API Security

WordPress’s REST API is a powerful tool used for various admin actions, but it’s crucial to protect it from potential threats. With the WP Ghost plugin, you can harden the REST API path by changing it and by allowing only whitelisted IP addresses to access it.

What is REST API in WordPress?

The REST API (Representational State Transfer Application Programming Interface) is a set of rules and protocols that allows different software applications to communicate and exchange data with a WordPress website.

It provides a way for developers to access and interact with the content and features of a WordPress site programmatically.

A simplified explanation of what the REST API in WordPress is:

Imagine your WordPress website is like a library with lots of books. The REST API is like a librarian who helps you find and access those books.

Books (Data): In your library (WordPress site), you have books (data) like posts, pages, comments, and more.

Librarian (REST API): The REST API is the librarian. It allows other programs or websites to ask for specific books (data) or even change them. It’s like asking the librarian to find you a particular book from the shelves.

Requests (Questions): Other programs or websites send requests (questions) to the librarian (REST API). For example, they might ask, “Give me the list of all the books about cats.”

Responses (Answers): The REST API responds with the requested information. It’s like the librarian finding the books about cats and giving you a list of their titles.

The REST API allows different computer programs or websites to talk to your WordPress site and get information or perform actions, like showing your blog posts on a mobile app or updating a page from another website. It makes your WordPress site more flexible and accessible to other digital tools.

Why is it essential to secure the REST API?

Securing the REST API in WordPress is important for several reasons:

  • Data protection: The REST API can expose sensitive data, including user information, posts, and more. Securing it prevents unauthorized access to this data, protecting the privacy of your users and the integrity of your content.
  • Preventing unauthorized actions: Without proper security measures, attackers could perform malicious actions via the API, such as creating, editing, or deleting content. Securing it ensures that only authorized users or applications can perform these actions.
  • Defending against Brute Force Attacks: If the REST API is not secured correctly, it can be vulnerable to brute force attacks, where attackers repeatedly try to guess passwords or access tokens. This can put your site at risk of unauthorized access.
  • Avoiding DDoS Attacks: Unsecured APIs can be exploited to launch Distributed Denial of Service (DDoS) attacks, overwhelming your server with requests and causing downtime. Proper security measures help reduce this risk.

Relationship between REST API and WP JSON

The REST API and WP JSON are closely related in WordPress, as WP JSON serves as the access point for the REST API’s functionality. The WordPress REST API is a modern mechanism that allows developers to interact programmatically with WordPress content and perform actions using HTTP requests. It provides endpoints, or specific URLs, to retrieve, create, update, or delete content such as posts, pages, and users.

WP JSON refers to the format and base route used by the REST API. It is essentially the namespace for the API’s endpoints. The default base route for accessing the REST API is /wp-json/, which is appended to the site URL. For example, visiting https://domain.com/wp-json/ provides the root of the REST API, listing the available namespaces and endpoints for interacting with the WordPress site.

In essence, WP JSON is the structured access path for the WordPress REST API, providing a standardized way to interact with WordPress sites and exchange data efficiently.

How to Secure WP JSON Path with WP Ghost

Activate Safe Mode or Ghost Mode

Begin by activating Safe Mode or Ghost Mode, which unlocks path customization.

  1. Access your WordPress dashboard after installing and activating the WP Ghost plugin.
  2. Go to WP Ghost > Change Paths > Level of Security.
  3. Select Safe Mode or Ghost Mode. Safe Mode provides basic protection, while Ghost Mode offers more advanced security features.

Change The wp-json Path

After activating Safe Mode or Ghost Mode, you can change the wp-json path.

  1. Go to WP Ghost > Change Paths > API Security.
  2. Next to the Custom wp-json Path field, you’ll see the predefined custom name.
  3. You can either enter a different name like “api-call” or keep the predefined custom name.
  4. Click the Save button to apply the changes.

Note: WP Ghost does not physically change the paths on your server. It uses rewrite rules, so no files are moved and no functionality errors are introduced.

In the WP Ghost plugin, when you customize the JSON path, you are customizing the REST API path as well. This means that when you change the JSON path, it also affects how the REST API path is accessed and modified.

Update REST API Path (Important!)

WordPress might take some time to fully update the API path with your custom one. To ensure that WordPress recognizes the change, go to Settings > Permalinks.

Click on the “Save Settings” button. This action will prompt WordPress to recognize and implement the new API path.
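The two steps above (a new wp-json prefix, then a permalink save so WordPress regenerates its rewrite rules) can be reproduced without the plugin in a small must-use plugin. The code below is an added example, not WP Ghost’s own code; the prefix name `api-call` and the file name are assumptions taken from the example name used above.

```php
<?php
/**
 * Plugin Name: Custom REST prefix (added example; not WP Ghost code)
 *
 * Save as wp-content/mu-plugins/custom-rest-prefix.php. Serves the REST
 * API under /api-call/ instead of /wp-json/. The prefix "api-call" is an
 * assumption borrowed from the example name in the guide above.
 */

const EXAMPLE_REST_PREFIX = 'api-call';

// WordPress derives every REST URL and its rewrite rules from this
// prefix (default 'wp-json'), so one filter relocates the whole API.
add_filter( 'rest_url_prefix', function () {
    return EXAMPLE_REST_PREFIX;
} );

// The new prefix only takes effect once the stored rewrite rules are
// regenerated, which is exactly what Settings > Permalinks > Save Changes
// does. Flushing on every request is costly, so flush once, only while
// the stored rules do not yet contain the rule WordPress registers for
// the new prefix ('^api-call/?$' => 'index.php?rest_route=/').
add_action( 'init', function () {
    $rules = get_option( 'rewrite_rules' );
    if ( is_array( $rules ) && ! isset( $rules[ '^' . EXAMPLE_REST_PREFIX . '/?$' ] ) ) {
        flush_rewrite_rules();
    }
}, 20 ); // after rest_api_init (init, priority 10) has registered the REST rules
```

After this is in place, `/wp-json/` no longer matches any rewrite rule and returns the theme’s 404, while `/api-call/` serves the API. The query form `?rest_route=/wp/v2/posts` still reaches the API regardless of the prefix, which is why the plugin offers a separate rest_route option further down.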


If you want to add more security, you can hide the REST API URL link from your website’s header in the frontend. This action will not affect the website’s SEO but will secure the custom wp-json path from hacker bots.

  1. Go to WP Ghost > Change Paths > API Security.
  2. Switch on the Hide REST API URL Link option to remove the wp-json link from the website header on the frontend.
  3. Click the Save button to apply the changes.

Disable REST API Access

For even more security, you can disable access to the REST API. This will restrict site visitors and hacker bots from accessing it, but it won’t affect logged-in users. This helps prevent errors that might occur in the admin area.

The difference between Hide REST API URL Link and Disable REST API Access is that the first option hides the link but still allows access to the REST API. In contrast, the second option hides the link and prevents unauthorized users from accessing it.

  1. Go to WP Ghost > Change Paths > API Security.
  2. Switch on the Disable REST API access option to block access to the wp-json path for non-logged-in users.
  3. Click the Save button to apply the changes.
(Screenshot: the wp-json path now returns a 404 error.)

Note! If you use any third-party applications or services that connect to your website (such as analytics, marketing tools, or external apps), you’ll need to whitelist their IP addresses to ensure seamless functionality. To do this:

  1. Go to WP Ghost > Firewall > Whitelist.
  2. Add the third-party IP addresses to the whitelist.
  3. Click the Save button to apply the changes.

This step ensures that trusted services can still access the necessary API paths while blocking unauthorized access.

Disable rest_route Parameter Access

You can disable access to the API through the rest_route query parameter on the website’s front end, restricting visitors and hacker bots from reaching the REST API via that parameter. This will not affect logged-in users.

  1. Go to WP Ghost > Change Paths > API Security.
  2. Switch on the Disable rest_route Parameter Access option to block access to the REST API through the rest_route query parameter for non-logged-in users.
  3. Click the Save button to apply the changes.

By disabling REST API access, hiding the rest_route parameter, and whitelisting trusted IPs, you add multiple layers of security to your website without affecting logged-in users or authorized services.
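The three controls described above (block the REST API for visitors, leave logged-in users untouched, and allow listed third-party IPs through) map onto one WordPress filter. The following must-use plugin is an added example, not WP Ghost’s code; the allowlisted addresses are constructed placeholders, and the function and constant names are assumptions.

```php
<?php
/**
 * Plugin Name: REST access restriction (added example; not WP Ghost code)
 *
 * Rejects REST requests from visitors who are not logged in, unless the
 * client IP is on an allowlist. The check runs inside
 * WP_REST_Server::check_authentication(), so it covers both the pretty
 * path (/wp-json/... or a custom prefix) and the ?rest_route=... form.
 */

// Constructed allowlist: replace with the addresses of your own
// third-party integrations (assumption: exact IPv4/IPv6 strings).
const EXAMPLE_REST_ALLOWED_IPS = [ '203.0.113.10', '2001:db8::10' ];

/**
 * Decide whether a REST request may proceed. Kept free of WordPress
 * globals so the policy can be read and tested in isolation.
 */
function example_rest_is_allowed( bool $logged_in, string $remote_ip, array $allowlist ): bool {
    if ( $logged_in ) {
        return true; // wp-admin, the block editor and admin AJAX keep working
    }
    return in_array( $remote_ip, $allowlist, true );
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier handler already reached a verdict (true, or a WP_Error
    // from cookie or application-password authentication); keep it.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN the
    // real client address is only in a forwarded header, and that header
    // is client-controlled unless the proxy overwrites it, so configure
    // the proxy rather than trusting X-Forwarded-For here.
    $remote_ip = $_SERVER['REMOTE_ADDR'] ?? '';

    if ( example_rest_is_allowed( is_user_logged_in(), $remote_ip, EXAMPLE_REST_ALLOWED_IPS ) ) {
        return $result; // null: let normal authentication continue
    }

    // The plugin's screenshots show a 404; a 401 is equally valid and
    // tells a legitimate integration that it needs credentials.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'REST API access is restricted on this site.' ),
        [ 'status' => 401 ]
    );
} );
```

Because the verdict is made per request rather than per URL, changing the prefix, hiding the link and this filter are independent layers: a client that guesses the new prefix or uses rest_route still has to pass this check.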

Disable XML-RPC Access

Disabling XML-RPC access effectively prevents direct access to the xmlrpc.php file, making it inaccessible to potential attackers.

  1. Go to WP Ghost > Change Paths > API Security.
  2. Switch on the option Disable XML-RPC access to disable the access to the xmlrpc.php path.
  3. Click the Save button to apply the changes.
(Screenshot: the xmlrpc.php path now returns a 404 error.)

Read more about this feature here: Disable XML-RPC Access Using WP Ghost

Disable RSD Endpoint from XML-RPC

To enhance your website’s security and reduce visibility to theme detectors, disable the RSD (Really Simple Discovery) support for XML-RPC and remove the RSD tag from your website’s header. This helps prevent hackers and automated tools from detecting your site’s configuration and potential vulnerabilities.

This feature removes the RSD META link and rsd_link header from source code.

  1. Go to WP Ghost > Change Paths > API Security.
  2. Switch on the option Disable RSD Endpoint from XML-RPC to disable the RSD (Really Simple Discovery) support for XML-RPC.
  3. Click the Save button to apply the changes.
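The three “advertisement” controls on this page (Hide REST API URL Link, Disable XML-RPC Access and Disable RSD Endpoint) all come down to removing WordPress hooks that print discovery hints or serve xmlrpc.php. The must-use plugin below is an added example of those hooks, not WP Ghost’s implementation; a true 404 on xmlrpc.php, as in the plugin’s screenshot, additionally needs a web-server or rewrite rule, which is not shown here.

```php
<?php
/**
 * Plugin Name: Discovery link removal (added example; not WP Ghost code)
 *
 * Removes the REST API discovery link from the frontend, disables
 * XML-RPC method calls and drops the RSD (Really Simple Discovery) link.
 * Save as wp-content/mu-plugins/discovery-removal.php.
 */

// REST discovery: <link rel="https://api.w.org/" href=".../wp-json/"> in
// <head> and the equivalent "Link:" response header. Routes stay
// callable; only the advertisement goes away.
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );

// RSD: <link rel="EditURI" type="application/rsd+xml" href=".../xmlrpc.php?rsd">
// tells clients and theme detectors where the XML-RPC endpoint lives.
remove_action( 'wp_head', 'rsd_link' );

// XML-RPC: this filter disables every method that requires
// authentication (the login path used for credential guessing).
add_filter( 'xmlrpc_enabled', '__return_false' );

// pingback.ping is unauthenticated and therefore unaffected by the
// filter above, so unregister it explicitly and stop advertising the
// endpoint through the X-Pingback header that WordPress adds.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

The removals work from a must-use plugin because WordPress registers its default hooks before loading mu-plugins; placed in a theme’s functions.php they would have to run from an `init` action instead.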

Run a Security Check

After saving your changes, it’s essential to run a security check to verify that the path is hidden and secured.

  1. Go to WP Ghost > Security Check.
  2. Click the Start Scan button to initiate the security check.
  3. The plugin will verify that the paths have been successfully changed and hidden.
  4. If the paths are secured, the security task will be marked as complete.
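An external check complements the plugin’s Security Check, because it sees the site exactly as a visitor does (after caching, reverse proxies and web-server rules). The script below is an added example, not WP Ghost code; the site URL is a placeholder, and it assumes the PHP CLI with allow_url_fopen enabled. It only requests the site’s own public paths and reads the homepage HTML.

```php
<?php
/**
 * Post-change verification for a WordPress site (added example; this is
 * not WP Ghost's Security Check). Usage, with your own site URL:
 *   php rest-hardening-check.php https://example.com
 */

/** HTTP status of a GET request without following redirects; 0 on failure. */
function http_status( string $url ): int {
    $ctx     = stream_context_create( [ 'http' => [ 'ignore_errors' => true, 'follow_location' => 0, 'timeout' => 10 ] ] );
    $headers = @get_headers( $url, false, $ctx );
    if ( ! $headers || ! preg_match( '#^HTTP/\S+\s+(\d{3})#', $headers[0], $m ) ) {
        return 0;
    }
    return (int) $m[1];
}

/**
 * Discovery hints in an HTML document: the REST link WordPress prints as
 * <link rel='https://api.w.org/' href='.../wp-json/'> and the RSD link
 * <link rel="EditURI" type="application/rsd+xml" href=".../xmlrpc.php?rsd">.
 * Pure function over a string, so it can be exercised with constructed HTML.
 */
function find_discovery_links( string $html ): array {
    $found = [ 'rest' => null, 'rsd' => null ];
    preg_match_all( '/<link\b[^>]*>/i', $html, $tags );
    foreach ( $tags[0] as $tag ) {
        if ( ! preg_match( '/\brel\s*=\s*["\']([^"\']+)["\']/i', $tag, $rel ) ||
             ! preg_match( '/\bhref\s*=\s*["\']([^"\']+)["\']/i', $tag, $href ) ) {
            continue;
        }
        if ( 'https://api.w.org/' === $rel[1] ) {
            $found['rest'] = $href[1];
        } elseif ( 'EditURI' === $rel[1] ) {
            $found['rsd'] = $href[1];
        }
    }
    return $found;
}

/** Run every check against a site and return a label => verdict map. */
function run_check( string $site ): array {
    $site   = rtrim( $site, '/' );
    $report = [];

    // Paths that should stop answering once the prefix is changed or
    // access is disabled. 401/403/404 count as blocked; anything else
    // (including the 405 a live xmlrpc.php returns on GET) means the
    // endpoint is still being served.
    foreach ( [ '/wp-json/', '/?rest_route=/wp/v2/posts', '/xmlrpc.php' ] as $path ) {
        $code = http_status( $site . $path );
        if ( 0 === $code ) {
            $report[ $path ] = 'unreachable';
        } else {
            $report[ $path ] = in_array( $code, [ 401, 403, 404 ], true ) ? "blocked ($code)" : "SERVED ($code)";
        }
    }

    // Homepage HTML: the hide-link options remove these <link> tags.
    $links = find_discovery_links( (string) @file_get_contents( $site . '/' ) );
    $report['REST <link> in <head>'] = $links['rest'] ? 'PRESENT ' . $links['rest'] : 'absent';
    $report['RSD <link> in <head>']  = $links['rsd'] ? 'PRESENT ' . $links['rsd'] : 'absent';

    // WordPress also advertises the REST root in a Link: response header.
    $hdrs = @get_headers( $site . '/', true ) ?: [];
    $link = (array) ( $hdrs['Link'] ?? $hdrs['link'] ?? [] );
    $report['Link: response header'] = preg_grep( '#api\.w\.org#', $link ) ? 'PRESENT' : 'absent';

    return $report;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( run_check( $argv[1] ) as $what => $verdict ) {
        printf( "%-28s %s\n", $what, $verdict );
    }
}
```

Run it before and after saving the WP Ghost settings and compare the two reports; a path that still reads SERVED after a cache flush usually points at the caching or web-server issues covered in the Troubleshooting section.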

Conclusion

Securing the WordPress REST API is essential for proactively protecting your website from potential threats such as unauthorized access, brute force attacks, and data breaches.

By using the powerful features of the WP Ghost plugin, you can prevent hacks on REST API by customizing its path, restricting access, and implementing additional protective measures.

With WP Ghost, securing your site becomes streamlined. It ensures that your API remains functional for authorized users while protecting it from malicious activities. Review your settings regularly, update whitelisted IPs for third-party integrations, and perform security checks to maintain optimal protection.

Troubleshooting

REST API Not Working After Custom Path Change

If you get any errors when accessing the custom wp-json path of your website, follow these steps:

Clear all cache

If you have a cache plugin or use server caching, clear all the cache, as the change of paths has significantly changed the website’s structure.

Run a Frontend Test

Go to WP Ghost > Change Paths, click the Frontend Test button, and follow the server configuration instructions, if any.

(Screenshot: a failed frontend test with server configuration instructions.)

Update permalink settings

Go to your WordPress dashboard, navigate to Settings > Permalinks, and click Save Changes to refresh the permalinks. This action can sometimes help resolve issues related to URL structures.

(Screenshot: Settings > Permalinks with the Save Changes button.)

Relogin to admin

If you change the core paths of your WordPress website, you need to log out and log in to your website to access the new paths properly.

Revert changes

Some hosting servers allow JSON posting only through the default REST API Path to increase website security. In this case, we encourage you to revert to the original wp-json path and determine if the path change is the cause of the issue.

Connection Issues With Third-Party Apps

If you’re encountering connection issues with third-party applications while using the WP Ghost plugin, it could be due to changes in REST API paths, restrictions on headers, or modifications to custom AJAX paths. Follow these steps to diagnose and resolve the issue:

Check Security Headers Restrictions

If the problem seems related to security headers, adjust your settings to ensure they aren’t blocking legitimate requests:

  1. Go to WP Ghost > Firewall > Header Security.
  2. Switch off the Add Security Headers for XSS and Code Injection Attacks option.
     Read more: Header Security

Verify REST API Path Settings

If the issue involves the REST API, ensure the custom path is correctly configured:

  1. Go to WP Ghost > Change Paths > API Security.
  2. Add a simple custom path like “api” instead of more complex names.
  3. Switch off Disable REST API access unless absolutely necessary.

Inspect Custom AJAX Path Settings

In rare cases, the problem may be related to the custom Ajax path.

  1. Go to WP Ghost > Change Paths > Ajax Security.
  2. Revert Ajax to default path such as admin-ajax.php.
  3. Switch off the option Hide wp-admin from Ajax path.

Whitelist Third-Party IPs and Paths

If you know the IP address or specific path used by the third-party app, whitelist it to allow seamless access:

  1. Go to WP Ghost > Firewall > Whitelist.
  2. Add the required IP addresses or paths and save the changes.

Steps to Implement and Test

  1. Make the necessary adjustments according to the suspected issue.
  2. Clear your website cache to ensure changes are applied.
  3. Test the third-party app to verify if the connection issue is resolved.

By following these steps, you can identify and address the root cause of connection issues, ensuring compatibility between third-party applications and the WP Ghost plugin.