WordPress REST API Security Scanner

Pricing

Pay per usage

Probes WordPress REST API for endpoints leaking users, plugins, drafts, customers. 40% of the web runs WP. Counts only.

Developer

Renzo Madueno

Maintained by Community

WordPress REST API Security Scanner — Find user enumeration + draft leaks

Default WordPress exposes /wp-json/wp/v2/users to anonymous callers — returning every registered user's login slug, display name, and URL. That's user enumeration handed to an attacker on a plate, with no rate limit. Combine with /wp-json/wp/v2/plugins (CVE checklist) and you have a complete brute-force attack profile. This actor finds those leaks in 30 seconds.

WordPress powers ~43% of the web. Most installs run the default REST API with zero endpoint restrictions. This scanner probes the core + WooCommerce + common-plugin endpoints to surface every leak.

💸 Found a leak? Two ways to get it fixed:

  • $29 quick scan + 1-page report in 24h (Stripe) — for when you want a sanity check before committing
  • $99 full hardening — I write a mu-plugin tailored to your site + install + verify, 48h, money-back (Stripe)

⭐️ Solo dev competing with bigger Apify publishers. A 30-second review is the single thing that lifts ranking. Thank you.

Why this exists

WordPress's REST API is on by default and mostly public by default. The core endpoints anyone can query without auth:

  • /wp-json/wp/v2/users — every user's slug + display name → username enumeration → brute-force target list
  • /wp-json/wp/v2/posts?status=draft — draft posts (CMS often allows this even though it shouldn't)
  • /wp-json/wp/v2/plugins — installed plugin list → attacker's CVE checklist (Wordfence Premium 7.x.x? Now they know to try CVE-2024-xxxx)
  • /wp-json/wp/v2/settings — site settings (admin email, blog name, etc.)
  • /wp-json/wc/v3/customers (WooCommerce) — customer emails + addresses if API keys misconfigured
  • /wp-json/wc/v3/orders — same risk

WordPress security plugins such as Wordfence and iThemes catch some of these and miss others. This scanner is non-destructive — it only sends unauthenticated GETs, exactly what an anonymous visitor or attacker would send.

How to run

Either:

  1. Leave inputs empty + click Run for a DEMO sample report
  2. Provide your wordpressUrl to scan your actual site:

    {
      "wordpressUrl": "https://your-site.com",
      "endpointHints": ["custom/v1/private-route"],
      "outputFormat": "both"
    }

What you get

  • HTML report in run's KV store: severity-coded findings, curl reproducers, paste-ready mu-plugin code to fix
  • Dataset rows: one structured row per finding

Sample finding

[CRITICAL] /wp/v2/users — user enumeration
Total records: 12
Description: User enumeration — usernames, slugs, display names exposed
Reproducer:
curl 'https://your-site.com/wp-json/wp/v2/users'

How to fix (quick mu-plugin)

<?php
// wp-content/mu-plugins/disable-anon-rest.php
// (the comment must sit after the <?php tag; any text before it is sent as output)

// Remove the user-listing routes for callers without list_users, so an
// anonymous request gets a 404 rest_no_route instead of the user list.
add_filter('rest_endpoints', function ($endpoints) {
    if (!current_user_can('list_users')) {
        unset($endpoints['/wp/v2/users']);
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// Refuse plugin, theme and settings routes before dispatch unless the caller
// can manage_options. str_starts_with() is native on PHP 8 and polyfilled by
// WordPress 5.9+.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    $route     = $request->get_route();
    $deny_anon = ['/wp/v2/plugins', '/wp/v2/themes', '/wp/v2/settings'];
    foreach ($deny_anon as $denied) {
        if (str_starts_with($route, $denied) && !current_user_can('manage_options')) {
            return new WP_Error('rest_forbidden', 'Forbidden.', ['status' => 401]);
        }
    }
    return $result; // null here lets normal dispatch continue
}, 10, 3);

Drop that file in wp-content/mu-plugins/ and re-run the scanner.
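To confirm the mu-plugin took effect, here is an added Python example (not the actor's own code) that classifies anonymous REST responses the way the report above does, keeping counts only: a rest_no_route error means the rest_endpoints unset worked, rest_forbidden means the rest_pre_dispatch deny fired, and a non-empty 200 list or object is still a leak. The response bodies are constructed samples; rest_no_route is WordPress core's error code for a route that does not exist.

```python
import json
# Route -> (severity, description) for the anonymous-GET probes listed above.
ROUTES = {
    "/wp/v2/users": ("CRITICAL", "user enumeration"),
    "/wp/v2/posts?status=draft": ("HIGH", "draft posts readable"),
    "/wp/v2/plugins": ("HIGH", "plugin list exposed"),
    "/wp/v2/settings": ("MEDIUM", "site settings exposed"),
    "/wc/v3/customers": ("CRITICAL", "customer PII exposed"),
}

def classify(route, status, body):
    """Return a finding for a leaking route, or None when it is blocked (count only)."""
    severity, description = ROUTES[route]
    try:
        data = json.loads(body)
    except ValueError:
        return None  # non-JSON body (e.g. a WAF block page) is not a leak
    if isinstance(data, dict):
        # A WP_Error envelope carries "code" and "message": rest_no_route once
        # the route is unset, rest_forbidden from the rest_pre_dispatch deny.
        if "code" in data and "message" in data:
            return None
        count = 1  # single-object response such as /wp/v2/settings
    elif isinstance(data, list):
        count = len(data)
    else:
        return None
    if status != 200 or count == 0:
        return None
    return {"severity": severity, "route": route,
            "total_records": count, "description": description}

def scan(responses):
    """Classify (route, status, body) triples and return only the leaks."""
    return [f for f in (classify(r, s, b) for r, s, b in responses) if f]

# Constructed samples: first an unhardened site, then mu-plugin, empty-store and WAF outcomes.
SAMPLE_RESPONSES = [
    ("/wp/v2/users", 200, json.dumps(
        [{"id": i, "slug": f"user{i}", "name": f"User {i}"} for i in range(1, 13)])),
    ("/wp/v2/users", 404, '{"code":"rest_no_route","message":"No route was found matching the URL and request method.","data":{"status":404}}'),
    ("/wp/v2/plugins", 401, '{"code":"rest_forbidden","message":"Forbidden.","data":{"status":401}}'),
    ("/wc/v3/customers", 200, "[]"),
    ("/wp/v2/settings", 403, "<html>blocked</html>"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RESPONSES):
        print(f"[{f['severity']}] {f['route']} - {f['description']}\nTotal records: {f['total_records']}")
```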

Plugin alternative

  • Disable WP REST API — quickest, blocks ALL anon access
  • WPS Hide Login — also moves wp-admin
  • Wordfence Premium → REST API hardening rules

Ethical use

  • Only scan sites you own or have explicit permission to scan
  • Probes are read-only GETs with no auth, identical to what an unauthenticated visitor sees

Built and maintained by Renzo Madueño, founder of Rotate Pilot, aviation exam-prep software. More tools on GitHub.