The WordPress REST API was introduced in WordPress 4.7 and has become the backbone of modern WordPress development. But its default configuration exposes user data that attackers can exploit.
The user enumeration problem
Visit https://yoursite.com/wp-json/wp/v2/users on a typical WordPress site and you'll get a JSON array of every user who has published a post, each with its numeric id, display name and slug (plus avatar URLs and a link to the author archive). The slug is the user's nicename, which WordPress derives from the login name when the account is created, so on most sites it is the username itself. An attacker therefore starts a password-guessing or credential-stuffing run against wp-login.php or xmlrpc.php with a verified list of valid usernames and only has to guess the passwords.
WPStats checks this endpoint and flags exposed users as a high-severity security finding.
Method 1: Restrict the users endpoint (recommended)
Add to your theme's functions.php or, better, a small must-use plugin so the fix survives a theme change. The snippet removes the collection route and the single-user-by-ID route for every request, logged-in or not, and leaves /wp/v2/users/me (which only returns the caller's own record) in place; anonymous requests to the removed routes get a 404 rest_no_route response. Because the removal also applies to authenticated requests, the author selector in the block editor, which queries the collection route, stops working on multi-author sites; scope the unset calls to !is_user_logged_in() if you need it.
add_filter('rest_endpoints', function ($endpoints) {
    // Collection route: /wp-json/wp/v2/users
    if (isset($endpoints['/wp/v2/users'])) {
        unset($endpoints['/wp/v2/users']);
    }
    // Single-user route: /wp-json/wp/v2/users/<id>
    if (isset($endpoints['/wp/v2/users/(?P<id>[\d]+)'])) {
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});
Method 2: Require the list_users capability for user listing
If your own application needs the collection route, e.g. a custom front end that runs as a logged-in user, keep the route but empty the result for anyone who lacks the list_users capability (Administrators by default; a logged-in Subscriber does not have it either, so this is stricter than merely requiring authentication). Note that this filter only touches the collection query: the single-user route /wp/v2/users/<id> still answers for any user with published posts, so an attacker can walk the IDs one by one. Remove that route as in Method 1 as well.
add_filter('rest_user_query', function ($args, $request) {
    // list_users is an Administrator capability by default; everyone else,
    // logged in or not, gets an empty result set.
    if (!current_user_can('list_users')) {
        $args['login__in'] = [0]; // no account has the login "0", so nothing matches
    }
    return $args;
}, 10, 2);
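Putting Methods 1 and 2 together for the common case, as an added example (this is not WPStats code and not from the WordPress documentation): hide both user routes from anonymous requests only, so logged-in editors keep the author selector and /wp/v2/users/me keeps working. The file name, the plugin header and the HIDE_USER_ROUTES constant are my own choices; the filter name and route keys are WordPress core's.

```php
<?php
/**
 * Plugin Name: Hide REST user routes from anonymous requests
 *
 * Added example, not WPStats code. Drop this file into wp-content/mu-plugins/
 * so it loads before any theme or plugin. The plugin header, file name and
 * the HIDE_USER_ROUTES constant name are assumptions made for this example.
 */

// The two core routes that reveal account slugs. /wp/v2/users/me is
// deliberately kept: it only returns the caller's own record, and the
// block editor relies on it.
const HIDE_USER_ROUTES = [
    '/wp/v2/users',
    '/wp/v2/users/(?P<id>[\d]+)',
];

add_filter('rest_endpoints', function (array $endpoints): array {
    // rest_endpoints is applied inside WP_REST_Server after cookie and nonce
    // authentication has been resolved, so is_user_logged_in() is reliable here.
    // Authenticated users keep every route, so the editor's author selector,
    // which queries the collection route, keeps working on multi-author sites.
    if (is_user_logged_in()) {
        return $endpoints;
    }

    // Anonymous request: drop both routes. unset() on a missing key is a
    // no-op, so this is safe even if another plugin already removed them.
    foreach (HIDE_USER_ROUTES as $route) {
        unset($endpoints[$route]);
    }
    return $endpoints;
});
```

After deploying, an unauthenticated GET to /wp-json/wp/v2/users (or /wp-json/wp/v2/users/1) should return HTTP 404 with the rest_no_route error, while the same request made with a logged-in session and a valid X-WP-Nonce still returns the normal list. Because the filter edits the route table rather than matching URLs, it also covers /?rest_route=/wp/v2/users, the query-string form scanners fall back to when /wp-json/ is blocked at the web server.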
Method 3: Disable the REST API for non-logged-in users
If you don't use the REST API for public-facing features, disable it entirely for unauthenticated requests:
add_filter('rest_authentication_errors', function ($result) {
    // Another callback already authenticated (true) or rejected (WP_Error) the request.
    if (!empty($result)) {
        return $result;
    }
    // Cookie + nonce authentication has run by now, so anonymous callers fail here.
    if (!is_user_logged_in()) {
        return new WP_Error('rest_not_logged_in', 'REST API requires authentication.', ['status' => 401]);
    }
    return $result;
});
Warning: this rejects every unauthenticated REST request, not just the users route. Logged-in users, including the block editor, keep working because their cookie and nonce authenticate the request, but anything the public front end calls anonymously breaks: Contact Form 7 submissions, the WooCommerce block checkout for guest shoppers, oEmbed discovery of your posts, and any headless or mobile client. Test on a staging copy before deploying.
Method 4: Use a security plugin
Wordfence, iThemes Security (now Solid Security), and All In One WP Security all have settings to disable user enumeration via the REST API, and typically the ?author= redirect described below as well. This is the simplest option for non-developers; verify the result afterwards with an anonymous request to /wp-json/wp/v2/users.
Also block author archive enumeration
Usernames also leak through author archives: a request for /?author=1 is answered by redirect_canonical() with a 301 to /author/<nicename>/, so an attacker can walk IDs 1, 2, 3 and collect nicenames without touching the REST API at all. The snippet below is hooked on init, which runs before the canonical redirect, and sends numeric ?author= requests to the home page instead. Separately, the REST oEmbed route /wp-json/oembed/1.0/embed?url=<post-url> returns author_name and author_url for any public post and is not affected by Methods 1 and 2; keep that in mind when judging how much the methods above actually hide.
// Hooked on init so it runs before redirect_canonical() (template_redirect, priority 10) answers with /author/<nicename>/.
add_action('init', function () {
    // WordPress strips non-digits from ?author=, so any value containing a digit resolves to a user ID.
    if (!is_admin() && isset($_GET['author']) && preg_match('/[0-9]/', (string) $_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});
Check if your users are exposed
WPStats checks your REST API user endpoint and security configuration instantly.
Scan your REST API