How to Secure Your WordPress REST API and Prevent User ID Exposure


The WordPress REST API is a powerful tool that allows developers to interact with a site’s content programmatically. However, it also introduces security concerns—one of the most common being the exposure of user IDs through the /wp-json/wp/v2/users endpoint. If left unprotected, this can make your site vulnerable to attacks like brute-force login attempts and user enumeration.

In this post, we’ll explain the issue and show you how to lock down your WordPress REST API to prevent unauthorized access to sensitive user information.


The Issue: Exposed User IDs

By default, WordPress exposes user information through its REST API. If you visit:

https://yoursite.com/wp-json/wp/v2/users

You might see a JSON response like this:

This exposes user IDs, usernames, and profile links, making it easier for attackers to target your site. To secure your WordPress site, follow these steps to disable or restrict access to the users endpoint.


Solution 1: Disable REST API User Endpoint via functions.php

A simple way to prevent exposure is by disabling the /users endpoint in the WordPress REST API. Add the following code to your theme’s functions.php file:

This removes the users endpoint from the REST API while leaving other endpoints functional.


Solution 2: Block Access via .htaccess (Apache Servers)

If your site is hosted on an Apache server, you can block access to the endpoint at the server level. Add the following to your .htaccess file:

This will return a 403 Forbidden error when someone tries to access the users endpoint.


Solution 3: Restrict Access to Logged-in Users

Another approach is to restrict access so that only logged-in users can access the REST API. Add this code to functions.php:

This will return a 404 error when a user who is not logged in tries to access the endpoint.
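As an added example (not code from the original post), here is one way to implement Solution 3 that also covers the per-user route Solution 1 removes. It assumes a standard WordPress install and the `list_users` capability as the gate, and it answers with 401/403 rather than the 404 described above:

```php
<?php
/**
 * Restrict the REST API users routes to accounts allowed to list users.
 * Added example, not from the original post. Assumes a standard WordPress
 * install; put it in the theme's functions.php or, better, a must-use
 * plugin under wp-content/mu-plugins so a theme update cannot remove it.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter has already short-circuited this request; keep its result.
    if ( null !== $result ) {
        return $result;
    }

    // The route is resolved from the request itself, so the check applies
    // however the API was reached (pretty permalink or ?rest_route= form).
    $route = $request->get_route();
    if ( ! preg_match( '#^/wp/v2/users(?:/|$)#', $route ) ) {
        return $result; // Not a users route: leave every other endpoint alone.
    }

    // Anonymous visitors get a 401 instead of a listing of accounts.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_users_not_logged_in',
            'You must be logged in to view users.',
            array( 'status' => 401 )
        );
    }

    // A logged-in user may always read their own record (/wp/v2/users/me),
    // which the block editor needs.
    if ( '/wp/v2/users/me' === $route ) {
        return $result;
    }

    // Everyone else needs list_users (Administrators by default). Lowering
    // this to edit_others_posts for the Editor author picker is a site choice;
    // list_users is an assumption for this example.
    if ( ! current_user_can( 'list_users' ) ) {
        return new WP_Error(
            'rest_users_forbidden',
            'You are not allowed to list users.',
            array( 'status' => 403 )
        );
    }

    return $result;
}, 10, 3 );
```

Because the hook runs after WordPress has checked the cookie nonce, a logged-in browser session without a valid REST nonce is treated as anonymous here, which is the behaviour you want.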


Solution 4: Disable REST API Completely for Non-Logged-in Users

If your site doesn’t rely on the REST API for public access, you can block it entirely for non-logged-in users:

This ensures that only authenticated users can interact with the REST API.


Solution 5: Use a Security Plugin

If you’re not comfortable adding custom code, you can use a security plugin like:

  • Disable REST API
  • WP Hide & Security Enhancer

These plugins provide a user-friendly way to control API access and block sensitive endpoints.


Leaving the REST API users endpoint open can expose user IDs and increase security risks for your WordPress site. Implementing any of the solutions above will help protect your site from unauthorized access and potential attacks.

For best results, consider combining multiple methods—such as restricting access to logged-in users and using security plugins—to maximize protection.

Need help securing your WordPress site? Let us know in the comments or reach out for expert assistance!
