Securing the WP REST API

Just about everything is available to anyone or anything that asks for it posts, pages, categories, tags, comments, taxonomies, media, users, settings, and more.   Just like with RSS feeds, RESTfully delivered JSON content is scraped and used for spam, phishing, plagiarism, adsense, and other foul things...   Everything else, all domain thanks to REST API..   To give you concrete example of the data that is shared via REST API, consider the URL https digwp com wp-json wp v2 users 3.   content is content, and REST API makes it easier than ever for anyone and anything to manipulate your site's content, categories, tags, meta, and much more.   For example, before the WP 4.7.1 update, REST API exposed data for ALL registered users, regardless of whether or not they are credited as Author for any post ..   This important step helps to reduce data exposure, and that the WP team is working to keep WordPress as safe and secure as possible.   unfortunately most WordPress users will remain unaware and do nothing.   By default helps to protect the majority of, Disabling exposure of user data WordPress users, and of course developers always will be savvy enough to enable the data endpoints if when needed.   Here are some related materials and resources FYI Quotes taken from this FB thread Why Showing the Username is Not Security Risk Why REST API User Endpoint Still is not Fixed 4 good reason to use strong passwords and or 3+factor authentication Brute-Force Login Drip Attack 6 Protect Against WordPress Brute Force Amplification Attack...   Read more