I have been using WordPress for this blog for several years and always thought my setup was reasonably secure. Turns out that there is something called the WordPress REST API which allows anyone to get quite a lot of information about the installation without any authentication at all. E.g. https://blog.dummzeuch.de/wp-json/wp/v2/users used to show a list of all my registered users (all three of them: me, myself and I). That the list is so short is only a coincidence, because I have disabled comments. There are similar lists for all articles, all pages and – most worryingly – all media contents. So, if I had ever used the upload feature of my blog to share a file with somebody else, it would have been possible for anybody who knew about this REST API to find the file name and access that file.
I read about this security – or at least privacy – hole in the current issue of the German c’t magazine (I am subscribed to the dead tree edition). And today I plugged it. For this particular problem, there is a simple fix: Install the Disable WP REST API plugin. It changes the API to only work when a user is logged in. Everybody else gets this error:
{"code":"rest_login_required","message":"REST API restricted to authenticated users.","data":{"status":401}}
In case you are worried: The WordPress Android App still works even if that plugin is installed.
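For those who would rather not install yet another plugin: the same behaviour can be reproduced with a few lines of PHP hooked into WordPress’ rest_authentication_errors filter. The following is an added example written for this post, not the code of the Disable WP REST API plugin; the file name and location (wp-content/mu-plugins/) are my assumption.

```php
<?php
/**
 * Plugin Name: Restrict REST API to logged-in users (example)
 *
 * Save as wp-content/mu-plugins/restrict-rest-api.php; must-use plugins are
 * loaded automatically and cannot be deactivated from the dashboard.
 * Anonymous requests to /wp-json/... get a 401 with code "rest_login_required",
 * while cookie/nonce- or application-password-authenticated requests
 * (e.g. the WordPress mobile app) keep working.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler already decided (true = authenticated,
    // WP_Error = e.g. invalid nonce). Keep that result instead of masking it.
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Nobody has authenticated this request: deny it unless WordPress already
    // recognises the visitor as a logged-in user.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_login_required',
            'REST API restricted to authenticated users.',
            array( 'status' => 401 )
        );
    }

    // Logged in: let the request through unchanged.
    return $result;
} );
```

Caveat: this blocks every anonymous REST request, so anything on the site that relies on unauthenticated REST access (some contact-form plugins, oEmbed previews of your posts on other sites) stops working; check the front end after enabling it.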
And since I am always curious, I tried some other blogs and found quite a few for which this API was open.
I also changed the WordPress login page to require basic authentication as described here (in German). Yes, that means two logins are required now, but that’s not much of an inconvenience since I am the only user.
If you want to discuss this article, go to the related post in the international DelphiPraxis forum.