Hiding WordPress REST API v2 endpoints from public viewing

Is this meant to be used on sites in production?

Yes. Many sites have been already using it.

Is there a security risk to allowing endpoints to be viewed by anyone, such as /wp-json/wp/v2/users/ which shows all users registered to the site?

No. Server responses have nothing to do with security, nothing you can do against a blank screen or read only response.

However, If your sites allow weak passwords, there’re some problems. But it’s your site’s policy, REST API knows nothing about that.

Is it possible to allow only authorized users to access an endpoint?

Yes. You can do it by using permission callback.

For example:

if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
    return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you cannot view this resource with edit context.' ), array( 'status' => rest_authorization_required_code() ) );
}

How do others usually set up this data to be accessed by external applications without exposing too much information?

This question is hard to answer because we don’t know what/when is too much information. But we can strictly follow API references and security cheatsheets to avoid unwanted situation.

Related Posts:

  1. Should a 502 HTTP status code be used if a proxy receives no response at all?
  2. What is the difference between a URI, a URL and a URN?
  3. HTTP Status 504
  4. Do I need Content-Type: application/octet-stream for file download?
  5. Problem HTTP error 403 in Python 3 Web Scraping
  6. Problem HTTP error 403 in Python 3 Web Scraping
  7. Is 418 “I’m a teapot” really an HTTP response code?
  8. How to define the basic HTTP authentication using cURL correctly?
  9. “Cannot GET /” with Connect on Node.js
  10. What’s the difference between using application/csv vs text/csv? [duplicate]
  11. What are all the possible values for HTTP “Content-Type” header?
  12. What is the difference between PUT, POST and PATCH?
  13. What’s the difference between “Request Payload” vs “Form Data” as seen in Chrome dev tools Network tab
  14. ndroid 8: Cleartext HTTP traffic not permitted
  15. Setting Curl’s Timeout in PHP
  16. How are parameters sent in an HTTP POST request?
  17. Why am I suddenly getting a “Blocked loading mixed active content” issue in Firefox?
  18. wget: unable to resolve host address `http’
  19. Are HTTP headers case-sensitive?
  20. When looking at the differences between X-Auth-Token vs Authorization headers, which is preferred?
  21. WordPress HTTP parameter pollution
  22. How do I cache (core) API requests?
  23. wp rest api v2 return json_no_route
  24. Retrieving pages with multiple tags using REST API
  25. WP-REST API not returning all its endpoints, 404 on documented endpoints
  26. How to loop through JSON data in wordpress WP REST API
  27. Does WordPress only support HTTP 1.1?
  28. WP REST API V2 – Modifying responses
  29. wordpress custom endpoint multiple params
  30. Can we access the REST request parameters from within the permission_callback to enforce a 401 by returning false?
  31. Create post with REST API in php with file_get_contents
  32. WordPress REST API “rest_authentication_errors” doesn’t work external queries?
  33. The resource was preloaded using link preload but not used within a few seconds
  34. WordPress API returns empty page when page is less than X-WP-TotalPages
  35. Extending wp JavaScript base class to make a post request to a custom REST endpoint
  36. WP Rest API max limit include parameter?
  37. How to filter users on custom meta fields in WP JSON v2?
  38. Passing Meta array in wp-rest api
  39. How to make a WP REST API query with meta_query in WP4.7?
  40. using wp_remote_get to retrieve own url on local host
  41. How to retrieve custom meta term of category taxonomy from WP Rest API?
  42. Gutenberg Custom Block Getting All Posts
  43. Inserting custom post meta value using WP-REST API
  44. Get all tags not just first 10 with wp api 2.0
  45. How to add WP API and JS featured image attachment
  46. WP REST API V2 – Add user data to response
  47. wordpress api using rest_route for other pages
  48. Is there an equivalent to WP_Error object I can return in the case of a successful REST request?
  49. is it possible to filter a rest api endpoint by using a registered rest field?
  50. WordPress API for search
  51. Update a post based on results from GET request to another server
  52. Add Data to Response of WP-JSON Root
  53. WP API post__not_in is not working
  54. Change port of wordpress
  55. rest_no_route on custom API endpoint wordpress
  56. How to edit feature image with XML RPC?
  57. How to get value of custom http header?
  58. How to create WordPress custom end point with multiple parameters?
  59. How to see posts in taxonomy endpoint
  60. Strange behavior: random HTTP error 500 fixed by visiting Permalinks settings page (htaccess issue with language code)
  61. Uploading a media item with the wp-json API to a specific path
  62. WordPress REST Api get posts by ID
  63. How to add a rest field to post tags?
  64. How to use Python to create a Post in WordPress?
  65. update_callback is not working in register_rest_field
  66. WP REST API and Access-Control-Allow-Origin
  67. How to make an API call to a custom post type but filtering by meta value?
  68. Cant create or update meta fields using WordPress REST API
  69. Flatten Responses returned via WP REST API via WP_Error for obfuscation
  70. WordPress REST API – get custom taxonomy category posts
  71. Allow REST API Endpoint to specific user and hide from public
  72. Check if user can in javascript
  73. register/login api
  74. Get “HTTP/1.1 406 Not Acceptable” when accesing my website with Delphi Indy Control
  75. How do i post data to url with fields?
  76. 403 error rest_’cookie_invalid_nonce’ on API Request
  77. Remove unwanted fields from WP API response
  78. How to add a post’s view count into the WordPress API response
  79. WordPress API “code”:”rest_no_route” with Custom Route
  80. Adding Amchart Interface to WordPress API
  81. Deleting media using the WordPress Rest API
  82. Require advice handling a URL redirect from a Third Party. URL Params need to populate and then forward to payment
  83. Consume legacy rest api dependent upon WP API plugin
  84. How to properly set a value to meta fields of a custom post type in WP-API/node-wpapi REST API?
  85. WordPress HTTP 500 Error “page isn’t working”
  86. Should I edit a user meta field with PUT, PATCH, or POST and WP::Editable
  87. Best Way to detect unique posts in wp rest api
  88. WP-API + JS Backbone client – how to update post meta
  89. Is it safe to use PUT and DELETE requests
  90. API request forbidden when requesting from same domain
  91. For what is the “.well-known”-folder?
  92. Human readable format for http headers with tcpdump
  93. How to make wireshark filter POST-requests only?
  94. External api call using wordpress
  95. Custom post type REST api 404: Updating failed. No route was found matching the URL and request method
  96. Adding Microsoft Teams Incoming Webhook to WordPress, Problem with Rest Route?
  97. Woocommerce API for calling products by Category ID
  98. wordpress rest api authentication failed
  99. How to submit a button automatically after every scheduled hours?
  100. How can I enforce user to use Application password to generate JWT token? [closed]

Leave a Comment