Andrew Marshall

Stop what you are doing and install this WordPress plugin

Does your website use WordPress?

If the answer to that question is yes, read on. There is something very important that you need to do now, right now.

If not, put your feet up and relax (at least until the next security scare comes along).

TL;DR? Skip to the "What to do" section, and then come back and read the rest of the post.

Full disclosure: this website uses Joomla as its content management system, so this particular problem does not apply; no doubt there are others though…

The story

Recently I have been developing a membership app for a local networking group that I am a part of. Currently there is a profile/info page for each member on the website, but it was recognised that an app would be a great way to promote both the group and the members within it.

Currently the admins update the website very infrequently, so member profiles can be quite out of date. Also, most members do not have a direct contact link on the website. A separate email reminder is sent to members for new events and meetings.

The app was intended to overcome these things.

  • being able to contact/call a member at the touch of a button
  • meeting and event notifications
  • members being able to update their own profiles
  • etc

As one of the objectives of this work was to reduce the amount of administration involved in maintaining the member profiles, a requirement was to share the information that appeared on the web pages. As you might guess from the theme of this article, the site is built on WordPress.

I started to look into ways of getting the information out; the easiest way is with some sort of API.

Fortunately, WordPress does have a REST API, and it exposes pretty much every part of the system: users, pages, posts and so on. Anything your site can show to a logged-in editor through that API, it will also show to anybody who asks, unless you tell it not to.

The Problem: It is enabled by default!

Try this:

– Make sure you are not logged into your WordPress account: open a new browser window in Incognito (private browsing) mode,

– Enter the following in the address bar: yourwebsite.co.uk/wp-json/wp/v2/pages

(Replace yourwebsite.co.uk with your website)

What will be displayed in your browser is a JSON list of all of the published pages on your site, with the data for each page neatly structured for easy copying.

Change pages to users and a neat list of user information is displayed. Fortunately there are no passwords, but the display name and the user slug (which WordPress normally derives from the login name) of every account that has published content do appear, which is exactly the list an attacker wants before trying to guess passwords on your login page.

The history

The REST API infrastructure arrived in core with Version 4.4 in December 2015, but the content endpoints (pages, posts, users and so on) were still provided by a separate WP REST API plugin that you had to install and activate, which most people didn't do.

In December 2016, Version 4.7 was released, which merged those endpoints into core WordPress, so they became available automatically when you upgraded your site (you do keep your website up to date…). Unfortunately, the developers decided that the API should be enabled by default, and there is no setting in the admin screens to switch it off.

What to do

Fortunately there is a very easy solution. A developer called Dave McHale has written a plugin called Disable REST API which is very simple to use. It takes only a couple of minutes to install, and once activated it rejects every REST API request that does not come from a logged-in user, so the two addresses above return an error instead of your data. One caveat: any front-end feature that calls the API anonymously (some contact-form and search plugins do) will stop working, so click through the site after activating it, and repeat the Incognito check above to confirm the listings are gone.

If you don’t know how to do this talk to your webmaster or hosting company.
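The check described in "Try this", and the confirmation you should do after installing the plugin, can both be scripted. The following is an added example, not code from the original post or from the Disable REST API plugin. It requests the two endpoints the post mentions with no cookies and no credentials, then classifies the reply as "exposed" (an HTTP 200 JSON array) or "blocked" (a 401/403 JSON error). The site names, the sample JSON bodies and the rest_cannot_access error code are constructed for illustration; run it with your own domain as the argument and believe what your site actually returns.

```python
"""Anonymous probe of the WordPress REST API endpoints mentioned above.

Added example, not code from the original post or from the Disable REST API
plugin. Site names, sample responses and the error code in SAMPLE_BLOCKED are
constructed for illustration.
"""
import json
import sys
import urllib.error
import urllib.request

# The two endpoints the post tells you to try, relative to /wp-json/.
ENDPOINTS = ("wp/v2/pages", "wp/v2/users")

# The user fields worth keeping from an open listing; 'slug' matters because
# WordPress normally derives it from the login name.
USER_FIELDS = ("id", "name", "slug", "link")


def rest_url(site, endpoint):
    """Build https://<site>/wp-json/<endpoint>, tolerating a trailing slash."""
    site = site.rstrip("/")
    if not site.startswith(("http://", "https://")):
        site = "https://" + site
    return f"{site}/wp-json/{endpoint}"


def classify(status, body):
    """Classify one anonymous response.

    Returns ("exposed", records) for an HTTP 200 JSON array (the API is open),
    ("blocked", error_code) for a 401/403 JSON error object (the API refuses
    anonymous callers), or ("unknown", data) for anything else.
    """
    try:
        data = json.loads(body) if body else None
    except json.JSONDecodeError:
        return ("unknown", None)
    if status == 200 and isinstance(data, list):
        return ("exposed", data)
    if status in (401, 403) and isinstance(data, dict):
        return ("blocked", data.get("code"))
    return ("unknown", data)


def exposed_users(records):
    """Reduce a /wp/v2/users listing to the fields an attacker would harvest."""
    return [{field: rec.get(field) for field in USER_FIELDS} for rec in records]


def probe(site, endpoint, timeout=10):
    """Fetch an endpoint with no cookies and no auth header, then classify it."""
    request = urllib.request.Request(rest_url(site, endpoint),
                                     headers={"User-Agent": "rest-probe/1"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify(response.status, response.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 401/403 replies still carry a JSON body; read it rather than bail out.
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample bodies (not captured from a real site) so the script runs offline.
SAMPLE_OPEN_USERS = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin",
     "link": "https://example.invalid/author/admin/", "description": ""},
    {"id": 7, "name": "Jane Member", "slug": "jmember",
     "link": "https://example.invalid/author/jmember/", "description": ""},
])
SAMPLE_BLOCKED = json.dumps({
    "code": "rest_cannot_access",  # assumed error code, modelled on a WP_Error reply
    "message": "Only authenticated users can access the REST API.",
    "data": {"status": 401},
})


def report(verdict, detail, endpoint):
    """Human-readable one-liner for a classified endpoint."""
    if verdict == "exposed":
        if endpoint.endswith("users"):
            names = ", ".join(f"{u['name']} ({u['slug']})" for u in exposed_users(detail))
            return f"{endpoint}: EXPOSED, {len(detail)} accounts listed: {names}"
        return f"{endpoint}: EXPOSED, {len(detail)} items listed"
    if verdict == "blocked":
        return f"{endpoint}: blocked for anonymous callers (error code {detail})"
    return f"{endpoint}: could not classify the response"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python probe.py yourwebsite.co.uk
        for ep in ENDPOINTS:
            print(report(*probe(sys.argv[1], ep), ep))
    else:  # no site given: demonstrate on the constructed samples
        print(report(*classify(200, SAMPLE_OPEN_USERS), "wp/v2/users"))
        print(report(*classify(401, SAMPLE_BLOCKED), "wp/v2/users"))
```

Run it once before installing the plugin (expect EXPOSED on both endpoints) and once after (expect blocked). A result of "could not classify" usually means a caching layer or a security plugin returned HTML instead of JSON; look at the raw response in the browser before drawing any conclusion.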

The size of the problem

At the time of writing, there are approximately 437 million active websites, of which roughly 30% use WordPress; that's approximately 131 million websites. The installation stats for the plugin show 40,000+ active installations, which means that only about 0.03% of WordPress sites have taken this particular step to protect themselves.

 It’s clear that more people need to be made aware of this potential problem, so please go ahead and share with your friends.
