release of WordPress 4.7, we published a post with some initial precautionary concerns we had about the REST API, including a feature release to allow you to easily disable it in iThemes Security, after being alerted to potential issues.
Disabling the REST API was a temporary solution we felt was necessary while we did a full investigation of it. It was not an ideal or a permanent solution: some current, though little used, WordPress features rely on the REST API, and more and more WordPress features will build on it in the future.
Before I go on about the details of our review and next steps, we also want to acknowledge the countless hours of discussion and consideration around security issues that the REST API team put in prior to release. Our team never had any doubt about that, or about their commitment to security.
I want to personally share my (and our) support for the REST API in WordPress, and, perhaps, more importantly, our trust in and appreciation of the amazing team of people who have worked tirelessly for the last several years to get this REST API project into WordPress core.
We’re also incredibly grateful to the thousands of people who have made and continue to make WordPress core better and better with each release and year. The REST API opens up incredible opportunities for the use and expansion of WordPress and I’m very excited to see what comes next with it.
Having said that, our initial post and recommendation were not intended, in any way, to reflect an opinion on the project. Our charge is to do the best for you, our users and customers, which means not just offering ways to protect you and your online work but also seeking to educate you on security.
In this instance, as with many of our decisions, we erred on the side of caution.
Since the feature is not yet in widespread use, we believed that offering users the ability to temporarily disable it while we did a more thorough review was the safest option.
Now, let me share an update on our audit and next steps for iThemes Security:
1. We found no security concerns with the REST API.
Thus, the option to disable the REST API will be removed in the next version of iThemes Security, which is tentatively planned for release next week. It was always meant as a temporary measure to ensure that we had enough time to fully audit the REST API from a security and privacy perspective.
While the REST API itself has strong security, some development plugins do exist that can weaken authentication security. These are recommended only for use by developers as they test their software. Even so, we’re making changes in iThemes Security to ensure that sites are still well protected when running such plugins.
Since the REST API is an important feature for the future of WordPress and we found no security issues, we want iThemes Security to offer the maximum privacy benefit (which I’ll detail next) without reducing the functionality of the REST API.
2. We do have some privacy concerns related to the REST API.
Part of our role and charge is to educate and share as best we can how to protect you and your online work and data.
One concern we do have is around privacy, something we’ve discussed thoroughly internally. Although privacy is different from security, the two are related and intertwined. Security exists to protect private things.
And in the realm of privacy, you may not want certain data shared publicly, or you may not have the ability to restrict access to that data.
For instance, the REST API currently allows public access to all media library content. This includes media library entries that are not connected to a post or page.
Some sites use media as part of a membership system, for file downloads, or for high-quality images, and rely on ads on the page or on a special access method to control who reaches that content. For such sites, the ability to bypass the post or page entirely and easily retrieve a full listing of all media, complete with the link to download each file, can create significant issues.
Additionally, it gives public access to the records of all users that have published a post.
- This information includes potential usernames, the author biography, and Gravatar links for each user.
- Gravatar links could be used to easily link users on different sites or to confirm the email address of each user (either through guessing or by using a list of known email addresses).
- The definition of “published a post” is vague and could include users that only publish content that isn’t thought of as a post, such as a user that only created products in iThemes Exchange or WooCommerce.
While much of this information is publicly available, site owners can modify their theme and their site so that it is not displayed.
However, since it can be very difficult for everyone that runs a WordPress site to know what is and what is not public with regards to the REST API, we felt that offering an option to restrict access to all of the information while still allowing the REST API to function was the best option for us and our users.
So in the next release of iThemes Security, we’ll be removing the option to disable the REST API and instead offer a single, recommended option that restricts access to potentially private data to require either a logged-in user or a user with specific privileges.
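To illustrate what “restrict access while still allowing the REST API to function” can look like in practice, here is an added example, not iThemes Security’s own code and not taken from the original post. It uses WordPress core’s `rest_pre_dispatch` filter to gate only the two route families discussed above (users and media) behind a capability check, leaving every other REST route untouched. The function name, the choice of `list_users` and `upload_files` as the required capabilities, and the carve-out for `/wp/v2/users/me` are assumptions made for this example; a site’s own policy may differ.

```php
<?php
/**
 * Added example (not iThemes Security's code): restrict the public WordPress
 * REST API routes that expose user records and media items to authenticated
 * users holding a matching capability. Save as wp-content/mu-plugins/rest-privacy.php.
 */

add_filter( 'rest_pre_dispatch', 'example_restrict_private_rest_routes', 10, 3 );

/**
 * Short-circuit requests to /wp/v2/users and /wp/v2/media unless the current
 * user may list users / upload files. All other routes pass through unchanged,
 * so features built on the REST API keep working.
 *
 * @param mixed           $result  Response to replace the requested one, or null.
 * @param WP_REST_Server  $server  Server instance.
 * @param WP_REST_Request $request Request used to generate the response.
 * @return mixed Null to let WordPress dispatch normally, or a WP_Error to deny.
 */
function example_restrict_private_rest_routes( $result, $server, $request ) {
	// Another filter has already produced a response; leave it alone.
	if ( null !== $result ) {
		return $result;
	}

	// Route prefix => capability required to read it (assumed policy for this example).
	$protected = array(
		'/wp/v2/users' => 'list_users',   // author names, slugs, bios, avatar URLs
		'/wp/v2/media' => 'upload_files', // every attachment, including ones not tied to a post
	);

	$route = $request->get_route();

	// A logged-in user may always read their own record via /wp/v2/users/me.
	if ( '/wp/v2/users/me' === $route && is_user_logged_in() ) {
		return $result;
	}

	foreach ( $protected as $prefix => $capability ) {
		if ( 0 !== strpos( $route, $prefix ) ) {
			continue;
		}
		if ( current_user_can( $capability ) ) {
			return $result; // authorised: let WordPress handle the request normally
		}
		// 401 for anonymous visitors, 403 for logged-in users lacking the capability.
		return new WP_Error(
			'rest_forbidden',
			__( 'Sorry, you are not allowed to view this resource.' ),
			array( 'status' => rest_authorization_required_code() )
		);
	}

	return $result;
}
```

Because the filter returns `null` for everything it does not recognise, plugins and themes that use other REST endpoints are unaffected. Returning a `WP_Error` from `rest_pre_dispatch` is converted by `WP_REST_Server` into a normal JSON error response, and `rest_authorization_required_code()` picks the 401/403 status based on whether a user is logged in, so clients see the same shape of error that core’s own permission checks produce.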
In the meantime, for our users and customers, we still recommend temporarily disabling the REST API until the next release of iThemes Security is out with the new REST API Privacy option.
As always, if you have questions, you can post them in the comments, or in our iThemes Help Desk.