This plugin has not been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported, and may have compatibility issues when used with more recent versions of WordPress.

REST XML-RPC Data Checker

Description

JSON REST API and XML-RPC API are powerful ways to remotely interact with WordPress.

If you have no external applications that need to communicate with your WordPress instance through the JSON REST API or the XML-RPC API, you should disable access to them for external requests.

In a standard WordPress installation the JSON REST API and the XML-RPC API are enabled by default.
In particular, the REST API is also enabled for unauthenticated (not logged-in) users. This means that your WordPress instance is potentially leaking data; for example, anyone could:

  • easily copy your published content natively through the REST API (rather than with a web crawler);
  • get the list of all users (with their ID, nickname and name);
  • retrieve other information that you did not want to be public (such as an unlisted published page or an uploaded media file not yet used anywhere).

Although you could achieve the same result by writing your own code against WordPress's native filters, this plugin lets you control JSON REST API and XML-RPC API access from the administration panel, or programmatically through a simple API filter.

Basic Features

  • Disable the REST API interface for unauthenticated users.
  • Disable JSONP support on the REST API.
  • Add Basic Authentication to the REST API.
  • Remove REST <link> tags, the REST Link HTTP header and the REST Really Simple Discovery (RSD) information.
  • Set up trusted users, IP addresses/networks and endpoints for unauthenticated REST requests.
  • Change the REST endpoint prefix.
  • Disable the XML-RPC API interface.
  • Remove the <link> to the Really Simple Discovery (RSD) information.
  • Remove the X-Pingback HTTP header.
  • Set up trusted users, IP addresses/networks and methods for XML-RPC requests.
  • Show each user's access information in the users list administration screen.

Usage

Once the plugin is installed you can control settings in the following ways:

  • Using the Settings->REST XML-RPC Data Checker administration screen.
  • Programmatically, by using the rest_xmlrpc_data_checker_settings filter (see below).

API

Hooks

rest_xmlrpc_data_checker_settings

Filters plugin settings values.

apply_filters( 'rest_xmlrpc_data_checker_settings', array $settings )

rest_xmlrpc_data_checker_admin_settings

Filter controlling whether the plugin settings page is shown in the administration.

apply_filters( 'rest_xmlrpc_data_checker_admin_settings', boolean $display )

rest_xmlrpc_data_checker_rest_error

Filters the JSON REST authentication error after the plugin's own checks have run.

apply_filters( 'rest_xmlrpc_data_checker_rest_error', WP_Error|boolean $result )

xmlrpc_before_insert_post

Filters the post data received via XML-RPC before the post is inserted into the database.

apply_filters( 'xmlrpc_before_insert_post', array|IXR_Error $content_struct, WP_User $user )
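An added example of how a site owner might use the filters above from a must-use plugin; it is not part of the plugin itself. It assumes that returning a WP_Error from rest_xmlrpc_data_checker_rest_error denies the request (as with WordPress's own rest_authentication_errors), that $content_struct uses the post_* keys of the wp.newPost XML-RPC method, and the trusted network and endpoint path are constructed values.

```php
<?php
// Added example (assumptions noted above), to be dropped in wp-content/mu-plugins/.

// Show the plugin settings page only to super administrators.
add_filter( 'rest_xmlrpc_data_checker_admin_settings', function ( $display ) {
    return is_super_admin();
} );

// After the plugin's checks: deny anonymous REST access to the users endpoint
// unless the client comes from a trusted network (constructed 10.0.0.0/8 example).
add_filter( 'rest_xmlrpc_data_checker_rest_error', function ( $result ) {
    if ( is_wp_error( $result ) || is_user_logged_in() ) {
        return $result; // already denied, or an authenticated user: leave as is
    }
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( false !== strpos( $uri, '/wp/v2/users' ) && 0 !== strpos( $ip, '10.' ) ) {
        return new WP_Error(
            'rest_users_forbidden',
            'Anonymous access to the users endpoint is not allowed from this network.',
            array( 'status' => 403 )
        );
    }
    return $result;
} );

// Sanity checks on posts submitted over XML-RPC before they reach the database.
add_filter( 'xmlrpc_before_insert_post', function ( $content_struct, $user ) {
    if ( $content_struct instanceof IXR_Error ) {
        return $content_struct; // the plugin already rejected this request
    }
    // Only users who hold publish_posts may publish directly via XML-RPC.
    if ( isset( $content_struct['post_status'] )
        && 'publish' === $content_struct['post_status']
        && ! user_can( $user, 'publish_posts' ) ) {
        return new IXR_Error( 401, 'You are not allowed to publish posts via XML-RPC.' );
    }
    // Refuse remote inserts that carry inline script tags in the content.
    if ( isset( $content_struct['post_content'] )
        && false !== stripos( $content_struct['post_content'], '<script' ) ) {
        return new IXR_Error( 403, 'Script tags are not accepted in XML-RPC post content.' );
    }
    return $content_struct;
}, 10, 2 );
```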

Screenshots

  • The JSON REST settings section.
  • The XML-RPC settings section.
  • The Options settings section.
  • Enabling the XML-RPC and REST interfaces on the user profile/user edit pages (available only to users with the edit_users capability).
  • User list administration screen.

Installation

This section describes how to install the plugin and get it working.

  1. Upload the plugin files to the /wp-content/plugins/rest-xmlrpc-data-checker directory, or install the plugin through the WordPress Plugins screen directly.
  2. Activate the plugin through the Plugins screen in WordPress.

FAQ

Does it work with Gutenberg?

Yes

Does it work on Multisite?

Yes

How do I make REST requests using Basic Authentication?

In the REST tab of the plugin settings page you have to:

  • check the Disable REST API interface for unlogged users option
  • select Use Basic Authentication in the Authentication section
  • select the users to whom you want to grant REST access
  • save changes

With this setup, external HTTP REST requests must carry an Authorization HTTP header.

To generate the Authorization HTTP header for Basic Authentication, base64-encode the username and password separated by a colon.

Here is an example in PHP:

// The credential is the base64 encoding of "username:password" (encoded, not encrypted).
$header = 'Authorization: Basic ' . base64_encode( 'my-user:my-password' );

Several examples in a variety of languages can be found here.

Note that Basic Authentication requires sending your username and password with every request, so it should only be used over SSL-secured connections or for local development and testing.
Without SSL you are strongly encouraged to turn off Basic Authentication in production environments.
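An added example, not from the plugin, of a client-side helper that sends the Basic Authentication header described above and enforces the HTTPS caveat before the credentials leave the machine; it uses the WordPress HTTP API, and the site URL, username and password are placeholders.

```php
<?php
// Added example (not the plugin's code): fetch a REST endpoint with Basic Authentication.
function rxdc_rest_get_with_basic_auth( $url, $user, $password ) {
    // Credentials are only base64-encoded, so refuse to send them over plain HTTP.
    if ( 'https' !== wp_parse_url( $url, PHP_URL_SCHEME ) ) {
        return new WP_Error( 'insecure_scheme', 'Basic Authentication requires HTTPS.' );
    }
    $response = wp_remote_get( $url, array(
        'headers'   => array(
            'Authorization' => 'Basic ' . base64_encode( $user . ':' . $password ),
        ),
        'sslverify' => true, // never disable certificate checks when sending credentials
        'timeout'   => 15,
    ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $code = (int) wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        // 401/403 here means the plugin rejected the credentials or the user is not granted access.
        return new WP_Error( 'rest_http_' . $code, wp_remote_retrieve_body( $response ) );
    }
    return json_decode( wp_remote_retrieve_body( $response ), true );
}

// Placeholder values: replace with your site URL and a user granted REST access in the plugin settings.
$users = rxdc_rest_get_with_basic_auth( 'https://example.com/wp-json/wp/v2/users', 'my-user', 'my-password' );
if ( is_wp_error( $users ) ) {
    error_log( $users->get_error_code() . ': ' . $users->get_error_message() );
}
```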

Reviews

25 November 2022
A very useful plugin that works well. The plugin helped close access to the JSON REST API for unregistered users, and also nullified attacks on XML-RPC!
24 February 2021
Having more options than I expected (i.e. enable/disable on user level). Thanks for the nice plugin.
Read all 3 reviews

Contributors & Developers

"REST XML-RPC Data Checker" is open source software. The following people have contributed to this plugin.

Contributors

Translate "REST XML-RPC Data Checker" into Traditional Chinese (Taiwan)

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

For REST XML-RPC Data Checker changelog, please see the Releases page on GitHub.