WP REST API Exploit – why was the filter disabled?

At the time of this post, the WP REST API exploit is pandemic, with over 1.5 million WP posts defaced. A high-profile California government website – that I am somewhat responsible for – was hit yesterday, causing a great deal of consternation in my office. When news of the exploit first appeared, my personal sites like this one had already updated to WP 4.7.2, and I had long ago disabled the REST API, so I had no worries on that front.

WP REST API exploit is pandemic

But it turns out WP 4.7 enhanced the REST API, officially merged it into the WP core, and … removed the filter which was used to disable it! For all of us who had made a conscious, thoughtful decision to disable the REST API, it was no longer disabled. The good people at WordPress decided they are so much smarter than me that the REST API – which turned out to be highly exploitable – would be forced down my throat, and to hell with my decision to disable it. At the time 4.7 was released, I saw announcements trumpeting the enhanced REST API, but nothing on the diabolical removal of the filter (turns out I didn’t read down far enough in the linked article). My personal sites were updated to WP 4.7.2 and were safe, but an untold number of WP users, who thought they were safe because they had disabled the REST API, had their sites hit due to this inexplicable episode of arrogance by the usually excellent WordPress core team.

Don’t get me wrong, I love WP, and I owe a tremendous amount of gratitude to the good people who work so hard to develop it and provide this amazing software for free. It’s just … what in the world were they thinking? What possible advantage could there be in removing the filter before the security of the enhanced REST API had been tested in production operation? If you absolutely must remove the filter, why not wait a while until the new REST API was proven and stable? The introduction of a huge vulnerability while simultaneously removing the protection from it has caused incalculable inconvenience and untold hours of work.

Inexplicable. And fruitless. I can still disable the precious REST API – it just takes a little more help from Google and a slightly larger snippet of code.
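For readers looking for that "slightly larger snippet", here is an added example (mine, not the post's own code) of the post-4.7 way to shut the REST API to anonymous requests: the old `rest_enabled` filter was deprecated in 4.7, but the `rest_authentication_errors` filter still lets you reject every unauthenticated request before any route callback runs. It assumes you save it as a must-use plugin under wp-content/mu-plugins/ (a placeholder location) so it loads on every request.

```php
<?php
/**
 * Plugin Name: Disable REST API for anonymous requests
 *
 * Added example, not the original post's snippet. Assumed location:
 * wp-content/mu-plugins/disable-rest-api.php (mu-plugins load on every
 * request and cannot be switched off from the admin screens).
 *
 * Pre-4.7, add_filter( 'rest_enabled', '__return_false' ) did the job.
 * Core deprecated that filter in 4.7, so it silently stopped working.
 * rest_authentication_errors is applied by WP_REST_Server before any
 * endpoint is dispatched; returning a WP_Error makes the server answer
 * the request with that error instead of running the route.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication callback has already produced a verdict
    // (true or a WP_Error); respect it rather than overriding it.
    if ( null !== $result ) {
        return $result;
    }

    // Keep the API for logged-in users: the admin screens and many
    // plugins depend on it once a valid session cookie is present.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Anonymous request: refuse it before any route callback runs.
    return new WP_Error(
        'rest_disabled',
        __( 'The REST API is not available to unauthenticated requests on this site.' ),
        array( 'status' => 401 )
    );
} );
```

To confirm it took effect, request https://your-site.example/wp-json/wp/v2/posts (placeholder host) without a session cookie; the response should be a 401 carrying the rest_disabled error rather than a post listing. This only limits who can reach the API and is no substitute for running 4.7.2 or later, where the endpoint itself was fixed.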
