Topic: WP REST API Block JSON Requests to the users & comments Routes

WP REST API Block JSON Requests to the users & comments Routes

Tagged: Bonus Custom Code, Brute Force Login Attacks, Protect Login page, WP REST API

This topic contains 4 replies, has 2 voices, and was last updated by AITpro Admin 1 year, 4 months ago.

Viewing 5 posts - 1 through 5 (of 5 total)

Author

Posts
December 26, 2016 at 5:50 pm #31952
AITpro Admin
Keymaster
If you would like to block the WP REST API JSON Requests to the /users and /comments Routes do the steps below to add this htaccess code to BPS Custom Code. Blocking the WP REST API JSON Requests to the /users and /comments Routes prevents your author name/username and User ID from being publicly displayed (see the Examples below). Logically if you have a very secure password then it does not matter if your username is displayed publicly.

Note: BPS Pro JTC Anti-Spam|Anti-Hacker blocks 100% of automated Brute Force Attacks. So even if your username is publicly displayed/known and used by a bot, the bot/attack will still be blocked.

1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
2. Click the Save Root Custom Code button.
3. Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
```
# WP REST API BLOCK JSON REQUESTS TO USERS & COMMENTS ROUTES
# Block/Forbid Requests to: /wp-json/wp/v2/users and wp-json/wp/v2/comments
# WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/v2/(users|comments) [NC]
RewriteRule ^(.*)$ - [F]
```
Example: The WP REST API /users Route exposes the author/username and User ID pubicly. See example JSON Response below.
http://www.example.com/wp-json/wp/v2/users
```
[{"id":1,"name":"Gumby","url":"","description":"","link":"http:\/\/demo2.local\/author\/gumby\/","slug":"gumby","avatar_urls":{"24":"http:\/\/1.gravatar.com\/avatar\/191d483b8bc404be9b10fa87b18922cd?s=24&d=mm&r=g","48":"http:\/\/1.gravatar.com\/avatar\/191d483b8bc404be9b10fa87b18922cd?s=48&d=mm&r=g","96":"http:\/\/1.gravatar.com\/avatar\/191d483b8bc404be9b10fa87b18922cd?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/users"}]}}]
```
Example: The WP REST API /comments Route exposes the author/username and User ID publicly. See example JSON Response below.
http://www.example.com/wp-json/wp/v2/comments
```
[{"id":2,"post":27,"parent":0,"author":1,"author_name":"Gumby","author_url":"","date":"2016-12-26T14:41:17","date_gmt":"2016-12-26T22:41:17","content":{"rendered":"<p>testing<\/p>\n"},"link":"http:\/\/demo2.local\/idle-session-logout-test\/#comment-2","status":"approved","type":"comment","_links":{"self":[{"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/comments\/2"}],"collection":[{"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/comments"}],"author":[{"embeddable":true,"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/users\/1"}]
```
Other WP REST API Routes (URI’s)
Note: None of these other WP REST API Routes expose the author/username or User ID publicly, but if you want to block these other WP REST API Routes you would add each Route name that you want to block to the WP REST API BLOCK JSON REQUESTS TO USERS & COMMENTS ROUTES htaccess code. See the WP REST API BLOCK JSON REQUESTS TO ALL ROUTES example htaccess code below.
```
http://www.example.com/wp-json/wp/v2/posts
http://www.example.com/wp-json/wp/v2/pages
http://www.example.com/wp-json/wp/v2/media
http://www.example.com/wp-json/wp/v2/types
http://www.example.com/wp-json/wp/v2/statuses
http://www.example.com/wp-json/wp/v2/taxonomies
http://www.example.com/wp-json/wp/v2/categories
http://www.example.com/wp-json/wp/v2/tags
http://www.example.com/wp-json/wp/v2/settings
```
```
# WP REST API BLOCK JSON REQUESTS TO ALL ROUTES
# Block/Forbid Requests to all WP REST API Routes: users, comments, posts, etc.
# WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/v2/(users|comments|posts|pages|media|types|statuses|taxonomies|categories|tags|settings) [NC]
RewriteRule ^(.*)$ - [F]
```
December 27, 2016 at 3:10 pm #31961
Jose
Participant
Hi,

In case of existing Speed Boost Cache Code, should this code be written before or after it?
And, if the comments to my website are totally disabled, would this line below be all right?
```
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/v2/(users) [NC]
```
Thanks in advance.
December 27, 2016 at 3:25 pm #31962
AITpro Admin
Keymaster

You should probably add the code before your Speed Boost Cache code, but I don’t think the order of the code really matters for this particular code. If you have comments disabled and no old comments exist anywhere then yep you use the code you posted. If you want to check your site use this URI: http://www.example.com/wp-json/wp/v2/comments to see anything is displayed publicly.
December 27, 2016 at 3:31 pm #31963
Jose
Participant

It only shows: [ ] so I will try this other line.
December 27, 2016 at 3:37 pm #31964
AITpro Admin
Keymaster

That’s fine. If you are only seeing [] in the JSON Response then that means there is not any comments data that will be displayed publicly.
Author

Posts

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.

BulletProof Security Forum

WP REST API Block JSON Requests to the users & comments Routes

Search Forums

Topic Tags