How to Stop Username Harvesting with the REST API in WordPress 4.7

The REST API was rolled out in WordPress 4.4, but since the release of WordPress 4.7 it has been vastly expanded.

So what will the REST API be used for?

The REST API is very powerful and allows WordPress to transform itself from being a simple content management platform to an application framework.

This means that future plugin development could include extensions that enhance the WordPress experience, and it opens up the possibility of developers writing applications that run anywhere and communicate with your WordPress site.

Wow, that’s awesome, isn’t it? Being able to publish content to your WordPress site from any device.
Well, yes it is; however, most users won’t find any use for this feature.

The latest WordPress 4.7 update has introduced 2 issues for all WordPress users:

1. Requests made through the REST API bypass login protections such as 2-factor authentication and reCAPTCHA

2. It can provide access to some data without any authentication whatsoever

The first issue is the most important, as it could open your website to DDoS (Distributed Denial of Service) attacks.
Such traffic is resource intensive, slows down your website and, worse still, can cause you a serious headache with your hosting company.

To see what I mean, visit a WordPress site with v4.7 installed and enter the following URL, replacing domain.com with the site’s actual domain name:
domain.com/wp-json/wp/v2/users

This will display all the users of the WordPress site.

Using this information, a hacker can launch a brute force attack on your site to gain access.

So what can you do to prevent this?

There are a number of options, from the easiest, installing a plugin, to the more involved, editing your theme’s functions.php.

Let’s start with the easiest.

1. Install the plugin Disable REST API

In your WordPress admin area, click Plugins and then click the Add New button.

In the ‘Search plugins…’ field on the next screen, type Disable REST API.

The first result should be Disable REST API by Dave McHale (see image below).

Disable REST API Plugin

Click the Install Now button and wait for the button to change to Activate and then click Activate.

That’s it. There is nothing more to configure.

To test this, open a browser window and visit the URL domain.com/wp-json/wp/v2/users, replacing domain.com with your domain name, and you should see

{"code":"rest_user_cannot_view","message":"Sorry, you are not allowed to list users.","data":{"status":401}}

It’s worth mentioning here that on my sites this plugin didn’t have any effect, but I have seen this working; it may work on your site.

If this solution does not work, then don’t panic just yet as there are other alternatives before you have to start editing your WordPress system files.

2. Install the Wordfence plugin

The latest version of the Wordfence plugin, v6.2.8, already has this protection built in, in both the free and paid versions.

If you already have the Wordfence plugin installed, make sure you update it now.

To install the Wordfence plugin, go to your WordPress admin area, click Plugins and then click the Add New button.

In the ‘Search plugins…’ field on the next screen type wordfence

The first result should be Wordfence Security and looks like this:

Wordfence Security Plugin

Click the Install button and then Activate.

By default Wordfence has the protection activated, but to test and make sure, open a browser window and visit the URL domain.com/wp-json/wp/v2/users, replacing domain.com with your domain name, and you should see

{"code":"rest_user_cannot_view","message":"Sorry, you are not allowed to list users.","data":{"status":401}}

If the protection is not activated and the URL still displays usernames, you will need to switch the option on.

To do this, navigate to the Wordfence item in the WordPress menu on the left and select Options.

Scroll down to "Login Security Options" and look for the following option:

Prevent discovery of usernames through '/?author=N' scans, the oEmbed API, and the WordPress REST API

This checkbox should be ticked. If it is not, tick the box, scroll to the bottom of the options list and click Save.

Visit the URL domain.com/wp-json/wp/v2/users again, replacing domain.com with your domain name, and now you should see

{"code":"rest_user_cannot_view","message":"Sorry, you are not allowed to list users.","data":{"status":401}}

3. Another option is to install the iThemes Security plugin

The iThemes Security plugin provides the same protection and is available in both the free and paid versions.

To install the iThemes Security plugin, go to your WordPress admin area, click Plugins and then click the Add New button.

In the ‘Search plugins…’ field on the next screen type better wp security

The first result should look like the image below.

iThemes Security

Click the Install button and then Activate.

If you have the free or the Pro version already installed, please update to the latest version now.

In the WordPress dashboard, go to the iThemes Security settings page.

Scroll down to the WordPress Tweaks section and click Configure Settings.

iThemes Security Configuration

In WordPress Tweaks, scroll to the REST API section, where the drop-down menu offers 3 options:

1. Disable REST API (recommended)

2. Require Admin Privileges

3. Enable REST API

In the drop-down menu, select the recommended option, Disable REST API.

Then click Save Settings.

iThemes Security REST API

To test, visit the URL domain.com/wp-json/wp/v2/users, replacing domain.com with your domain name, and you should see

{"code":"rest_user_cannot_view","message":"Sorry, you are not allowed to list users.","data":{"status":401}}

4. Adding the Disable REST API code to your theme’s functions.php file

To protect the users endpoint without a plugin, you can add the following code to your theme’s functions.php file.

// The 'json_enabled' and 'json_jsonp_enabled' filters belonged to the old WP REST API
// plugin (v1) and have no effect on the core REST API in WordPress 4.7. Instead,
// short-circuit the /wp/v2/users routes for anyone who may not list users in wp-admin.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( 0 === strpos( $request->get_route(), '/wp/v2/users' ) && ! current_user_can( 'list_users' ) ) {
        return new WP_Error( 'rest_user_cannot_view', 'Sorry, you are not allowed to list users.', array( 'status' => rest_authorization_required_code() ) );
    }
    return $result; // null lets WordPress dispatch every other request normally
}, 10, 3 );

That’s it. To test, visit the URL domain.com/wp-json/wp/v2/users, replacing domain.com with your domain name, and you should see

{"code":"rest_user_cannot_view","message":"Sorry, you are not allowed to list users.","data":{"status":401}}
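Whichever of the four options you applied, the check is the same: request the users route without credentials and confirm that no accounts come back. The following script is an added example, not part of the original post; it assumes only the Python standard library, takes your site URL as its argument, and keeps the verdict logic in classify() so it can also be run against a saved response.

```python
"""Check whether a WordPress site still lists accounts via the REST API."""
import json
import sys
import urllib.error
import urllib.request

USERS_ROUTE = "/wp-json/wp/v2/users"


def classify(status, body):
    """Turn an HTTP status and body for the users route into a verdict.

    Returns (verdict, detail): verdict is "exposed", "blocked" or
    "unexpected"; detail is the number of listed accounts, the REST
    error code, or a short reason.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected", "non-JSON body"
    # An open endpoint answers 200 with a JSON list of user objects.
    if status == 200 and isinstance(data, list):
        listed = [u for u in data if isinstance(u, dict) and "slug" in u]
        return "exposed", len(listed)
    # A blocked request is a JSON object carrying a REST error code, e.g.
    # rest_user_cannot_view (plugins, functions.php) or rest_no_route.
    if isinstance(data, dict) and "code" in data and status in (401, 403, 404):
        return "blocked", data["code"]
    return "unexpected", "HTTP %d" % status


def fetch(site):
    """GET the users route with no credentials; return (status, body)."""
    url = site.rstrip("/") + USERS_ROUTE
    req = urllib.request.Request(url, headers={"User-Agent": "rest-users-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive here; the body still holds the REST error JSON.
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    status, body = fetch(sys.argv[1])  # e.g. https://domain.com
    verdict, detail = classify(status, body)
    print("%s %s -> %s (%s)" % (status, USERS_ROUTE, verdict, detail))
```

A verdict of "exposed" with a count above zero means the site still lists that many accounts; "blocked" with rest_user_cannot_view or rest_no_route is the result the sections above aim for.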

Conclusion

The above solutions will give you the protection you need to stop anyone finding out user information about your WordPress site that could be used against you.


    WP Saracen

    My name is Chris and I have been hosting and running 100s of WordPress websites for clients for over 10 years.
