Created
May 12, 2021 18:32
by johnalarcon (gist 9ad93f247bfdcee8edb21cd9c26f7e1e)
Remove the /users/ REST API endpoint in WordPress and ClassicPress
<?php
/**
 * The following code will remove access to the /users/ endpoint. This makes the
 * endpoint inaccessible while not blocking access to other endpoints. This code
 * works with both WordPress and ClassicPress.
 *
 * Why do this? The REST API is very handy, however, by default, it exposes data
 * that you may not want exposed – namely, your site's usernames. With a list of
 * your usernames, the success of a brute-force attack becomes more likely.
 *
 */
function codepotent_disable_rest_user_endpoint($endpoints) {
    // Collection route: /wp-json/wp/v2/users
    $route = '/wp/v2/users';
    if (isset($endpoints[$route])) {
        unset($endpoints[$route]);
    }
    // Single-user route: /wp-json/wp/v2/users/<id>
    if (isset($endpoints[$route.'/(?P<id>[\d]+)'])) {
        unset($endpoints[$route.'/(?P<id>[\d]+)']);
    }
    return $endpoints;
}
add_filter('rest_endpoints', 'codepotent_disable_rest_user_endpoint');
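The gist above removes the two user routes for every request, including requests from logged-in editors, which also breaks the block editor's author selector (it queries /wp/v2/users). The following is an added example, not part of the original gist, that generalises the same rest_endpoints technique: it strips every route under a configurable prefix (so sub-routes such as /wp/v2/users/me are caught as well) but only for anonymous requests, leaving WordPress's own capability checks in place for authenticated users. The function name and the $prefixes list are this example's own choices.

```php
<?php
/**
 * Added example (not the original gist's code): hide REST routes under a
 * prefix from anonymous visitors while keeping them for logged-in users.
 *
 * Hooked into 'rest_endpoints', which WP_REST_Server applies when it builds
 * the route table for a request, after cookie/nonce authentication has run,
 * so is_user_logged_in() reflects the authenticated REST user (a request
 * without a valid nonce is treated as anonymous by WordPress itself).
 */
function example_hide_rest_routes_from_visitors(array $endpoints): array {
    // Authenticated users keep the routes; core's permission callbacks still
    // apply to them (for instance context=edit on /wp/v2/users requires the
    // list_users capability).
    if (is_user_logged_in()) {
        return $endpoints;
    }

    // Route prefixes that reveal account data to anonymous visitors.
    // Assumed list for this example; extend it as needed.
    $prefixes = ['/wp/v2/users'];

    foreach (array_keys($endpoints) as $route) {
        foreach ($prefixes as $prefix) {
            // Match the collection route itself and any sub-route, e.g.
            // /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
            if ($route === $prefix || strpos($route, $prefix . '/') === 0) {
                unset($endpoints[$route]);
                break;
            }
        }
    }

    return $endpoints;
}
add_filter('rest_endpoints', 'example_hide_rest_routes_from_visitors');
```

To verify the change after deploying it in a plugin or theme functions.php, request /wp-json/wp/v2/users without credentials: the server should answer with a 404 and the rest_no_route error code, while the same request made from a logged-in session with a valid REST nonce still returns data subject to the normal capability checks.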