Information is still accessible from outside


This topic contains 3 replies, has 2 voices, and was last updated by  David Gewirtz 1 year, 8 months ago.

  • #6475

    fimdomeio
    Participant

    I was just trying out this plugin and it gives a false sense that your contents are safe from the outside world. Truth is, all the site's contents are still available via the WordPress REST API.

    There should be at least a visible warning about this.

    How to replicate:
    curl 'http://example.com/wp-json/wp/v2/posts'

    #6493

    David Gewirtz
    Developer

    That’s discussed here:

    Seamless Donations Troubleshooting Guide

    Look for “How do I hide donors, donations, and funds from Google?”.

    –David

    #6499

    fimdomeio
    Participant

    Sorry but the link does not answer my question.
    So what you’re saying is that using this plugin, pages are still indexed by Google unless I use robots.txt?
    So this means that this plugin does not really disable page access because if a web crawler can get to it, everyone can.

    In any case, what I was referring to was the newly introduced REST API. One can disable it with something similar to:

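    // Answer every REST API request with a 403 and stop processing.
    function RestAuth() {
        header('Content-Type: application/json');
        http_response_code(403); // forbidden
        echo '{"data": {}, "status": 403}';
        exit();
    }

    // rest_api_init is an action hook; priority 1 runs this before other callbacks.
    add_action('rest_api_init', 'RestAuth', 1, 1);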

    I then expanded this to allow for JWT authorization but it’s beyond the scope of the problem.

    I hope it helps
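
An added example, not part of the original post and not code from the My Private Site plugin: the snippet above also locks out logged-in users, since it exits on every REST request. The variant below uses WordPress core's `rest_authentication_errors` filter to reject only anonymous requests; the error code string, the message, and installing it as a must-use plugin are assumptions made for illustration.

```php
<?php
// Added example: save as a file of your choice under wp-content/mu-plugins/.
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Do nothing when the file is requested directly, outside WordPress.
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier authentication check has already accepted (true) or
    // rejected (WP_Error) this request: pass its verdict through unchanged.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // No check has objected so far; refuse the request unless WordPress
    // has resolved a logged-in user for it.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in', // hypothetical error code chosen for this example
            'You must be logged in to use the REST API.',
            array( 'status' => 401 )
        );
    }

    // Logged-in request: leave it to the normal per-route permission checks.
    return $result;
} );
```

With this in place, the anonymous `curl` request from the first post should return a 401 JSON error instead of the post list, while requests from logged-in users continue to work.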

    #6500

    David Gewirtz
    Developer

    My apologies. I thought you were asking about a different plugin. My Private Site has not been updated to have any REST-awareness. But the big takeaway isn’t that. The big takeaway is that you should NOT use My Private Site for mission-critical security. It’s a free plugin, not a security system. If you have mission-critical security, you need to, at the very least, look into something like Restrict Content Pro or a membership plugin, or move your site to a managed service with a security technologist who can support your needs.

    –David
