What Are WP REST API Attacks And How To Protect Your Site

What is the WordPress REST API?

REST stands for Representational State Transfer. It is a stateless client-server protocol that is mostly used over HTTP. REST is a general web standard and is not specific to WordPress; the WordPress REST API uses it to expose your WordPress website as a web service. This means that other websites, mobile applications, desktop or server software, and other components can retrieve data from your WordPress site programmatically and automatically, without loading the site in a browser.

What information can be retrieved from the WordPress REST API?

By default, everyone can anonymously query the WordPress API running on your WordPress website to retrieve information that is already publicly available, such as posts, pages, media files, etc.

How the WordPress REST API Works

To retrieve information from a website, a client (an attacker included) sends an HTTP GET request that the REST API understands. Let us look at an example: in the image below, an HTTP GET query is sent to a test website running on a test server.

  • Simple example - Here we find out the USERS of a WordPress site, without any access to the site, by using a REST API injection attack, i.e. enumerating users through the public REST API.


    Here we can see the request that was sent: http://localhost/test_site/wp-json/wp/v2/users

    This returned all the USERS registered on this site, and such a list can in turn be used for brute-force and dictionary attacks.

How to protect your site:

To prevent these attacks without disabling the REST API, you can use our simple plugin, which takes no time to set up and blocks these attacks without any pain.

SETTING UP - Google Authenticator

  • Step 1 - Search for miniorange two factor in the search box of the plugins section of your WordPress dashboard and install the plugin called “Google Authenticator Wordpress Two Factor Authentication”.



    Install the plugin and activate it.

  • Step 2 - Now open the plugin; you should be prompted to choose a model. Activate all the features (2FA + Security).



    Now go to the plugin dashboard and enable all the features.

  • Step 3 - Now go to the Content and Spam section under the Login and Spam column.

  • Step 4 - There is a checkbox for WP REST API restriction. Enable it and save your settings.



    Voilà, you are all set. Now anyone who tries to use the REST API to list usernames will be blocked.
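For sites that want the same restriction as a small must-use plugin instead of a settings checkbox, the following is an added example (not the miniOrange plugin's own code) that answers anonymous requests to the /wp/v2/users routes with a 401 while leaving posts, pages and media public. It assumes WordPress core's rest_pre_dispatch filter and route names; the helper example_is_users_route is hypothetical and only used here.

```php
<?php
/**
 * Plugin Name: Restrict the REST API users endpoint to logged-in users
 * Description: Added example mu-plugin. Anonymous requests to /wp/v2/users
 *              get a 401; every other REST route stays untouched.
 */

// Hypothetical helper: does this REST route belong to the users controller?
function example_is_users_route( $route ) {
    // Matches /wp/v2/users, /wp/v2/users/123 and /wp/v2/users/me.
    // $route has no /wp-json prefix and no trailing slash, so the same check
    // covers the ?rest_route=/wp/v2/users query-string form as well.
    return (bool) preg_match( '#^/wp/v2/users(?:/|$)#', $route );
}

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already produced a response; do not override it.
    if ( null !== $result ) {
        return $result;
    }

    // Not the users endpoint: posts, pages, media etc. remain reachable.
    if ( ! example_is_users_route( $request->get_route() ) ) {
        return $result;
    }

    // rest_pre_dispatch runs after REST authentication, so cookie and
    // application-password logins are already reflected here. Logged-in
    // users fall through to core's own permission checks.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Record the blocked request so repeated enumeration is visible in logs.
    error_log( sprintf(
        'Blocked anonymous REST users request for %s from %s',
        $request->get_route(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Returning a WP_Error short-circuits dispatch; status 401 tells
    // legitimate API clients that authentication is required.
    return new WP_Error(
        'rest_users_forbidden',
        __( 'Authentication is required to list users.' ),
        array( 'status' => 401 )
    );
}, 10, 3 );
```

Drop the file into wp-content/mu-plugins/ and verify with an anonymous GET to /wp-json/wp/v2/users (expect 401) and a logged-in request (expect the normal response).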

So in a simple four-step process you can make your site safer and hack-proof. Make sure to visit the rest of the guides to find out more about the capabilities of our plugin.

Happy Defending.