Reply to post: Sigh

WordPress fixed god-mode zero day without disclosing the problem

Tim Brown 1


I just had a look at the details of the bug. It was found in the new REST API that Wordpress enabled by default for the first time in 4.7.0

When I read the patchnotes for 4.7.0 I sighed inwardly at having a new API which I had no interest in using currently, enabled by default and I looked for a way to turn it off. It seemed that there was no easy way to disable it and the documentation I found cautioned against doing so anyway as the API is apparently used by unspecified core routines

Here's a quote from someone on StackOverflow:

"The REST API is not really a security issue, but I suppose some could surface in the future. It's much more important to look at Hardening WordPress - WordPress Codex and Brute Force Attacks - WordPress Codex

As of WordPress 4.7, the filter provided in core for disabling the REST API (via functions.php) was removed because the API is in core now. There is no official option to disable the API as some core functionality depends on it. So if you disable the API, you may see breakage because by default the API core and is available for use by themes and plugins and other sites."

(I bet the author of that reply feels pretty stupid about that first sentence now!)

The whole thing is just an accident waiting to happen. I shall look again at ways to turn off this unwanted API.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021