The Foundation of Safety

I’ve been working on a tool to automate posting messages on WordPress from a Git repository. The project has been a lot of fun, partly because I’ve been trying out Go for the first time, but also because it covers several different technologies at the same time. To post to WordPress I’ve been using its REST API. However, there is a significant issue with the current REST interface for WordPress. The way WordPress is configured by default, the entire user list for a given site is available via a non-authenticated GET request. If you are running a site on a recent version of WordPress (the REST API is installed by default on versions 4.7 and above) you can see for yourself with a simple curl request:

curl -X GET https://www.mysite.com/wp-json/wp/v2/users

This is simply not acceptable for most installations. The best fix is to add a filter to the REST API itself that blocks the /wp/v2/users endpoint for any verb. To do that, go to Plugins → Editor. Under Select plugin to edit choose WP REST API and hit the Select button. Under Plugin Files click on plugin.php. In the file that comes up, add the following code just after the add_filter/add_action function calls (around line 134).

[php]
// Remove the user-listing routes from the REST server so that
// every verb (GET, POST, ...) against them returns 404 (rest_no_route).
add_filter( 'rest_endpoints', function( $endpoints ) {
  // Collection route: /wp/v2/users
  if ( isset( $endpoints['/wp/v2/users'] ) ) {
    unset( $endpoints['/wp/v2/users'] );
  }
  // Single-user route, registered by core with a named regex group:
  // /wp/v2/users/(?P<id>[\d]+)  (the key must match core's route exactly)
  if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
  }
  return $endpoints;
} );
[/php]

Now click Update File and you should get a 404 response if you try your curl request again.
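A variation on the same filter, added here as an example and not part of the original post: instead of editing plugin.php (which is overwritten the next time the plugin updates), the filter is shipped as a must-use plugin file under wp-content/mu-plugins/, and it only hides the user routes from requests that are not authenticated, so an automated publisher that logs in (cookie and nonce, or whatever authentication method the site has configured) can still use them. The file name and the function/constant names are my own choices; `rest_endpoints`, `is_user_logged_in()` and the two route keys are WordPress core's.

```php
<?php
/**
 * Plugin Name: Hide REST user routes from anonymous requests
 *
 * Added example (not the original post's code). Save as
 * wp-content/mu-plugins/hide-rest-user-routes.php; mu-plugins load
 * automatically and are not touched by plugin updates.
 */

// Route keys exactly as WordPress core registers them. An anonymous client
// can enumerate accounts through either one, so both are removed.
const HIDE_REST_USER_ROUTES = array(
    '/wp/v2/users',
    '/wp/v2/users/(?P<id>[\d]+)',
);

/**
 * Drop the user routes from the route table for unauthenticated requests.
 *
 * rest_endpoints runs after the REST server has authenticated the request,
 * so is_user_logged_in() reflects the calling client, not a cached value.
 *
 * @param array $endpoints Registered routes, keyed by route pattern.
 * @return array Possibly reduced route table.
 */
function hide_rest_user_routes( array $endpoints ) {
    // Authenticated clients keep the routes (they could read the list
    // through wp-admin anyway); anonymous clients get 404 rest_no_route.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( HIDE_REST_USER_ROUTES as $route ) {
        unset( $endpoints[ $route ] ); // unset on a missing key is a no-op
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'hide_rest_user_routes' );
```

To check the result, repeat the curl request from the top of the post without any credentials: the response should now be a 404 with code `rest_no_route`, while the same request carrying a valid login cookie and `X-WP-Nonce` header still returns the user list.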