Disable WP REST API

Description

This plugin does one thing: it disables the WP REST API for visitors who are not logged in to WordPress. No configuration required.

This plugin uses only 22 lines of code (less than 2KB), so it is super lightweight, fast and efficient.

Features

  • Disables REST/JSON for visitors (not logged in)
  • Disables the REST header in the HTTP response for all users
  • Disables the REST link in the HTML head for all users
  • 100% plug-and-play, set-it-and-forget-it solution

A fast and easy way to prevent abuse of your site's REST/JSON API.

How does it work? It depends on which version of WordPress you are using.

WordPress v4.7 and higher

For WordPress 4.7 and higher, this plugin completely disables the WP REST API unless the user is logged in to WordPress.

  • For logged-in users, the WP REST API works normally
  • For logged-out users, the WP REST API is disabled

What happens if a logged-out visitor makes a JSON/REST request? They simply receive a short message:

"rest_login_required: REST API restricted to authenticated users."

This message may be customized via the filter hook, disable_wp_rest_api_error. Check out this post for an example of how to do it.
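The following is an added example, not the plugin's own code (which is not reproduced on this page). It shows the WordPress 4.7+ mechanism described above: a rest_authentication_errors filter that rejects anonymous requests with a WP_Error carrying the code rest_login_required and HTTP status 401, plus removal of the REST discovery header and HTML head link that the feature list mentions. The filter name disable_wp_rest_api_error is the one the page documents; the plugin header name and everything else are this example's own naming.

```php
<?php
/**
 * Plugin Name: REST Login Gate (illustrative example)
 *
 * Added example: not the Disable WP REST API plugin's own code. It demonstrates
 * the WordPress 4.7+ mechanism the page describes. Only the hook name
 * disable_wp_rest_api_error comes from the page; the rest is this example's naming.
 */

// Block REST requests from visitors who are not logged in (WordPress 4.7+).
// rest_authentication_errors receives null (undecided), true (authenticated)
// or a WP_Error (already rejected) from handlers that ran earlier.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect a decision another authentication handler has already made.
    if ( null !== $result ) {
        return $result;
    }
    // Logged-in users keep normal REST access; returning null lets the
    // remaining handlers (e.g. core's cookie/nonce check) run as usual.
    if ( is_user_logged_in() ) {
        return $result;
    }
    $message = 'REST API restricted to authenticated users.';
    // Hook documented on the page for customizing the text shown to anonymous clients.
    $message = apply_filters( 'disable_wp_rest_api_error', $message );
    // The REST server serializes this WP_Error as
    // {"code":"rest_login_required","message":"...","data":{"status":401}}
    // and uses data.status as the HTTP response status.
    return new WP_Error( 'rest_login_required', $message, array( 'status' => 401 ) );
} );

// Remove the REST discovery hints for all users, logged in or not:
// the Link: <.../wp-json/>; rel="https://api.w.org/" HTTP header and the
// matching <link rel="https://api.w.org/"> tag in the HTML head.
// Both callbacks are core functions registered in wp-includes/default-filters.php;
// the priorities must match those registrations for remove_action() to find them.
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
```

Drop the file into wp-content/plugins/ and activate it (or paste the body, without the plugin header, into a theme's functions.php), then log out and request /wp-json/ to see the 401 response. The check is all-or-nothing for anonymous visitors, so any front-end feature that anonymous visitors use through REST, such as the Contact Form 7 case the FAQ describes, needs its own exception before it will work again.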

Older versions of WordPress

For WordPress versions lower than 4.7, this plugin simply disables all REST API functionality for all users.

See the FAQ section for details.

Privacy

This plugin does not collect or store any user data. It does not set any cookies, and it does not connect to any third-party locations. Thus, this plugin does not affect user privacy in any way. If anything it improves user privacy, as it protects potentially sensitive information from being displayed/accessed via REST API.

Support development of this plugin

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:

And/or purchase one of my premium WordPress plugins:

Links, tweets and likes also appreciated. Thank you! 🙂

Installation

How to install

  1. Upload the plugin to your blog and activate it
  2. Done! No further configuration required.

More info on installing WP plugins

Testing

To test that the plugin is working, log out of WordPress and then request https://example.com/wp-json/ in your browser. See the FAQ for more information.

Like this plugin?

If you like Disable WP REST API, please take a moment to give a 5-star rating. It helps keep development and support going strong. Thank you!

FAQ

What is the default access-denied message?

When the user is logged in to WordPress, the normal REST API data will be displayed. When the user is not logged in, this is the default message:

{"code":"rest_login_required","message":"REST API restricted to authenticated users.","data":{"status":401}}

Why would anyone want to disable the REST API?

Technically, this plugin disables the REST API only for visitors who are not logged in to WordPress. With that in mind, here are some good reasons why someone would want to disable the REST API for non-logged-in users:

  • Non-logged-in users probably don't need the REST API
  • Disabling the REST API saves server resources
  • Disabling the REST API minimizes potential attack vectors
  • Disabling the REST API helps prevent content scraping and plagiarism

I'm sure there are other valid reasons out there, but you get the idea :)

Isn't there already another "disable REST" plugin?

Yes, in fact there are two other "disable REST" plugins:

The first of these plugins is excellent and provides more features and functionality than simply disabling REST requires. The second plugin was closed due to lack of use. I wrote my own disable-REST plugin because I wanted something super lightweight, fast and effective. If you are looking for more options and features, check out the first of the two alternatives listed.

How to test that REST is disabled?

Testing is easy:

  1. Log out of WordPress
  2. Using a browser, request https://example.com/wp-json/

If you see the following message, REST is disabled:

"rest_login_required: REST API restricted to authenticated users."

Then, if you log back in and make a fresh request to https://example.com/wp-json/, you will see that REST is working normally.

Does it disable REST features added by other plugins?

Yes, if the REST endpoints are registered using the WP REST API.

Does this work with Gutenberg/Block Editor?

Yes. It works the same regardless of which editor (Classic or Block) you are using.

How to customize the error message?

By default the plugin displays a message for unauthenticated users: “REST API restricted to authenticated users.” To customize that message to whatever you want, add the following code via functions.php or a simple custom plugin:

function disable_wp_rest_api_error_custom($message) {
    // $message holds the plugin's default text; return your own string instead
    return 'Customize your message here.'; // change this to whatever you want
}
add_filter('disable_wp_rest_api_error', 'disable_wp_rest_api_error_custom');

How to allow access for Contact Form 7?

As explained in this thread, the plugin Contact Form 7 requires REST API access in order for the contact form to work. To allow for this, you can install our free plugin to allow REST access for CF7. Learn more and download at Perishable Press. When used together with the Disable REST API plugin, the CF7 addon will enable sending emails to work again.

Got a question?

Send any questions or feedback via my contact form

Reviews

November 16, 2021
Beautiful plugin. Before accessing /wp-json on my site leaked tonnes of information. After activation there was just a "REST API restricted to authenticated users" message, wonderful! As yet, I don't know if API authentication requests are permitted. At the present time I don't need such, but for potential APP access in future I would. I'll cross that bridge when I come to it. Great Plugin, thanks!
October 8, 2021
Thanks for making this plugin Jeff! I always appreciate your work and have literally been Googling "wordpress problem Jeff Starr" as of late to find what I need. You always come through! P.S. to anyone else who doesn't have these yet, check out Jeff's 7G Firewall, BBQ, and Blackhole for bots. He also has an amazing htaccess tricks book which is over 9000x worth it. Happy blogging!
September 4, 2021
Just install and activate, this plugin will do the rest for you.
July 9, 2021
Blocking potential entry points and attack vectors is key to maintaining a healthy website. This small but efficient tool does what it says without fuss or impacting your sites' functions. Nothing to lose by installing it and a potential attack point blocked 🙂
Read all 27 reviews

Contributors & Developers

“Disable WP REST API” is open source software. The following people have contributed to this plugin.

Contributors

Translate “Disable WP REST API” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

2.4

  • Tests on WordPress 6.0

2.3

  • Improves documentation
  • Updates some links to external resources
  • Changes minimum required WP version to 4.6
  • Tests on WordPress 5.9

2.2

  • Tests on WordPress 5.8

2.1

  • Adds support for CF7 (Thanks to @darko-a7) (more info)
  • Adds filter hook disable_wp_rest_api_post_var
  • Tests on PHP 7.4 and 8.0
  • Tests on WordPress 5.7

2.0

  • Tests on PHP 7.4 and 8.0
  • Tests on WordPress 5.6

1.9

  • Refines readme/documentation
  • Tests on WordPress 5.5

1.8

  • Tests on WordPress 5.4

1.7

  • Tests on WordPress 5.3

1.6

  • Updates some links to https
  • Tests on WordPress 5.3 (alpha)

1.5

1.4

  • Tests on WordPress 5.1 and 5.2 (alpha)

1.3

  • Tests on WordPress 5.1

1.2

  • Adds homepage link to the plugin screen
  • Updates default translation template
  • Tests on WordPress 5.0

1.1

  • Updates GDPR blurb and donate links
  • Adds "rate plugin" link to the plugin screen
  • Adds icon for the WordPress Plugin Directory
  • Generates default translation template
  • Further testing with WP versions 4.9 and 5.0 (alpha)

1.0

  • Initial release