The REST API powers the block editor, headless setups, and countless integrations — but it’s also increasingly probed by bots for user enumeration and abuse. The goal isn’t to disable it (that breaks WordPress) but to secure it.
Common REST API risks
- User enumeration via /wp-json/wp/v2/users, which leaks usernames for brute-force attacks.
- Unauthenticated access to endpoints that should be restricted.
- Automated scraping and abuse of public endpoints.
How to lock it down
- Require authentication for sensitive endpoints, and restrict the users endpoint so anonymous requests can no longer list accounts.
- Rate-limit and block IPs that probe the API aggressively.
- Keep WordPress and plugins updated, since many REST issues are plugin-specific.
- Monitor REST traffic so you can see enumeration and abuse attempts.
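One way to implement the first and last of these steps, as an added example rather than Obzervi's own code: a small WordPress filter that rejects anonymous requests to the core users routes with a 401 and writes each rejection to the PHP error log. It assumes a standard WordPress install where the snippet is loaded as a must-use plugin (wp-content/mu-plugins/) or from the active theme's functions.php.

```php
<?php
/**
 * Added example (not Obzervi code): deny anonymous access to the
 * /wp/v2/users routes and log every denied attempt so enumeration
 * probes become visible. Logged-in users are unaffected, so the block
 * editor's own requests to this endpoint keep working.
 */
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // Another filter has already produced a response or error; respect it.
    if ( null !== $result ) {
        return $result;
    }

    $route = $request->get_route();

    // Matches /wp/v2/users and /wp/v2/users/<id>, with or without a trailing slash.
    if ( ! preg_match( '#^/wp/v2/users(?:/|$)#', $route ) ) {
        return $result;
    }

    // By the time rest_pre_dispatch runs, WordPress has already evaluated
    // cookie/nonce and application-password authentication, so an
    // anonymous request here really is anonymous.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Assumption: error_log() is a stand-in for whatever monitoring the
    // site already has; the point is that each probe leaves a record.
    error_log( sprintf(
        'REST users endpoint denied: route=%s ip=%s ua=%s',
        $route,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        substr( $_SERVER['HTTP_USER_AGENT'] ?? '', 0, 120 )
    ) );

    return new WP_Error(
        'rest_users_auth_required',
        'Authentication is required to access the users endpoint.',
        array( 'status' => 401 )
    );
}, 10, 3 );
```

Core's own permission checks on the users controller still apply to authenticated callers, so this only closes the anonymous listing path described above.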
Don’t disable — monitor
Because the editor and many plugins depend on the REST API, blanket-disabling it causes more problems than it solves. The better approach is visibility plus targeted blocking.
How Obzervi helps
Obzervi treats the REST API as a first-class attack surface — logging requests, surfacing suspicious patterns with AI, and blocking abusive IPs, right alongside login and XML-RPC protection.
See who’s probing your REST API — install Obzervi and watch it live.