WordPress REST API User Enumeration
Description
WordPress versions prior to 4.7.1 expose a REST API endpoint that allows unauthenticated users to enumerate registered user accounts. The /wp-json/wp/v2/users endpoint returns detailed information about all users who have authored public posts, including usernames, display names, and user IDs. This information disclosure occurs by default without requiring any authentication or special privileges.
Remediation
Apply one or more of the following mitigations:
1. Update WordPress: Upgrade to WordPress 4.7.1 or later, which restricts user enumeration through the REST API by listing only users who have authored posts of a post type explicitly registered for REST API visibility.
2. Install a Security Plugin: Deploy the 'Stop User Enumeration' plugin or similar security solutions that detect and block user enumeration attempts via both REST API and author archive scanning.
3. Disable REST API User Endpoint: Add the following code to your theme's functions.php file or a custom plugin to completely disable the users endpoint:
add_filter('rest_endpoints', function($endpoints) {
    // Remove the user collection route (/wp-json/wp/v2/users).
    if (isset($endpoints['/wp/v2/users'])) {
        unset($endpoints['/wp/v2/users']);
    }
    // Remove the single-user route (/wp-json/wp/v2/users/<id>).
    if (isset($endpoints['/wp/v2/users/(?P<id>[\d]+)'])) {
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});
4. Implement Rate Limiting: Configure web application firewall (WAF) rules or server-level rate limiting to restrict repeated requests to REST API endpoints from a single IP address.
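The filter in step 3 removes the user routes for everyone, including logged-in editors whose block editor queries /wp/v2/users to populate the post author selector. The following is an added example, not part of the original advisory, that instead denies only unauthenticated requests to those routes; it assumes the REST API infrastructure of WordPress 4.7 or later (the rest_pre_dispatch filter and WP_REST_Request::get_route()).

```php
<?php
// Added example (not from the advisory): keep /wp/v2/users available to
// authenticated users but refuse anonymous enumeration.
// Assumes WordPress 4.7+ (rest_pre_dispatch, WP_REST_Request::get_route()).
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Only act on the users collection and single-user routes
    // (/wp/v2/users and /wp/v2/users/<id>, /wp/v2/users/me).
    if ( ! preg_match( '#^/wp/v2/users(/|$)#', $request->get_route() ) ) {
        return $result;
    }

    // Authenticated callers (cookie+nonce, application passwords, etc.)
    // are already resolved at this point; let them through unchanged.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Anonymous callers receive a 401 and no user data. Returning a
    // non-null value from rest_pre_dispatch short-circuits the request.
    return new WP_Error(
        'rest_user_enumeration_blocked',
        __( 'Authentication required to list users.' ),
        array( 'status' => 401 )
    );
}, 10, 3 );
```

After deploying, an unauthenticated GET to /wp-json/wp/v2/users should return HTTP 401 with the error code above, while a logged-in editor's author dropdown keeps working.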