Helping to secure WP (WordPress) sites

Did you know that WP has an API built into it, and that the API is fairly open? I know I didn’t, and I only noticed because there were some odd calls to /wp-json showing up in my site’s logs. I’m now very thankful there was logging in place to see these odd calls.

It appears that WP accepts calls to its REST API from any external source (a little scary in my opinion, and ripe for abuse by bad actors). Upon investigation, I found that you can modify a file in your currently active theme in order to (at least) disable the API for unauthenticated users.

To do so, edit your theme’s functions.php file and add the following block of code.

add_filter( 'rest_authentication_errors', function( $result ) {
    // Another authentication handler already decided (a WP_Error, or true for
    // an authenticated request): leave that decision untouched.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // No user session: refuse the request with HTTP 401.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
    }
    // Logged-in user: let the request continue.
    return $result;
});

This is just a helpful start as well. Disabling the API altogether doesn’t seem to be the best solution, as there may be plugins that depend on the API. Another potential option is to allow unauthenticated connections only from localhost. This is useful because it prevents visitors from using the API, BUT I’m not sure whether there are other ramifications of going this route.
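One way to implement that localhost-only variant, as an added example rather than code from the original post: unauthenticated requests are accepted only from the loopback interface, logged-in users are unaffected, and every refusal is written to the PHP error log so the odd calls stay visible. It assumes PHP receives client connections directly; behind a reverse proxy, REMOTE_ADDR holds the proxy’s address and the check must be adapted to that setup instead of trusting X-Forwarded-For.

```php
<?php
// Added example for functions.php (not from the original post): allow
// unauthenticated REST API calls only from the loopback interface.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // A WP_Error or true from another handler means the decision is made.
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Logged-in users (including the block editor, which sends a nonce) pass.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Assumption: no reverse proxy, so REMOTE_ADDR is the real peer address.
    // X-Forwarded-For is deliberately ignored because clients can set it.
    $remote   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $loopback = array( '127.0.0.1', '::1' );

    // Local callers (cron jobs, scripts on the same host) are still allowed.
    if ( in_array( $remote, $loopback, true ) ) {
        return $result;
    }

    // Keep a record of what was refused; this is what made the problem
    // visible in the first place.
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    error_log( sprintf( 'REST API request refused from %s to %s', $remote, $uri ) );

    return new WP_Error(
        'rest_not_logged_in',
        'REST API access requires authentication.',
        array( 'status' => 401 )
    );
} );
```

Plugins that call the REST API server-side from the same host keep working, since those requests arrive from the loopback address.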

Hope this helps!