If we add plugin-installation to easywp, we would have to do configuration for them as well (see below), because otherwise WordPress is not fully installed (they have to access their site to finish installation procedures like setting up an admin account). It'd be weird if we default an admin username/password for them, but otherwise it would be hardwp.
Basically, after the current easywp, we need to do wp core install --admin_user=kagamiharan --admin_password=shima_rin_prpr [email protected] --skip-email --title="YuruCamp!" and wp language core activate zh_CN if needed.
Then, we can wp plugin install disable-json-api --activate. I prefer this plugin as this gives people a chance to change settings and it is very widely used (70000+ installations iirc), but this time the issue is, as I asked, do we only disable unauthenticated REST API access? If no, we would have to write to SQL and change plugin settings - not a hard job, but requires some work. Settings are in wp_options, with a column that has option name disable_rest_api_options.
Finally, this does not prevent users from installing random plugins that use their own REST APIs (like, without using wp core REST API), not sure if campus security unit wants to permit that - if not, the plugin is not satisfactory.
We've been getting emails about this from campus, and in the long run it will be easier to ask everyone to have it installed.
I propose we install https://wordpress.org/plugins/disable-wp-rest-api/ or https://wordpress.org/plugins/rest-api-toolbox/
after setting up the WordPress install.
We should document that this happens on ocfweb and probably say something about it when easywp is being run.
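A sketch of the flow discussed in this thread, as an added example that is not part of the thread or easywp's own code: it finishes the install without a shared default password (WP-CLI generates a random one when `--admin_password` is omitted), installs the plugin, and checks that anonymous REST requests are refused. The function names, their arguments and the expectation of a 401/403 answer are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not easywp's code. All function names and arguments here
# are hypothetical; DRY_RUN=1 prints the commands instead of running them.

# run: execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# finish_install PATH URL USER EMAIL
# Completes the WordPress setup and activates the REST-restricting plugin.
# --admin_password is deliberately omitted: WP-CLI then generates a random
# password and prints it once, so no two sites share a default credential
# and nothing secret appears in the process list of a shared host.
finish_install() {
  local path="$1" url="$2" user="$3" email="$4"
  run wp --path="$path" core install --url="$url" --title="$user" \
    --admin_user="$user" --admin_email="$email" --skip-email
  run wp --path="$path" plugin install disable-json-api --activate
}

# classify_rest_status CODE
# Returns 0 if an anonymous REST request was refused, 1 if it was served,
# 2 if the result is inconclusive (site down, redirect, and so on).
# Assumption: a blocked anonymous request is answered with 401 or 403.
classify_rest_status() {
  case "$1" in
    401|403) return 0 ;;
    200)     return 1 ;;
    *)       return 2 ;;
  esac
}

# verify_rest_locked URL
# Sends one request without credentials to a core REST route. The
# ?rest_route= form is used because it also works with plain permalinks.
verify_rest_locked() {
  local code
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1/?rest_route=/wp/v2/posts")
  classify_rest_status "$code"
}
```

This only covers the core REST API; as noted in the thread, a plugin that exposes its own endpoints outside it is not affected by this check.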