This repository has been archived by the owner. It is now read-only.

Exposed usernames in users endpoint #2961

Closed
gerhardsletten opened this Issue Dec 10, 2016 · 4 comments

gerhardsletten commented Dec 10, 2016

Now with the wp-json API merged into WordPress 4.7, a lot of WordPress sites will (maybe unaware) expose all registered usernames on their site. Knowing the username brings hackers a whole lot closer to breaking in if users reuse passwords across sites or use simple, common passwords.

Maybe the users endpoint should be protected by default?

websupporter (Member) commented Dec 11, 2016

Hi gerhardsletten,
all information exposed through the REST API is already exposed through the website. When you are not logged in or you do not have the right to list users in the backend, you will only see those users who have published posts:
https://github.com/WP-API/WP-API/blob/develop/lib/endpoints/class-wp-rest-users-controller.php#L159

The user details of these users are already present on the page itself.

rmccue (Member) commented Jan 4, 2017

We're no longer handling support requests here, please ask on the support forums or file an issue on Trac instead.

Usernames are already exposed through themes, RSS feeds, etc., and we do not consider them a security issue. You can install a third-party plugin if you would like to limit access to this data.

@rmccue rmccue closed this Jan 4, 2017

ehrig commented Jan 12, 2017

The following post contains two Gists, which prevent non-logged-in visitors/non-admins from accessing API endpoints: http://maddisondesigns.com/2016/12/what-you-may-not-know-about-the-wp-rest-api/

gerhardsletten commented Jan 13, 2017

I ended up disabling the REST API with a plugin, and disabling the XML-RPC API, because the bots find the usernames via the REST API, and then they start attacking XML-RPC with multicall.

We had about 1000 failed login attempts every day.

The regular login URL you can change with some of the security plugins, but as long as you want to use Jetpack you would need to keep XML-RPC open.
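The mitigations discussed in this thread (websupporter's note that the endpoint only lists users who have published posts, ehrig's link to gists that block the endpoints for visitors, and the last comment's trade-off between disabling XML-RPC and keeping it open for Jetpack) can be put into one small must-use plugin. The following is an added example, not code from the WP-API project or from any commenter: the plugin name and the `rue_` function names are assumptions, while the hooks it registers (`rest_endpoints`, `xmlrpc_enabled`, `xmlrpc_methods`, `wp_login_failed`) are WordPress core filters and actions.

```php
<?php
/**
 * Plugin Name: Restrict user enumeration (added example, not WP-API project code)
 *
 * Drop this file into wp-content/mu-plugins/. Hypothetical plugin written
 * for this thread; the hooks are core WordPress hooks, the function names
 * are assumptions.
 */

/**
 * Remove the /wp/v2/users collection and single-user routes for callers who
 * could not list users in wp-admin either. /wp/v2/users/me is left in place
 * so that logged-in authors and contributors keep working. With the routes
 * gone, anonymous requests get a 404 instead of the list of authors.
 * The current user is already resolved (cookie + nonce, or 0 for anonymous)
 * by the time the REST server asks for its route table.
 */
function rue_hide_user_routes( array $endpoints ) {
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Core registers '/wp/v2/users' and '/wp/v2/users/(?P<id>[\d]+)'.
        if ( '/wp/v2/users' === $route || 0 === strpos( $route, '/wp/v2/users/(?P<id>' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'rue_hide_user_routes' );

/**
 * Option A: switch XML-RPC off entirely. This is the setting the last comment
 * chose, and it also breaks Jetpack and the WordPress mobile apps.
 * Uncomment to enable.
 */
// add_filter( 'xmlrpc_enabled', '__return_false' );

/**
 * Option B: keep XML-RPC reachable for Jetpack but unregister system.multicall,
 * the method that lets one HTTP request carry many login attempts.
 * Re-test the Jetpack features you rely on after enabling this.
 */
function rue_drop_multicall( array $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'rue_drop_multicall' );

/**
 * Detection: wp_login_failed fires from wp_authenticate() for both
 * wp-login.php and XML-RPC logins, so the ~1000 daily attempts mentioned
 * above become visible per username and source address in the PHP error
 * log. The password is never logged.
 */
function rue_log_failed_login( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'failed login user=%s ip=%s xmlrpc=%d',
        $username,
        $ip,
        defined( 'XMLRPC_REQUEST' ) ? 1 : 0
    ) );
}
add_action( 'wp_login_failed', 'rue_log_failed_login' );
```

Hiding the routes is narrower than the gists ehrig links to, which gate the whole REST API on being logged in; here only the user routes disappear for anonymous callers, so themes and plugins that read posts through the API keep working. The failed-login log line is what you would feed into fail2ban or a SIEM to see whether the attempts stop once the username list is no longer served.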
