Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#37062 closed defect (bug) (invalid)


Reported by: n-for-all's profile n-for-all Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.5
Component: REST API Keywords:
Focuses: Cc:


Why is the API activated by default in v4.4? an extra hole for hacking or what? and no option for deactivating?, it should be deactivated by default, i am not sure why wordpress dev's always decide what the user wants instead of giving him a choice...

look at xmlrpc i have never used and never plan to use it, and have created more than 400 blogs in wordpress and none for the clients asked for it, so it is useless activation...

if your app depends on the xmlrpc or json, it can show a message to activate the xmlrpc or json with a link.

Right now the system start to become very slow, very buggy and the database very big for a small amount of posts because of the revisions, a site with 5 pages end up with 30 pages in the database, you should split the chunks to make sure you save only the modified part of the post, do you think a system slow as this can be good for apps developing to activate the wp-json be default?

Is it also worth activating the API because 5% of the blogs might use it?

We are overloading the system now with security plugins to protect it and instead of finding a solution, you add another problem for us to deal with "Securing the JSON API"

Change History (2)

#1 @swissspidy
8 years ago

  • Component changed from General to REST API
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hey there

Only the REST API infrastructure has been integrated into core with 4.4, nothing else. No endpoints for posts, pages or the like.

The only endpoint available is for oEmbed, which only allows GET requests and thus isn't "an extra hole for hacking":

XML-RPC and the REST API infrastructure are on by default because the average user has no idea how to enable those or doesn't even know what they are.

If you want to deactivate the infrastructure nonetheless, there are plenty of filters and even a plugin to do so.

#2 @rmccue
8 years ago

Also, on the topic of the REST API endpoints: our policy is to only expose data that is already available publicly. If you're concerned about the security or privacy implications in any case, definitely install the plugin.

However, it's possible that in the future, the core REST API will be used in the admin, similar to the current usage of admin-ajax. If that does happen, we'll try our best to ensure the admin experience isn't significantly degraded if you have the API disabled, as we know some people will want to make that choice.

Note: See TracTickets for help on using tickets.