• Resolved linux4me2

    (@linux4me2)


    I discovered that the latest version of Contact Form 7, version 4.8, relies on the anonymous REST API to submit contact forms.

    I’m currently using the Shield plugin’s Lockdown setting to disable the anonymous REST API system to prevent easy user enumeration by bots. Other than that, I really don’t need to disable anonymous REST API.

    So, I have two choices:

    1. enable anonymous REST API so Contact Form 7 can be updated, and leave my WordPress installs open to easy user enumeration
    2. switch to a contact form that doesn’t require the anonymous REST API (which I really don’t want to do)

    I suspect that more plugins will be using the anonymous REST API in the future. What I’m wondering is if Shield could offer the option of only disabling anonymous REST API user enumeration rather than disabling the entire anonymous REST API?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Paul

    (@paultgoodchild)

    To be honest, it’s unlikely that we’ll start providing for that scenario. It’s a little too granular and it’s not a simple matter of providing the option. It’s also the minefield and education around it such that users fully understand the implications of it without tripping themselves up later on when another plugin does something similar again.

    In this case, your best bet is to just disable the Shield option. You could perhaps reach out to the author of the other plugin to question his use of the API and whether it can be further refined to be non-anonymous.

    Thread Starter linux4me2

    (@linux4me2)

    Thanks for the reply, Paul. There are a number of posts in the CF 7 support forum requesting that anonymous REST not be used. I’ll see what he does.

  • The topic ‘Disabling Anonymous REST API Breaks Contact Form 7 4.8’ is closed to new replies.
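
The narrower control asked about in the opening post, rejecting anonymous requests to the user routes only while leaving other anonymous REST routes (such as the ones Contact Form 7 4.8 submits to) reachable, can be sketched as a small must-use plugin. This is an added example, not code from Shield, Contact Form 7 or anyone in the thread; the function name, constant and error code are hypothetical, and it assumes the default core route prefix `/wp/v2/users`.

```php
<?php
/**
 * Plugin Name: Block anonymous REST user listing (added example)
 *
 * Hypothetical mu-plugin; not part of Shield or Contact Form 7.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// Assumption: user routes use the WordPress default prefix /wp/v2/users.
// Case-insensitive because the REST server matches routes case-insensitively.
const EXAMPLE_USER_ROUTE_PATTERN = '#^/wp/v2/users(?:/|$)#i';

// rest_pre_dispatch runs before the route callback; returning a WP_Error
// short-circuits the request with that error.
add_filter( 'rest_pre_dispatch', 'example_block_anonymous_user_routes', 10, 3 );

function example_block_anonymous_user_routes( $result, $server, $request ) {
    // Another filter has already produced a response or error: keep it.
    if ( null !== $result ) {
        return $result;
    }

    // Authenticated requests (logged-in admins, editors) are not affected.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Anonymous request to /wp/v2/users or /wp/v2/users/<id>: refuse it.
    if ( preg_match( EXAMPLE_USER_ROUTE_PATTERN, $request->get_route() ) ) {
        return new WP_Error(
            'example_rest_user_listing_disabled', // hypothetical error code
            'Authentication is required to list users.',
            array( 'status' => 401 )
        );
    }

    // Every other anonymous route is dispatched as usual.
    return $result;
}
```

After installing it, an unauthenticated GET to `/wp-json/wp/v2/users` should return HTTP 401, while a test form submission confirms the contact form still works.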