• Resolved Shannon Little

    (@enchiridion)


    Hi,
    I’m having issues connecting my site to Wordfence Central. I’m getting the error “Unable to communicate with Wordfence plugin. Please verify Wordfence is installed and activated on this site.”. I read in another ticket that it uses the REST API to connect, which I have blocked for anonymous users. Could you tell me which parts of the API it requires so I only need to open those parts up? Or is there a way to authenticate the WF Central calls?
    Thanks!

  • Plugin Support wfpeter

    (@wfpeter)

    Hi @enchiridion, thanks for reaching out to us about this.

    According to WordPress themselves:

    The REST API is a developer-oriented feature of WordPress. It provides data access to the content of your site, and implements the same authentication restrictions — content that is public on your site is generally publicly accessible via the REST API, while private content, password-protected content, internal users, custom post types, and metadata is only available with authentication or if you specifically set it to be so. If you are not a developer, the most important thing to understand about the API is that it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.

    Our security researchers are always hunting for exploits in WordPress and available plugins in order to keep the millions of Wordfence websites safe. Whilst they have found REST vulnerabilities in specific plugins for developers to patch in the past, the API itself is extremely safe.

    The information that is available via the WordPress REST API is already available to the public via other means, such as the website itself and RSS. The only difference between the front-end of the website, RSS and the REST API is the way the data is presented. As long as you keep your WordPress version up to date, along with your plugins and themes, you should not have any problems.

    Ultimately, Wordfence Central requires access to the REST API for users who aren’t logged in, so that’s one of the first things I’ll check on a website when a customer has issues connecting.

    If you decide to allow access, head over to Wordfence Central, go to the Connection Issues tab. Clear out any sites that might be in here.

    Now head back to your site and log in as an admin. Navigate to Tools > Diagnostics > Other Tests > Clear all Wordfence Central connection data. Clear the connection data and then from the Wordfence Dashboard, click on “Connect this site” in the Wordfence Central widget.

    https://www.wordfence.com/help/central/connect/#troubleshooting-connection-issues also has some troubleshooting steps you could follow.

    Thanks,

    Peter.

    Thread Starter Shannon Little

    (@enchiridion)

    Thanks for the reply.

    > The information that is available via the WordPress REST API is already available to the public via other means

    While this might be true on a blog website using a stock theme that came with WP, it’s not true where WP is being used as a CMS on customized sites. Even your own plugin disagrees with the /users/ endpoint being freely available as it’s blocked by default for anonymous users. I have CPTs that are for internal uses or used as part of bigger blocks, and I have to enable the REST API for them for the block editor to function. I’d rather not leak info about any parts of the infrastructure I don’t have to.

    As a test I’ve re-enabled the REST API and successfully connected it to WF Central. During the process I notice it exchanged some PKI keys. Does this mean it no longer needs anonymous REST access to function correctly?

    > Ultimately, Wordfence Central requires access to the REST API for users who aren’t logged in

    It can’t need access to everything. The details it shows in the Central Dashboard are only available to auth’d users.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @enchiridion,

    The key exchange doesn’t make it an “authenticated” connection as far as WordPress is concerned. Central needs to be able to see the root REST route such as wp-json/ for the initial connection, but the “disable REST” plugins usually let you choose which routes to enable so once connected you could just leave wp-json/wordfence/v1 (and everything underneath it) unblocked.

    Thanks,

    Peter.
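    One way to apply the advice above without a separate "disable REST" plugin, as an added example for this thread (not Wordfence's or WordPress's own code): a small mu-plugin that denies unauthenticated REST requests to every route except the index and the wordfence/v1 namespace. The allow list itself is an assumption taken from the reply above; if Central needs more, add it there.

```php
<?php
/**
 * Plugin Name: Restrict anonymous REST access (example)
 * Description: Deny unauthenticated REST requests except the index route and the wordfence/v1 namespace.
 *
 * Example written for this support thread, not Wordfence code. Place it in wp-content/mu-plugins/.
 * Assumption: the only routes anonymous clients need are "/" (the wp-json/ index that Central reads
 * during the initial connection) and "/wordfence/v1" plus everything beneath it.
 */

// Routes, or route prefixes, that unauthenticated clients may still reach.
const RESTRICT_REST_ANON_ALLOW = array(
    '/',              // REST index, served at wp-json/
    '/wordfence/v1',  // Wordfence Central namespace and all routes under it
);

/**
 * Return true when $route is on the anonymous allow list.
 * A prefix entry only matches whole path segments, so "/wordfence/v1" does not
 * accidentally allow "/wordfence/v10".
 */
function restrict_rest_anonymous_route_allowed( $route ) {
    $route = '/' . ltrim( (string) $route, '/' );
    foreach ( RESTRICT_REST_ANON_ALLOW as $allowed ) {
        if ( '/' === $allowed ) {
            if ( '/' === $route ) {
                return true;
            }
            continue;
        }
        if ( $route === $allowed || 0 === strpos( $route, $allowed . '/' ) ) {
            return true;
        }
    }
    return false;
}

// rest_pre_dispatch runs after WordPress has authenticated the request (cookie + nonce,
// application password, etc.) but before any endpoint callback executes.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already produced a response or error
    }
    if ( is_user_logged_in() ) {
        return $result; // authenticated users keep normal REST access (block editor etc.)
    }
    if ( restrict_rest_anonymous_route_allowed( $request->get_route() ) ) {
        return $result; // allow-listed route, let the request proceed
    }
    return new WP_Error( 'rest_forbidden', 'REST API access requires authentication.', array( 'status' => 401 ) );
}, 10, 3 );
```

    After enabling it, confirm that an anonymous GET to wp-json/wp/v2/users returns 401 while wp-json/ still returns the index, then reconnect the site from the Wordfence Central widget.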

    Thread Starter Shannon Little

    (@enchiridion)

    Thanks, that was what I needed to know!

  • The topic ‘REST API Access’ is closed to new replies.