WordPress REST API Exposure Checker Tool Online

Last updated:

Check whether a WordPress site exposes REST API user data, public author slugs, and XML-RPC signals that should be reviewed during security hardening.

Enter a WordPress site URL to check public REST exposure:

How the WordPress REST API Checker Works

The checker requests common WordPress endpoints and reports whether public data is visible.

  1. REST root check, it requests /wp-json/ and looks for WordPress namespaces and routes.
  2. User endpoint check, it requests /wp-json/wp/v2/users and caps any returned users for safe display.
  3. WordPress signal check, it looks for WordPress and XML-RPC hints on the home page.
  4. Recommendations, the result explains what to harden based on the exposure found.

Why REST Exposure Matters

Public author data is not always critical, but it can help attackers build better login attacks and target real people.

  • Login risk, exposed slugs can reveal likely usernames or author identities.
  • Attack surface, open endpoints should match business needs, not default leftovers.
  • Maintenance hygiene, REST exposure checks belong with updates, backups, plugin review, and security monitoring.
  • Broader protection, pair this with the Security Headers Checker.

WordPress Hardening Recommendations

AreaRecommended action
REST usersRestrict anonymous access to public user lists unless your site intentionally needs them.
Author slugsAvoid author slugs that match login usernames.
XML-RPCDisable XML-RPC when unused, or rate-limit and protect it if required.
UpdatesKeep core, plugins, themes, and PHP versions current.
AccessUse strong passwords, multi-factor authentication, and least-privilege accounts.

For ongoing support, review our WordPress maintenance services.

WordPress REST API Exposure Reference

The REST API powers the block editor and many integrations, so disabling it wholesale usually breaks the site. The right move is to restrict the specific public routes that leak data while leaving the rest intact. Here are the endpoints worth reviewing, what each can disclose to anonymous visitors, and how to lock it down.

Endpoint What it can leak Fix
/wp-json/wp/v2/users Display names and author slugs of users who have published content. Slugs often match login usernames. Require authentication for the users route, or remove the public collection route via a security plugin or a rest_endpoints filter.
/wp-json/ (REST root) The full list of registered namespaces and routes, which fingerprints active plugins and the site's capabilities. Leave reachable (core needs it), but review which plugin routes are exposed and restrict sensitive custom routes.
/wp-json/wp/v2/media URLs and metadata of uploaded files, occasionally including documents not meant to be discoverable. Review uploads for sensitive files; store private documents outside the media library or behind auth.
/wp-json/wp/v2/posts & pages Published content (intended), but custom fields or draft data if a plugin exposes them carelessly. Audit plugins that register fields with show_in_rest; do not expose private meta to public routes.
Author archives (/?author=N) The same slug-to-username leak as the users route, via a redirect to the author archive URL. Block author archive redirects and disable user enumeration alongside restricting the REST users route.

Reviewing every public route as plugins come and go is exactly the recurring work our WordPress website maintenance services cover, alongside updates, backups, and security monitoring.

Next steps

WP REST API Exposure Checker related tools and articles

Continue with the closest follow-up checks and guides based on this tool's topic, crawl intent, and optimization workflow.

WordPress REST API Exposure Checker: FAQ

What endpoints does the REST exposure checker request?
It checks the site's origin at /wp-json/, /wp-json/wp/v2/users, and the homepage in parallel. Each request has a 12-second timeout and does not use your logged-in WordPress session.
What does REST API reachable mean?
It means the REST root or users endpoint returned a successful response. WordPress relies on REST for core and plugin features, so public reachability alone is not evidence of a vulnerability.
How is public user exposure detected?
The tool parses the unauthenticated users endpoint and reports the name and slug from up to the first 10 returned entries. It does not enumerate every page of results or test other user-related routes.
Why can public names or slugs matter?
They can reveal author identities and login-like identifiers that help reconnaissance, although they do not reveal passwords. Decide whether this information is needed for author archives, bylines, APIs, and integrations before restricting it.
Should I disable the entire WordPress REST API?
Usually no. Restrict anonymous access to sensitive endpoints, minimize exposed fields, and test the editor, forms, mobile apps, plugins, and integrations. Broadly disabling REST can break legitimate site functions.
What does the XML-RPC hint prove?
Only that the homepage source contains xmlrpc.php. It does not request the endpoint or determine whether XML-RPC methods or pingbacks work; use a dedicated XML-RPC check for that.
Why might the result miss WordPress or show no exposed users?
A firewall, consent response, custom REST prefix, disabled default route, authentication requirement, headless setup, response variation, or timeout can hide signals. No returned users is not a full access-control audit.
Is the URL or returned user data stored?
The URL is sent to WebAloha's server for the three live requests. This endpoint does not save the submitted URL, homepage, REST response, names, slugs, or result to a database or cache.

Free 48-Hour Website Audit

Not sure what to fix first on your own website? We'll review it and tell you, in plain English. Free & non-obligatory.

Need WordPress Hardening?

We keep WordPress sites updated, backed up, monitored, and hardened against common exposure and maintenance risks.