The WordPress REST API is a built-in interface that allows external applications and services to interact with your WordPress site using standard HTTP requests and JSON data. It was introduced in WordPress 4.7 and provides endpoints for posts, pages, users, comments, and more.
How It Works
The API root is /wp-json/ (or /?rest_route=/ on sites without pretty permalinks), and the core endpoints live in the wp/v2 namespace. For example:
- /wp-json/wp/v2/posts lists published posts
- /wp-json/wp/v2/users lists users who have published public posts; the slug field is the user_nicename, which defaults to the login name, so it usually exposes usernames
- /wp-json/wp/v2/pages lists published pages
Security Concerns
While the REST API is essential for many plugins (like Gutenberg), the default configuration can expose sensitive data:
- User enumeration: the /wp/v2/users endpoint reveals the slug of every user who has published a post, and because the slug defaults to the login name it hands attackers a list of valid usernames for brute-force or password-spraying attempts against the login form.
- Content exposure: core checks capabilities before returning drafts or private posts, but a plugin or theme route registered without a permission_callback, or with one that simply returns true, serves its data to anyone, so custom endpoints are where this leak usually appears.
- Information disclosure: the index at /wp-json/ lists every registered namespace and route, which fingerprints installed plugins and narrows down the WordPress version, since core namespaces were added in specific releases.
Recommendations
You don't need to disable the REST API entirely (it would break Gutenberg and many plugins), but you should:
- Restrict the /wp/v2/users endpoint to authenticated requests only
- Remove API endpoints you do not use (routes removed from the table also disappear from the /wp-json/ index)
- Require authentication for sensitive operations, and verify that every custom route registers a permission_callback that actually checks a capability
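The two configuration-level recommendations above, as an added example in the form of a must-use plugin. This is illustrative code written for this page, not InspectWP's or WordPress core's; the plugin name and the example-plugin/v1 namespace are placeholders you would replace with the routes you have decided not to expose.

```php
<?php
/**
 * Plugin Name: Restrict REST API user data (added example)
 *
 * Drop-in for wp-content/mu-plugins/. Implements two measures:
 *  1. /wp/v2/users routes answer only to authenticated requests.
 *  2. Routes you do not need are removed from the route table, so they
 *     neither appear in the /wp-json/ index nor respond.
 */

// Route prefixes to remove. '/example-plugin/v1' is a placeholder for a real
// plugin namespace you have decided you do not need; replace it.
const RESTRICT_REST_REMOVE_PREFIXES = [ '/example-plugin/v1' ];

/**
 * 1. Require a logged-in user for the users collection and single-user routes.
 * rest_pre_dispatch runs after authentication (cookie + nonce, or an
 * application password) but before the route handler is called; returning a
 * WP_Error short-circuits the request with that error.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already answered this request
    }
    $is_users_route = (bool) preg_match( '#^/wp/v2/users(/|$)#', $request->get_route() );
    if ( $is_users_route && ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to list users.' ),
            // 401 for anonymous callers, 403 for authenticated ones
            [ 'status' => rest_authorization_required_code() ]
        );
    }
    return $result;
}, 10, 3 );

/**
 * 2. Drop whole namespaces from the route table. rest_endpoints is applied
 * whenever the server collects its routes, including when building the index.
 */
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    foreach ( array_keys( $endpoints ) as $route ) {
        foreach ( RESTRICT_REST_REMOVE_PREFIXES as $prefix ) {
            if ( 0 === strpos( $route, $prefix ) ) {
                unset( $endpoints[ $route ] );
            }
        }
    }
    return $endpoints;
} );
```

This only closes the REST path. Usernames still leak through author archives (/?author=1 redirects to /author/<login>/) and the oEmbed endpoint returns author_name, so treat this as one layer and check those separately.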
What InspectWP Checks
InspectWP checks whether the REST API is publicly accessible and whether sensitive endpoints, such as the user listing behind user enumeration, answer unauthenticated requests. It also detects the REST API URL from the <link rel="https://api.w.org/"> tag that WordPress emits in the HTML head.
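An added example, not InspectWP's code, of how the checks described here and the user-enumeration concern above can be reproduced from the command line with PHP's built-in stream functions: discover the REST root from the head link tag, list the namespaces the index advertises, and report which user slugs /wp/v2/users hands to an anonymous client. The function names, the User-Agent string and the fallback to /wp-json/ are this example's own assumptions.

```php
<?php
// Usage: php rest-exposure-check.php https://example.com

/** REST root advertised by <link rel="https://api.w.org/" href="...">, or the default location. */
function find_rest_root( string $html, string $site_url ): string {
    // Attribute order varies, so try rel-then-href and href-then-rel.
    $patterns = [
        '#<link[^>]+rel=["\']https://api\.w\.org/["\'][^>]*href=["\']([^"\']+)["\']#i',
        '#<link[^>]+href=["\']([^"\']+)["\'][^>]*rel=["\']https://api\.w\.org/["\']#i',
    ];
    foreach ( $patterns as $re ) {
        if ( preg_match( $re, $html, $m ) ) {
            return html_entity_decode( $m[1] );
        }
    }
    return rtrim( $site_url, '/' ) . '/wp-json/';
}

/** Build a URL for a route under the root; sites without pretty permalinks use ?rest_route=/. */
function route_url( string $root, string $route, string $query = '' ): string {
    $url = $root . ltrim( $route, '/' );
    if ( '' === $query ) {
        return $url;
    }
    return $url . ( false === strpos( $root, '?' ) ? '?' : '&' ) . $query;
}

/** Namespaces in the index: core ones plus one per plugin that registers routes. */
function index_namespaces( string $json ): array {
    $data = json_decode( $json, true );
    return ( is_array( $data ) && isset( $data['namespaces'] ) ) ? $data['namespaces'] : [];
}

/** User slugs (user_nicename, defaulting to the login name) returned to an anonymous request. */
function exposed_user_slugs( string $json ): array {
    $users = json_decode( $json, true );
    if ( ! is_array( $users ) ) {
        return []; // an error object or non-JSON body means nothing was listed
    }
    $slugs = [];
    foreach ( $users as $u ) {
        if ( is_array( $u ) && isset( $u['slug'] ) ) {
            $slugs[] = $u['slug'];
        }
    }
    return $slugs;
}

/** Plain GET that returns the body even on 4xx/5xx, or null when unreachable. */
function http_get( string $url ): ?string {
    $ctx  = stream_context_create( [ 'http' => [
        'timeout'       => 10,
        'ignore_errors' => true,
        'header'        => "User-Agent: rest-exposure-check/0.1\r\n",
    ] ] );
    $body = @file_get_contents( $url, false, $ctx );
    return false === $body ? null : $body;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $site = $argv[1];
    $root = find_rest_root( http_get( $site ) ?? '', $site );
    echo "REST root: $root\n";

    $index = http_get( $root );
    if ( null === $index || [] === index_namespaces( $index ) ) {
        echo "REST API index not reachable or not public\n";
        exit( 1 );
    }
    echo 'Namespaces: ' . implode( ', ', index_namespaces( $index ) ) . "\n";

    // per_page=100 is the maximum a core collection allows in one request.
    $slugs = exposed_user_slugs( http_get( route_url( $root, '/wp/v2/users', 'per_page=100' ) ) ?? '' );
    echo $slugs
        ? 'Exposed user slugs: ' . implode( ', ', $slugs ) . "\n"
        : "No user slugs exposed to anonymous requests\n";
}
```

An empty slug list is only a pass for the REST path: the users endpoint lists authors of published posts, so a site whose posts are all by one account still exposes that one slug, and a 401 or 403 from a hardened site correctly yields an empty result.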