How to disable WordPress REST API endpoints – example user endpoint

A colleague of mine from Sweden pointed out that the WordPress REST API lists usernames by default at the endpoint /wp-json/wp/v2/users. This is not a vulnerability, but I don’t think it is a good idea to give bots an easy way to find your admin username. Bots trying to break into your sites use the username ‘admin’ and try different passwords, which is why you should not use admin as a username in your WordPress installation. With the REST endpoint available, it would not take much to program a bot to read the admin username from the endpoint instead. Provided you have a good password and an up-to-date WordPress this is probably not a problem, but why give attackers any help?

How to disable user endpoint

The easy way to solve this is to disable the user endpoint (if you don’t need it in your application). This can be done with the rest_endpoints filter in your functions.php. The following filter disables the user endpoints. You can apply the same logic to any endpoint you want to close.

add_filter( 'rest_endpoints', function( $endpoints ){
    // Collection route: GET /wp-json/wp/v2/users lists users.
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    // Single-user route: GET /wp-json/wp/v2/users/<id>.
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    // Note: /wp/v2/users/me is a separate route and stays registered;
    // it only answers for an authenticated user, so it does not list names.
    return $endpoints;
});
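As an added example that is not from the original post, here is a generalisation of the filter above: it drops every route under a given prefix, so /wp/v2/users/me and the single-user route go as well, and it does so only for requests with no authenticated user, because logged-in editors need the users endpoint in the block editor. The function name example_remove_rest_routes and the '/wp/v2/users-extra' route mentioned in a comment are this example's own.

```php
/**
 * Remove all REST routes whose path starts with one of the given prefixes.
 * Added example, intended for functions.php; not part of the original post.
 *
 * @param array    $endpoints Route => handlers map, as passed by rest_endpoints.
 * @param string[] $prefixes  Route prefixes to drop, e.g. '/wp/v2/users'.
 * @return array Filtered route map.
 */
function example_remove_rest_routes( array $endpoints, array $prefixes ) {
    foreach ( array_keys( $endpoints ) as $route ) {
        foreach ( $prefixes as $prefix ) {
            // Match the prefix exactly or followed by a slash, so that
            // '/wp/v2/users' removes '/wp/v2/users/me' and
            // '/wp/v2/users/(?P<id>[\d]+)' but not a hypothetical
            // '/wp/v2/users-extra' route registered by a plugin.
            if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
                unset( $endpoints[ $route ] );
                break;
            }
        }
    }
    return $endpoints;
}

add_filter( 'rest_endpoints', function ( $endpoints ) {
    // rest_endpoints runs after the REST server has checked authentication
    // (cookie + nonce, application passwords, ...), so by now an anonymous
    // request has no current user while a logged-in editor does.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    return example_remove_rest_routes( $endpoints, array( '/wp/v2/users' ) );
} );
```

Anonymous requests to /wp-json/wp/v2/users now receive the standard "No route was found" error, while the same URL keeps working inside the admin.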

How to disable entire REST API

If you don’t need the REST API at all and want to disable it for some reason, you can use this snippet in your functions.php.

// Note: rest_enabled was deprecated in WordPress 4.7 and no longer disables
// the API on newer versions; rest_jsonp_enabled still turns off JSONP support.
add_filter( 'rest_enabled', '__return_false' );
add_filter( 'rest_jsonp_enabled', '__return_false' );