WP-Json Exploit: Is Your WordPress Blog Vulnerable?

| November 2, 2017 | 6 Comments

The more I fumfer around with my blogs, the more I learn about things I wish I didn’t need to learn. This time I learned about WordPress’ wp-json exploit. The wp-json security hole has been around since WordPress version 4.7.0 (circa February 2017). Actually, I’m surprised the programmers haven’t fixed it in the subsequent updates (currently we’re at version 4.8.3).

Apparently WP-json is a function that WordPress itself uses legitimately; it is part of what enables WordPress to do what it does. Not being a coder, I can’t tell you exactly what it does, but it’s a necessary function. For the more technically inclined, check out SecPod’s article WordPress ‘REST API Endpoint’ Zero-Day Content Injection Vulnerability for a better explanation.

Although WP-json is a necessary function for WordPress, it also serves as an entry way for hackers to gain access to blogs.

WP-json Exploit – Is Your Site at Risk?

To find out if you’re at risk, go to your domain and append /wp-json to the domain name. For example: www.yourdomain.com/wp-json.

If your wp-json page displays a lot of text, your site is vulnerable. The amount of text displayed on the page varies depending on the blog’s activity. Below is an image of the wp-json page for one of my WordPress blogs.

[Image: the wp-json page of one of my WordPress blogs]

(I blurred the text to protect the innocent)

I don’t know how hackers use the information, but I sure don’t want to make it easier for them to gain access. There are enough other things to worry about without sending them an entry invitation through the wp-json exploit.

Closing the WP-Json Hole

The solution to this problem is easy. All you need to do is install and activate the Disable REST API plugin. It takes just seconds (OK, maybe a minute or two). After it’s installed, the /wp-json page will display the following text:

[Image: the /wp-json page after activating the Disable REST API plugin]

The plugin closes the wp-json hole so hackers can’t exploit it. Unfortunately, they’ll probably look for other ways to ruin a blogger’s day.
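For readers who would rather not add another plugin, the same effect can be had with a few lines of PHP. The snippet below is an added example written for this post; it is not the Disable REST API plugin’s own code. It assumes you can drop a file into wp-content/mu-plugins/ (a must-use plugin, loaded automatically), and the short allow-list of routes that stay public is my assumption for the example, not something the plugin does. It hooks the rest_authentication_errors filter that WordPress runs before serving any /wp-json request and answers anonymous visitors with an HTTP 401 error instead of the API index.

```php
<?php
/**
 * Plugin Name: Restrict REST API to Logged-in Users (example)
 * Description: Added example for this post, not the Disable REST API plugin's code.
 *              Save as wp-content/mu-plugins/restrict-rest-api.php.
 */

/**
 * Route prefixes that stay reachable without logging in.
 * This allow-list is an assumption for the example; trim it to what your
 * site really needs (an empty list blocks everything under /wp-json).
 */
function example_public_rest_prefixes() {
    return array(
        '/oembed/1.0', // lets other sites embed your posts
    );
}

/**
 * True when the requested route starts with an allow-listed prefix.
 */
function example_rest_route_is_public( $route ) {
    foreach ( example_public_rest_prefixes() as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Runs on the rest_authentication_errors filter for every REST request.
 * Returns a WP_Error (HTTP 401) for anonymous visitors, which makes
 * /wp-json show a short JSON error instead of the full route listing.
 */
function example_restrict_rest_api( $result ) {
    // Another filter already authenticated the request or rejected it; keep that.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // Logged-in users (editors, the dashboard, plugins acting for them) keep access.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // The route being requested, e.g. "/" for /wp-json or "/wp/v2/posts".
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';

    if ( example_rest_route_is_public( $route ) ) {
        return $result;
    }

    return new WP_Error(
        'rest_not_logged_in',
        'The REST API on this site is restricted to logged-in users.',
        array( 'status' => 401 )
    );
}
add_filter( 'rest_authentication_errors', 'example_restrict_rest_api' );
```

After saving the file, reload www.yourdomain.com/wp-json while logged out: instead of the wall of text you should get a one-line JSON error and a 401 status, while the site itself keeps working for you in the dashboard. If a plugin or theme you rely on (contact forms, embeds, page builders) stops working, add its route prefix to the allow-list rather than removing the file.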


Category: Blog, Plugins, WordPress

About the Author

Felicia A. Williams is a freelance writer and blogger. She spends the majority of her time with her family and writing. If she’s not writing or commenting on NJFM, she’s either outside smelling the roses or writing articles for one of her other sites.

Comments (6)


  1. Loretta says:

    Thank you so much for the information, Felicia. I intend to check my site immediately. Please keep informing us about these important issues.

  2. Vidya Sury says:

    Ewwwwh! Thanks for the info, Felicia. Just last week, I happened to read one of my recent posts and found a couple of strange paragraphs in it with links I am unlikely to put into my posts! Perhaps this was the gateway! Ugh.

    Fumfer is a new word for me. 🙂 But I am so glad you did that. Hugs!

  3. Ignatius says:

    This is a good reminder for everyone who uses WordPress. It’s so easy to set up a basic WP site that people forget that there is a lot of complex programming underneath that simple interface–with malicious hackers working to exploit every vulnerability. WordPress is definitely not something you can set and forget.

    • Felicia says:

      Agreed! Actually, this exploit made me long for the days when I used to create hand coded HTML sites. As a matter of fact, I’m planning to toy with one of my smaller blogs. The blog gets seasonal traffic but no comments. I’m thinking of boning up on my HTML and learning the new tricks since I last dabbled to create a static site. The geek in me salivates at the thought! 🙂
