Trafficinspector
Replacement of question elsewhere concerning your advice to restrict access to REST API.
1) How do I get to know which plugins use the REST API? I checked e.g. the contact form and that worked because the REST API works for the administrator. So I need to check from the outside. For me, a small blogger with 22 plugins operational and not that much knowledge of the inner workings, this becomes a nuisance and a lot of time and work. Can’t this check be done automatically, e.g. by suggesting or something? At least that part of the research then is done.
2) Why should I permit or not permit /oembed/? Is it a threat?
3) In general, how should I know what is safe and what is not? Apparently the default is to permit nothing. Why is it not possible to default all plugins to access (and e.g. also ‘oembed’)? Apparently that is unsafe? How can we, as non-insiders, know what is safe without proper advice?