Issue Wordpress Dataleak (UserNames and IDs)

LTUser · Jun 11, 2020

Excuse me, I do not find the right place to warn about it and it is not really a security leak.
Therefore delete the info or move it to the right place if necessary.

Test this:
https://(www.)yourdomain.tld/wp-json/wp/v2/users/

Do you get a page with UserNames and IDs

add this near Rewritebase / in your .htaccess

Code:

RewriteCond %{REQUEST_URI} (wp-json|author)
RewriteRule ^(.*)$ https://www.yourdomain.tld [F,L]

The data leak also exists if the WordPress Toolkit and the
security check classify everything as "Safe".

Kaspar · Jun 12, 2020

It's not considered a security issue by the WP developers. See topic: Why is the REST API enabled by default? | WordPress.org

I like the idea of having this be part of the WordPress Toolkit security check though.

G J Piper · Jun 12, 2020

I use this plugin to turn off most (or all) of the WordPress REST API:

Disable REST API

Disable the use of the REST API on your website to site users. Now with User Role support!

wordpress.org

LTUser · Jun 13, 2020

I probably had too much trust in WP.
I didn't think that these barn doors were "worldreadable".

In the meantime, WP is being pushed by goggle at the expense of forums, so you have to pay more attention to your data now, especially in WP.

Issue Wordpress Dataleak (UserNames and IDs)

LTUser

Regular Pleskian

Kaspar

API expert

G J Piper

Regular Pleskian

Disable REST API

LTUser

Regular Pleskian

Similar threads