• I just found out that all info on media files on your website is visible to the outside world with example.com/wp-json/wp/v2/media. Even media files that are nowhere used in the website (and are in no way visible by using the website, but are just uploaded to the website) are exposed.

    Is there any way to prevent this, apart from shutting down the REST API completely?

    • This topic was modified 4 years, 10 months ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Developing with WordPress topic
Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi @stilldreaming , this has already been discussed here: https://www.ads-software.com/support/topic/why-is-the-rest-api-enabled-by-default/

    Short answer:

    WordPress uses the REST API itself, so it needs to be enabled for things like the new editor. Plugins can modify the user listing issue.

    Makes sense?

    Thread Starter stilldreaming

    (@stilldreaming)

    Hi @developress, thanks for your answer. Apparently I did not search enough and missed the link you provided.

I read the complete thread and it did not make any sense at all. It does not go into the fact that all kinds of info that were previously behind the login are now exposed to the world. Someone even called it an edge case, which is a euphemism…

    I don’t care if it is a security or privacy concern, or any other concern. A login is not there for fun.

    It feels like the database is now in the open, including things that are not meant to be open. I can think of a lot of data types that you don’t want to be public.

    But I get the sense that I am too late & this is a discussion that is over. It’s sort of a “take it or leave it” thing now.

    Maybe I should rephrase my question to: is there any part of WordPress that doesn’t work anymore when I disable the REST API for logged-in users?

Sorry, it's not personal. I just feel that WP dropped the ball big time.

    I understand your concerns and I probably agree with you. I do not work for WordPress, I am just a contributor trying to help so I do not take it personally.

    You can disable the REST API with a plugin: https://www.ads-software.com/plugins/disable-wp-rest-api/

You will not be able to use the new editor and probably many plugins that use the API.

    Thread Starter stilldreaming

    (@stilldreaming)

    Hi @developress,

    Thanks. I’ll look into it some more as I am inclined to disable the REST API completely for logged-in users. If it doesn’t mess with functions I need, that is. And otherwise I will have to look at ways to have a more fine-grained approach.

    Others are invited to respond. What do I miss when the REST API is disabled for logged-in users?

    Moderator bcworkz

    (@bcworkz)

    Whether we like it or not WP is leaning on the API more and more. Even if something works now without it, it could fail at some point in the future. Disabling the API is not a viable long term strategy for WP to remain usable.

    If there are specific media items which you need to suppress from the API, you could use the ‘rest_prepare_attachment’ filter to unset such data when it occurs in the response. Removing an item like attachment ID 123 for example, can be done this way. Removing all media not used in posts would not be viable criteria for removal because it’s not easily determined by code logic.
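The two options raised in this thread (requiring a login for the media routes only, rather than disabling the whole REST API, and suppressing specific attachments such as ID 123 through the `rest_prepare_attachment` filter) can both be done from a small must-use plugin. The code below is an added example and is not code from the forum thread, the linked plugin or WordPress core; the attachment IDs 123 and 456, the `example_` function and filter names, and the choice of fields stripped for anonymous requests are assumptions made for illustration. Only the filter names `rest_pre_dispatch`, `rest_attachment_query` and `rest_prepare_attachment` and their signatures are WordPress core.

```php
<?php
/**
 * Plugin Name: Restrict media REST routes (added example)
 *
 * Added example, not code from the forum thread or from WordPress core.
 * Assumptions (hypothetical): attachment IDs 123 and 456 must never appear
 * in the API, and /wp/v2/media routes should require a logged-in user.
 */

// Hypothetical list of attachment IDs to keep out of the REST API entirely.
function example_hidden_attachment_ids() {
    return apply_filters( 'example_hidden_attachment_ids', array( 123, 456 ) );
}

// Route matcher: /wp/v2/media and /wp/v2/media/<id>, nothing else.
function example_is_media_route( $route ) {
    return 1 === preg_match( '#^/wp/v2/media(/|$)#', $route );
}

// 1. Require authentication for the media routes only. Every other route,
//    including those the block editor needs, is left alone. Editor requests
//    carry the cookie + nonce, so is_user_logged_in() is true for them.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already short-circuited this request
    }
    if ( example_is_media_route( $request->get_route() ) && ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You must be logged in to access media.', 'example' ),
            array( 'status' => rest_authorization_required_code() ) // 401 when not logged in
        );
    }
    return $result;
}, 10, 3 );

// 2. Keep hidden attachments out of collection responses (GET /wp/v2/media),
//    even for logged-in users, by excluding them at the query level.
add_filter( 'rest_attachment_query', function ( $args, $request ) {
    $not_in = isset( $args['post__not_in'] ) ? (array) $args['post__not_in'] : array();
    $args['post__not_in'] = array_values(
        array_unique( array_merge( $not_in, example_hidden_attachment_ids() ) )
    );
    return $args;
}, 10, 2 );

// 3. Refuse single-item requests (GET /wp/v2/media/123) for hidden attachments
//    with the same 404 WordPress uses for unknown IDs, so existence is not
//    confirmed, and unset fields from the response for anonymous requests.
//    The anonymous branch is defence in depth: step 1 normally blocks such
//    requests before this filter runs.
add_filter( 'rest_prepare_attachment', function ( $response, $post, $request ) {
    if ( in_array( (int) $post->ID, example_hidden_attachment_ids(), true ) ) {
        return new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) );
    }
    if ( ! is_user_logged_in() ) {
        $data = $response->get_data();
        // Hypothetical choice of fields to withhold from anonymous callers.
        foreach ( array( 'author', 'description', 'caption' ) as $field ) {
            unset( $data[ $field ] );
        }
        $response->set_data( $data );
    }
    return $response;
}, 10, 3 );
```

Drop the file in wp-content/mu-plugins/ and verify from a logged-out shell: `curl -si https://example.com/wp-json/wp/v2/media` should now return HTTP 401 with a `rest_forbidden` body instead of the JSON list, while a logged-in editor session still loads the media library. Two caveats: the `rest_prepare_attachment` check returns a WP_Error, which is only clean on single-item routes, so the collection case must be handled by the `rest_attachment_query` exclusion in step 2; and none of this touches the files themselves, which the web server still serves from wp-content/uploads/ to anyone who already knows the URL. What is closed here is enumeration through the API, not access to a known file.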

    Thread Starter stilldreaming

    (@stilldreaming)

    Hi @bcworkz,

Thanks for your contribution. You write “Disabling the API is not a viable long term strategy for WP to remain usable.” That might very well be the case. Even if disabling the REST API for non logged-in users is an OK option now, that might some day crash sites. I understand that. It’s a pity, but well…

If I understand correctly the message from core developers is that:
    • WP needs the REST API,
    • that opens sensitive data from your db to the public,
    • if that’s the case (and that is almost always so) fix it yourself.

    Thanks for your contribution. I’ll see if I can use this (and one in another thread) to tighten security around the database from my sites, without shutting the REST API down completely. Apparently it is used by the block editor (don’t get why that is, but that’s a new discussion).

    • This reply was modified 4 years, 10 months ago by stilldreaming.
  • The topic ‘REST API / Media’ is closed to new replies.