UPDATE: We’ve shared new information about the REST API and iThemes Security here.
***
The WordPress REST API is a feature rolled out in WordPress 4.4 and greatly expanded in WordPress 4.7. This latest update to WordPress introduces two primary concerns for iThemes Security users, so we’ve added a way to disable the WordPress REST API using the iThemes Security plugin.
- First, requests authenticated through the REST API can bypass the login protections iThemes Security adds, such as two-factor authentication and reCAPTCHA.
- Second, the REST API exposes some site data to anyone, without requiring any authentication.
Of these two concerns, the first is by far the most important. New features to protect against these concerns while still allowing the REST API to function as designed are in active development. The plan is to release these updated features by Thursday, December 15th.
A temporary solution to these concerns was released in iThemes Security 5.9.0 and iThemes Security Pro 3.3.0: a setting that disables the WordPress REST API.
This is not an ideal solution, because disabling the REST API also disables embedding of posts, Quick Edit and the Quick Draft feature; it is meant as a temporary stop-gap while we finish a more robust set of features for iThemes Security.
If you have questions, you can always hit the iThemes Help Desk.
How to Disable the WordPress REST API
You can easily disable the WordPress REST API using the iThemes Security plugin in just a few clicks.
- 1. Download and install the iThemes Security plugin. You can grab the free version of iThemes Security here. Make sure you’re running iThemes Security 5.9+ or iThemes Security Pro 3.3+.
- 2. From the WordPress dashboard, visit the iThemes Security Settings page.
- 3. Scroll to the WordPress Tweaks section. Click “Configure Settings.”
- 4. In WordPress Tweaks, scroll to the REST API section. Here you’ll find the option to Disable REST API in the drop-down menu.
The following settings control how the REST API feature operates. Here’s a brief explanation of each REST API setting:
Disable REST API – The REST API is disabled for every request, including those from logged-in users. This is the recommended setting for now, as it ensures that the REST API cannot be used to bypass any authentication improvements.
Require Admin Privileges – The REST API can only be used by logged-in users with admin-level privileges. This lets privileged users test and develop with the REST API without allowing anonymous access to the data.
Enable REST API – The REST API is fully enabled and will function as normal. Use this setting only if the site makes use of the REST API.
- 5. Click the “Save Settings” button.
Success! Now you’ve disabled the REST API on your WordPress site.
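As an added illustration of what the three settings above actually do (example code written for this page, not iThemes Security’s own implementation), here is a small must-use plugin that enforces the same three modes through WordPress’s `rest_authentication_errors` filter. The `EXAMPLE_REST_API_MODE` constant and the `example_` function name are assumptions of this example; drop the file into `wp-content/mu-plugins/` and set the constant in `wp-config.php`.

```php
<?php
/**
 * Plugin Name: Example REST API access mode
 * Description: Illustrative mu-plugin for this article; not iThemes Security's code.
 */

// Assumed configuration constant for this example: 'disable', 'require_admin' or 'enable'.
// Set it in wp-config.php; it defaults to the mode the article recommends.
if ( ! defined( 'EXAMPLE_REST_API_MODE' ) ) {
	define( 'EXAMPLE_REST_API_MODE', 'disable' );
}

/**
 * Decide whether the current REST request may proceed.
 *
 * Registered at priority 101, i.e. after core's rest_cookie_check_errors() (priority 100),
 * so the cookie nonce has already been verified and current_user_can() reflects the user
 * the request will really run as. $result arrives as null, true or a WP_Error.
 */
function example_rest_api_mode_gate( $result ) {
	// Keep any error another callback (or core's nonce check) has already raised.
	if ( is_wp_error( $result ) ) {
		return $result;
	}

	switch ( EXAMPLE_REST_API_MODE ) {
		case 'disable':
			// Reject every request, anonymous or logged in. This is what breaks
			// post embeds, Quick Edit and Quick Draft, as the article warns.
			return new WP_Error(
				'rest_disabled',
				__( 'The REST API is disabled on this site.' ),
				array( 'status' => 403 )
			);

		case 'require_admin':
			// Anonymous requests get 401, logged-in non-administrators get 403;
			// rest_authorization_required_code() picks the right status code.
			if ( ! current_user_can( 'manage_options' ) ) {
				return new WP_Error(
					'rest_admin_required',
					__( 'The REST API is restricted to administrators on this site.' ),
					array( 'status' => rest_authorization_required_code() )
				);
			}
			return $result;

		case 'enable':
		default:
			return $result;
	}
}
add_filter( 'rest_authentication_errors', 'example_rest_api_mode_gate', 101 );
```

Check the result from outside the site with `curl -si https://example.com/wp-json/wp/v2/users`: in disable mode you should see `HTTP/1.1 403` with `"code":"rest_disabled"` in the body, in require-admin mode `401` with `rest_admin_required`, and in enable mode `200` with a JSON list of the users who have published posts. Note that require-admin mode does not change how the API authenticates; whatever authentication method the API accepts still skips the wp-login.php protections, which is why the post recommends Disable for now.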
Disabling XML-RPC
The iThemes Security plugin also provides a way to disable XML-RPC and activate XML-RPC Brute Force Protection. WordPress’ XML-RPC feature allows external services to access and modify content on the site. (Common examples of services that make use of XML-RPC are the Jetpack plugin, the WordPress mobile app, and pingbacks.)
If your WordPress site does not use a service that requires XML-RPC, select the “Disable XML-RPC” setting, since disabling XML-RPC prevents attackers from using the feature to attack the site. You’ll find this setting located right above the Disable REST API setting in the WordPress Tweaks section of the iThemes Security plugin.
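For readers who want to see what the two XML-RPC choices amount to in code, here is an added example written for this page (not iThemes Security’s implementation) as a must-use plugin. It goes a little beyond the single on/off switch: it always removes the methods attackers lean on even when XML-RPC stays enabled for Jetpack or the mobile app, and only switches the whole feature off when the assumed `EXAMPLE_XMLRPC_DISABLE` constant is true. The `example_` function names are likewise assumptions.

```php
<?php
/**
 * Plugin Name: Example XML-RPC lockdown
 * Description: Illustrative mu-plugin for this article; not iThemes Security's code.
 */

// Assumed configuration constant for this example. true switches XML-RPC off for
// everything that needs a login; false keeps it working for Jetpack or the mobile
// app but still removes the methods attackers use most.
if ( ! defined( 'EXAMPLE_XMLRPC_DISABLE' ) ) {
	define( 'EXAMPLE_XMLRPC_DISABLE', true );
}

/**
 * Trim the method table even when XML-RPC stays enabled.
 *
 * pingback.ping makes the site fetch an attacker-chosen URL (reflection attacks);
 * system.multicall lets one POST carry hundreds of wp.getUsersBlogs login attempts,
 * which is how XML-RPC brute force is amplified. Neither method requires a login,
 * so the 'xmlrpc_enabled' filter below would not stop them on its own.
 */
function example_xmlrpc_trim_methods( $methods ) {
	unset(
		$methods['pingback.ping'],
		$methods['pingback.extensions.getPingbacks'],
		$methods['system.multicall']
	);
	return $methods;
}
add_filter( 'xmlrpc_methods', 'example_xmlrpc_trim_methods' );

/**
 * Stop advertising the endpoint: drop the X-Pingback response header and the RSD
 * <link> in <head>, both of which tell crawlers (and attackers) where xmlrpc.php lives.
 */
function example_xmlrpc_strip_pingback_header( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
}
add_filter( 'wp_headers', 'example_xmlrpc_strip_pingback_header' );
remove_action( 'wp_head', 'rsd_link' );

if ( EXAMPLE_XMLRPC_DISABLE ) {
	// Core consults this filter in wp_xmlrpc_server::login(); returning false makes every
	// method that needs credentials fail with "XML-RPC services are disabled on this site."
	add_filter( 'xmlrpc_enabled', '__return_false' );
}
```

To verify, post a `system.listMethods` call: `curl -s -X POST https://example.com/xmlrpc.php -d '<methodCall><methodName>system.listMethods</methodName><params/></methodCall>'` should no longer list `pingback.ping` or `system.multicall`. Keep in mind that `xmlrpc.php` still answers unauthenticated calls such as `system.listMethods` even with `xmlrpc_enabled` set to false; if you want the endpoint to disappear entirely, deny `xmlrpc.php` at the web server, accepting that this breaks Jetpack and the mobile app just as the plugin’s Disable XML-RPC setting does.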
Secure Your WordPress Site with iThemes Security Now
Using a WordPress security plugin such as iThemes Security Pro is a great way to add an extra layer of protection to your WordPress site. Get WordPress two-factor authentication, WordPress malware scan and more with iThemes Security Pro.
Get iThemes Security Pro

Founder of iThemes.com
Hey Cory,
I generally agree that you should disable anything you don’t need on a server.
In this case, however, you need to be aware that one of the consumers of the WP REST API is the site’s admin backend. Some components already use the WP REST API as of 4.7 (Quick Draft, Press This), and more will follow. That’s the reason why the switch to easily disable the API has been removed: https://core.trac.wordpress.org/ticket/38446
So, although there are still options to make the WP REST API unusable for external requests, disabling it entirely is not amongst them, as it will just break site functionality (more and more with each coming update).
Cheers,
Alain
Hi Alain. I’m the main dev behind iThemes Security. I went through and updated the post to better reflect the current situation. This feature is a temporary solution that prevents side-stepping important authentication improvements, giving us enough time to create a better solution.
I have three primary goals with the features I’m working on right now:
Hello iThemes team,
It is great to see that you hold your users’ security as a top priority. I think this article is important and informative. However, I do have a suggestion on what should be the recommended option for your customers. Instead of “Disable REST API” being the recommended option, I would encourage you to change the recommended option to “Require Admin Privileges”, with some sort of brute force protection in place.
More and more features of WordPress will be using the WP REST API, and simply disabling it will leave a lot of iThemes customers out on the improvements made to their WordPress site. The WP REST API enables more seamless user experiences that I believe iThemes customers will want to partake in. It is not only plugins that will use the API but WordPress core is slated to rely on it more heavily.
I think it is important to offer the option to completely disable the REST API, but it should come with a warning of the consequences, not a recommendation for users, as it could potentially break certain functionality of their site.
The API was designed with security as a major priority and by default it only exposes information that is already publicly available through a WordPress site.
iThemes does great work, and I look forward to seeing how iThemes handles security regarding the new WP REST API.
Hi Edwin. Much of my reply above to Alain applies here as well.
I strongly considered making the Require Admin Privileges setting the recommended setting; however, that would still open up those accounts to having two-factor, reCAPTCHA, and other authentication protections bypassed. So, I decided that the disable setting was the only one I could recommend using for now.