Resolved: fbf3

    (@fbf3)


    Does this plug-in restrict legitimate use of the REST API by installed plug-ins or WP core when the site visitor is not logged in, e.g., a public informational website?

    Or does it only affect external calls to the site, likely by bots attempting to get a list of users, etc.?

    Just want to make sure it doesn’t restrict legitimate use of the API.

    Plugin Author Dave McHale

    (@dmchale)

    Hi, sorry for the delay I’ve been on vacation.

    Short answer: If you have a legitimate need of the REST API, I would not recommend you use this plugin.

    Long answer: Even if I wanted to, “legitimate use” of the API is a tough thing to pin down. The REST API can be called by the server, or (quite often/most often) as an external call by unauthenticated site visitors’ browsers via AJAX. Since it’s impossible to predict how a theme or plugin may want to make use of the REST API, I cannot reliably say whether a simple attempt to talk to the API is “legitimate” or not. This plugin is meant to turn the REST API on or off at the global level, but leaves it enabled in the admin area since /wp-admin has been roadmapped for API functionality. If you would like to lock down *only* the Users endpoint, or only allow access to some endpoints and not others, I would recommend searching for another plugin that would give you the granular level of access that you may require. While I know they are out there, I unfortunately have not tested any of them myself so I can’t give a personal recommendation which one(s) to look for.

    I hope that answers your question!

    Thread Starter fbf3

    (@fbf3)

    Thanks for the detailed reply.

    May I suggest the ability to whitelist certain endpoints? For example, Contact Form 7 has recently switched to the WP REST API and broke itself in the process (as of v4.8) for many users who have no idea why it broke and have this plugin installed.

    https://www.ads-software.com/support/topic/contact-form-7-4-8-using-rest-api/
    https://www.ads-software.com/support/topic/contact-form-7-version-4-8-sending-does-not-work/
    https://www.ads-software.com/support/topic/contact-form-7-rest-api/

    The endpoint it uses is: wp-json/contact-form-7/v1/contact-forms/<NUM>/feedback. If we could whitelist it for public use, and the rest would remain blocked off, that’d be great.

    Plugin Author Dave McHale

    (@dmchale)

    Thanks for the heads up, @archon810. I suppose this was inevitable at some point, I’ll see what I can come up with to make it easier for admins – and potentially other plugin authors – to work with this plugin for when situations like this arise.

    Awesome, thank you @dmchale!

    Thanks for the quick response, @dmchale.

    Edi

    (@psychosopher)

    Can the whitelisting manually be fixed?

    Plugin Contributor Tang Rufus

    (@tangrufus)

    My client came across the same issue. We can remove DRA’s filter according to current rest route.

    Free beer for you: Disable REST API Jailbreak

    I’ve submitted it to wp.org for review. If you want to try it now, make sure you check how to define REST route whitelist in README.txt

    Plugin Author Dave McHale

    (@dmchale)

    cheers for that work, @tangrufus

    I’ll clarify / backpedal slightly on my initial reply to this thread, though. In the plugin’s current state, I do not recommend people use this plugin if they have need of API endpoints. But per my second comment above, I do acknowledge something needs to be done inside the plugin. I started work on it this week but unfortunately Real Life is a bear right now so I don’t have anything to push out yet. Part of what’s left to do is ensuring that the regex matching on the endpoints works, since I’m trying to support those dynamically (your implementation appears to support only hardcoded paths, but an admin would have to individually list ALL numeric iterations at a single endpoint, if I understand the instructions in your readme file).

    I’m aiming for a Tuesday/Wednesday release to github (fingers crossed), so that people who wish can help test it before I do an official release to the repository. Adding whitelisting tools for the admins is a big update for this plugin and I want to have a few people spot-check things in their environments before I push the update to the 20k+ people who currently have this installed.
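As an added example of the approach the thread converges on (Tang Rufus’s “remove the block according to the current rest route” and Dave’s regex whitelist, so that a route carrying a numeric ID such as the Contact Form 7 feedback route needs one pattern rather than one entry per form): this is PHP written for this page, not the code of Disable REST API 1.4 or of the Jailbreak plugin, and the `example_*` function names and the hardcoded pattern list stand in for whatever settings storage a real plugin would use.

```php
<?php
// Illustration only (not Disable REST API 1.4 or the Jailbreak plugin): refuse
// REST requests from visitors who are not logged in, except whitelisted routes.

// Hypothetical whitelist of regexes matched against the REST route (the part
// after /wp-json). The Contact Form 7 feedback route carries a numeric form ID,
// so one pattern covers every form instead of listing each ID by hand.
function example_rest_route_whitelist() {
    return array(
        '#^/contact-form-7/v1/contact-forms/\d+/feedback$#',
    );
}

// Route of the current REST request, normalised to a leading slash and no
// trailing slash, e.g. "/wp/v2/users". An empty route becomes "/".
function example_current_rest_route() {
    $route = '';
    if ( ! empty( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
        $route = $GLOBALS['wp']->query_vars['rest_route'];
    }
    return '/' . trim( $route, '/' );
}

function example_route_is_whitelisted( $route, $patterns ) {
    foreach ( $patterns as $pattern ) {
        if ( preg_match( $pattern, $route ) === 1 ) {
            return true;
        }
    }
    return false;
}

// rest_authentication_errors runs before any endpoint callback. Returning a
// WP_Error makes WP_REST_Server refuse the request with that status. Priority
// 101 runs after core's cookie nonce check (priority 100), so a cookie without
// a valid nonce has already been demoted to an anonymous request here.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( is_wp_error( $result ) || is_user_logged_in() ) {
        return $result; // Keep an earlier error; logged-in users are unaffected.
    }
    $route = example_current_rest_route();
    if ( example_route_is_whitelisted( $route, example_rest_route_whitelist() ) ) {
        return $result;
    }
    return new WP_Error(
        'rest_cannot_access',
        __( 'Only authenticated users can access the REST API.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}, 101 );
```

Anchor each pattern with `^` and `$` as above; an unanchored pattern would also match any longer route that merely contains the whitelisted text.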

    Plugin Author Dave McHale

    (@dmchale)

    Apologies for the delay, but I hope it’s worth it for those who have been hoping for this release. I have added a settings page to the plugin, which allows you to whitelist routes that are registered with the REST API.

    If anyone would like to help TEST the 1.4 release before I push an official copy to the repository, I’ve posted it to github. It has passed my own testing, but since I can’t possibly anticipate every use-case of the API nor which plugins already add namespaces to the API I cannot test every example myself either.

    https://github.com/dmchale/disable-json-api

    Cheers again for the borrowed code you may recognize in there @tangrufus

    Using v1.4 TEST, there are no problems with CF7 and WP 4.8.1, thanks. We’re not using the REST API for anything other than CF7 though…

    Thanks for the continued efforts on this plugin @dmchale and @tangrufus. I also appreciate the thoughtful and informative responses to support questions.

    Plugin Author Dave McHale

    (@dmchale)

    Appreciate the feedback and kind words, @wu-wei . I think we’re juuuuust about ready to push this release!

    Plugin Author Dave McHale

    (@dmchale)

    @fbf3 @archon810 @bsteinlo @psychosopher @tangrufus @wu-wei

    Version 1.4 is now in the plugin repository. Cheers everyone, and thanks for your patience. If you have any troubles (though I don’t anticipate any – by default, the plugin will continue to keep 100% of the API locked down without needing to do anything with the new settings page), please create a new support ticket.

    https://www.ads-software.com/plugins/disable-json-api/

The topic ‘Restrict plug-in use of REST API’ is closed to new replies.