API Protection
API Protection is a suite of features that strengthens the security of the WordPress REST API and XML-RPC. You can disable unnecessary endpoints, apply rate limits, and prevent user enumeration — all from the admin dashboard.
Why API Protection Matters
If the REST API Diagnosis detects issues, leaving them unaddressed poses a security risk. However, completely disabling the REST API can break the Gutenberg editor and other plugin functionality.
API Protection takes the approach of selectively blocking only dangerous endpoints while keeping the ones you need.
Feature Overview
1. Endpoint Control
Enable or disable individual REST API endpoints.
| Protected Item | Description | Default |
|---|---|---|
| /wp/v2/users | Block retrieval of the user list | Blocked |
| /wp/v2/users/me | Current logged-in user's own info | Allowed |
| ?author=N | User enumeration via Author ID | Blocked |
| oEmbed Author | Author name in oEmbed responses | Removed |
2. XML-RPC Control
| Setting | Description | Default |
|---|---|---|
| Disable XML-RPC entirely | Block all access to xmlrpc.php | Enabled (recommended) |
| Disable Pingback | Disable only the pingback.ping method | Enabled |
| Application Passwords | Application passwords for REST API | Disabled |
3. Rate Limiting
Limit the number of requests to API endpoints to prevent automated attacks via the API.
| Setting | Description | Default |
|---|---|---|
| Max Requests | Maximum requests per time window | 60/min |
| Block Duration | Block duration when rate is exceeded | 5 minutes |
| Excluded Paths | Paths excluded from rate limiting | /wp/v2/posts (for admin) |
Configuration
- Navigate to SentinelSecurity → REST API → API Protection
- Toggle each protection item on or off
- Configure rate limiting parameters
- Click Save
How User Enumeration Prevention Works
User enumeration prevention closes several enumeration vectors at once, each with its own countermeasure.
| Enumeration Method | Countermeasure |
|---|---|
| /wp/v2/users | Block the endpoint entirely |
| ?author=1, ?author=2... | Disable Author Archives redirect |
| oEmbed | Remove author name from responses |
| RSS Feed | Remove author information from feeds |
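The four countermeasures in the table above (and the Endpoint Control defaults from section 1) can be reproduced with core WordPress hooks. The following is a constructed example written for this page, not SentinelSecurity's own code; it assumes it is saved as a must-use plugin at wp-content/mu-plugins/block-user-enumeration.php (a hypothetical path) and that "authenticated" means a valid logged-in cookie session.

```php
<?php
/**
 * Constructed example (not SentinelSecurity's code): the four user-enumeration
 * countermeasures, as a minimal must-use plugin. Assumed path:
 * wp-content/mu-plugins/block-user-enumeration.php
 */

// 1. /wp/v2/users: remove the list and single-user routes for visitors.
//    /wp/v2/users/me is a separate route and stays available when logged in,
//    matching the "Allowed" default in the Endpoint Control table.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;                 // authenticated requests untouched
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 2. ?author=N: stop the canonical redirect to /author/<login>/ for visitors.
//    Priority 1 runs before redirect_canonical(), which core hooks at 10,
//    so the user slug is never leaked in a Location header.
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() || ! isset( $_GET['author'] ) ) {
        return;
    }
    wp_safe_redirect( home_url( '/' ), 301 );
    exit;
}, 1 );

// 3. oEmbed: drop author_name/author_url from the JSON/XML response.
add_filter( 'oembed_response_data', function ( array $data ) {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );

// 4. Feeds: blank <dc:creator>/<name> in RSS and Atom output, which core
//    renders through the_author(), so the 'the_author' filter covers both.
add_filter( 'the_author', function ( $display_name ) {
    return is_feed() ? '' : $display_name;
} );
```

Removing the routes makes unauthenticated requests to /wp/v2/users return a rest_no_route 404 rather than a 401, which is the behaviour to expect when verifying the setting with curl.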
Compatibility with Gutenberg and Plugins
Even with API Protection enabled, API requests from authenticated users (such as logged-in administrators) are not restricted.
- Gutenberg Editor: Works normally (authenticated requests are allowed)
- WooCommerce REST API: Works normally (authenticated requests)
- Contact Form 7: Works normally
- Jetpack: Some features may be limited if XML-RPC is disabled
Notes
- If you use applications that rely on XML-RPC (such as legacy mobile apps), consider carefully before disabling XML-RPC
- Rate limiting also applies to legitimate high-volume API requests (such as bulk imports). Adjust the settings if you need to temporarily lift restrictions