WordPress Security Alert:

One of the new features of the recent WordPress 4.7 update is the REST API which is being hailed as the NEXT BIG THING for the WordPress platform.
Of course that remains to be seen.

So what exactly is this REST (JSON) API and what does it do?
In short, it is a connector between WordPress and other software applications which is characterized by universality and high compatibility.

Universality and high compatibility. That is the takeaway.
The WordPress REST API is revolutionary because it enables WP to communicate with other web properties no matter what programming language they’re written in. This is a Big Deal.

That’s the Good News.

Here’s the bad news.
Parts of this new API on your site are potentially available to anyone on the internet.
This means that the new WordPress REST API allows anonymous access to some features of your WordPress website.
What?
One of the functions that it provides is that anyone can list the users on a WordPress website without registering or having an account.
This is not a good thing. 
It allows anyone to list all users that have published a post and view their user ID, username, Gravatar hash and website URL.

Really Not Good!

The awesome folks from the WordFence Security plugin were the first to bring this to our attention.

You can read the post here:

https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/

So why is this a security alert and why is having your username publicly visible not a good thing?

Your username is 50% of your login info.
If a hacker or bot has your username, they only need to run password cracking scripts to try to guess the password.
Knowing your username gets them 50% of the way to breaking into your website.
That is the reason for this security alert.

Security Tip: Never display your username publicly.

Another way your username can end up publicly visible is simply a lack of user knowledge.
Every WordPress user has a username and a nickname.

Users must have a username, but don’t necessarily need a nickname. Your nickname is what is displayed on every blog post and author bio.
If no nickname is chosen, WordPress defaults to the username and inserts that into the nickname field.
If you haven’t changed your nickname, your username is automatically inserted and therefore displayed.
Again, not good.

We always recommend using a different name for your nickname (the publicly displayed name) than your username.

If you want to see whether your usernames are publicly available through the REST API,
just enter your site URL in the checker below.

If your usernames are not displayed, then congratulate yourself or your web developer.

You have good security practices/features in place.

If you can see your usernames, then as quickly as you can, install the WordFence Security plugin.
Then go to your admin user area and add a different nickname to your user.

Another option is a recent update to iThemes Security, which can now turn off the REST API functionality in WordPress.
You can read about it here: Restrict WordPress REST API with iThemes Security.
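If you would rather not rely on a plugin for this one fix, here is an added example (not from the original post, and not code from Wordfence or iThemes) of a small must-use plugin that hides the REST API user routes from anonymous requests while leaving the rest of the API working. The filter names are WordPress core hooks; the file location assumes the standard wp-content/mu-plugins/ directory.

```php
<?php
/**
 * Plugin Name: Hide REST API user listing from anonymous requests
 * Description: Added example, not part of the original post. Save this file as
 *              wp-content/mu-plugins/hide-rest-users.php and it loads automatically.
 *
 * The WordPress REST API registers the /wp/v2/users routes, which by default let
 * anyone list users who have published a post. This keeps those routes for
 * logged-in users only and leaves the other routes (posts, pages, ...) untouched.
 */

// Remove every route under /wp/v2/users (the list, single-user and /me routes)
// from the route table when the request is not authenticated.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints; // Authenticated users keep normal access.
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// Second line of defence: if another plugin re-registers a users route,
// answer anonymous requests to it with a 401 instead of user data.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) || is_user_logged_in() ) {
        return $result; // Keep earlier errors; let authenticated users through.
    }
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route'] : '';
    if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
        return new WP_Error(
            'rest_user_listing_disabled',
            'User listing is not available to anonymous requests.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```

Anonymous requests to the users routes now get the API's normal "no route" error, while the admin screens (which send a nonce with their requests) and logged-in users are unaffected.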

We always recommend updating WordPress, themes, and plugins.
Many updates patch security holes.
In the case of WordPress 4.7 we still recommend updating;
make the few changes described above and you will be covered.

Staying on top of security news and potential threats is what we do.
That is our job.
We also keep your website up to date so you don’t need to be concerned with this stuff.
You can focus on growing your business instead.

For plans and pricing go here:

Website Maintenance Pricing


Author: Mark Rudder

I enjoy helping business owners and entrepreneurs achieve their goals and boost their profits with WordPress. Your website is your place to showcase your products and share your expertise with the world. WordPress makes it easy.

OnSiteWP