WordPress REST API Security: Protect Your Site's Data
Learn how to secure the WordPress REST API from information disclosure. Control who can access API endpoints and what data is exposed.
The WordPress REST API powers modern WordPress functionality but can expose sensitive information if not properly secured. Learn how to protect your API endpoints while maintaining functionality.
What the REST API Exposes
By Default
The REST API reveals:
- User information: Usernames, IDs, display names
- Post data: Including private/draft content (authenticated)
- Site structure: Taxonomies, post types
- Plugin data: Some plugins add endpoints
User Enumeration Risk
Visit /wp-json/wp/v2/users to see all user data including usernames—even on locked-down sites.
Security Concerns
Username Discovery
Attackers use REST API for reconnaissance:
- Discover admin usernames
- Build target lists for brute force
- Identify high-value accounts
Data Leakage
Improperly secured endpoints may leak:
- Private post content
- User email addresses
- Custom field data
Authentication Bypass
Some plugins add vulnerable API endpoints allowing:
- Unauthenticated data access
- Privilege escalation
- Remote code execution
Securing the REST API
Option 1: Restrict to Authenticated Users
Only logged-in users can access the API. Note that this also blocks anonymous front-end requests, so plugins that call the API without a login (e-commerce checkout, see below) will stop working:
    add_filter('rest_authentication_errors', function($result) {
        // Another handler has already returned an error or success; respect it.
        if (!empty($result)) {
            return $result;
        }
        if (!is_user_logged_in()) {
            return new WP_Error('rest_not_logged_in', 'Unauthorized', ['status' => 401]);
        }
        return $result;
    });
Option 2: Disable User Endpoints Only
Block the /users endpoints while keeping other functionality. This removes them for logged-in users too, so the editor's author selector loses its user list; wrap the unset calls in an is_user_logged_in() check if that matters:
    add_filter('rest_endpoints', function($endpoints) {
        // Collection route: /wp/v2/users
        if (isset($endpoints['/wp/v2/users'])) {
            unset($endpoints['/wp/v2/users']);
        }
        // Single-user route: /wp/v2/users/<id>
        if (isset($endpoints['/wp/v2/users/(?P<id>[\d]+)'])) {
            unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
        }
        return $endpoints;
    });
Option 3: WP Folder Shield (Recommended)
Flexible REST API protection:
- Disable user endpoints
- Require authentication
- Whitelist specific endpoints
- E-commerce compatible (auto-whitelists WooCommerce)
E-Commerce Compatibility
Many e-commerce plugins require REST API. WP Folder Shield auto-whitelists:
- WooCommerce (/wc/v1-v3, /wc-blocks)
- Easy Digital Downloads
- Dokan
- WCFM
- Payment gateway endpoints
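The combination described above for Option 3 and the e-commerce section (hide user routes from visitors, require a login everywhere else, but keep an allow-list of e-commerce routes open) can be written as a small must-use plugin. The code below is an added example, not WP Folder Shield's code; the allow-listed prefixes are assumptions for illustration and should be adjusted to the plugins actually installed. It uses the rest_endpoints and rest_pre_dispatch filters from WordPress core.

```php
<?php
/**
 * Plugin Name: Example REST allow-list (added example, not WP Folder Shield)
 * Place in wp-content/mu-plugins/ so it loads before other plugins.
 */

// Route prefixes anonymous visitors may still reach. Assumed list: the
// WooCommerce namespaces named on this page plus read-only content routes.
function example_rest_public_route_prefixes(): array {
    return [
        '/wc/',            // WooCommerce /wc/v1-v3 and /wc/store
        '/wc-blocks/',     // WooCommerce Blocks
        '/wp/v2/posts',
        '/wp/v2/pages',
        '/wp/v2/media',
        '/wp/v2/categories',
        '/wp/v2/tags',
    ];
}

function example_rest_route_is_public( string $route ): bool {
    foreach ( example_rest_public_route_prefixes() as $prefix ) {
        if ( strpos( $route, $prefix ) === 0 ) {
            return true;
        }
    }
    return false;
}

// 1. Hide every /wp/v2/users route from anonymous requests only, so the
//    block editor's author selector keeps working for logged-in users.
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 2. Once the route is resolved, refuse anonymous requests that are not on
//    the allow-list. Returning a non-null value from rest_pre_dispatch
//    short-circuits the request. Core permission callbacks still apply to
//    allow-listed routes, so anonymous writes to /wp/v2/posts stay blocked.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( null !== $result || is_user_logged_in() ) {
        return $result;
    }
    if ( example_rest_route_is_public( $request->get_route() ) ) {
        return $result;
    }
    return new WP_Error(
        'rest_login_required',
        'Authentication required for this endpoint.',
        [ 'status' => 401 ]
    );
}, 10, 3 );
```

The allow-list is matched on the route after WordPress resolves it, so both /wp-json/wp/v2/users and the ?rest_route=/wp/v2/users form are covered. The API index at /wp-json/ is not on the list, so anonymous visitors also lose the route listing that is otherwise used for reconnaissance; add '/' to the prefixes if a plugin needs it.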
Testing REST API Security
Check User Endpoint
Visit: yoursite.com/wp-json/wp/v2/users, and also yoursite.com/?rest_route=/wp/v2/users, which reaches the same endpoint without pretty permalinks.
Both should return an error (401 or 404) or no user data if secured.
Check Authentication
Try accessing endpoints while logged out. Secure APIs return 401.
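The two checks above can also be run from inside WordPress with WP-CLI, which is useful for a deployment script that fails if the hardening is missing. This is an added example, not part of the original page or of WP Folder Shield; rest-check.php is an assumed file name. One caveat it accounts for: rest_do_request() goes through dispatch() only, so a rest_authentication_errors filter (Option 1) has to be exercised through check_authentication() separately.

```php
<?php
/**
 * Added example: verify REST API hardening without a browser.
 * Run with:  wp eval-file rest-check.php
 */

// Behave as an anonymous visitor for the rest of the script.
wp_set_current_user( 0 );

$failures = 0;

function example_report( string $check, bool $ok, string $detail ): void {
    global $failures;
    if ( ! $ok ) {
        $failures++;
    }
    WP_CLI::log( sprintf( '%-32s %s (%s)', $check, $ok ? 'ok' : 'FAIL', $detail ) );
}

// Option 1 lives in rest_authentication_errors, applied by serve_request(),
// so call the server's authentication check directly.
$auth = rest_get_server()->check_authentication();
example_report(
    'anonymous auth rejected',
    is_wp_error( $auth ),
    is_wp_error( $auth ) ? $auth->get_error_code() : 'no error returned'
);

// Option 2 (route removal) and rest_pre_dispatch rules are reached by dispatch().
foreach ( [ '/wp/v2/users', '/wp/v2/users/1' ] as $route ) {
    $response = rest_do_request( new WP_REST_Request( 'GET', $route ) );
    $status   = $response->get_status();
    example_report(
        "GET $route blocked",
        in_array( $status, [ 401, 403, 404 ], true ),
        "HTTP $status"
    );
}

// A route that must stay reachable for the site to work (assumed: public posts).
$posts  = rest_do_request( new WP_REST_Request( 'GET', '/wp/v2/posts' ) );
$status = $posts->get_status();
example_report( 'GET /wp/v2/posts still works', 200 === $status, "HTTP $status" );

if ( $failures > 0 ) {
    WP_CLI::error( "$failures REST API check(s) failed." );
}
WP_CLI::success( 'REST API hardening checks passed.' );
```

Note that an unprotected site returns 200 for /wp/v2/users with the list of users who have published posts, which is exactly the enumeration this page warns about; a 404 for /wp/v2/users/1 on its own is not proof of protection, since it also appears when no user with that ID exists.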
Best Practices
- Block user endpoints at minimum
- Require auth for sensitive endpoints
- Review plugin-added endpoints
- Monitor API access in logs
- Keep plugins updated for API patches
Get WP Folder Shield for intelligent REST API protection that secures data while maintaining e-commerce compatibility.
Written by Amanda Foster
WP Folder Shield Team