[wp-trac] [WordPress Trac] #62960: Delete wp-json

WordPress Trac noreply at wordpress.org
Thu Feb 13 21:20:38 UTC 2025


#62960: Delete wp-json
--------------------------+-----------------------------
 Reporter:  pistoletoff   |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  REST API      |    Version:  6.7.2
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Hello, when will the wp-json folders be removed from public access? Their
 existence creates various problems.
 "To be fair, this folder does not contain logins and passwords in plain
 text, so it cannot be considered overly malicious. However, these entries
 themselves are still quite unpleasant. Information about the plugins used
 could be found in the HTML page, but it would hardly contain all of them.
 Here they are listed by name and in order. Disclosing the login of the
 author of the entry also creates an advantage for intruders, especially
 since not all site authors indicate it publicly on the entry pages.
 As for the entry with site users, this creates opportunities for
 parsing. Parsing content is one thing; it can be implemented anyway. But
 here we have the opportunity to mass-parse site users without any
 restrictions. This information is useful not so much for hacking
 accounts as for deanonymizing users: parsing the nicknames of site users
 can make it possible to compare them with a target user and obtain
 information about which sites he uses. In addition, it is necessary to
 point out the problems in the field of SEO. Some sites provided evidence
 that Yandex indexes these folders from different sites in search. I
 haven't checked it myself, but in the Yandex Webmaster panel it gives them
 code 200 and visits them quite often. It seems that it didn't get as far as
 indexing, but just in case, an instruction was put in robots.txt to avoid
 this."
 (excerpt from my article "WP-JSON как проблема сайтов на WordPress"
 ["WP-JSON as a problem for WordPress sites"],
 https://pistoletoff.ru/%D1%81%D1%82%D0%B0%D1%82%D1%8C%D0%B8/wp-json-%D0%BA%D0%B0%D0%BA-%D0%BF%D1%80%D0%BE%D0%B1%D0%BB%D0%B5%D0%BC%D0%B0-%D1%81%D0%B0%D0%B9%D1%82%D0%BE%D0%B2-%D0%BD%D0%B0-wordpress/)

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/62960>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
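The user-enumeration point raised in the ticket (an unauthenticated GET of /wp-json/wp/v2/users returning every author's slug) can be closed on an individual site without waiting for a core change. The snippet below is an added example for this page, not code from the ticket reporter or from WordPress core: it hooks the core `rest_pre_dispatch` filter and refuses the users routes to any caller lacking the `list_users` capability. Placing it in `wp-content/mu-plugins/` and gating on `list_users` (rather than simply "logged in") are assumptions chosen for the example; adjust the capability if subscribers legitimately need the route (for example, for a block-editor author picker).

```php
<?php
/**
 * Plugin Name: Restrict REST user listing (added example, not core code)
 * Description: Deny /wp/v2/users and /wp/v2/users/{id} to callers who
 *              cannot list users in wp-admin. Drop into wp-content/mu-plugins/.
 */

// Assumption: this file lives in mu-plugins so it loads before regular plugins.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Decide whether a REST route is one of the public user-listing routes.
 * Matches "/wp/v2/users" and "/wp/v2/users/123" but not e.g. "/wp/v2/users/me"
 * (the current user asking about themselves is harmless and already
 * requires authentication in core).
 */
function restrict_rest_users_is_listing_route( string $route ): bool {
    return 1 === preg_match( '#^/wp/v2/users(?:/\d+)?/?$#', $route );
}

/**
 * rest_pre_dispatch runs after authentication but before the route
 * callback, so current_user_can() already reflects cookie/nonce or
 * application-password auth for this request.
 */
add_filter(
    'rest_pre_dispatch',
    function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
        // Another filter already short-circuited the request; leave it alone.
        if ( null !== $result ) {
            return $result;
        }

        if ( ! restrict_rest_users_is_listing_route( $request->get_route() ) ) {
            return $result;
        }

        // Assumption: 'list_users' (administrators by default) is the right
        // bar for seeing the author list. Change to 'edit_posts' if authors
        // need it for editor features.
        if ( current_user_can( 'list_users' ) ) {
            return $result;
        }

        // rest_authorization_required_code() returns 401 for anonymous
        // callers and 403 for authenticated-but-unprivileged ones.
        return new WP_Error(
            'rest_user_listing_forbidden',
            __( 'Sorry, you are not allowed to list users.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    },
    10,
    3
);
```

After installing it, verify from outside the site: `curl -s -o /dev/null -w '%{http_code}\n' https://example.com/wp-json/wp/v2/users` should print 401 instead of 200, while `curl -s https://example.com/wp-json/wp/v2/users/me` with no credentials still returns core's own 401. Note the scope of what this changes: it hides only the REST route. Author display names still appear on post pages, `_embed` on `/wp/v2/posts` still carries an author object for the post's author, and the classic `?author=N` redirect to `/author/<slug>/` is unaffected, so it reduces bulk enumeration rather than removing author identity from the site.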

