The WordPress REST API is a powerful tool that allows developers to interact with a site's content programmatically. However, it also introduces security concerns. One of the most common is the exposure of user IDs through the /wp-json/wp/v2/users endpoint. If left unprotected, this can make your site vulnerable to attacks like brute-force login attempts and user enumeration.
In this post, we'll explain the issue and show you how to lock down your WordPress REST API to prevent unauthorized access to sensitive user information.
The Issue: Exposed User IDs
By default, WordPress exposes user information through its REST API. If you visit:
https://yoursite.com/wp-json/wp/v2/users
You might see a JSON response like this:
[
    {
        "id": 1,
        "name": "Admin",
        "url": "https://yoursite.com",
        "link": "https://yoursite.com/author/admin/",
        "slug": "admin"
    }
]
This exposes user IDs, usernames (the slug is usually the login name), and profile links, making it easier for attackers to target your site. To secure your WordPress site, follow these steps to disable or restrict access to the users endpoint.
Solution 1: Disable REST API User Endpoint via functions.php
A simple way to prevent exposure is by disabling the /users endpoint in the WordPress REST API. Add the following code to your theme's functions.php file:
function disable_rest_api_users_endpoint($endpoints) {
    // Only hide the routes from visitors who are not logged in; the block
    // editor needs /wp/v2/users and /wp/v2/users/me for authenticated users.
    if (!is_user_logged_in()) {
        // The collection route alone is not enough: the single-user route
        // would still return the same id, name and slug for each author.
        unset($endpoints['/wp/v2/users']);
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
}
add_filter('rest_endpoints', 'disable_rest_api_users_endpoint');
This removes the users routes from the REST API while leaving other endpoints functional.
Solution 2: Block Access via .htaccess (Apache Servers)
If your site is hosted on an Apache server, you can block access to the endpoint at the server level. Add the following to your .htaccess file:
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Pretty-permalink form: /wp-json/wp/v2/users and /wp-json/wp/v2/users/<id>
    RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [NC,OR]
    # Plain-permalink form: /?rest_route=/wp/v2/users (slashes may arrive as %2F)
    RewriteCond %{QUERY_STRING} rest_route=(/|%2F)wp(/|%2F)v2(/|%2F)users [NC]
    RewriteRule .* - [F,L]
</IfModule>
This returns a 403 Forbidden error when someone tries to access the users endpoint.
Solution 3: Restrict Access to Logged-in Users
Another approach is to restrict access so that only logged-in users can access the users endpoint. Add this code to functions.php:
function restrict_rest_api_access($result, $wp_rest_server, $request) {
    // Authentication has already run by rest_pre_dispatch, so
    // is_user_logged_in() reflects the caller of this REST request.
    if (!is_user_logged_in() && strpos($request->get_route(), '/wp/v2/users') !== false) {
        // Mirror core's "no route" error so the response does not confirm the endpoint exists.
        return new WP_Error('rest_no_route', __('No route was found matching the URL and request method.'), array('status' => 404));
    }
    return $result;
}
add_filter('rest_pre_dispatch', 'restrict_rest_api_access', 10, 3);
This returns a 404 error when a visitor who is not logged in tries to access the endpoint, while logged-in users are unaffected.
Solution 4: Disable REST API Completely for Non-Logged-in Users
If your site doesn’t rely on the REST API for public access, you can block it entirely for non-logged-in users:
add_filter('rest_authentication_errors', function($result) {
    // Keep whatever an earlier authentication check already decided
    // (true for success, or a WP_Error such as an invalid nonce).
    if (!empty($result)) {
        return $result;
    }
    if (!is_user_logged_in()) {
        return new WP_Error('rest_disabled', __('REST API restricted.'), array('status' => 403));
    }
    return $result;
});
This ensures that only authenticated users can interact with the REST API.
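Whichever solution you apply, verify it from the outside. The following audit helper is an added example, not code from the original post: it checks every URL form that reaches the users controller, including the single-user route that removing only the collection route leaves open. `fetch` is a hypothetical callable returning `(status, body)` so the check runs offline here; the `example.test` URLs and responses are constructed.

```python
"""Audit helper (added example): after hardening, confirm the users
endpoint no longer returns user records. `fetch` is a hypothetical
callable returning (status, body); swap in a real HTTP GET for your site."""
import json
from typing import Callable, Dict, Tuple

# Routes served by the users controller (constructed list): the
# pretty-permalink form, the plain-permalink ?rest_route= form, and the
# single-user route that unsetting only '/wp/v2/users' leaves in place.
USER_ROUTES = [
    "/wp-json/wp/v2/users",
    "/?rest_route=/wp/v2/users",
    "/wp-json/wp/v2/users/1",
]

def leaks_user_records(status: int, body: str) -> bool:
    """True only for a 200 whose JSON carries objects with user fields."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    items = data if isinstance(data, list) else [data]
    return any(isinstance(i, dict) and {"id", "slug"}.issubset(i) for i in items)

def audit(base_url: str, fetch: Callable[[str], Tuple[int, str]]) -> Dict[str, bool]:
    """Map each route to whether it leaked; every value False means hardened."""
    return {route: leaks_user_records(*fetch(base_url + route)) for route in USER_ROUTES}

# Constructed responses simulating a site where only the collection route
# was removed: both list forms 404, but the single-user route still answers.
CONSTRUCTED_RESPONSES = {
    "https://example.test/wp-json/wp/v2/users": (404, '{"code":"rest_no_route"}'),
    "https://example.test/?rest_route=/wp/v2/users": (404, '{"code":"rest_no_route"}'),
    "https://example.test/wp-json/wp/v2/users/1": (200, '{"id":1,"name":"Admin","slug":"admin"}'),
}

def fake_fetch(url: str) -> Tuple[int, str]:
    """Stand-in for an HTTP GET; returns the constructed response for url."""
    return CONSTRUCTED_RESPONSES[url]

if __name__ == "__main__":
    for route, leaked in audit("https://example.test", fake_fetch).items():
        print(f"{route}: {'STILL EXPOSED' if leaked else 'blocked'}")
```

Run it against your own site (replacing `fake_fetch` with a real client) before and after each change; the single-user route reporting STILL EXPOSED is the typical sign that only the collection route was removed.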
Solution 5: Use a Security Plugin
If you’re not comfortable adding custom code, you can use a security plugin like:
- Disable REST API
- WP Hide & Security Enhancer
These plugins provide a user-friendly way to control API access and block sensitive endpoints.
Leaving the REST API users endpoint open can expose user IDs and increase security risks for your WordPress site. Implementing any of the solutions above will help protect your site from unauthorized access and potential attacks.
For best results, consider combining multiple methods, such as restricting access to logged-in users and using a security plugin, to maximize protection.
Need help securing your WordPress site? Let us know in the comments or reach out for expert assistance!