The WordPress REST API presents a fantastic opportunity for numerous custom integrations and solutions. However, there is one significant consideration: much of its functionality is readily accessible without authorization by default.
This means that any internet user can effortlessly access your entire media library or registered users. Achieving this only requires a single command. Below, we’ll provide a few examples using Microsoft Terminal.
Invoke-RestMethod -Method GET -ContentType "application/json" -Uri "https://wordpress.org/wp-json/wp/v2/users"
The above command returns a list of users, making it simpler for potential attackers to attempt unauthorized access to your website.
Another example: let’s retrieve the media library, which is not as private as you might think. Media files in the library are easily accessible.
Invoke-RestMethod -Method GET -ContentType "application/json" -Uri "https://wordpress.org/wp-json/wp/v2/media"
Many similar endpoints exist, most of which are publicly available. For a comprehensive understanding, the REST API Handbook provides detailed explanations.
The solution: require all API requests to be authorized
I have developed a script that you can incorporate into your website’s codebase to enforce user authentication and the presence of adequate capabilities (such as “edit_posts” in this example). Please feel free to utilize it on your website.