Disable almost all of the REST API
Since WP 4.7, the REST API is enabled by default and
the content endpoints are not protected. This behaviour can be
considered a security issue and needs to be fixed.
Most plugins disable the REST API in full BUT we should be attentive
to some details. It's important to know that some features of
the WP Core like "Post embeds" or plugins (Yoast SEO amongst others) use
the REST API.
If you turn off the REST API, you will break them without knowing it.

Thistle takes another way which is softer. It disables all routes of
the REST API for non-logged-in users except the `/oembed/1.0/embed/` one.
With this behaviour, you can embed your posts on other WordPress sites
and use all your plugins which use the REST API without any problem ;)

https://wptavern.com/wordpress-rest-api-vulnerability-exploits-continue
7studio committed Mar 17, 2017
1 parent cc1d2ac commit 8c04edb
Showing 1 changed file with 15 additions and 0 deletions.
15 changes: 15 additions & 0 deletions functions.php
Expand Up @@ -252,6 +252,21 @@ function thistle_clean_http_headers() {
}
add_action( 'init', 'thistle_clean_http_headers' );

if ( ! function_exists( 'thistle_disable_rest_api' ) ) {
/**
* Disables all routes of the REST API for non logged users except
* the `/oembed/1.0/embed` one.
*/
function thistle_disable_rest_api( $response, $server, $request ) {
if ( $request->get_route() != '/oembed/1.0/embed' && ! is_user_logged_in() ) {
return new WP_Error( 'rest_no_route', __( 'No route was found matching the URL and request method' ), array( 'status' => 404 ) );
}

return $response;
}
}
add_filter( 'rest_pre_dispatch', 'thistle_disable_rest_api', 10, 3 );

if ( ! function_exists( 'thistle_disable_emoji' ) ) {
/**
* Disables the emoji's feature which is enabled by default since WordPress 4.2.
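Review bot: the route check in `thistle_disable_rest_api` uses a loose `!=` against the exact string `'/oembed/1.0/embed'`; prefer `!==` for a string comparison, and note that the commit message advertises the allowed route as `/oembed/1.0/embed/` (trailing slash) while the code only matches the slash-less form, so the docblock and message should agree on which spelling is actually matched. Also worth a comment in the docblock: `is_user_logged_in()` inside a REST request only reports a user when the request carries a valid `X-WP-Nonce` (or `_wpnonce`), since cookie authentication otherwise treats the request as anonymous; the practical effect is that a logged-in user opening a `/wp-json/` URL directly in the browser also receives the 404, while plugins that send the nonce keep working. Returning `rest_no_route` with status 404 rather than a 401/403 is a reasonable choice to avoid confirming that the endpoint exists, but it is a deliberate decision and deserves a one-line note next to the `WP_Error` so a future reader does not "fix" it to 401.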

0 comments on commit 8c04edb
