WordPress REST API user enumeration exposure

live factor #6 · Security & Infrastructure · scoring impl: implemented · weight 3.3%

What we measure

WordPress ships with a public API that lists every user account on your site by default — including your admin login names. Anyone can see them in seconds. That's half the information a hacker needs to attempt a break-in.

How to improve your score

Block `/wp-json/wp/v2/users` via a security plugin (Wordfence, iThemes Security) or by adding a `functions.php` filter that returns an empty array for unauthenticated requests.
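
One way to write the `functions.php` filter described above. This is an added example, not code published by WQI or by any of the plugins named. It uses WordPress's `rest_pre_dispatch` hook, the function name `wqi_example_hide_users_from_anonymous` is hypothetical, and it assumes anonymous visitors never need the core users endpoints on your site.

```php
<?php
// Added example for a theme's functions.php (or a small must-use plugin).
// Assumption: no public feature of the site depends on anonymous access
// to the core users endpoints.
add_filter( 'rest_pre_dispatch', 'wqi_example_hide_users_from_anonymous', 10, 3 );

/**
 * Short-circuit /wp/v2/users requests from visitors who are not logged in.
 *
 * @param mixed           $result  Null unless an earlier filter already produced a response.
 * @param WP_REST_Server  $server  REST server instance (unused here).
 * @param WP_REST_Request $request The request being dispatched.
 * @return mixed Empty-array response for anonymous user lookups, otherwise $result unchanged.
 */
function wqi_example_hide_users_from_anonymous( $result, $server, $request ) {
    // Respect a response that another filter has already set.
    if ( null !== $result ) {
        return $result;
    }

    // Authenticated callers keep normal access, so logged-in editor
    // features that query users continue to work.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Matches /wp/v2/users, /wp/v2/users/<id> and /wp/v2/users/me,
    // but not unrelated routes that merely start with "users".
    if ( preg_match( '#^/wp/v2/users(/|$)#', $request->get_route() ) ) {
        return rest_ensure_response( array() );
    }

    return $result;
}
```

After deploying, a logged-out request to `/wp-json/wp/v2/users` should return `[]`, while the same request from a logged-in session still returns the user list.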

Data source

Data source for this factor is not yet documented.

Scoring

Scoring formulas are versioned with the methodology. The current method (v1.1.0) maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.

Version history

| Version | Change | Date |
| --- | --- | --- |
| v1.1.0 | Factor introduced. Status: live. Scoring impl: implemented. | 2026-04-25 |
