
WP-Json Exploit: Is Your WordPress Blog Vulnerable?

The more I fumfer around with my blogs, the more I learn about things I wish I didn’t need to learn. This time I learned about WordPress’ wp-json exploit. The wp-json security hole has been around since WordPress version 4.7.0 (circa February, 2017). Actually, I’m surprised the programmers hadn’t fixed it in the subsequent updates (currently we’re at version 4.8.3).

Apparently wp-json is a legitimate WordPress function (its REST API endpoint) that enables WordPress to do what it does. Not being a coder, I can’t tell you what it does, but it’s a necessary function. For the more technically inclined, check out SecPod’s article WordPress ‘REST API Endpoint’ Zero-Day Content Injection Vulnerability for a better explanation.

Although wp-json is a necessary function for WordPress, it also serves as an entryway for hackers to gain access to blogs.

WP-json Exploit – Is Your Site at Risk?

To find out if you’re at risk, go to your domain and append the domain name with /wp-json. For example: www.yourdomain.com/wp-json.

If your wp-json page displays a lot of text, then your site is vulnerable. The amount of text displayed on the page varies depending on the blog’s activity. Below is an image of the wp-json page for one of my WordPress blogs.

[Image: wp-json exploit]

(I blurred the text to protect the innocent)
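The check above can be done by hand in a browser, but it helps to know what the "lot of text" actually is: the REST index, a JSON document listing the site's namespaces and routes. The script below is an added example (not part of the original post) that runs the same check against a site you administer and also looks at the user-listing route that a commenter below singles out. It reports only counts, never the user data itself. It assumes PHP 7.1 or later with allow_url_fopen enabled; the site URL is passed on the command line.

```php
<?php
// Added example (not from the original post): automates the "visit /wp-json" check
// for a site you administer. Usage: php check-wp-json.php https://www.yourdomain.com
// Assumptions: PHP 7.1+, allow_url_fopen enabled, outbound HTTP(S) allowed.

/** Fetch a URL and return its HTTP status plus the decoded JSON body (null if not JSON). */
function fetch_json( string $url ): array {
    $ctx    = stream_context_create( array( 'http' => array( 'ignore_errors' => true, 'timeout' => 10 ) ) );
    $body   = @file_get_contents( $url, false, $ctx );
    $status = 0;
    // PHP fills $http_response_header in the calling scope after an http:// or https:// fetch.
    if ( ! empty( $http_response_header ) && preg_match( '#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m ) ) {
        $status = (int) $m[1];
    }
    $json = ( false === $body ) ? null : json_decode( $body, true );
    return array( 'status' => $status, 'json' => is_array( $json ) ? $json : null );
}

/** Describe what an anonymous visitor can see; returns one finding per line. */
function assess_rest_exposure( string $base_url ): array {
    $base     = rtrim( $base_url, '/' );
    $index    = fetch_json( $base . '/wp-json/' );
    $users    = fetch_json( $base . '/wp-json/wp/v2/users' );
    $findings = array();

    // The "lot of text" in the post is the REST index: a JSON object with "namespaces" and "routes".
    if ( 200 === $index['status'] && isset( $index['json']['routes'] ) ) {
        $findings[] = sprintf( 'REST index is public: %d routes advertised.', count( $index['json']['routes'] ) );
    } elseif ( in_array( $index['status'], array( 401, 403 ), true ) ) {
        $findings[] = 'REST index refuses anonymous requests (HTTP ' . $index['status'] . ').';
    } else {
        $findings[] = 'REST index not reachable or not JSON (HTTP ' . $index['status'] . ').';
    }

    // The users route lists author accounts; report only how many are exposed, not who they are.
    if ( 200 === $users['status'] && is_array( $users['json'] ) ) {
        $findings[] = sprintf( 'Users endpoint is public: %d account(s) listed to anonymous visitors.', count( $users['json'] ) );
    } else {
        $findings[] = 'Users endpoint blocked for anonymous visitors (HTTP ' . $users['status'] . ').';
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( assess_rest_exposure( $argv[1] ) as $line ) {
        echo $line, PHP_EOL;
    }
}
```

A site with the fix from the next section in place answers both requests with HTTP 401, so the script prints the two "refuses"/"blocked" lines; an untouched site prints a route count and an account count.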

I don’t know how hackers use the information, but I sure don’t want to make it easier for them to gain access. There are enough other things to worry about without sending them an entry invitation through the wp-json exploit.

Closing the WP-Json Hole

The solution to this problem is easy. All you need to do is install and activate the Disable Rest API plugin. It takes just seconds (OK, maybe a minute or two). After it’s installed the /wp-json page will display the following text:

[Image: Fixed WP-json Exploit]

The plugin closes the wp-json hole so hackers can’t exploit it. Unfortunately, they’ll probably look for other ways to ruin a blogger’s day.

7 comments
  • Ignatius November 2, 2017, 8:34 pm

    This is a good reminder for everyone who uses WordPress. It’s so easy to set up a basic WP site that people forget that there is a lot of complex programming underneath that simple interface–with malicious hackers working to exploit every vulnerability. WordPress is definitely not something you can set and forget.

    • Felicia November 3, 2017, 11:15 am

      Agreed! Actually, this exploit made me long for the days when I used to create hand coded HTML sites. As a matter of fact, I’m planning to toy with one of my smaller blogs. The blog gets seasonal traffic but no comments. I’m thinking of boning up on my HTML and learning the new tricks since I last dabbled to create a static site. The geek in me salivates at the thought! 🙂

  • Vidya Sury November 3, 2017, 7:56 am

    Ewwwwh! Thanks for the info, Felicia. Just last week, I happened to read one of my recent posts and found a couple of strange paragraphs in it with links I am unlikely to put into my posts! Perhaps this was the gateway! Ugh.

    Fumfer is a new word for me. 🙂 But I am so glad you did that. Hugs!

    • Felicia November 3, 2017, 11:17 am

      Oh no! Hopefully wp-json was the culprit and you’ve closed that door.

      And yes, that’s me…Felicia the fumferer! 🙂

  • Loretta November 3, 2017, 1:24 pm

    Thank you so much for the information, Felicia. I intend to check my site immediately. Please keep informing us about these important issues.

  • Casey G August 30, 2018, 9:21 am

    wp-json is used for the REST API. It’s a way to use the front-end JS framework, or to access content from external sites. Just because it is activated does not mean your site is vulnerable. However, I do recommend blocking access to the user requests as they can find out info about your site’s users. Also, if you’re not actively using it for development, you may as well restrict it to logged-in users as you recommend. Just because it is active though does not put you at risk. In fact, the same info can be accessed through RSS feeds using XML.
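For readers who would rather see what "closing the hole" means in code than install a plugin, the must-use plugin below is an added example; it is not the Disable REST API plugin's own code and not from the post or the commenters. Its default setting does what the post's plugin does (every /wp-json route answers 401 to logged-out visitors); flipping the toggle to the narrower option keeps the API working and hides only the user-listing routes, which is what the comment above recommends. It assumes WordPress 4.7 or later, where both hooks used here exist, and that the file is saved under wp-content/mu-plugins/ (the file name and the EXAMPLE_LOCK_ENTIRE_REST_API constant are this example's own).

```php
<?php
/**
 * Plugin Name: Restrict REST API for anonymous visitors (added example)
 *
 * Added example, not the Disable REST API plugin's own code. Save it as
 * wp-content/mu-plugins/restrict-rest-api.php; must-use plugins load without activation.
 * Assumes WordPress 4.7 or later, where the two hooks below exist.
 */

// Toggle for this example (assumed name): true = block every /wp-json route for logged-out
// visitors (what the post's plugin does); false = hide only the user-listing routes.
if ( ! defined( 'EXAMPLE_LOCK_ENTIRE_REST_API' ) ) {
    define( 'EXAMPLE_LOCK_ENTIRE_REST_API', true );
}

// Full lockdown. This filter runs before any route is dispatched; returning a WP_Error
// turns the whole request into an error response with the given status.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another plugin already allowed (true) or denied (WP_Error) the request; respect that.
    if ( null !== $result ) {
        return $result;
    }
    if ( EXAMPLE_LOCK_ENTIRE_REST_API && ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// Narrow option: remove the user routes from the route table for anonymous visitors, so
// /wp/v2/users, /wp/v2/users/<id> and /wp/v2/users/me answer "no route" while everything
// else (posts, pages, plugin endpoints) keeps working.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( EXAMPLE_LOCK_ENTIRE_REST_API || is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

The full lockdown is the safer default for a plain blog, but it also refuses anonymous requests from anything that legitimately uses the REST API without logging in (some contact-form and commerce plugins, Jetpack, front-end JavaScript). If a feature stops working after installing this, switch the toggle to false and keep only the user routes hidden; that is the trade-off the comment above describes.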
