Opened 14 months ago
Last modified 14 months ago
#59620 new enhancement
Remove a query to /wp-json/wp/v2/users from the editor where there isn't a real need
Reported by: | oglekler | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Editor | Keywords: | |
Focuses: | rest-api | Cc: | |
Description
I've unset the `/wp/v2/users` and `/wp/v2/users/(?P<id>[\d]+)` endpoints to remove access to the users list and make it harder for bots that are trying the login form (this one is custom as well, so they are actually not doing it, but this is not the point), and I've got a 404 error in the Editor in admin, but everything is working, and apart from the annoying red circle with number 1 inside in the Dev Tools, I didn't get any side effects. So, if this is not necessary, why do we have this request to the back in the first place? I am proposing to remove it by default and do it only when necessary.
I want to emphasize that everything is working, and apart from this annoying error, everything is fine and several months went by without any complaints from editors.
Change History (3)
#1
14 months ago
- Summary changed from Remove a query to /wp-json/wp/v2/users from the editor where there is a real need to Remove a query to /wp-json/wp/v2/users from the editor where there isn't a real need
#3
14 months ago
How often are you changing the post author? In the case in question, we don't need it at all: editors are not the authors, and we have a separate custom post type with authors who have no access to the site. So, why do we need to make these useless requests? I want to shut them down completely. I believe that the request should be made only when the editor is trying to change the author and has started to type something. This is a rare case. From the sustainability point of view, this request is a useless waste of energy, especially if these queries to the database are returning some bulky lists of users that most likely have nothing to do with the post content.
IIRC it's used for the author dropdown, to speed up the initial queries.
Regardless of this suggestion here, I'd recommend just disabling public access to those routes if you're concerned about bots, rather than unsetting the routes. Changing permission is the right way to do this.
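
One way to restrict the two routes to authenticated users instead of unsetting them, as an added example that is not code from this ticket or from WordPress core. The function name, the error code string, and the choice of "any logged-in user" as the access rule are assumptions; the routes stay registered, so the editor's request no longer ends in a 404.

```php
<?php
/**
 * Added example: keep /wp/v2/users registered but refuse anonymous callers.
 * example_restrict_users_routes() is a hypothetical name, and "logged in"
 * is an assumed access rule; tighten it to a capability check if needed.
 *
 * @param mixed           $result  Response set by an earlier callback, or null.
 * @param WP_REST_Server  $server  REST server instance (unused here).
 * @param WP_REST_Request $request The request being dispatched.
 * @return mixed Unchanged $result, or WP_Error for anonymous callers.
 */
function example_restrict_users_routes( $result, $server, $request ) {
	// Respect a response already produced by another rest_pre_dispatch callback.
	if ( null !== $result ) {
		return $result;
	}

	// Matches /wp/v2/users and anything below it, e.g. /wp/v2/users/12.
	if ( ! preg_match( '#^/wp/v2/users(/|$)#', $request->get_route() ) ) {
		return $result;
	}

	// Authenticated users pass through to the normal handler, so the
	// editor's author lookup still gets a regular response.
	if ( is_user_logged_in() ) {
		return $result;
	}

	// Anonymous callers get an authorization error instead of the user list.
	return new WP_Error(
		'example_rest_users_forbidden',
		__( 'Authentication is required to access users.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}
add_filter( 'rest_pre_dispatch', 'example_restrict_users_routes', 10, 3 );
```

An anonymous `GET /wp-json/wp/v2/users` should then return HTTP 401, while the same request from a logged-in editor session behaves as before.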