Is REST API needed for Yoast to function
Dear support, I have seen that the REST API has been turned on since version 14.x, I think. I do not mind it, but I have had so many discussions about the security of this feature that I might not do that again.
See this:
https://secure.wphackedhelp.com/blog/wordpress-rest-api-vulnerability-content-injection/ August, this year. This means anyone can now edit these posts that do not update the WP version. I saw a lot of users still not updating to 5.5 for the reason that they do not like Gutenberg and think this is the only solution.
(I think Gutenberg is great even though I prefer HTML, but that is just me. Yes, I do think once front-page editing in Gutenberg is done right it will be great; the negative reviews are because it was launched the wrong way marketing-wise… but anyhow…)
And now all the security admins for WP can say that exposing usernames or IDs is not an issue and that passwords are enough; I have to respectfully disagree.
I build my own WP installer and it has a field for [User] of the site named -> Author and a new field for Login. Why?
Because I do not want to expose my authors in the URL even if Yoast SEO redirects them to the Homepage when archives are turned off.
It still can be found in the author URL. And I have seen some even add their email as login on a new site; that is because beginners cannot find any good info on what to do when installing (e.g. not to use emails as usernames).
So in my own opinion there should be a new field named: [Login name] and a new field named [Author] just as my own WordPress builder does for me and I do not have to edit MySQL display user.
I know they will not change it because I have read so many times they think that user ID is not a security issue. I can find many blogs about it that say it ‘could’ be an issue and someone could write a script and hammer any WP site's author URLs until a DoS has happened.
But I do agree that the password should always be secure; I just do not agree that Login should be the same name as Author.
(4 lines of code were all I needed to make these simple changes)
For the rest I LOVE WP and keep working and building my own apps for it… But I have 1 thing to ask Yoast.
My question:
What is the need for the REST API for 90% of WP users?
Yes, for me to program it is a great idea but what happens to Yoast SEO plugin when wp-json has been removed from head?
Does this then still work and receive JSON calls?
And is Yoast SEMrush or any integration in the future using this REST API inside Yoast?
I love the integration. I also think the plugin is still the best out there, and I do not say this because I am Dutch. I just think Yoast SEO is great, but I would like more help or info on why the REST API endpoint is needed.
And if we remove these tags from <head> like wp generator or live-writer support or short links or emo support etc., it just makes my code smaller, that’s all.
But if these tags are gone from head and Yoast SEO still has the REST API on, will that still work, or should the json and other WP tags be back in head to have effect?
I just checked hxxps://yoast.com/wp-json and yes he has it active. If he has it active it must be safe right? I mean Yoast knows a lot about WP and also I think about security. But again, I think for old sites it does expose a security issue so I think is best to turn it off for me now.
But yeah. What is the use of the REST API in Yoast, as the latest version seems to give errors in Health check when some things are not on or in the head by default?
And if there is no other use than for developers or maybe MainWP or any remote service, is it okay to turn it off, or will this have an effect on WP in general?
Does WP really need REST API in head for Gutenberg as well?
Looking forward to your advice.
Thanks!