Wordpress - Security Heads Up

AussieDave

24 years & still going!
Joined
Nov 28, 2013
Messages
4,996
Reaction score
3,534
Checking out my stats, raw logs, etc., I found this strange URL:
hxxps://yourdomain.com/wp-json/wp/v2/users/

In layperson's terms, WP uses APIs.
The above can basically be used to compromise your WP site.

I've since installed:
https://wordpress.org/plugins/disable-wp-rest-api/

This now gives anyone not logged in who attempts to run this script/code:
“rest_login_required: REST API restricted to authenticated users.”

If you have a WP site, I'd recommend installing this plugin post haste ;)

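As an added example (not code from the original post or from the disable-wp-rest-api plugin), the script below shows what an unprotected users endpoint hands out and how to tell the three states apart when you check your own site: a 200 with a user list (exposed), the plugin's 401 `rest_login_required` error (restricted), or a 404 (route removed). The two sample responses are constructed; the field names `id`, `name`, `slug`, `code`, `message` are the ones the WordPress REST API uses, and `slug` is what an attacker wants because it is normally derived from the login name. The `fetch()` helper and the `wp-users-check/1.0` User-Agent are assumptions for running it against a site you own.

```python
"""Classify a WordPress site's /wp-json/wp/v2/users/ response.

Added example, not from the original post or the disable-wp-rest-api
plugin. The sample responses are constructed.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import List, Tuple

# Constructed sample of what an unprotected site returns (HTTP 200).
# `slug` is derived from the login name, which is why probes ask for it.
OPEN_RESPONSE = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin"},
    {"id": 3, "name": "Dave", "slug": "aussiedave"},
])

# Constructed sample of the plugin's reply to an anonymous request (HTTP 401).
RESTRICTED_RESPONSE = json.dumps({
    "code": "rest_login_required",
    "message": "REST API restricted to authenticated users.",
    "data": {"status": 401},
})


def extract_logins(body: str) -> List[str]:
    """Return the login-name candidates (slugs) leaked by a users listing."""
    try:
        users = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(users, list):
        return []
    return [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]


def assess(status: int, body: str) -> Tuple[str, List[str]]:
    """Map (HTTP status, body) to a verdict and the usernames exposed, if any."""
    if status == 200:
        logins = extract_logins(body)
        return ("EXPOSED" if logins else "EMPTY", logins)
    try:
        err = json.loads(body)
    except json.JSONDecodeError:
        return ("UNKNOWN", [])
    code = err.get("code", "") if isinstance(err, dict) else ""
    if status in (401, 403) and code:
        # e.g. rest_login_required from the plugin, or WP core's rest_forbidden
        return ("RESTRICTED", [])
    if status == 404:
        # WP answers rest_no_route when the route has been removed entirely
        return ("DISABLED", [])
    return ("UNKNOWN", [])


def fetch(url: str) -> Tuple[int, str]:
    """Fetch a live endpoint (assumed helper; only use on a site you own)."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-users-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        base = sys.argv[1].rstrip("/")
        verdict, logins = assess(*fetch(base + "/wp-json/wp/v2/users/"))
    else:
        verdict, logins = assess(200, OPEN_RESPONSE)
    print(verdict, logins)
```

Run it with no arguments to see the constructed "exposed" case, or with your site's base URL to test the live endpoint. One caveat: the users route is only one of several that leak author names (`?author=1` redirects and the `/wp-json/wp/v2/posts` author field do too), so restricting the REST API closes this probe but is not a substitute for strong passwords and login rate limiting.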
BetOnlineUK

Affiliate Guard Dog Member
Joined
Jun 8, 2016
Messages
431
Reaction score
202
Thanks Dave, installed. Will get back to ya on the other thing sometime tomorrow once I have a proper read

AussieDave
The only instances of this probe, which also included a few brute force attempts on wp-login (totally useless, 'cause I have a dedi IP issued by my ISP, and that's in an htaccess file in /wp-admin/ which denies all except that IP)... Anyway, it all came from Digital Ocean; I really dislike cloud for that reason. Anyway, sent an abuse report...

However, no mention of the following until the complaint was sent (via their site):
Thank you for your submission. A member of the Trust & Safety team will review the details as soon as possible. If appropriate, the information will be forwarded to the associated customer in its entirety.

Guess it's good I used a throw away email, and only first name with Initial.

AussieDave
On another topic, the other thing I'd recommend is blocking outdated browsers. Anyone using an outdated browser (more than 3 versions behind; e.g. FF 67.0.4 is current, therefore anything less than version 64.0.0) is likely up to no good, at least that's what I've found. If you don't feel safe doing that, then at least block really old browsers. You can do this via .htaccess.

There's a great article here, complete with code:
https://www.pccybersecurity.com/ind...id-web-browser-versions-using-apache-htaccess
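
Before putting a browser-version rule into .htaccess, it is worth running the same rule over raw logs to see what it would catch. The script below is an added example, not code from the posts or from the linked article: it parses Apache combined-format log lines and flags the three things this thread discusses, the `/wp-json/wp/v2/users/` probe, repeated POSTs to `wp-login.php` from one IP, and Firefox versions more than 3 majors behind the stated current release (67). The log lines, the IP addresses (documentation ranges) and the thresholds `LOGIN_POST_THRESHOLD` and `MAX_VERSIONS_BEHIND` are constructed or assumed for the example.

```python
"""Scan Apache combined-format access log lines for the probes and
outdated browsers discussed in this thread.

Added example, not from the original posts or the linked article.
Log lines are constructed; IPs are documentation-range addresses.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one host enumerates users then hammers wp-login with an
# old Firefox UA; one legitimate visitor; one scripted probe that got the 401.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jul/2019:03:14:07 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 412 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/52.0"
198.51.100.7 - - [01/Jul/2019:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 403 221 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/52.0"
198.51.100.7 - - [01/Jul/2019:03:14:10 +0000] "POST /wp-login.php HTTP/1.1" 403 221 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/52.0"
198.51.100.7 - - [01/Jul/2019:03:14:11 +0000] "POST /wp-login.php HTTP/1.1" 403 221 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/52.0"
203.0.113.5 - - [01/Jul/2019:03:20:00 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0"
203.0.113.9 - - [01/Jul/2019:03:21:00 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 401 98 "-" "python-requests/2.22.0"
"""

CURRENT_FIREFOX_MAJOR = 67   # per the post: FF 67.0.4 was current at the time
MAX_VERSIONS_BEHIND = 3      # the post's rule: anything below 64 is "outdated"
LOGIN_POST_THRESHOLD = 3     # assumed: POSTs to wp-login.php from one IP

FIREFOX_RE = re.compile(r"Firefox/(\d+)")


def firefox_major(ua: str) -> Optional[int]:
    """Major Firefox version from a User-Agent, or None if it is not Firefox."""
    m = FIREFOX_RE.search(ua)
    return int(m.group(1)) if m else None


def is_outdated_firefox(ua: str, current: int = CURRENT_FIREFOX_MAJOR,
                        behind: int = MAX_VERSIONS_BEHIND) -> bool:
    """True when the UA claims a Firefox major more than `behind` releases old."""
    major = firefox_major(ua)
    return major is not None and major < current - behind


def parse(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text: str) -> Dict[str, List[str]]:
    """Return findings keyed by category; each entry is 'ip detail'."""
    findings: Dict[str, List[str]] = defaultdict(list)
    login_posts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            findings["unparsed"].append(line)
            continue
        path = rec["path"].split("?", 1)[0]   # drop the query string
        if path.rstrip("/") == "/wp-json/wp/v2/users":
            findings["user_enumeration"].append(f'{rec["ip"]} {rec["status"]}')
        if rec["method"] == "POST" and path == "/wp-login.php":
            login_posts[rec["ip"]] += 1
        if is_outdated_firefox(rec["ua"]):
            entry = f'{rec["ip"]} Firefox/{firefox_major(rec["ua"])}'
            if entry not in findings["outdated_browser"]:   # one entry per IP/version
                findings["outdated_browser"].append(entry)
    for ip, n in login_posts.items():
        if n >= LOGIN_POST_THRESHOLD:
            findings["login_bruteforce"].append(f"{ip} x{n}")
    return dict(findings)


if __name__ == "__main__":
    for category, entries in scan(SAMPLE_LOG).items():
        print(category, entries)
```

Two things the scan makes visible that a blanket .htaccess rule does not: the 401 on the query-string variant of the users route confirms the plugin is doing its job, and the version threshold is a moving target. Whatever regex you put into .htaccess encodes "current minus 3" as of the day you wrote it, so it needs revisiting every few Firefox releases or it starts blocking legitimate, merely slightly stale browsers.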