🔒 Close the Security Hole
Most WordPress hacks exploit REST API endpoints. Don’t need headless access? Disable the REST API for visitors who aren’t logged in.
    // Disable REST API for non-logged-in users
    add_filter( 'rest_authentication_errors', function ( $result ) {
        // Keep any decision an earlier authentication check already made
        // (true = authenticated, WP_Error = already rejected).
        if ( true === $result || is_wp_error( $result ) ) {
            return $result;
        }
        // No earlier decision: reject anonymous requests with a 401.
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_disabled',
                'REST API disabled',
                array( 'status' => 401 )
            );
        }
        return $result;
    } );
What This Blocks: Automated user enumeration, content scraping, brute force via API, vulnerability scanning.
Still Works: WordPress admin, Gutenberg editor, logged-in users.
Check: Visit yoursite.com/wp-json/wp/v2/users while logged out (a private browser window works) – it should return a 401 error, not a user list. Logged in, you will still see the list, because your session cookie authenticates the request.
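The filter above rejects every anonymous route, which also breaks front-end features that legitimately call wp-json without a login (form-submission endpoints, oEmbed of your own posts). This added variant, not code from the original post, keeps a small allow-list of route prefixes public and denies the rest; the prefixes listed are assumed examples to be replaced with the routes your installed plugins actually need.

```php
<?php
/**
 * Added example (not from the original post): deny anonymous REST
 * requests except for an explicit allow-list of route prefixes.
 * The prefixes in $public_prefixes are assumptions; check which
 * routes your front-end plugins call and list only those.
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Keep any decision an earlier authentication check already made.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // Logged-in users (cookie + nonce auth) are unaffected.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // The route WordPress is about to dispatch, e.g. "/wp/v2/users".
    // rest_api_loaded() serves the request from this query var.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? '/' . ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' )
        : '/';

    // Assumed allow-list of routes that must stay public (edit per site).
    $public_prefixes = array(
        '/contact-form-7/v1/contact-forms/', // example: form submissions
        '/oembed/1.0/embed',                 // example: embeds of own posts
    );
    foreach ( $public_prefixes as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result; // leave this route reachable anonymously
        }
    }

    // Everything else: record the attempt and deny with 401.
    error_log( sprintf( 'REST denied: anonymous request to %s', $route ) );
    return new WP_Error(
        'rest_disabled',
        'REST API disabled for anonymous requests.',
        array( 'status' => 401 )
    );
} );
```

Re-run the check above after installing it: /wp/v2/users should still return 401, while a route on the allow-list should behave as before.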
