Free Feature

REST API Diagnosis

Prevent data leaks with 28 REST API security checks.
Diagnose user enumeration, exposed settings, unauthenticated access,
and more — categorized by severity from Critical to Info.

[Sample scan result: REST API Endpoint Scan, 24 total endpoints, 3 exposed, 21 protected. GET /wp-json/wp/v2/users: Exposed; GET /wp-json/wp/v2/posts: OK; POST /wp-json/wp/v2/comments: OK]

REST API: Powerful but a Potential Data Leak Entry Point

The WordPress REST API is powerful, but with default settings user information
and post data can be retrieved by anyone from outside the site.
Proper access control is essential.

[Figures: 90% of sites run with default settings; 28 security items diagnosed; diagnosis results display instantly]

[Sample endpoint list: GET /wp-json/wp/v2/users, GET /wp-json/wp/v2/posts, GET /wp-json/wp/v2/settings, GET /wp-json/wp/v2/comments, GET /wp-json/. Action required: 2/5 endpoints are publicly exposed (tags: User Enum, Data Leak)]

REST API
Data Leak Risks

User Enumeration

Accessing /wp-json/wp/v2/users may expose usernames and email addresses.

Unauthenticated Access

Many endpoints are accessible without login, allowing external information gathering.

Used for Attack Reconnaissance

Exposed plugin info and site configuration can be used as a foothold for targeted attacks.
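The three risks above come down to one question: which routes answer an anonymous request? The following must-use plugin is an added example written for this page, not SentinelSecurity's code. It requires authentication on the user and settings routes named above by short-circuiting the request before the endpoint callback runs, and logs each denied probe so enumeration attempts are visible. The route list and the "example_" names are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Example REST user-endpoint guard
 *
 * Added example for this page, not SentinelSecurity's code. Place it in
 * wp-content/mu-plugins/ to require authentication on the routes that the
 * "User Enumeration" and "Unauthenticated Access" items describe.
 * The route list and the "example_" prefix are assumptions for illustration.
 */

// Route patterns that anonymous callers must not reach.
const EXAMPLE_REST_PROTECTED_ROUTES = array(
    '#^/wp/v2/users(/|$)#',    // user listing, single users, /users/me
    '#^/wp/v2/settings(/|$)#', // site configuration
);

/**
 * Return true when $route (as given by WP_REST_Request::get_route()) is protected.
 *
 * @param string $route e.g. "/wp/v2/users/3"
 * @return bool
 */
function example_rest_route_is_protected( $route ) {
    foreach ( EXAMPLE_REST_PROTECTED_ROUTES as $pattern ) {
        if ( preg_match( $pattern, $route ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Runs before the endpoint callback and its permission_callback. Returning a
 * WP_Error here makes WP_REST_Server answer with that error instead of
 * running the handler, so an anonymous GET /wp-json/wp/v2/users gets a 401.
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( is_wp_error( $response ) || is_user_logged_in() ) {
        return $response; // already an error, or an authenticated caller
    }

    $route = $request->get_route();
    if ( ! example_rest_route_is_protected( $route ) ) {
        return $response; // public routes such as /wp/v2/posts are unaffected
    }

    // Log the denied probe so repeated enumeration attempts show up in the server log.
    error_log( sprintf(
        'REST access denied: %s %s from %s',
        $request->get_method(),
        $route,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // rest_authorization_required_code() returns 401 for anonymous callers.
    return new WP_Error(
        'rest_login_required',
        __( 'You must be logged in to access this resource.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

To confirm the guard on your own site, request /wp-json/wp/v2/users without a session cookie: before the plugin the response is 200 with a user list, after it the response is 401 with the `rest_login_required` error body, while /wp-json/wp/v2/posts continues to answer normally.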

With SentinelSecurity

Instantly detect exposed endpoints and suggest appropriate countermeasures.

28 Security Items Diagnosed

Critical (3), High (7), Medium (8), Low (2), Info (8) — categorized by severity
for comprehensive REST API security evaluation.

Critical

Critical risks requiring immediate action (3 items)

User Enumeration Prevention

Usernames and emails can be retrieved from the /wp-json/wp/v2/users endpoint, making them targets for brute force attacks.

Tags: Brute Force, Username Leak

Settings Endpoint

Site configuration can be exposed via /wp-json/wp/v2/settings, allowing attackers to understand site structure.

Tags: Settings Leak, Unauthorized Access

Media Upload

If unauthenticated media uploads are possible, malware or backdoors could be installed.

Tags: Malware, File Upload Attack

High

Strongly recommended to address (7 items)

Authenticated User Info

Logged-in user information may be exposed via /wp-json/wp/v2/users/me.

Rate Limiting

Without API request rate limiting, the site is vulnerable to DoS and brute force attacks.

Comment Posting Restriction

If unauthenticated comment posting is possible, it becomes a breeding ground for spam and malicious content.

Theme/Plugin Information

Exposed theme and plugin information lets attackers match the site against known vulnerabilities.

Draft Posts

Unauthenticated access to draft or private posts can lead to confidential information leaks.

Custom Endpoints

Insufficient permission checks on plugin custom endpoints risk privilege escalation.

Nonce Validation

Without REST API nonce token validation, there is risk of CSRF and replay attacks.
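The "Custom Endpoints" and "Nonce Validation" items are two sides of the same registration. The following plugin code is an added example written for this page, not SentinelSecurity's or any real plugin's code: it registers a custom route with an explicit capability check instead of the `__return_true` shortcut, declares and validates its argument, and hands the `wp_rest` nonce to the browser script that will call it. The namespace "example/v1", the route "/site-report", the capability choice and the file "report.js" are assumptions for illustration.

```php
<?php
/**
 * Added example, not SentinelSecurity's code: a plugin custom endpoint with a
 * real permission check, and the REST nonce that browser requests must carry.
 * Namespace "example/v1", route "/site-report" and the capability choice are
 * assumptions for illustration.
 */

add_action( 'rest_api_init', function () {
    // Weak pattern the "Custom Endpoints" item warns about: '__return_true'
    // as permission_callback makes the route reachable by anyone.
    //
    //     'permission_callback' => '__return_true',
    //
    // Hardened registration: an explicit capability check plus a declared,
    // validated argument.
    register_rest_route( 'example/v1', '/site-report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_site_report',
        'permission_callback' => 'example_site_report_permission',
        'args'                => array(
            'days' => array(
                'type'              => 'integer',
                'default'           => 7,
                'minimum'           => 1,
                'maximum'           => 90,
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'rest_sanitize_request_arg',
            ),
        ),
    ) );
} );

/**
 * Permission check: runs before the callback on every request.
 * Anonymous callers get 401, logged-in users without the capability get 403.
 */
function example_site_report_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view the site report.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

/**
 * Endpoint body: return only the fields the caller needs, never raw settings.
 */
function example_site_report( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'window_days'     => (int) $request->get_param( 'days' ),
        'published_posts' => (int) wp_count_posts()->publish,
    ) );
}

/**
 * Cookie-authenticated browser requests are treated as anonymous unless they
 * send a valid nonce for the 'wp_rest' action in the X-WP-Nonce header (or a
 * _wpnonce parameter). That check is what stops a third-party page from
 * riding the admin's session against this endpoint (the "Nonce Validation"
 * item). "report.js" is a hypothetical file that calls the endpoint.
 */
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-site-report', plugins_url( 'report.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-site-report', 'exampleReport', array(
        'url'   => esc_url_raw( rest_url( 'example/v1/site-report' ) ),
        'nonce' => wp_create_nonce( 'wp_rest' ),
    ) );
} );
```

In report.js the fetch call sends `credentials: 'same-origin'` and the header `X-WP-Nonce: exampleReport.nonce`; a request that omits the header is handled as anonymous and fails the permission check, which is the behaviour the "Nonce Validation" item asks for.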

Medium

Recommended to address (8 items)

Basic Authentication

Basic Authentication should be disabled in production; it carries a risk of credential exposure.

Anonymous Access

Sensitive endpoints should require authentication.

CORS Configuration

Improper Access-Control-Allow-Origin settings can lead to cross-site attacks.

Media Metadata

Exposed image EXIF data (GPS location, etc.) can lead to personal information leaks.

Version Information

Exposed WordPress version makes the site easier to target with known vulnerabilities.

Search Endpoint

Search endpoint abuse can lead to information gathering and enumeration attacks.

Revision Information

Post revisions (edit history) can expose information that was thought to be deleted.

API Filters

Query parameters passed to API filters risk unauthorized data retrieval and SQL injection.

Low

Address as needed (2 items)

oEmbed Endpoint

Site info may be exposed via embed data, but impact is limited.

XML-RPC

Can be abused for brute force and DDoS amplification attacks. Disable if not in use.

After Diagnosis, Take Action with API Protection

When REST API diagnosis finds issues, the API Protection feature provides countermeasures. It offers user enumeration prevention, rate limiting, and more to prevent data leaks.
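As an added example of the rate-limiting countermeasure mentioned above (not SentinelSecurity's API Protection code), the plugin below counts anonymous REST requests per client address in fixed windows using WordPress transients and answers with 429 and a Retry-After header once the limit is exceeded. The limit, window length and "example_" names are placeholders chosen for illustration.

```php
<?php
/**
 * Added example, not SentinelSecurity's API Protection code: a fixed-window,
 * per-client request counter for the REST API built on WordPress transients.
 * The limit, window and "example_" names are placeholders for illustration.
 */

const EXAMPLE_REST_RATE_LIMIT  = 60; // requests allowed per window
const EXAMPLE_REST_RATE_WINDOW = 60; // window length in seconds

/**
 * Transient key for the caller in the current window. The address is hashed so
 * the option name stays short and the database holds no raw IP addresses.
 */
function example_rest_rate_key( $ip, $now ) {
    $bucket = (int) floor( $now / EXAMPLE_REST_RATE_WINDOW );
    return 'example_rl_' . substr( hash( 'sha256', $ip ), 0, 32 ) . '_' . $bucket;
}

/**
 * Count one request for $ip and return the total seen in this window.
 * get/set on a transient is not atomic, so under heavy concurrency the count
 * can be slightly low; a persistent object cache with wp_cache_incr() is the
 * usual production answer.
 */
function example_rest_rate_hit( $ip, $now ) {
    $key   = example_rest_rate_key( $ip, $now );
    $count = (int) get_transient( $key ) + 1;
    // Expiry covers the whole window even when the first hit lands late in it.
    set_transient( $key, $count, 2 * EXAMPLE_REST_RATE_WINDOW );
    return $count;
}

/**
 * rest_pre_dispatch runs before any route is resolved; returning a non-null
 * value short-circuits the request, and a WP_Error becomes the HTTP response.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result || is_user_logged_in() ) {
        return $result; // already answered, or an authenticated user
    }

    // Behind a reverse proxy, derive the client address from the proxy's
    // trusted header instead; REMOTE_ADDR would then be the proxy itself.
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    $now   = time();
    $count = example_rest_rate_hit( $ip, $now );

    if ( $count <= EXAMPLE_REST_RATE_LIMIT ) {
        return $result;
    }

    // Tell well-behaved clients when the current window ends.
    $retry_after = EXAMPLE_REST_RATE_WINDOW - ( $now % EXAMPLE_REST_RATE_WINDOW );
    $server->send_header( 'Retry-After', (string) $retry_after );

    if ( $count === EXAMPLE_REST_RATE_LIMIT + 1 ) {
        // Log once per window per client so the operator sees bursts, not floods.
        error_log( sprintf(
            'REST rate limit hit: %s %s from %s',
            $request->get_method(),
            $request->get_route(),
            $ip
        ) );
    }

    return new WP_Error(
        'rest_rate_limited',
        __( 'Too many requests. Please try again later.' ),
        array( 'status' => 429 )
    );
}, 10, 3 );
```

Logged-in users are exempted here because the nonce and capability checks already constrain them; whether to count them too is a policy choice, as is the threshold, which should be set from the site's observed legitimate traffic.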

Understand Your Data Leak Risks with REST API Diagnosis

All REST API diagnosis features are available in the free version.