The /wp-json/wp/v2/users endpoint is part of WordPress’s REST API and allows the retrieval of user information. Hackers frequently attempt to exploit this endpoint because it can reveal usernames and other sensitive details of registered users on a WordPress site. By accessing usernames, attackers can try various tactics, including brute-forcing passwords or other attacks targeting specific accounts.


Purpose of /wp-json/wp/v2/users in WordPress

The wp-json/wp/v2/users endpoint is designed to provide information about users on a WordPress site. It’s part of WordPress’s REST API, which allows developers to interact with WordPress from external applications. Typically, the endpoint is used to retrieve public information about authors, such as:

  • Username or display name
  • User ID
  • User roles (if accessible)

The intention is to allow third-party applications or plugins to display author information, for instance, on posts or comments.

Why Hackers Target /wp-json/wp/v2/users

Hackers target this endpoint because:

  • User Enumeration: It provides access to usernames, a critical piece of information for brute-force login attacks.
  • Information Gathering: Revealing usernames makes it easier for attackers to target specific users, especially administrators or editors with higher privileges.
  • Reconnaissance: This endpoint is used in initial reconnaissance to identify usernames for further attacks, potentially including credential stuffing or phishing.

Example of How Hackers Exploit wp-json/wp/v2/users

Here’s an example of how a hacker might exploit the wp-json/wp/v2/users endpoint:

  1. User Enumeration: The attacker sends a request to:
   https://yourwebsite.com/wp-json/wp/v2/users

This endpoint, by default, lists all users on the site with publicly accessible information, including usernames or display names and user IDs.

  1. Brute-Force Login Attack: After obtaining usernames, the hacker can perform a brute-force attack by trying common passwords (e.g., “password123”) with the usernames they retrieved. This method is known as credential stuffing, where attackers test known usernames with lists of common passwords.
  2. Phishing or Targeted Attacks: If the attacker discovers an admin username, they might attempt spear-phishing or impersonation tactics to gain access to the account.

Securing /wp-json/wp/v2/users from Hackers

To protect your site from attacks targeting the /wp-json/wp/v2/users endpoint, here are some effective strategies:

Restrict Access to the REST API

Restrict access to the REST API, especially for unauthenticated users, by using a plugin or adding custom code to your theme’s functions.php file. Here’s how you can restrict access to logged-in users only:

   add_filter('rest_authentication_errors', function($result) {
       if (!is_user_logged_in()) {
           return new WP_Error('rest_forbidden', __('You are not allowed to access this resource.'), array('status' => 401));
       }
       return $result;
   });

This code will restrict access to the REST API for logged-in users only. Unauthenticated users attempting to access wp-json/wp/v2/users will receive an error response.

Use a Security Plugin to Limit REST API Access

Several WordPress security plugins offer features to restrict or limit access to the REST API:

  • Wordfence: Offers REST API restrictions and other powerful security options.
  • iThemes Security: Allows you to disable parts of the REST API, including the /wp-json/wp/v2/users endpoint.
  • Disable REST API Plugin: Specifically designed to limit REST API usage.

These plugins often offer simple toggles to disable or restrict parts of the REST API without modifying code.

Disable REST API for Specific Endpoints

If you don’t want to disable the entire REST API but only the /wp-json/wp/v2/users endpoint, you can use code to block access to it directly:

   add_filter('rest_endpoints', function($endpoints) {
       if (isset($endpoints['/wp/v2/users'])) {
           unset($endpoints['/wp/v2/users']);
       }
       return $endpoints;
   });

This code will disable access to the /wp-json/wp/v2/users endpoint specifically, reducing the risk of user enumeration.

Implement Strong Login Security

Protect user accounts by implementing robust security measures for logging in, such as:

  • Enable Two-Factor Authentication (2FA): Add 2FA for all users, especially admins, using plugins like Google Authenticator or Wordfence.
  • Limit Login Attempts: Use a plugin to limit login attempts and block IPs with repeated failed login attempts.
  • Enforce Strong Passwords: Require all users to use strong passwords, especially admins and users with elevated roles.

Regularly Monitor for Unusual Activity

Monitoring user login attempts and API access patterns can help you catch suspicious activity early. Use logging plugins, such as WP Activity Log, to record access attempts and flag unusual behavior. By taking these protective measures, you can secure the /wp-json/wp/v2/users endpoint, reducing the risk of attacks and keeping your WordPress site and its user data safer.