WordPress REST API Exposure Checker Tool Online

Last updated:

Check whether a WordPress site exposes REST API user data, public author slugs, and XML-RPC signals that should be reviewed during security hardening.

Enter a WordPress site URL to check public REST exposure:

How the WordPress REST API Checker Works

The checker requests common WordPress endpoints and reports whether public data is visible.

  1. REST root check, it requests /wp-json/ and looks for WordPress namespaces and routes.
  2. User endpoint check, it requests /wp-json/wp/v2/users and caps any returned users for safe display.
  3. WordPress signal check, it looks for WordPress and XML-RPC hints on the home page.
  4. Recommendations, the result explains what to harden based on the exposure found.

Why REST Exposure Matters

Public author data is not always critical, but it can help attackers build better login attacks and target real people.

  • Login risk, exposed slugs can reveal likely usernames or author identities.
  • Attack surface, open endpoints should match business needs, not default leftovers.
  • Maintenance hygiene, REST exposure checks belong with updates, backups, plugin review, and security monitoring.
  • Broader protection, pair this with the Security Headers Checker.

WordPress Hardening Recommendations

AreaRecommended action
REST usersRestrict anonymous access to public user lists unless your site intentionally needs them.
Author slugsAvoid author slugs that match login usernames.
XML-RPCDisable XML-RPC when unused, or rate-limit and protect it if required.
UpdatesKeep core, plugins, themes, and PHP versions current.
AccessUse strong passwords, multi-factor authentication, and least-privilege accounts.

For ongoing support, review our WordPress maintenance services.

Next steps

WP REST API Exposure Checker related tools and articles

Continue with the closest follow-up checks and guides based on this tool's topic, crawl intent, and optimization workflow.

Security Headers Checker Tool Online

Security Headers Checker

 WordPress Theme and Plugin Detector Tool Online

WordPress Theme & Plugin Detector

 wp-config.php Generator Tool Online

wp-config.php Generator

 PHP Extensions for WordPress: What Extensions to Enable?

PHP Extensions for WordPress: What Extensions to Enable?

 WordPress + PHP 8.5 Compatibility: Tested on Real Websites

WordPress + PHP 8.5 Compatibility: Tested on Real Websites

 Recommended PHP Version for WordPress in 2026

Recommended PHP Version for WordPress in 2026

WordPress REST API Exposure Checker: FAQ

What does the WordPress REST API expose?
The REST API can expose public endpoints for posts, pages, media, settings, and users. Some endpoints are intended for public use, while others should be reviewed for unnecessary disclosure.
Is the WordPress REST API always a security problem?
No. WordPress uses the REST API for legitimate features. The risk is exposing sensitive or unnecessary data, especially public author usernames or slugs.
What is user enumeration?
User enumeration is when an attacker can list usernames or author slugs. Those identifiers can be used in password attacks or social engineering.
What endpoints does this checker test?
The API checks /wp-json/ for WordPress REST signals and /wp-json/wp/v2/users for public author exposure. It also looks for an XML-RPC hint on the home page.
What should I do if users are exposed?
Restrict anonymous access to the users endpoint, change public author slugs where practical, use strong passwords and multi-factor authentication, and monitor login attempts.
Should I disable XML-RPC?
Disable XML-RPC if you do not need Jetpack, mobile publishing, or legacy integrations. If you need it, protect it with rate limits and security rules.
Can this tool prove a site is secure?
No. It checks a specific exposure pattern. A full WordPress security review should also cover plugins, themes, hosting, backups, admin access, headers, and malware scanning.
Does this checker store user data?
No. It returns a capped list of public names and slugs found in the response and does not store the checked result.

Free 48-Hour Website Audit

Not sure what to fix first on your own website? We'll review it and tell you — in plain English. Free & non-obligatory.

Get My Free Audit 💪

Need WordPress Hardening?

We keep WordPress sites updated, backed up, monitored, and hardened against common exposure and maintenance risks.

Explore WordPress Maintenance