WordPress REST API Exposure Checker Tool Online
Last updated:
Check whether a WordPress site exposes REST API user data, public author slugs, and XML-RPC signals that should be reviewed during security hardening.
Enter a WordPress site URL to check public REST exposure:
We upgrade & secure WordPress sites, safely.
Backups, PHP upgrades, plugin compatibility checks, rollback safety. You saw the problem above; fixing it is literally our day job.
Stack looks healthy. Want it kept that way?
Our WordPress care plans handle updates, security, backups, and PHP upgrades from $49/mo, so it stays healthy.
Want us to act on this result? Fix these findings →
Prefer the partnership route? Refer clients to us, earn 10% →
How the WordPress REST API Checker Works
The checker requests common WordPress endpoints and reports whether public data is visible.
- REST root check, it requests /wp-json/ and looks for WordPress namespaces and routes.
- User endpoint check, it requests /wp-json/wp/v2/users and caps any returned users for safe display.
- WordPress signal check, it looks for WordPress and XML-RPC hints on the home page.
- Recommendations, the result explains what to harden based on the exposure found.
Why REST Exposure Matters
Public author data is not always critical, but it can help attackers build better login attacks and target real people.
- Login risk, exposed slugs can reveal likely usernames or author identities.
- Attack surface, open endpoints should match business needs, not default leftovers.
- Maintenance hygiene, REST exposure checks belong with updates, backups, plugin review, and security monitoring.
- Broader protection, pair this with the Security Headers Checker.
WordPress Hardening Recommendations
| Area | Recommended action |
|---|---|
| REST users | Restrict anonymous access to public user lists unless your site intentionally needs them. |
| Author slugs | Avoid author slugs that match login usernames. |
| XML-RPC | Disable XML-RPC when unused, or rate-limit and protect it if required. |
| Updates | Keep core, plugins, themes, and PHP versions current. |
| Access | Use strong passwords, multi-factor authentication, and least-privilege accounts. |
For ongoing support, review our WordPress maintenance services.
WordPress REST API Exposure Reference
The REST API powers the block editor and many integrations, so disabling it wholesale usually breaks the site. The right move is to restrict the specific public routes that leak data while leaving the rest intact. Here are the endpoints worth reviewing, what each can disclose to anonymous visitors, and how to lock it down.
| Endpoint | What it can leak | Fix |
|---|---|---|
| /wp-json/wp/v2/users | Display names and author slugs of users who have published content. Slugs often match login usernames. | Require authentication for the users route, or remove the public collection route via a security plugin or a rest_endpoints filter. |
| /wp-json/ (REST root) | The full list of registered namespaces and routes, which fingerprints active plugins and the site's capabilities. | Leave reachable (core needs it), but review which plugin routes are exposed and restrict sensitive custom routes. |
| /wp-json/wp/v2/media | URLs and metadata of uploaded files, occasionally including documents not meant to be discoverable. | Review uploads for sensitive files; store private documents outside the media library or behind auth. |
| /wp-json/wp/v2/posts & pages | Published content (intended), but custom fields or draft data if a plugin exposes them carelessly. | Audit plugins that register fields with show_in_rest; do not expose private meta to public routes. |
| Author archives (/?author=N) | The same slug-to-username leak as the users route, via a redirect to the author archive URL. | Block author archive redirects and disable user enumeration alongside restricting the REST users route. |
Reviewing every public route as plugins come and go is exactly the recurring work our WordPress website maintenance services cover, alongside updates, backups, and security monitoring.
Next steps
WP REST API Exposure Checker related tools and articles
Continue with the closest follow-up checks and guides based on this tool's topic, crawl intent, and optimization workflow.
WordPress REST API Exposure Checker: FAQ
What endpoints does the REST exposure checker request?
What does REST API reachable mean?
How is public user exposure detected?
Why can public names or slugs matter?
Should I disable the entire WordPress REST API?
What does the XML-RPC hint prove?
Why might the result miss WordPress or show no exposed users?
Is the URL or returned user data stored?
Free 48-Hour Website Audit
Not sure what to fix first on your own website? We'll review it and tell you, in plain English. Free & non-obligatory.
Need WordPress Hardening?
We keep WordPress sites updated, backed up, monitored, and hardened against common exposure and maintenance risks.