New WordPress REST API Susceptible to Username Harvesting
WPSanity WordPress Users Are Protected
Last week WordPress 4.7 was released, on December 6th. It includes a REST API that will be used by many of your favorite WordPress plugins, desktop applications, mobile apps and even the WordPress core in future updates. All sites that upgrade to WordPress 4.7 will have the API enabled by default.
This API is very powerful and allows WordPress morph from being a basic web based content-management system (CMS) into being an actual application framework. This means that developers can write applications to run anywhere and talk to your WordPress website. In future you’ll be able to publish content and manage your site from your desktop, tablet, phone, the cloud, and plugin developers will be able to create new extensions that improve your WordPress experience.
As Spiderman teaches us, with great power comes great responsibility. Portions of this new API are available to anyone on the net. They don’t need to sign into your particular WordPress site to be able to use the API. They can just connect and use it. Seems obvious that we can expect hackers to find ways to exploit this.
WPSanity already includes protection that makes it more challenging for bots to discover your administrator username and password. WPSanity enabled this feature to extend this protection to the new WordPress 4.7 REST API.
I you don’t already subscribe to WPSanity services or if you have questions, give us a call (916) 661-8422