Create Topic


Morten Rand-Hendriksen

This brings up a concern some of us have voiced for a while now: shipping the REST API as an always-on feature to every WordPress site on the web introduces a new vector for exploits to sites that may never use the feature at all.

I have yet to see a compelling reason why the REST API is an always-on feature rather than opt-in based on use or admin choice. In my opinion, the API should be disabled by default and activated only when a theme or plugin dependent on the feature is activated or if the admin deliberately enables it to allow access from a 3rd party.

I would love to see arguments that prove me wrong, but like I said, I have yet to see any.





