WordPress Security

NexGen Innovators: WordPress Protection | Brute Force Attack Prevention

Written by Rahul Bhardwaj
Posted on - 5 min read

Steps to Stop Exposing your WordPress user’s details in wp-json API.

Step 1. Check user list is exposed or not.

You can add wp-json/wp/v2/users at the end of your website and if it prints list of your users then you haven’t disabled it. like in nexgi.com case it will be https://www.nexgi.com/wp-json/wp/v2/users.

If you are getting something like below – means you are already secure.

{"code":"rest_no_route","message":"No route was found matching the URL and request method.","data":{"status":404}}

Step 2. Disable wp-json/wp/v2/users API

There are two options via which you can disable it.

2.1. Through code without using any plugin

Step 1. Open your functions.php file of the theme folder and paste the below code at the end.

// disabling user list exposing in public
add_filter( 'rest_endpoints', function( $endpoints ){
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;

2.2. Using a plugin

I have converted the above code into a plugin. You can download this plugin via click here. Just Download, Install & Activate the plugin. That’s all.

Step 3. Repeat step 1 again.

In case unable to disable the problem you can comment below. And If you would like us to manage your server & web app security. Please feel free to connect with us.