Secure user REST API

Do you want to stop the public reading your user REST API in WordPress?

Have you ever found yourself with a security exploit documented from a cyber security company?

When it comes to secure audits its better to be paranoid. We have found a common request from our WordPress care plan customers is to fix the ” Disclosure of Users Information via WordPress API” exploit in WordPress.

This plugin fixes that issue.

Secure REST API for Users in WordPress Plugin
MRK WP REST Permissions Plugin

User REST Permissions Plugin for WordPress

Our plugin forces your WordPress website to require authentication before revealing data in the user API.

Minimal Settings
Minimal Settings.
Very easy to use.
Website Security
Secure your users.
Authenticate WP Rest API.

The code breakdown

View what how our REST API plugin fixes this known Authentication issue.

How does it work?

Our code makes sure that the user API in WordPress requires an Authenticated user.

Without this hackers may use this API to look at content publishers and get a list of users. This is then used to run brute force hacking attempts on your WordPress website.

When you install our plugin, this security risk is solved.

Easy to use and saves loads of time!

Many server admins will try multiple methods to fix this issue.

We also tried most of them but they all feel short or ultimately caused additional problems in the WordPress Admin.

Our code is the best approach because it ensures the block editor and other WordPress features are not impacted by the limiting of the user API.

Frequently Asked Questions

Is this plugin free to use?

Yes, the Plugin is entirely free to use. We believe in providing a straightforward solution without any hidden costs.

Simply download the plugin from our GitHub repository, follow the installation steps as your would for any wordpress plugin. On activation your WordPress user endpoints will require authentication.

What WordPress exploit does this fix?

In WordPress 4.7 the WordPress REST API was introduced. This API revealed a whole list of users to the API. It does not reveal emails or other data, but it does show usernames. The exploit is known as “CVE-2017-5487

The official fix is to only show users in this API that are Authors.

Although this is an official fix, some penetration testers will say that any used data revealed without authentication is a risk. This plugin will allow that perceived weakness to be resolved by forcing the User API to be authenticated.

Can I use this code in my own plugin?

The code is released as GPL. You can use it with attribution.

Are there any alternatives to using this plugin?

As far as I know the only alternative is a pro plugin license for WordFence. A well known security plugin. If you are unsure of how best to secure your WordPress website, the use of WordFence would be a good start to harden your

Can I just turn off the end point for all users even when logged in?

No. The WordPress admin interface and block editor require the API to be readable or return a 401.
The user / author selection box inside the Block Editor will disappear when a 401 is returned.
If a 404 is returned it creates errors in the block editor.

What does the end point return when it is called?

The rest API for users will return a 401 response – Unauthorised when called directly.
If you do not have permission inside the WordPress Admin it will return a 403.
It does this automatically because it makes use of the API for the WordPress error object.