Make WordPress Core

Opened 8 months ago

Last modified 8 months ago

#59620 new enhancement

Remove a query to /wp-json/wp/v2/users from the editor where there isn't a real need

Reported by: oglekler
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Editor
Keywords:
Focuses: rest-api
Cc:


I've unset /wp/v2/users and /wp/v2/users/(?P<id>[\d]+) endpoints to remove access to the users list and make it harder for bots that are trying the login form (this one is custom as well, so they are actually not doing it, but this is not the point), and I've got a 404 error in the Editor in admin, but everything is working, and apart from the annoying red circle with number 1 inside in the Dev Tools, I didn't get any side effects. So, if this is not necessary, why do we have this request to the back in the first place? I am proposing to remove it by default and do it only when necessary.

I want to emphasize that everything is working, and apart from this annoying error, everything is fine and several months went by without any complaints from editors.

Change History (3)

#1 @oglekler
8 months ago

  • Summary changed from Remove a query to /wp-json/wp/v2/users from the editor where there is a real need to Remove a query to /wp-json/wp/v2/users from the editor where there isn't a real need

#2 @swissspidy
8 months ago

IIRC it's used for the author dropdown, to speed up the initial queries.

Regardless of this suggestion here, I'd recommend just disabling public access to those routes if you're concerned about bots, rather than unsetting the routes. Changing permission is the right way to do this.
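
One way to apply the permission-based approach suggested in comment #2, as an added example that is not part of the ticket or of WordPress core: it leaves the users routes registered and rejects unauthenticated requests through the rest_pre_dispatch filter. The function name example_restrict_users_routes, the error code and the text domain are hypothetical.

```php
<?php
/**
 * Added example (not WordPress core code): keep /wp/v2/users registered,
 * but refuse it to visitors who are not logged in.
 */
add_filter( 'rest_pre_dispatch', 'example_restrict_users_routes', 10, 3 );

/**
 * @param mixed           $result  Null unless an earlier filter already answered.
 * @param WP_REST_Server  $server  REST server instance (unused here).
 * @param WP_REST_Request $request Request being dispatched.
 * @return mixed Unchanged $result, or a WP_Error for anonymous callers.
 */
function example_restrict_users_routes( $result, $server, $request ) {
	// Respect a short-circuit set by another rest_pre_dispatch callback.
	if ( null !== $result ) {
		return $result;
	}

	// Match /wp/v2/users and everything below it (/wp/v2/users/<id>, /me, ...).
	if ( ! preg_match( '#^/wp/v2/users(/|$)#', $request->get_route() ) ) {
		return $result;
	}

	// Logged-in sessions, including the block editor, keep normal access;
	// the endpoint's own permission checks still run afterwards.
	if ( is_user_logged_in() ) {
		return $result;
	}

	// Anonymous callers get an authorization error instead of the user list.
	return new WP_Error(
		'rest_users_login_required', // hypothetical error code
		__( 'Authentication is required to access users.', 'example-textdomain' ),
		array( 'status' => rest_authorization_required_code() )
	);
}
```

Because the routes stay registered, the editor's request from a logged-in session still resolves instead of returning 404, while unauthenticated requests receive a 401.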

#3 @oglekler
8 months ago

How often are you changing the post author? In the case in question we don't need it at all, editors are not the authors, and we have a separate custom post type with authors who have no access to the site. So, why do we need to make these useless requests? I want to shut them down completely. I believe that the request should be done only when an editor is trying to change the author and has started to type something. This is a rare case. From the sustainability point of view, this request is a useless waste of energy, especially if these queries to the database are returning some bulky lists of users that most likely have nothing to do with the post content.
