NO BUG: Filters are not applied

When using filters on the frontend, they are not applied. I found this in debugging:

{"code":"rest_login_required","message":"REST API restricted to authenticated users.","data":{"status":401}}

If you use filters from a logged-in user, then they work.

Hi,
Thanks so much for your report!

Could you have installed a plugin that blocks access to the WP REST API for non-authenticated users?

Best regards,
timmse

The plugin Disable WP REST API is installed on the site

I always disable …/wp-json/ on the frontend from a security point of view. Many automated parsers and crackers use basic paths for the rest api. This leads to an increased load on the server and increases the likelihood of hacking.

As I understand it, ideally, access via the REST API should be made through unique tokens. If there is no current token, then there is no access.

The same applies to xmlrpc. I always turn it off completely.

Hi @parktechno,

The behavior you’re observing—non-logged-in users being unable to use filters that require REST API access—is exactly what’s expected when you disable /wp-json for non-authenticated users. This plugin specifically blocks REST API access to non-authenticated users, which is consistent with the security measures you’ve implemented.

This is not a bug, but rather a direct result of the security measures you’ve implemented to restrict API access. If you need these frontend features to be accessible to all users, you may need to reconsider the REST API access restrictions.

I’m a bit lost as to what’s the issue here exactly?

The problem is that it is better to completely close access to the REST API on the frontend. I use plugins for this task for a reason. It is enough to look at and analyze the traffic that comes to the site to understand that it is better to deactivate such access points.

Is it essential to use the REST API for filters to work? Maybe you should consider alternative ways of working?

This is the first time I’ve seen filters that work through the REST API. It may be fast and convenient from a technical point of view, but from a security point of view, this is not the best way to work in my opinion.

Any interaction with your website that requires updating or retrieving data from the database dynamically will necessitate some form of communication with the server. This is typically done via the REST API in WordPress, which provides a secure and efficient method for these interactions. Traditionally, WordPress also employed AJAX for similar purposes, involving direct calls to PHP scripts via admin-ajax.php. While AJAX is still used and is effective, especially for simpler scenarios, it’s important to note that it’s not inherently more secure than the REST API. In fact, both require proper security measures to be safe.

We secure these communications through nonce verification, which ensures that requests to the server are coming from legitimate sources and helps prevent CSRF (Cross-Site Request Forgery) attacks.

Could you please specify the exact security concerns you have with using the REST API, or suggest an alternative method you believe would be more secure for retrieving data dynamically for non-logged-in users?

Here is an incomplete list of blocked "bad" requests on the site. It's all there together: parsers, and hacking attempts using different WordPress system URLs, including /wp-json/.

I agree with you. I also see 2 options for working with filters: REST API and AJAX.

It may make sense to make 2 ways of working for filters and the user will choose which one suits him best. It is clear that this complicates the development, but nevertheless it is worth considering this option.

Also, when working with filters via the REST API, it may be worth developing a partial blocking scenario for /wp-json/: allow it for filters and prohibit everything else. The Disable WP REST API plugin completely disables the REST API, but there are alternative plugins in which you can flexibly configure which entry points can be allowed and which can be denied.

If you’re looking to selectively allow REST API access specifically for the filter functionality, the endpoint you need is /wp-json/bricks/v1/query_result. This will enable the filters while giving you the flexibility to restrict other endpoints as needed.
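One way to implement the partial-blocking scenario discussed above (deny REST access to anonymous visitors except for the Bricks filter endpoint), as an added example that is not code from this thread, from Bricks or from the Disable WP REST API plugin. It assumes a site-specific must-use plugin file, a hypothetical allowlist of routes, and that the blanket-blocking plugin is deactivated first, since that plugin would otherwise reject the request before this filter sees it.

```php
<?php
/**
 * Constructed example (not part of the thread): deny REST API access to
 * non-authenticated visitors except for an explicit allowlist of routes.
 * Assumed location: wp-content/mu-plugins/. Deactivate any plugin that
 * already blocks /wp-json/ wholesale, or its 401 will be returned first.
 */

/** Routes anonymous visitors may call (exact match, or prefix followed by "/"). */
function example_rest_public_routes() {
    return array(
        '/bricks/v1/query_result', // Bricks filter endpoint named in the thread
    );
}

/** True when $route is allowed anonymously; leading/trailing slashes are normalized. */
function example_rest_route_is_public( $route, $allowed ) {
    $route = '/' . ltrim( untrailingslashit( (string) $route ), '/' );
    foreach ( $allowed as $pattern ) {
        $pattern = '/' . ltrim( untrailingslashit( $pattern ), '/' );
        if ( $route === $pattern || 0 === strpos( $route, $pattern . '/' ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another callback already decided (e.g. a cookie/nonce failure): keep it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( is_user_logged_in() ) {
        return $result; // Logged-in users keep full access, as observed in the thread.
    }
    // WordPress sets rest_route for both /wp-json/... and ?rest_route=... requests.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route'] : '';
    if ( example_rest_route_is_public( $route, example_rest_public_routes() ) ) {
        return $result; // Bricks still applies its own nonce verification on this endpoint.
    }
    // Same response shape the reporter saw from the blanket-blocking plugin.
    return new WP_Error(
        'rest_login_required',
        'REST API restricted to authenticated users.',
        array( 'status' => 401 )
    );
} );
```

Anonymous requests to any other route, including /wp-json/ itself and the discovery endpoints parsers probe, get the 401 shown earlier in the thread, while the filter endpoint keeps working.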
