WordPress REST API Exposure Checker Tool Online

Check whether a WordPress site exposes REST API user data, public author slugs, and XML-RPC signals that should be reviewed during security hardening.

How the WordPress REST API Checker Works

The checker requests common WordPress endpoints and reports whether public data is visible.

  1. REST root check: it requests /wp-json/ and looks for WordPress namespaces and routes.
  2. User endpoint check: it requests /wp-json/wp/v2/users and caps any returned users for safe display.
  3. WordPress signal check: it looks for WordPress and XML-RPC hints on the home page.
  4. Recommendations: the result explains what to harden based on the exposure found.

Why REST Exposure Matters

Public author data is not always critical, but it can help attackers build better login attacks and target real people.

  • Login risk: exposed slugs can reveal likely usernames or author identities.
  • Attack surface: open endpoints should match business needs, not default leftovers.
  • Maintenance hygiene: REST exposure checks belong with updates, backups, plugin review, and security monitoring.
  • Broader protection: pair this with the Security Headers Checker.

WordPress Hardening Recommendations

Area | Recommended action
REST users | Restrict anonymous access to public user lists unless your site intentionally needs them.
Author slugs | Avoid author slugs that match login usernames.
XML-RPC | Disable XML-RPC when unused, or rate-limit and protect it if required.
Updates | Keep core, plugins, themes, and PHP versions current.
Access | Use strong passwords, multi-factor authentication, and least-privilege accounts.
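As an added example (not code from this checker or from WordPress core), a small must-use plugin that applies the "REST users" and "XML-RPC" rows of the table above using WordPress's own filters. It assumes the site needs neither anonymous author listings nor any XML-RPC client; the plugin name is a placeholder.

```php
<?php
/**
 * Plugin Name: REST and XML-RPC exposure hardening (added example)
 * Description: Hides the public users endpoints from anonymous visitors and
 *              disables XML-RPC. Place in wp-content/mu-plugins/ so it always loads.
 */

// REST users: drop every /wp/v2/users route for anonymous requests so the
// collection, single-user and /me routes answer 404 rest_no_route and no
// longer appear in the /wp-json/ index. Logged-in users keep access, which
// the block editor needs for its author picker.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// XML-RPC: 'xmlrpc_enabled' only blocks methods that require a login, so add
// 'xmlrpc_methods' to remove every method, pingback.ping included. xmlrpc.php
// then answers each call with a "method does not exist" fault. A web-server
// deny rule on xmlrpc.php is the most complete option when you can add one.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );

// Remove the RSD <link rel="EditURI"> in <head> that points at xmlrpc.php,
// one of the XML-RPC hints a checker can read from the home page. Themes that
// print <link rel="pingback"> directly in header.php need that line removed
// in the theme itself.
remove_action( 'wp_head', 'rsd_link' );
```

After activating, re-run the checker: /wp-json/wp/v2/users should return a 404 for an anonymous request, and the home page should no longer carry the EditURI hint.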

For ongoing support, review our WordPress maintenance services.

WordPress REST API Exposure Checker: FAQ

What does the WordPress REST API expose?
The REST API can expose public endpoints for posts, pages, media, settings, and users. Some endpoints are intended for public use, while others should be reviewed for unnecessary disclosure.
Is the WordPress REST API always a security problem?
No. WordPress uses the REST API for legitimate features. The risk is exposing sensitive or unnecessary data, especially public author usernames or slugs.
What is user enumeration?
User enumeration is when an attacker can list usernames or author slugs. Those identifiers can be used in password attacks or social engineering.
What endpoints does this checker test?
The API checks /wp-json/ for WordPress REST signals and /wp-json/wp/v2/users for public author exposure. It also looks for an XML-RPC hint on the home page.
What should I do if users are exposed?
Restrict anonymous access to the users endpoint, change public author slugs where practical, use strong passwords and multi-factor authentication, and monitor login attempts.
Should I disable XML-RPC?
Disable XML-RPC if you do not need Jetpack, mobile publishing, or legacy integrations. If you need it, protect it with rate limits and security rules.
Can this tool prove a site is secure?
No. It checks a specific exposure pattern. A full WordPress security review should also cover plugins, themes, hosting, backups, admin access, headers, and malware scanning.
Does this checker store user data?
No. It returns a capped list of public names and slugs found in the response and does not store the checked result.

Need WordPress Hardening?

We keep WordPress sites updated, backed up, monitored, and hardened against common exposure and maintenance risks.