BulletProof Security Pro Forum: WP REST API Block JSON Requests to the users & comments Routes
This topic contains 4 replies, has 2 voices, and was last updated by AITpro Admin 1 year, 4 months ago.
If you would like to block the WP REST API JSON Requests to the /users and /comments Routes do the steps below to add this htaccess code to BPS Custom Code. Blocking the WP REST API JSON Requests to the /users and /comments Routes prevents your author name/username and User ID from being publicly displayed (see the Examples below). Logically if you have a very secure password then it does not matter if your username is displayed publicly.
Note: BPS Pro JTC Anti-Spam|Anti-Hacker blocks 100% of automated Brute Force Attacks. So even if your username is publicly displayed/known and used by a bot, the bot/attack will still be blocked.
1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
2. Click the Save Root Custom Code button.
3. Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.

# WP REST API BLOCK JSON REQUESTS TO USERS & COMMENTS ROUTES
# Block/Forbid Requests to: /wp-json/wp/v2/users and wp-json/wp/v2/comments
# WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/v2/(users|comments) [NC]
RewriteRule ^(.*)$ - [F]
Example: The WP REST API /users Route exposes the author/username and User ID publicly. See example JSON Response below.
http://www.example.com/wp-json/wp/v2/users
[{"id":1,"name":"Gumby","url":"","description":"","link":"http:\/\/demo2.local\/author\/gumby\/","slug":"gumby","avatar_urls":{"24":"http:\/\/1.gravatar.com\/avatar\/191d483b8bc404be9b10fa87b18922cd?s=24&d=mm&r=g","48":"http:\/\/1.gravatar.com\/avatar\/191d483b8bc404be9b10fa87b18922cd?s=48&d=mm&r=g","96":"http:\/\/1.gravatar.com\/avatar\/191d483b8bc404be9b10fa87b18922cd?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/users"}]}}]
Example: The WP REST API /comments Route exposes the author/username and User ID publicly. See example JSON Response below.
http://www.example.com/wp-json/wp/v2/comments
[{"id":2,"post":27,"parent":0,"author":1,"author_name":"Gumby","author_url":"","date":"2016-12-26T14:41:17","date_gmt":"2016-12-26T22:41:17","content":{"rendered":"<p>testing<\/p>\n"},"link":"http:\/\/demo2.local\/idle-session-logout-test\/#comment-2","status":"approved","type":"comment","_links":{"self":[{"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/comments\/2"}],"collection":[{"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/comments"}],"author":[{"embeddable":true,"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/users\/1"}]
Other WP REST API Routes (URIs)
Note: None of these other WP REST API Routes expose the author/username or User ID publicly, but if you want to block these other WP REST API Routes you would add each Route name that you want to block to the WP REST API BLOCK JSON REQUESTS TO USERS & COMMENTS ROUTES htaccess code. See the WP REST API BLOCK JSON REQUESTS TO ALL ROUTES example htaccess code below.

http://www.example.com/wp-json/wp/v2/posts
http://www.example.com/wp-json/wp/v2/pages
http://www.example.com/wp-json/wp/v2/media
http://www.example.com/wp-json/wp/v2/types
http://www.example.com/wp-json/wp/v2/statuses
http://www.example.com/wp-json/wp/v2/taxonomies
http://www.example.com/wp-json/wp/v2/categories
http://www.example.com/wp-json/wp/v2/tags
http://www.example.com/wp-json/wp/v2/settings
# WP REST API BLOCK JSON REQUESTS TO ALL ROUTES
# Block/Forbid Requests to all WP REST API Routes: users, comments, posts, etc.
# WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/v2/(users|comments|posts|pages|media|types|statuses|taxonomies|categories|tags|settings) [NC]
RewriteRule ^(.*)$ - [F]
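As an added example (not part of the original post or of the BPS plugin), the following Python model of the two RewriteCond checks above can be run against constructed request paths to see which requests the [F] rule forbids. It mirrors one Apache detail worth knowing when you verify the rule: %{REQUEST_URI} carries only the path, never the query string, and only the five listed methods are matched.

```python
import re

# The patterns from the BPS custom code above; [NC] means case-insensitive.
METHOD_RE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE)", re.IGNORECASE)
USERS_COMMENTS_RE = re.compile(r"^.*wp-json/wp/v2/(users|comments)", re.IGNORECASE)
ALL_ROUTES_RE = re.compile(
    r"^.*wp-json/wp/v2/(users|comments|posts|pages|media|types|statuses"
    r"|taxonomies|categories|tags|settings)",
    re.IGNORECASE,
)


def is_forbidden(method, request_uri, route_re=USERS_COMMENTS_RE):
    """True when both RewriteConds match, i.e. the RewriteRule's [F] flag fires.

    Apache's %{REQUEST_URI} is the path only, so the query string is dropped
    before matching, exactly as mod_rewrite would see it.
    """
    path = request_uri.split("?", 1)[0]
    return bool(METHOD_RE.match(method) and route_re.match(path))


# Constructed sample requests (method, URI) for a site with pretty permalinks.
SAMPLE_REQUESTS = [
    ("GET", "/wp-json/wp/v2/users"),
    ("GET", "/wp-json/wp/v2/users/1"),          # single-user sub-route
    ("POST", "/wp-json/wp/v2/comments"),
    ("GET", "/wp-json/wp/v2/posts"),            # not in the users/comments rule
    ("GET", "/wp-json/"),                       # API index, not a v2 route
    ("GET", "/?rest_route=/wp/v2/users"),       # path is "/", so no match
]


def blocked_uris(route_re=USERS_COMMENTS_RE):
    """Return the sample URIs the given route pattern would forbid."""
    return [uri for method, uri in SAMPLE_REQUESTS if is_forbidden(method, uri, route_re)]


if __name__ == "__main__":
    for method, uri in SAMPLE_REQUESTS:
        status = "403" if is_forbidden(method, uri) else "pass-through"
        print(f"{method:5} {uri:32} -> {status}")
```

Swap in ALL_ROUTES_RE to see how the second htaccess block widens the set of forbidden routes.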
Hi,
In case of existing Speed Boost Cache Code, should this code be written before or after it?
And, if the comments to my website are totally disabled, would this line below be all right?

RewriteCond %{REQUEST_URI} ^.*wp-json/wp/v2/(users) [NC]
Thanks in advance.
You should probably add the code before your Speed Boost Cache code, but I don’t think the order of the code really matters for this particular code. If you have comments disabled and no old comments exist anywhere then yep you use the code you posted. If you want to check your site use this URI:
http://www.example.com/wp-json/wp/v2/comments
to see if anything is displayed publicly.

It only shows: [ ] so I will try this other line.
That’s fine. If you are only seeing [] in the JSON Response then that means there is no comments data that will be displayed publicly.