Admin Tools for WordPress

#34265 Is there a way within Admin Tools to prevent wp-json from displaying usernames?

Posted in ‘Admin Tools for WordPress’

Environment Information

WordPress version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by kamahq on Monday, 28 December 2020 01:17 CST

kamahq

WordPress version 5.6

Hi there, 

While reading my logs, I discovered the following:

"GET //wp-json/wp/v2/users/ HTTP/1.1" 200 2402

As you can see, it returned a 200 Status Code response.

I used the above on my website to try and see what happens, and sure enough, the usernames were displayed.

I tried to report this on HackerOne, but WordPress does not consider hiding usernames as part of security/authentication... or something along those lines. Figures.

I however, do. 

As such, I'd like to know if there is a way to stop this from happening with Admin Tools? I'd like to keep the usernames hidden.

Thank you

kamahq

OK, about 5 minutes after submitting the support request, I found the following code, which works when added to your theme's (or child theme's) functions.php file:

// Unregister the REST routes that list users, so that
// /wp-json/wp/v2/users and /wp-json/wp/v2/users/<id> return a 404 (rest_no_route).
function disable_rest_endpoints ( $endpoints ) {
    // The collection route: /wp/v2/users
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    // The single-user route, registered by core with a named "id" capture group.
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'disable_rest_endpoints' );

Hopefully this helps someone. Please do let me know if there is a better idea than this though. Thank you

nicholas
Akeeba Staff
Manager

This is indeed one of the criticisms against the current implementation of WordPress' JSON API, that the unauthenticated access to its users endpoints divulges the usernames. This is something that core contributors have complained about. Of course WordPress leadership, as you said, does not consider this an issue. To be fair, this is not a security issue per se but it can be used for recon against an organisation on the reasonable assumption that people reuse usernames in multiple services, including email, meaning that an attacker has a simple way to enumerate plausible phishing targets.

We haven't added a mitigation for that in Admin Tools on purpose. It makes it impossible to use WP-CLI remotely, which is something that many of our clients need to do. We also feel that the API has far more issues, one of which is that it used to accept only, and still accepts, username/password authentication, which makes it a prime target for brute forcing site passwords. The only mitigation is to not use WordPress, really. When the API starts with architectural flaws like that, there's not much you can reasonably do to mitigate their effects.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
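As an added example (not code from this thread, from Admin Tools, or from WordPress core), the must-use plugin below takes a middle path between the two posts above: instead of unregistering the users routes, which also locks out any authenticated tooling that needs them, it short-circuits only unauthenticated requests to `/wp/v2/users` and `/wp/v2/users/<id>` with a 401. It uses the core `rest_pre_dispatch` filter, `WP_REST_Request::get_route()`, `is_user_logged_in()`, `rest_authorization_required_code()` and `WP_Error`; the file name, plugin header and error code string are assumptions.

```php
<?php
/**
 * Plugin Name: Hide REST users endpoints from anonymous requests
 * Description: Example mu-plugin; file name and header are assumptions. Save as
 *              wp-content/mu-plugins/hide-rest-users.php (must-use plugins load
 *              automatically, no activation needed).
 */

// Core dispatches every REST request (including the sub-requests it makes to
// satisfy ?_embed) through WP_REST_Server::dispatch(), which runs this filter
// before routing. Returning a non-null value here ends the request.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already short-circuited the request; leave it alone.
    if ( null !== $result ) {
        return $result;
    }

    $route = $request->get_route(); // e.g. "/wp/v2/users" or "/wp/v2/users/7"

    // Match only the users collection and single-user routes. /wp/v2/users/me
    // is deliberately left untouched: core already requires authentication
    // for it. rest_api_loaded() strips the trailing slash, but tolerate one.
    if ( ! preg_match( '#^/wp/v2/users(?:/\d+)?/?$#', $route ) ) {
        return $result;
    }

    // Cookie+nonce, Application Password (5.6+) and any other authentication
    // method has already run by now, so this reflects the real caller.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Anonymous caller: refuse with the status core uses for this situation
    // (401 when nobody is logged in, 403 when someone is but lacks capability).
    return new WP_Error(
        'rest_cannot_list_users',          // assumed error code, not a core one
        __( 'Sorry, you are not allowed to list users.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

To check it, repeat the request from the log anonymously (`curl -s -o /dev/null -w '%{http_code}\n' https://example.com/wp-json/wp/v2/users/` should now print 401 instead of 200) and then once more with HTTP Basic credentials from an Application Password, which should still return the user list. Because the check runs inside dispatch, the author objects pulled in by `?_embed` on the posts endpoint go through the same gate. It only closes the REST channel discussed in this ticket, though: the posts endpoint still returns numeric author IDs, and other places that print author slugs (author archives, for instance) are out of scope here.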

kamahq

I'm switching back to Joomla!! :D

Thank you Nicholas, excellent as always :)