The WordPress REST API is a feature rolled out in WordPress 4.4 and greatly expanded in WordPress 4.7. The REST API provides developers with new ways to manage WordPress.
By default, the REST API can be used to access information that you might believe is private on your site, including:
- Published posts of all post types, including those that don’t seem like posts, such as products or member programs.
- User details that may include users that do not have any published posts or pages.
- Media library entries, which may expose links to download media that is not publicly linked anywhere. This could include links to download member-only content, backups created by some plugins, or any other kind of file added to the media library. (Note that BackupBuddy backups are not stored in the media library and are not accessible via the REST API.)
Restrict WordPress REST API Access
The iThemes Security plugin offers a setting to Restrict Access to most REST API data.
With this setting, most requests will require a logged-in user or a user with specific privileges, blocking public requests to potentially private data. We recommend enabling the Restricted Access setting.
1. To activate the setting, navigate to the WordPress Tweaks section on the Security > Settings page of your WordPress dashboard. Click the “Configure Settings” button.
2. Scroll to the REST API section. Select the “Restricted Access” setting.
3. Click “Save Settings” to save your new settings.
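For sites that do not run iThemes Security, the same effect (reject REST requests that have no authenticated user) can be achieved with WordPress’s own rest_authentication_errors filter. This is an added example, not iThemes Security’s code; the file name and error code are assumptions.

```php
<?php
/**
 * Plugin Name: Require login for the REST API (added example, not iThemes Security code)
 * Drop this file into wp-content/mu-plugins/ to make every REST request
 * require an authenticated user, mirroring the intent of "Restricted Access".
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler already returned a verdict (true = authenticated,
    // WP_Error = failed). Respect it instead of overriding it.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // No verdict yet and no logged-in user: this is an anonymous request.
    // Return 401 so the client knows credentials are required, not 403/404.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_login_required', // assumed error code
            __( 'You must be logged in to access the REST API.' ),
            array( 'status' => 401 )
        );
    }

    // Logged-in user: fall through to normal capability checks on each route.
    return $result;
} );
```

Unlike the plugin’s setting, which only restricts most data, this blocks every anonymous REST request, so front-end features that call the API without a login (some form or search plugins) will stop working until you exempt their routes.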
Default WordPress REST API Access
iThemes Security also includes a Default Access setting that leaves REST API access at the WordPress default. With this setting enabled, information from your site including published posts, user details, and media library entries is available for public access.
For more information on the WordPress REST API, check out the WordPress REST API docs.