Add option to expose REST-API only to authenticated users, maybe limited to a certain capability.
Like I have already suggested with a REST API security key.
There is the official OAuth plugin for the REST API that wasn't integrated because it requires a newer version of PHP. So maybe when we do that bump we can have that integration.
I have written an IndieAuth plugin for WordPress (IndieAuth is an OAuth variant). Would you consider that? It also does not have a higher version requirement.
I read a blog post or comment somewhere about how disabling non-auth access to the REST API prevented a plugin from working properly, which in turn led to a debugging nightmare for the site owner. Maybe Contact Form 7... can't recall for sure... but this might be a consideration.
Thanks John, this is a good example of the kind of thing we'd need to investigate & understand before doing this.
John is right, Contact Form 7 breaks if you disable the REST API. It was a real headache to figure out when I first encountered the problem. On the (WP) sites where the REST API is not needed I usually use the "Disable REST API" plugin, which also provides a handy whitelisting feature to, for example, make CF7 work again.
Which API endpoint needs to be whitelisted / re-enabled for CF7? I am asking in case I run across this situation in the future. Thanks.
Brett, I haven't looked at the "Disable REST API" plugin's code and how it handles the whitelisting so I'm afraid I don't know that. The plugin's whitelisting feature is just a settings page with a list of every plugin using the REST-API. You can then just tick the checkboxes for the plugins that should be able to access the API.
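The option requested at the top of the thread (REST API only for authenticated users, optionally gated on a capability) together with the per-plugin whitelisting discussed just above can be expressed in a few lines of a must-use plugin. The code below is an added example for this thread; it is not code from WordPress core, from Contact Form 7, or from the "Disable REST API" plugin. It uses real core hooks and functions (`rest_pre_dispatch`, `WP_REST_Request::get_route()`, `is_user_logged_in()`, `current_user_can()`, `WP_Error`). The namespace `contact-form-7/v1` is an assumption about where CF7 registers its routes, and `edit_posts` is an illustrative capability; both should be checked against your own site (the namespaces are listed at `GET /wp-json/`).

```php
<?php
/*
 * Plugin Name: Restrict REST API to authenticated users (added example)
 *
 * Require a logged-in user with a given capability for every REST request,
 * except routes under an allowlist of namespaces that must stay public.
 * Install as wp-content/mu-plugins/restrict-rest.php.
 *
 * Assumptions: 'contact-form-7/v1' is where CF7 registers its routes (verify
 * via GET /wp-json/ on your site); 'edit_posts' is an illustrative capability.
 */

// Namespaces that must stay reachable without a login. Each entry is matched
// as a path prefix, so every route under it is allowed. Keep the list short.
function restrict_rest_public_namespaces() {
    return array(
        'contact-form-7/v1', // assumption: CF7 front-end submissions post here
    );
}

// Capability every other request must carry. Pick the weakest capability that
// covers the users who legitimately need the API (editors, a headless client).
function restrict_rest_required_capability() {
    return 'edit_posts';
}

// True when $route is exactly a public namespace or lies underneath one.
// The trailing '/' in the prefix check stops "/contact-form-7/v1x/..." from
// matching the "/contact-form-7/v1" entry.
function restrict_rest_route_is_public( $route, $namespaces ) {
    foreach ( $namespaces as $ns ) {
        $prefix = '/' . trim( $ns, '/' );
        if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
            return true;
        }
    }
    return false;
}

// rest_pre_dispatch runs after core authentication (cookie + nonce, and
// Application Passwords on 5.6+) has set the current user, but before the
// route callback is dispatched. Returning a WP_Error here short-circuits the
// request and sends the error with the status given in its data.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // an earlier filter already decided this request
    }

    $route = $request->get_route(); // e.g. "/wp/v2/users"

    if ( restrict_rest_route_is_public( $route, restrict_rest_public_namespaces() ) ) {
        return $result; // allowlisted: fall through to normal dispatch
    }

    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to use the REST API.',
            array( 'status' => 401 )
        );
    }

    if ( ! current_user_can( restrict_rest_required_capability() ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Your account does not have permission to use the REST API.',
            array( 'status' => 403 )
        );
    }

    return $result;
}, 10, 3 );
```

To check it, an anonymous `curl -i https://example.com/wp-json/wp/v2/users` should now return 401 (that endpoint is the usual username-enumeration target that motivates locking the API down), while a CF7 form on the front end still submits because its namespace is allowlisted. Logged-in editors keep the block editor working, since their requests carry the cookie and nonce that core validates before this filter runs; the same holds for clients using the Application Passwords introduced in 5.6. `rest_authentication_errors` is the hook most "disable REST API" plugins use, but it fires before the request object exists, which is why the route-aware allowlist is easier to do in `rest_pre_dispatch`.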
If you are developing a site that is not using the REST API, is it better to disable the REST API for security or for performance?
Seems like WordPress 5.6 will introduce this option https://wptavern.com/wordpress-5-6-to-introduce-application-passwords-for-rest-api-authentication