The WP REST API is wide open; how do we narrow the leaks?
By default /wp-json/wp/v2/users tells anyone the usernames and slugs of accounts that have published content (since WordPress 4.7.1 it no longer lists every user), and /wp-json/wp/v2/posts serves published posts without authentication, which is by design. You can close the username leak without disabling the API entirely.
Try this first
1. Hide the users endpoint from anonymous requests: add a filter on `rest_endpoints` that unsets the `/wp/v2/users` routes when `is_user_logged_in()` is false. Logged-in users and the block editor keep it. Closing the endpoint alone is not enough: `?author=1` on the front end redirects to the author archive, and the core users sitemap (wp-sitemap-users-1.xml, WordPress 5.5+) lists author slugs as well.
2. Plugins can do this for you. "Disable WP REST API" blocks the API for visitors who are not logged in; WPS Hide Login only changes the wp-login.php URL and does nothing for the REST API. Less work than writing code yourself, but check exactly what each plugin blocks.
3. Audit which plugins use the REST API (Yoast, the block editor, form builders). Don't kill it wholesale: the block editor cannot save posts without it. Close only what is needlessly open.
4. Application Passwords: core since 5.6, sent as HTTP Basic auth and available only over HTTPS by default. Fine for controlled API access, but a password carries the full capabilities of its user, so create a dedicated low-privilege user per integration, rotate the passwords and revoke them when the integration goes.
5. Rate-limit /wp-json via the Cloudflare WAF or a security plugin, and include the `?rest_route=/wp/v2/users` query form in the rule. Bots scan the REST API routinely.
6. Log unusual REST traffic. WP Activity Log or Wordfence record API requests; a spike in 401 and 404 responses on /wp-json is external probing.
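The steps above as one must-use plugin, written here as an added example rather than code from the page or from WordPress core. It removes the users routes for anonymous callers (step 1), hides the namespace list from the /wp-json/ index, closes the `?author=N` redirect and the users sitemap that leak the same names, and logs rejected anonymous requests (step 6). The deny-list pattern, the file name and the log format are assumptions; the hooks used (`rest_endpoints`, `rest_index`, `template_redirect`, `wp_sitemaps_add_provider`, `rest_post_dispatch`) are core filters.

```php
<?php
/**
 * Plugin Name: Narrow REST API exposure
 * Description: Closes the username leaks for anonymous visitors without turning
 *              the REST API off. Save as wp-content/mu-plugins/narrow-rest.php.
 * Added example, not the page's own code; adapt the deny list to your site.
 */

// Routes anonymous visitors never need (regex against the registered route).
// Only /wp/v2/users is listed; the list itself is an assumption, extend it.
const NARROW_REST_ANON_DENY = [
    '#^/wp/v2/users#',   // /wp/v2/users, /wp/v2/users/(?P<id>[\d]+), /wp/v2/users/me
];

// Step 1: drop the denied routes from the route table when nobody is logged in.
// Covers /wp-json/... and the ?rest_route=... fallback alike, because both
// dispatch through the same table. Logged-in users (block editor, author
// dropdown, Application Password clients) still get the full API.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        foreach ( NARROW_REST_ANON_DENY as $pattern ) {
            if ( preg_match( $pattern, $route ) ) {
                unset( $endpoints[ $route ] );
                break;
            }
        }
    }
    return $endpoints;
} );

// The /wp-json/ index lists every registered namespace, which tells a scanner
// which plugins you run. Hide that from anonymous callers; clients that
// discover routes from the index must authenticate first.
add_filter( 'rest_index', function ( WP_REST_Response $response ) {
    if ( ! is_user_logged_in() ) {
        $data = $response->get_data();
        unset( $data['namespaces'], $data['routes'] );
        $response->set_data( $data );
    }
    return $response;
} );

// Closing the endpoint alone is not enough: ?author=1 normally 301-redirects
// to /author/<login>/ via redirect_canonical(), and the core users sitemap
// (wp-sitemap-users-1.xml, WordPress 5.5+) lists author slugs.
add_action( 'template_redirect', function () {
    if ( is_author() && ! is_user_logged_in() ) {
        global $wp_query;
        $wp_query->set_404();
        status_header( 404 );
        nocache_headers();
    }
}, 1 ); // priority 1: runs before redirect_canonical() at priority 10

add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );

// Step 6: log anonymous requests the API rejected (removed routes answer with
// rest_no_route / 404). A burst of these is a scanner; ship the line to your
// log collector or fail2ban. Behind Cloudflare or another proxy, read the
// proxy's client-IP header instead of REMOTE_ADDR.
add_filter( 'rest_post_dispatch', function ( $result, $server, $request ) {
    if ( $result instanceof WP_REST_Response && $result->get_status() >= 400 && ! is_user_logged_in() ) {
        error_log( sprintf(
            'rest-reject ip=%s status=%d %s %s',
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $result->get_status(),
            $request->get_method(),
            $request->get_route()
        ) );
    }
    return $result;
}, 10, 3 );
```

Verify from outside: `curl -s https://example.com/wp-json/wp/v2/users` and `curl -s 'https://example.com/?rest_route=/wp/v2/users'` should both return a `rest_no_route` 404, `curl -I 'https://example.com/?author=1'` a 404 instead of a 301, and `/wp-json/` should show no `namespaces` key. Then confirm an authenticated call still works, for instance `curl -u 'integration-user:xxxx xxxx xxxx xxxx xxxx xxxx' https://example.com/wp-json/wp/v2/users/me` with an Application Password. Caveat: the author-archive 404 also hits visitors who follow byline links in your theme; drop that hook if you rely on public author pages and accept that those pages expose the slug.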
When to bring us in
Building a real REST-API-driven app on WordPress? Then you need proper authentication (cookie plus nonce for the browser, Application Passwords or a JWT/OAuth plugin for other clients) and a `permission_callback` on every custom route; WordPress 5.5+ warns when one is missing, and such a route stays public. An experienced WP developer stops the leaks that otherwise creep in in the name of flexibility.
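What endpoint permissioning looks like on a custom route, as an added example that is not the page's or WordPress core's code. The `acme/v1` namespace, the `acme_invoice` post type and the `read_invoices` capability are assumptions for illustration; `register_rest_route`, `permission_callback`, `rest_authorization_required_code()` and `WP_REST_Server::READABLE` are core.

```php
<?php
// Added example: a route that checks who the caller is (permission_callback)
// and then whether this particular object is theirs (object-level check).
// Namespace, post type and capability are assumptions, not real plugin names.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/invoices/(?P<id>\d+)', [
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'acme_get_invoice',
        // Required: without it WordPress 5.5+ logs a _doing_it_wrong notice and
        // the route is reachable by anyone. Cookie auth only sets the user when
        // the X-WP-Nonce header validates; Application Passwords and JWT/OAuth
        // plugins set it via determine_current_user. All paths land here.
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'read_invoices' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You cannot read invoices.',
                    [ 'status' => rest_authorization_required_code() ] // 401 anonymous, 403 logged in
                );
            }
            return true;
        },
        'args' => [
            'id' => [
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                'sanitize_callback' => 'absint',
            ],
        ],
    ] );
} );

function acme_get_invoice( WP_REST_Request $request ) {
    $invoice = get_post( (int) $request['id'] );
    if ( ! $invoice || 'acme_invoice' !== $invoice->post_type ) {
        return new WP_Error( 'rest_not_found', 'No such invoice.', [ 'status' => 404 ] );
    }
    // The capability says the caller may read invoices; this says which ones.
    // Skipping this check is the classic "flexible" API that leaks other
    // customers' records by incrementing the id.
    if ( (int) $invoice->post_author !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Not your invoice.', [ 'status' => 403 ] );
    }
    return rest_ensure_response( [
        'id'    => $invoice->ID,
        'title' => $invoice->post_title,
        'total' => get_post_meta( $invoice->ID, 'acme_total', true ), // meta key assumed
    ] );
}
```

Test it the way an attacker would: call `/wp-json/acme/v1/invoices/1` with no credentials (expect 401), with a low-privilege Application Password (expect 403 or 404 for invoices that are not that user's), and only then with the intended user.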
See also
- WordPress, plugins and themes have gone 6+ months without updates: out-of-date WordPress is the number-one entry point for malware. Don't just hit "update all"; back up first.
- Theme update broke the layout or threw a fatal error: themes overwrite custom CSS on update unless you use a child theme.
- WordPress shows a blank screen after a plugin install or update: the WSOD (white screen of death) is usually one crashing plugin. Isolate it by deactivating plugins one at a time.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.