Make WordPress Core

Opened 7 months ago

Closed 7 months ago

#60704 closed enhancement (invalid)

Lack of Rate Limiting

Reported by: rakeshchavan
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

URL: http://demodomain.com/wp-admin/user-new.php
Implement a limit on how often a client can call the API within a defined timeframe.
Notify the client when the limit is exceeded by providing the limit number and the time at which the limit will be reset.
Add proper server-side validation for query string and request body parameters, specifically, the one that controls the number of records to be returned in the response.
Define and enforce the maximum size of data on all incoming parameters and payloads such as the maximum length for strings and maximum number of elements in arrays.
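The first two items above (limit requests per client, and tell the client the limit and the reset time), applied to the WordPress REST API rather than to a wp-admin page, as an added example written in plugin-level PHP; it is not WordPress core code, and the request budget, window length and keying on REMOTE_ADDR are assumptions:

```php
<?php
// Added example, not WordPress core code: a fixed-window, per-client rate
// limit for the REST API as a plugin-level filter. DEMO_RL_LIMIT, DEMO_RL_WINDOW
// and keying on REMOTE_ADDR are assumptions for the example.
const DEMO_RL_LIMIT  = 60; // requests allowed per window (assumed)
const DEMO_RL_WINDOW = 60; // window length in seconds (assumed)

function demo_rl_client_key() {
    // Count per authenticated user when there is one, else per remote address.
    // Behind a reverse proxy REMOTE_ADDR is the proxy; a real deployment would
    // take the client address from a header it trusts instead.
    $uid = get_current_user_id();
    $id  = $uid ? 'u' . $uid : 'ip' . ( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
    return 'demo_rl_' . wp_hash( $id );
}

function demo_rl_pre_dispatch( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( null !== $result ) {
        return $result; // an earlier filter already answered the request
    }
    $key   = demo_rl_client_key();
    $state = get_transient( $key );
    $now   = time();
    if ( ! is_array( $state ) || $state['reset'] <= $now ) {
        // Previous window expired (or none yet): start a fresh one.
        $state = array( 'count' => 0, 'reset' => $now + DEMO_RL_WINDOW );
    }
    $state['count']++;
    // Note: get/set on a transient is not atomic; concurrent requests can
    // under-count slightly, which is acceptable for a throttle.
    set_transient( $key, $state, $state['reset'] - $now + 1 );

    // Tell every client its budget and when the window resets (Unix time).
    $remaining = max( 0, DEMO_RL_LIMIT - $state['count'] );
    $server->send_header( 'X-RateLimit-Limit', (string) DEMO_RL_LIMIT );
    $server->send_header( 'X-RateLimit-Remaining', (string) $remaining );
    $server->send_header( 'X-RateLimit-Reset', (string) $state['reset'] );

    if ( $state['count'] > DEMO_RL_LIMIT ) {
        $server->send_header( 'Retry-After', (string) ( $state['reset'] - $now ) );
        return new WP_Error(
            'demo_rate_limited',
            'Too many requests; retry after the reset time.',
            array( 'status' => 429 )
        );
    }
    return null; // no short-circuit: normal dispatch proceeds
}
add_filter( 'rest_pre_dispatch', 'demo_rl_pre_dispatch', 10, 3 );
```

Returning a WP_Error from rest_pre_dispatch makes the REST server send a 429 response; the headers are set explicitly because an error converted to a response carries no headers of its own.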

Change History (1)

#1 @swissspidy
7 months ago

  • Component changed from General to Security
  • Focuses accessibility administration rest-api performance coding-standards removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Type changed from defect (bug) to enhancement
  • Version 6.4.3 deleted

Hi there and welcome to WordPress Trac

Unfortunately your request is not really specific or actionable, as you just pasted the description of OWASP API Security Top 10 API4:2019 (https://owasp.org/API-Security/editions/2019/en/0xa4-lack-of-resources-and-rate-limiting/) without checking if and how it applies to WordPress.

The example page you shared is a restricted page for administrators to add new users, not really an API that needs rate limiting.
