[WordPress] 外掛分享: Turn Off REST API

首頁外掛目錄 › Turn Off REST API
100+
安裝啟用
尚無評分
20 天前
最後更新
問題解決
WordPress 4.7+ PHP 7.4+ v1.1.1 上架:2017-03-22

內容簡介

在你的網站上禁用 JSON REST API 功能,防止匿名使用者和未經授權的請求使用 REST API 從你的網站獲取信息。

自 WordPress 4.0 發布以來,很多黑客一直在利用 REST API 的漏洞進行攻擊。通過安裝這個外掛,你將有效地防止和禁用未經授權的使用者使用 REST API,保護你的網站信息不被訪問。如果有人嘗試訪問你網站上的 REST API,該外掛會對未經授權的使用者在 API 端點返回一個身份驗證錯誤。

雖然 WordPress REST API 漏洞仍在持續,但是這個外掛可以有效地防止和禁用未經授權的使用者使用 REST API 從你的網站獲取信息,該外掛對未登錄你的網站的任何使用者都會返回身份驗證錯誤,並禁用所有端點。

翻譯

英文 (en_US)

外掛標籤

開發者團隊

⬇ 下載最新版 (v1.1.1) 或搜尋安裝

① 下載 ZIP → 後台「外掛 › 安裝外掛 › 上傳外掛」
② 後台搜尋「Turn Off REST API」→ 直接安裝(推薦)
📦 歷史版本下載

原文外掛簡介

Turn Off REST API is a lightweight WordPress security plugin that disables the WordPress REST API for visitors who are not logged in. Anonymous requests to your /wp-json endpoints receive an authentication error instead of your site data, while logged in users, your theme, and your plugins keep working normally.
By default WordPress exposes a large amount of information through the REST API, including your list of user accounts and usernames, published content, and details about your site. For most sites that open, unauthenticated access is unnecessary and only widens the attack surface for user enumeration and content scraping. Turn Off REST API closes the WordPress REST API to the public in one click, then gives you a clear settings screen to reopen only the specific REST API routes you actually need.
Why turn off the WordPress REST API?

Stop anonymous user enumeration through /wp-json/wp/v2/users.
Reduce your attack surface against REST API based exploits and bots.
Keep your content and site data from being scraped through the public API.
Stay in control with a per route allow list instead of an all or nothing switch.

What it does

Returns an authentication error for unauthenticated REST API requests.
Optionally removes the REST API discovery links and headers from your page source.
Lets you build an allow list of routes that should stay public (for example a contact form or a specific integration).
Adds a Site Health check so the restriction is clearly explained and never mistaken for a fault.
Keeps the admin area, the block editor, and logged in functionality fully working.

Built for control, not breakage
Some security plugins disable the REST API completely and break the block editor or third party integrations in the process. Turn Off REST API only blocks unauthenticated access, and the per route allow list means you can whitelist exactly the endpoints a service needs without opening the whole API back up.
Developer friendly
The access decision runs through the tora_grant_rest_api filter, so developers can extend or override the logic for custom roles, application passwords, or trusted requests.

延伸相關外掛

文章
Filter
Apply Filters
Mastodon