
Opened 8 months ago

Last modified 8 months ago

#52384 new feature request

WordPress API - Add Limit / Block API Access Features

Reported by: Darko A7 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: REST API Keywords:
Focuses: Cc:

Description

Hi,

The WordPress API is a powerful tool, but many users don't actually need or want it. While we can disable it using 3rd party plugins, I believe that basic features to limit access to the API via specific/custom tokens, custom users, logged-in (authenticated) users, IP address(es) or CIDR ranges and so on -- should be provided in-core. Yes, yes I know we can achieve it via plugins, but they are not always the best way to do it, and sometimes they have bugs, do not pass through other installed plugins that actually use the API (e.g. CF7), which may create problems, and so on.

What do you think?
Thanks

Change History (1)

#1 @tezalsec
8 months ago

I agree.

Core could allow for configuration to whitelist variable elements in the API endpoints:

  • endpoint url,
  • optional url token parameter,
  • query url parameters (also to limit requestable amount of data) and
  • IP address.

Individually, or combined.

Something like this really should be in core. Like managing ports on a server. Only open what is needed (under controlled conditions), and keep the rest closed. Just allowing it all open with WP-json is bad for security, privacy and resources.

It would be a nice way to allow for safe communication between self-managed servers, or business to business data exchange.
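As an added illustration of what the ticket and the comment above are asking for (constructed example code, not WordPress core code and not from the reporter or commenter), the following `mu-plugin` implements the described controls with the real core filter `rest_pre_dispatch`: an allow-list of public routes, access for authenticated users, an IPv4 CIDR allow-list, and a shared token. The route patterns, the CIDR list, the `WP_REST_TOKEN` constant and the `X-Api-Token` header name are assumptions chosen for the example; the token is read from a header rather than a URL parameter so it does not land in access logs.

```php
<?php
/**
 * Constructed example (not WordPress core code): restrict REST API access
 * by route allow-list, authentication, IPv4 CIDR allow-list and a shared
 * token, using the core filter `rest_pre_dispatch`.
 *
 * Assumptions: WP_REST_TOKEN is defined in wp-config.php, and the two
 * hypothetical allow-lists below are edited to fit the site.
 */

// Routes that stay reachable without further checks (hypothetical list).
function example_public_routes() {
    return array(
        '#^/contact-form-7/#', // assumed CF7 namespace; CF7 submits via the REST API
        '#^/wp/v2/posts$#',
    );
}

// Source networks allowed to reach everything else (hypothetical list).
function example_allowed_cidrs() {
    return array( '127.0.0.1/32', '10.0.0.0/8' );
}

// True if $ip (IPv4 dotted quad) lies inside $cidr ("a.b.c.d/n").
function example_ip_in_cidr( $ip, $cidr ) {
    list( $subnet, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, 32 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long ) {
        return false; // anything that is not IPv4 never matches
    }
    $bits = (int) $bits;
    if ( $bits < 0 || $bits > 32 ) {
        return false; // malformed prefix length
    }
    $mask = ( 0 === $bits ) ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/**
 * Runs before every REST request is dispatched. Returning null lets the
 * request continue; returning a WP_Error makes core send that error.
 */
function example_restrict_rest_access( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // an earlier filter already decided
    }

    $route = $request->get_route();
    foreach ( example_public_routes() as $pattern ) {
        if ( preg_match( $pattern, $route ) ) {
            return null; // allow-listed route
        }
    }

    // Authentication (cookie + nonce, application passwords) has already
    // run by this point, so this reflects a verified user.
    if ( is_user_logged_in() ) {
        return null;
    }

    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy that is the proxy,
    // so configure trusted-proxy handling at the web server before relying
    // on this check; never read X-Forwarded-For directly here.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( example_allowed_cidrs() as $cidr ) {
        if ( example_ip_in_cidr( $ip, $cidr ) ) {
            return null;
        }
    }

    // Shared token in a request header; hash_equals() avoids timing leaks.
    $token = (string) $request->get_header( 'x-api-token' );
    if ( defined( 'WP_REST_TOKEN' ) && '' !== $token && hash_equals( WP_REST_TOKEN, $token ) ) {
        return null;
    }

    return new WP_Error(
        'rest_forbidden',
        __( 'REST API access is restricted on this site.' ),
        array( 'status' => 401 )
    );
}
add_filter( 'rest_pre_dispatch', 'example_restrict_rest_access', 10, 3 );
```

Dropping this file into `wp-content/mu-plugins/` activates it without a plugin screen. The order of checks matters for the failure mode the ticket mentions: a plugin that itself calls the REST API from the front end (CF7 in the example) keeps working only because its namespace is on the route allow-list, so any new integration needs its routes added there or it will receive the 401 response.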
