WP 4.7 REST API still accessible while in maintenance mode
-
Hi John, thanks for the great plugin!
I recently updated to WordPress 4.7, and I was hoping that a site in maintenance mode wouldn’t have its content publicly accessible via the new REST API.
To replicate this, update to 4.7, then put your site into maintenance mode, then visit a URL such as:
https://example.com/wp-json/
or
https://example.com/wp-json/wp/v2/pagesIf a site is in maintenance mode, then I think that unauthenticated REST API requests shouldn’t be allowed. Otherwise post/page/comment content is all publicly accessible via the API even though the site is in maintenance mode or coming soon mode.
Thanks very much,
James
-
Hi again John,
I’ve just had a quick look at this.
The REST API is loaded during the
parse_requesthook (reference), but your plugin uses thetemplate_redirecthook.So if you were to change line 27 (and possibly 25) to use
parse_requestinstead oftemplate_redirect, then the REST API isn’t accessible when coming soon or maintenance mode is active.The only other question would be whether or not your plugin needs to return some kind of JSON response (rather than a HTML response) if the requested URL is a REST API request.
James
- The topic ‘WP 4.7 REST API still accessible while in maintenance mode’ is closed to new replies.
