• From a security point of view, is it advisable to disable the REST API if I’m not using it for anything? I’ve noticed that it’s enabled by default, but at this time I don’t plan on using it for anything.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hello and thanks for the question. Nothing is exposed publicly through the REST API that is not already available from WordPress through other methods, so it should never pose a security risk to have it enabled out of the box. Additionally, future WordPress core UI features will depend on the API being enabled and active, so disabling it is not recommended. I hope this helps clarify and alleviate concerns!

    (To clarify, the UI features would depend on the core REST API endpoints, not Woo’s; but presuming that Woo endpoints follow the same rigor as the core endpoints do, which I believe to be the case, I believe the argument still applies in this instance.)

    Plugin Support RK a11n

    (@riaanknoetze)

    REST APIs require authentication to do anything major; if the authentication details somehow leaked (either through unauthorised entry to your WP admin area OR a compromised DB), then having the REST API could be dangerous – particularly if it’s read/write access.

    If you’re confident security isn’t an issue for you, feel free to leave it enabled.

    Thread Starter LiamMcArthur

    (@liammcarthur)

    Thank you for the quick responses. I’ll leave it enabled for now. I just figured if there was ever a vulnerability in the API that wasn’t patched I’d be unnecessarily vulnerable.

  • The topic ‘For security, should I disable the rest API?’ is closed to new replies.