Safely disable WP REST API

Question

I am considering to improve security of my Wordpress website, and in doing so have come across WP REST API being enabled by default (since WP 4.4 if I'm not mistaken).

What is a safe way to disable it?

By "safe" here I mean that it does not cause unexpected side-effects, e.g. does not break any other WP core functionality.

One possible approach would be to use .htaccess rewrite rules, but surprisingly I haven't found any 'official' instructions on doing so.

Any help or recommendation is greatly appreciated :)

Update: 3rd-party plugins is not the solution I am looking for. Although I'm aware there are plenty of them that solve the task, they include many extra features that slow down the website. I would hope there is a one-line solution to this problem without the overhead of an extra plugin.

Update 2: Here is the official opinion of Wordpress: https://developer.wordpress.org/rest-api/using-the-rest-api/frequently-asked-questions/#can-i-disable-the-rest-api

According to this, the Wordpress team wants future WP functionality to depend on the new REST API. This means there is no guaranteed safe way to disable the REST API.

Let's just hope there are enough security experts taking care of WP security.

Update 3:

A workaround is presented in the WordPress REST API Handbook - you can Require Authentication for All Requests.

This makes sure that anonymous access to your website's REST API is disabled, only authenticated requests will work.

Recommended answer

From the author's original question I've chosen option 2, which came from the WordPress official recommendations (https://developer.wordpress.org/rest-api/using-the-rest-api/frequently-asked-questions/#can-i-disable-the-rest-api). So just put this in your functions.php to let only logged-in users use the REST API:

add_filter( 'rest_authentication_errors', function( $result ) {
    // Another authentication callback has already decided (an error, or
    // an explicit true): leave that decision untouched.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // No authenticated user: reject the request with a 401 REST error.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
    }
    // Logged-in user: fall through to WordPress's normal handling.
    return $result;
});
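The blanket rule above also blocks anonymous requests that WordPress itself makes, such as oEmbed discovery for embedded posts, which is the kind of side effect the question is worried about. As an added example (not code from the answer or from WordPress core), the same filter can keep an explicit allowlist of route prefixes that stay public while everything else requires authentication; the allowlist contents are an assumption to adapt per site.

```php
<?php
/**
 * Require authentication for the REST API, but keep a small allowlist of
 * route prefixes that must stay anonymous so core features keep working.
 * Drop this in functions.php or a must-use plugin.
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another callback already decided (error or explicit true): respect it.
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Authenticated requests (cookie + nonce, application passwords) pass.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // The requested route, e.g. "/wp/v2/posts" or "/oembed/1.0/embed".
    // WordPress stores it in the public "rest_route" query var.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? (string) $GLOBALS['wp']->query_vars['rest_route']
        : '';

    // Route prefixes allowed without authentication (assumed list; extend
    // it with any plugin namespace your site legitimately exposes publicly).
    $public_prefixes = array(
        '/oembed/1.0/', // core oEmbed endpoints used when posts are embedded
    );

    foreach ( $public_prefixes as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result;
        }
    }

    // Everything else: anonymous access denied with a 401 REST error.
    return new WP_Error(
        'rest_not_logged_in',
        'You are not currently logged in.',
        array( 'status' => 401 )
    );
} );
```

Before deploying, request each allowlisted and one non-allowlisted route as a logged-out visitor and confirm the first return 200 and the second returns 401 with the `rest_not_logged_in` code.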
