wordpress 安全禁用 WP REST API
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/41191655/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Safely disable WP REST API
提问by Eric Gopak
I am considering to improve security of my Wordpress website, and in doing so have come across WP REST API being enabled by default (since WP 4.4 if I'm not mistaken).
我正在考虑提高我的 Wordpress 网站的安全性,并且在这样做时遇到了默认启用的 WP REST API(如果我没记错的话,从 WP 4.4 开始)。
What is a safe way to disable it?
禁用它的安全方法是什么?
By "safe" here I mean that it does not cause unexpected side-effects, e.g. does not break any other WP core functionality.
这里的“安全”是指它不会导致意外的副作用,例如不会破坏任何其他 WP 核心功能。
One possible approach would be to use .htaccessrewrite rules, but surprisingly I haven't found any 'official' instructions on doing so.
一种可能的方法是使用.htaccess重写规则,但令人惊讶的是,我没有找到任何关于这样做的“官方”说明。
Any help or recommendation is greatly appreciated :)
非常感谢任何帮助或建议:)
Update:3rd-party plugins is not the solution I am looking for. Although I'm aware there are plenty of them that solve the task, they include many extra features that slow down the website. I would hope there is a one-line solution to this problem without the overhead of an extra plugin.
更新:第 3 方插件不是我正在寻找的解决方案。尽管我知道有很多它们可以解决任务,但它们包含许多会降低网站速度的额外功能。我希望有一个解决此问题的单行解决方案,而无需额外插件的开销。
Update 2:Here is the official opinion of Wordpress: https://developer.wordpress.org/rest-api/using-the-rest-api/frequently-asked-questions/#can-i-disable-the-rest-api
更新 2:以下是 Wordpress 的官方意见:https: //developer.wordpress.org/rest-api/using-the-rest-api/frequently-asked-questions/#can-i-disable-the-rest-接口
According to this, the Wordpress team wants future WP functionality to depend on the new REST API. This means there is no guaranteed safeway to disable the REST API.
据此,Wordpress 团队希望未来的 WP 功能依赖于新的 REST API。这意味着没有保证安全的方法来禁用 REST API。
Let's just hope there are enough security experts taking care of WP security.
我们只是希望有足够的安全专家来处理 WP 安全。
Update 3:
更新 3:
A workaround is presented in WordPress API Handbook - you can Require Authentication for All Reque?sts
WordPress API 手册中提供了一种解决方法 - 您可以要求对所有请求进行身份验证?
This makes sure that anonymous access to your website's REST API is disabled, only authenticated requests will work.
这可确保禁用对您网站的 REST API 的匿名访问,只有经过身份验证的请求才能工作。
采纳答案by Dzmitry Hubin
From the author original question I've chosen option 2 that came from wordpress official recommendations(https://developer.wordpress.org/rest-api/using-the-rest-api/frequently-asked-questions/#can-i-disable-the-rest-api). So just put in your functions.php to let only logged in users use the rest api:
从作者的原始问题中,我选择了来自 wordpress 官方建议的选项 2(https://developer.wordpress.org/rest-api/using-the-rest-api/frequently-asked-questions/#can-i -disable-the-rest-api)。所以只需放入你的functions.php,让只有登录的用户使用其余的api:
add_filter( 'rest_authentication_errors', function( $result ) {
if ( ! empty( $result ) ) {
return $result;
}
if ( ! is_user_logged_in() ) {
return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
}
return $result;
});
回答by Lucas Bustamante
You can disable it for requests other than localhost:
您可以为 localhost 以外的请求禁用它:
function restrict_rest_api_to_localhost() {
$whitelist = [ '127.0.0.1', "::1" ];
if( ! in_array($_SERVER['REMOTE_ADDR'], $whitelist ) ){
die( 'REST API is disabled.' );
}
}
add_action( 'rest_api_init', 'restrict_rest_api_to_localhost', 0 );
回答by Kuzeko
Disabling REST API was not a bad idea, after all. It actually opened a huge hole in all websites!
毕竟,禁用 REST API 并不是一个坏主意。它实际上在所有网站上打开了一个巨大的漏洞!
In wordpress 4.4 there was a way
在 wordpress 4.4 中有一种方法
Here, I've found a possible solution with .htaccessbut should be carefully tested in combination with whatever else is in your .htaccessfile (e.g., pretty-url rules added by wordpress itself):
在这里,我找到了一个可能的解决方案,.htaccess但应该结合.htaccess文件中的任何其他内容进行仔细测试(例如,wordpress 本身添加的漂亮 url 规则):
# WP REST API BLOCK JSON REQUESTS
# Block/Forbid Requests to: /wp-json/wp/
# WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/ [NC]
RewriteRule ^(.*)$ - [F]
A very drastic method, is also to have a 404.htmlwebpage in your root and then add this line:
一个非常激烈的方法,也是404.html在你的根目录中有一个网页,然后添加这一行:
# WP REST API BLOCK JSON REQUESTS
# Redirect to a 404.html (you may want to add a 404 header!)
RewriteRule ^wp-json.*$ 404.html
Note that, unless you use a static page, i.e., not involved with wordpressfunctions, if you want to return a 404error with an appropriate error page, this is a complete separate topic, with a lot of issues when Wordpress is involved
注意,除非你使用静态页面,即不涉及wordpress函数,如果你想返回一个404带有适当错误页面的错误,这是一个完全独立的主题,涉及到Wordpress时会出现很多问题
回答by Benno
With the plugin "Disable REST API" you can select which APIs you want to enable, e.g. the contact form 7 API. See the plugin's settings (yoursite.com/wp-admin/options-general.php?page=disable_rest_api_settings)
使用插件“禁用 REST API”,您可以选择要启用的 API,例如联系表 7 API。查看插件的设置 (yoursite.com/wp-admin/options-general.php?page=disable_rest_api_settings)
