WordPress Latest Hacking Notice about JSON REST API

Hi.

I'm getting emails and seeing on blogs that there is a problem with the JSON REST API in WP.

Here is what WPBeginner.com says to do to disable the JSON REST API:

Basically they say most people don't need the JSON REST API on their website, so they should just go ahead and disable it. And they recommend a plug-in just for that.

"Disabling JSON REST API in WordPress

First thing you need to do is install and activate the Disable REST API plugin. For more details, see our step by step guide on how to install a WordPress plugin.

The plugin works out of the box and there are no settings for you to configure."

http://www.wpbeginner.com/wp-tutorials/how-to-disable-json-rest-api-in-wordpress/

There was an answer on wpmudev.org about how to do this manually here:
https://premium.wpmudev.org/forums/topic/disable-wp-json-for-all-sites-in-multisite

So....now here are my questions:

1) Is this something I should do?

2) Since my coding skills are not great, should I use this plug-in?

3) Since we shouldn't load our sites heavy with plug-ins, can I disable the plug-in after it does its thing? Or do you have to have the plug-in permanently activated for the coding to stay in the website's code?

4) If I've already got wpmudev.org plug-ins on my sites and most of my clients' sites, do the various Defender plug-ins already fix this?

I guess that's enough questions on this subject. I am looking forward to your responses as you've always got so many good ideas.

Please remember, not all of us (especially me) are whizzes at coding and other "stuff" so please make answers simple.

Maggie

  • James Morris

    Hello Maggie,

    I hope you are well today.

    Whenever you disable any core WordPress functionality, you're delving into some pretty advanced waters. In order to get you the best answer possible for these questions, I'm going to ping our SLS Team (code experts) so they can offer you their valuable feedback on this issue. Please note that, since our SLS Team deals with more advanced topics, their reply may take a little more time.

    Best regards,

    James Morris

  • Mahlamusa

    Hello Maggie,

    I hope you are doing great today and thank you for contacting us. I am really sorry about the late reply with regards to this, things have been hectic on our side lately. I have reviewed your questions and have done some research after reading the posts you linked to and I would like to answer your questions.

    1) Is this something I should do?

    If you are not using the REST API and you don't want people connecting to your website via the API to get information, then you should do this. Doing or not doing it depends on whether you have a use for the API or not. If you are not using the API, then it's better to disable it to eliminate any threats that may exploit the API.

    Simple answer: You should disable it if you don't use it.

    2) Since my coding skills are not great, should I use this plug-in?

    I went through the code of the plugin, and what you can do manually as suggested is what the plugin does in its code. If you do it manually, then you will essentially be re-writing part of the plugin, but if you do it with the plugin you will be saving time and headache. The plugin also takes it one step further to allow authenticated users to use the API; this is useful if you want to use the API at some point but only allow authenticated users.

    Simple answer: Use the plugin as it is intended for those who can't do it manually or are not comfortable playing with code.

    3) Since we shouldn't load our sites heavy with plug-ins, can I disable the plug-in after it does its thing? Or do you have to have the plug-in permanently activated for the coding to stay in the website's code?

    Unfortunately, you will have to leave the plugin active for as long as you want the API disabled. This is because the plugin does not write or save anything anywhere, but it "listens" for a call to the API and returns an answer saying the API is disabled, or checks whether the user accessing the API is authenticated and allows or disallows the request as appropriate. The plugin must stay active in order to achieve this. The same thing applies if you do it the manual way: that code must stay in the mu-plugin that you will have to create in order for the code to do its thing.

    Simple answer: Yes, the plugin must stay active for the API to stay disabled.

    4) If I've already got wpmudev.org plug-ins on my sites and most of my clients' sites, do the various defender plug-ins already fix this?

    Read more about Defender to see what it can do out of the box. I promise it will protect your site against all sorts of hacks and will recommend actionable steps to protect your site. The best thing is that you can use Defender to protect all websites on your multisite at once.

    Please note that, even though I have done some research and gone through the code of the suggested plugin, these answers are not to be taken as the only solutions to your needs, but they should serve as a guide to help you make the decision to protect your site and your network users. You should also get a third-party opinion.

    I hope all this helps, please enjoy the rest of your day.

    Cheers,
    Mahlamusa
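
The "manual way" and the plugin's "authenticated users only" behaviour that the answer above describes both come down to one WordPress hook. The following is an added example written for this page; it is not the code of the Disable REST API plugin, of the wpmudev.org forum answer, or of Defender. It assumes WordPress 4.7 or later (the `rest_authentication_errors` filter and the `/wp-json/` routes), and is meant to be saved as a file in `wp-content/mu-plugins/` so it loads on every site of a multisite network without being activated or deactivated from the dashboard. The file name, the error code `rest_disabled` and the priority value 101 are choices made for the example, not anything WordPress mandates.

```php
<?php
/**
 * Plugin Name: Restrict REST API to logged-in users (added example)
 * Description: Refuse unauthenticated requests to /wp-json/ while leaving the
 *              API usable for logged-in users (block editor, admin screens).
 *
 * Save as wp-content/mu-plugins/restrict-rest-api.php. Must-use plugins run on
 * every request for every site in the network and cannot be switched off from
 * the dashboard, which is why the check keeps working only while the file stays.
 */

// The filter is applied by the REST server before any route runs. Returning a
// WP_Error aborts the request with that error; returning null or true lets it
// proceed. Priority 101 is deliberate (assumption for this example): WordPress
// hooks its own cookie/nonce check, rest_cookie_check_errors(), at priority 100,
// and that check downgrades a cookie-only request with no valid REST nonce to an
// anonymous user. Running after it means is_user_logged_in() reflects the
// outcome of that check rather than the raw login cookie.
add_filter( 'rest_authentication_errors', 'example_restrict_rest_api', 101 );

function example_restrict_rest_api( $result ) {
	// An earlier handler already rejected the request (e.g. a bad nonce):
	// keep its error rather than replacing it with ours.
	if ( is_wp_error( $result ) ) {
		return $result;
	}

	// Authenticated callers (cookie + nonce, or an application password
	// validated earlier on determine_current_user) keep full access.
	if ( is_user_logged_in() ) {
		return $result;
	}

	// Everyone else gets a 401 and no data. The 'status' entry is what the
	// REST server turns into the HTTP response code.
	return new WP_Error(
		'rest_disabled',
		__( 'The REST API is restricted to authenticated users.' ),
		array( 'status' => 401 )
	);
}
```

To confirm it is working, request an endpoint that would normally be public without logging in, for example `curl -i https://example.com/wp-json/wp/v2/users` (replace the host with your own site): the response should be HTTP 401 with the `rest_disabled` error body instead of a user list. Then log in and open the block editor or the plugins screen, which use the REST API with a nonce, to confirm that authenticated use still works. Note that `is_wp_error( $result )` rather than `! empty( $result )` is used for the short-circuit: WordPress's own cookie check returns `true` for a request with no nonce after zeroing the current user, and treating that `true` as "already decided" would let the anonymous request through.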