The more I fumfer around with my blogs the more I learn about things I wish I didn’t need to learn. This time I learned about WordPress’ wp-json exploit. The wp-json security hole has been around since WordPress version 4.7.0 (circa February, 2017). Actually, I’m surprised the programmers hadn’t fixed it in the subsequent updates (currently we’re at version 4.8.3).
Apparently WP-json is a function used legitimately in WordPress that enables WordPress to do what it does. Not being a coder, I can’t tell you what it does, but it’s a necessary function. For the more technically inclined, check out SecPod’s article WordPress ‘REST API Endpoint’ Zero-Day Content Injection Vulnerability for a better explanation.
Although WP-json is a necessary function for WordPress, it also serves as an entry way for hackers to gain access to blogs.
WP-json Exploit – Is Your Site at Risk?
To find out if you’re at risk, go to your domain and append the domain name with /wp-json. For example: www.yourdomain.com/wp-json.
If your wp-json page displays a lot of text, then your site is vulnerable. The amount of text displayed on the page varies depending on the blog’s activity. Below is an image of the wp-json page for one of my WordPress blogs.
(I blurred the text to protect the innocent)
I don’t know how hackers use the information, but I sure don’t want to make it easier for them to gain access. There are enough other things to worry about without sending them an entry invitation through the wp-json exploit.
Closing the WP-Json Hole
The solution to this problem is easy. All you need to do is install and activate the Disable Rest API plugin. It takes just seconds (OK, maybe a minute or two). After it’s installed the /wp-json page will display the following text:
The plugin closes the wp-json hole so hackers can’t exploit it. Unfortunately, they’ll probably look for other ways to ruin a blogger’s day.