Posted in WordPress by
Anthony Hortin

With the release of WordPress 4.7 this week, comes the addition of the WP REST API endpoints for posts, comments, terms, users, meta, and settings. The foundation for the WP REST API has been in core since WP 4.4, and 4.7 sees Part 2 of the REST API Content Endpoints being added.

To quote Ryan McCue, the lead developer on the REST API team and also the original developer of the REST API proof-of-concept;

These endpoints provide machine-readable external access to your WordPress site with a clear, standards-driven interface, allowing new and innovative apps for interacting with your site. These endpoints support all of the following:

  • Content:
    • Posts: Read and write access to all post data, for all types of post-based data, including pages and media.
    • Comments: Read and write access to all comment data. This includes pingbacks and trackbacks.
    • Terms: Read and write access to all term data.
    • Users: Read and write access to all user data. This includes public access to some data for post authors.
    • Meta: Read and write access to metadata for posts, comments, terms, and users, on an opt-in basis from plugins.
  • Management:
    • Settings: Read and write access to settings, on an opt-in basis from plugins and core. This enables API management of key site content values that are technically stored in options, such as site title and byline.

The WP REST API is a fantastic new addition to WordPress and one which the REST API team has worked extremely hard on over the past few years to get into core. It’s going to provide the foundation for some innovative new ways to use WordPress over the coming years.

If you’re interested in working with the new API, make sure you check out the REST API Handbook and the REST API Reference over on WordPress.org. There’s also heaps of development resources over on the REST API Website.

For the Non-Developers

For all you non-developers out there, there’s some REST API functionality I think you’ll want to know about, in regards to how it affects your site (assuming you’ve updated to WordPress 4.7).

Using the new REST API endpoints, it’s now super easy to grab content from anyone’s WordPress site, which may or may not be a good thing. You can simply do something like this:

https://ma.tt/wp-json/wp/v2/posts/?per_page=100

(And yes, you could get some content previously by simply using the RSS Feed, but nowhere to this extent and certainly not as easily. Also, most feeds only show an excerpt, rather than all the content)

On membership websites, some site owners like to use their members’ email addresses as usernames. I’d suggest you rethink this practice. In the following example, you can clearly see user details, including the Username (in the example link below, the ‘slug’ is the user’s Username). Obviously, if the Username is the user’s email address, there’s a good chance you’re exposing information they’d probably want to keep private.

https://wptavern.com/wp-json/wp/v2/users

While I believe it only shows users who have published content, it’s probably not data you want freely accessible, even if it is only a subset of your users.

(If the above links aren’t formatted nicely, just add a JSON Formatter addon to your browser. I’m using JSONView in Firefox and JSON Viewer in Chrome.)
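If the whole API is more than you want to switch off, the users routes can be removed on their own. The following is an added example, not code from the post or from WordPress core: it uses the `rest_endpoints` filter (present in core since the API was merged) to drop every `/wp/v2/users` route for anonymous requests. The route keys are the ones core registers in 4.7; compare them against the route index your own site returns at `/wp-json/` before relying on them, and the mu-plugins file name is just a suggestion.

```php
<?php
/**
 * Added example (not the post's own code): hide the REST API users routes
 * from anonymous visitors so /wp-json/wp/v2/users no longer lists authors.
 * Save as wp-content/mu-plugins/hide-rest-users.php so it loads on every request.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Logged-in users keep the routes, so the admin screens and any plugin
    // that looks up authors over the API keep working.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    foreach ( array_keys( $endpoints ) as $route ) {
        // Core registers /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and
        // /wp/v2/users/me; a prefix match removes all of them in one pass.
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
} );
```

With this in place an anonymous request to `/wp-json/wp/v2/users` gets the standard `rest_no_route` 404 from core rather than the author list, while the posts, comments and terms endpoints behave exactly as before. Note that it only closes this one route: author slugs are still visible in the `author` field of posts and in the normal author archive URLs, so it is a complement to not using email addresses as usernames, not a replacement for it.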

Prior to the REST API being merged into WordPress Core, it was possible to disable it using a filter (if you had the REST API installed via the feature plugin). Now that it’s merged into 4.7, the core devs have decided that you shouldn’t be able to disable the REST API anymore, so they’ve disabled the rest_enabled filter that used to be available.

While I can understand not allowing it to be disabled in the Dashboard, especially since more features will make use of this functionality over time, I don’t necessarily agree that people shouldn’t be able to disable it on the front-end if they so desire. As can be seen on that above Trac ticket, even Ryan disagreed with this decision.

To get around this limitation, use this Gist to disable it for non-logged in users (if you so desire).

The above code will stop any user who is not currently logged in from viewing the WP REST API JSON endpoints. If you have a membership site, though, even users with only minimal access would still be able to view those endpoints. In that case, you could use something like the following instead, which only allows access to the endpoints if the user is logged in and an Administrator.

Before you add the above code, just a word of warning: it goes without saying that if you install a plugin that utilises the WP REST API and also add the code above, you’ll no doubt cause yourself some issues.
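The Gist and the Administrator-only variant referred to above are not reproduced on this page. As an added example, which is neither the author’s Gist nor core code, the snippet below covers both cases with the `rest_authentication_errors` filter that core still provides after `rest_enabled` was dropped. The `REST_RESTRICT_MODE` constant and the mu-plugins file name are choices made for this example, and "Administrator" is checked through the `manage_options` capability rather than the role name.

```php
<?php
/**
 * Added example (not the Gist from the post): restrict the REST API to
 * logged-in users, or to administrators only, via rest_authentication_errors.
 * Save as wp-content/mu-plugins/restrict-rest-api.php.
 *
 * REST_RESTRICT_MODE (assumed constant name, defined here for the example):
 *   'logged-in' : any logged-in user may use the API (the first variant above)
 *   'admin'     : only users with manage_options may use it (the second variant)
 */

if ( ! defined( 'REST_RESTRICT_MODE' ) ) {
    define( 'REST_RESTRICT_MODE', 'admin' );
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier authentication handler already rejected the request;
    // keep its error rather than replacing it with ours.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // Anonymous visitor: refuse every route with a 401 so clients can tell
    // that credentials (cookie + nonce, or an auth plugin) are required.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }

    // Logged in but not an administrator: 403, since authenticating again
    // would not change the outcome.
    if ( 'admin' === REST_RESTRICT_MODE && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You do not have permission to use the REST API.' ),
            array( 'status' => 403 )
        );
    }

    // null or true: let core's own cookie/nonce check (priority 100) run as normal.
    return $result;
} );
```

The filter runs at the default priority 10, before core’s `rest_cookie_check_errors` at priority 100, so it only short-circuits on an existing `WP_Error` and otherwise passes `null` through; a logged-in administrator’s nonced requests from wp-admin continue to succeed. The status codes matter for anyone debugging a broken plugin after adding this: a 401 in the browser console means the request was anonymous, a 403 means the user was logged in but lacked `manage_options`.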

Have you had a chance to use the REST API yourself? Let me know below, I’d love to hear.

8 responses on “What you may not know about the WP REST API”

  1. Michael Dorchain

    If the REST API is available publicly for query, doesn’t it make DDoS attacks easier on WP websites? API responses are normally uncached and unthrottled, they seem to be a good prey. Perhaps the best way to disable it is directly in the htaccess.

    1. Anthony Hortin Post author

      Good question. You’re probably better off asking someone from the REST API Team if it makes DDoS attacks even easier. In one of the comments on that Trac ticket I linked above, Ryan did mention that “the REST API does introduce a new attack surface (the Flash XSS exploit for example)”.