Jay Sims

WordPress Security on a Budget: The Hidden Dangers of JSON API Exposure

The WordPress REST API is an indispensable tool that facilitates seamless integration between external applications and a WordPress site. However, when improperly configured or left unprotected, this feature introduces significant security vulnerabilities. This article marks the beginning of our series on securing WordPress on a budget, providing a comprehensive analysis of the risks associated with JSON API exposure, illustrative examples of potential attacks, and an in-depth discussion of mitigation techniques that can be implemented at no cost.

The Security Implications of JSON API Exposure

By default, WordPress exposes its REST API through the /wp-json/wp/v2/ endpoint, allowing both authenticated and unauthenticated users to retrieve information. This feature is enabled by default to support seamless integration with third-party applications, mobile apps, and automation tools, enhancing WordPress’s extensibility. However, it inadvertently provides adversaries with intelligence that can be leveraged for reconnaissance and exploitation.

The exposure of the WordPress REST API presents several security risks, as it can reveal critical site data to unauthorized users. Attackers can leverage publicly accessible endpoints to enumerate usernames, gather metadata about installed plugins and themes, and extract content-related information. This exposure expands the attack surface, making sites more vulnerable to brute-force attacks, automated exploitation, and data scraping. The following sections will explore these risks in greater detail and outline effective strategies to mitigate them.

1. User Enumeration and Credential-Based Attacks

Attackers can extract a list of registered users, including administrative accounts, using the following endpoint:

https://example.com/wp-json/wp/v2/users

This data is particularly valuable for brute-force login attempts and credential stuffing attacks, as it provides a direct mapping of valid usernames.

2. Content Scraping and Data Exfiltration

Unauthorized API access facilitates large-scale content scraping, exposing unpublished drafts, metadata, and sensitive information that may be inadvertently included within publicly accessible endpoints.

3. Plugin and Theme Fingerprinting

Malicious actors can query specific API routes to determine installed plugins and themes, enabling targeted exploitation of known vulnerabilities.

4. Attack Surface Expansion

The exposure of the REST API effectively broadens an attacker’s scope by offering structured access to critical site information, which can be weaponized for automated exploitation.

Demonstrating the Impact of JSON API Exposure

Unprotected Endpoint Response

A WordPress instance with an unrestricted REST API may return the following JSON response upon querying the users’ endpoint:

[
  {
    "id": 1,
    "name": "admin",
    "slug": "admin",
    "url": "https://example.com",
    "description": "Site Administrator"
  },
  {
    "id": 2,
    "name": "editor",
    "slug": "editor",
    "url": "https://example.com",
    "description": "Content Editor"
  }
]
JSON

This response not only confirms the existence of administrative accounts but also exposes the slug values associated with each user. The slug is a unique identifier used by WordPress to generate author archive pages and can often be used interchangeably with usernames for login attempts. Attackers frequently exploit this exposure for user enumeration, increasing the likelihood of credential-based attacks such as brute force or credential stuffing. By obtaining the slug, an adversary can bypass the need for guessing usernames and instead focus directly on cracking passwords, significantly reducing the complexity of an attack.

Secured Endpoint Response

By implementing appropriate security controls, the same request results in:

{
  "code": "rest_forbidden",
  "message": "Sorry, you are not allowed to access this resource.",
  "data": {
    "status": 403
  }
}
JSON

This response effectively restricts unauthorized queries.

Mitigating JSON API Security Risks

1. Restricting API Access to Authenticated Users

Implementation via Plugin

  1. Navigate to your WordPress dashboard and go to Plugins > Add New.
  2. In the search bar, type Disable REST API and locate the plugin by Dave McHale.
  3. Click Install Now, then click Activate once the installation completes.
  4. By default, this plugin blocks unauthenticated access to the REST API without requiring additional configuration. You can specify restrictions for authenticated profiles through the plugin as well.
  5. To verify functionality, visit https://yourwebsite.com/wp-json/wp/v2/users in an incognito browser window. If configured correctly, it should return an error message instead of exposing user data.

Implementation via functions.php

To restrict API access to logged-in users without a plugin, navigate to your WordPress site’s Theme Editor by going to Tools > Theme File Editor in the WordPress dashboard. In the right-hand panel, locate and open the functions.php file of your active theme. Then, add the following code snippet at the bottom of the file:

function restrict_rest_api_access( $access ) {
    if (!is_user_logged_in()) {
        return new WP_Error( 'rest_forbidden', 'Unauthorized access is prohibited.', array( 'status' => 403 ) );
    }
    return $access;
}
add_filter( 'rest_authentication_errors', 'restrict_rest_api_access' );
PHP

2. Blocking Specific API Endpoints

If the REST API is required for functionality but certain endpoints must be restricted, .htaccess rules provide an effective solution if you do not want to use the plugin mentioned above. To modify your .htaccess file, follow these steps:

  1. Log in to your web hosting account and access the cPanel or File Manager.
  2. Navigate to the public_html directory (or the root directory of your WordPress installation).
  3. Locate the .htaccess file. If you do not see it, ensure that hidden files are enabled in your File Manager settings.
  4. Download a backup of the file before making any changes.
  5. Open the .htaccess file using a text editor.
  6. Add the necessary rules to restrict access to specific REST API endpoints.
  7. Save the file and upload it back to the server if necessary.
  8. Test your website to ensure that the changes are applied correctly without affecting normal functionality.

Blocking the User Enumeration Endpoint

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [NC]
RewriteRule .* - [F]
</IfModule>
Bash

4. Disabling JSON API if Unnecessary

For WordPress instances that do not utilize the REST API, complete deactivation is recommended. Follow the steps above to find where to locate your functions.php and .htaccess files where applicable. 

Using functions.php

add_filter( 'json_enabled', '__return_false' );
add_filter( 'json_jsonp_enabled', '__return_false' );
PHP

Blocking API Requests via .htaccess

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/ [NC]
RewriteRule .* - [F]
</IfModule>
Bash

Conclusion

The WordPress REST API, while integral for modern web development, introduces exploitable security vulnerabilities if inadequately secured. By implementing stringent access controls—such as restricting unauthenticated requests, blocking sensitive endpoints, and leveraging security plugins—administrators can fortify their sites against reconnaissance, brute-force attacks, and unauthorized data access. These preventative measures, all of which can be implemented at no cost, significantly enhance the security posture of a WordPress site.

Want help implementing this in your environment? Contact us now for a free consultation. 

Share with Friends:

Leave a Reply

Your email address will not be published. Required fields are marked *