Would they had privy to the APIs before your plugin or am I explicitly opening the doors now with that line of code?
Developers would have public access to the API before adding Force Login.
By adding the remove_filter()
code above, you’re removing Force Login’s added security to block the WordPress API from being publicly accessible.
However, the add_filter()
code above sets the REST API authentication to always be true
or accessible; this might open access to otherwise authentication required endpoints.
how sensitive of data can they see?
You’ll have to read through the developer docs about the WordPress REST API to understand how it allows access to your site data.
“The REST API is a developer-oriented feature of WordPress. It provides data access to the content of your site, and implements the same authentication restrictions — content that is public on your site is generally publicly accessible via the REST API, while private content, password-protected content, internal users, custom post types, and metadata is only available with authentication or if you specifically set it to be so. If you are not a developer, the most important thing to understand about the API is that it enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.”
https://developer.www.ads-software.com/rest-api/
is there a way to just isolate the WP Social API?
Yes, probably–?but you will need to figure out how to identify that plugin is calling the API to then authenticate / allow it to access the API through the same rest_authentication_errors
hook.