REST API Diagnosis
REST API Diagnosis inspects the access control state of each WordPress REST API endpoint and scores information disclosure risks.
Why REST API Diagnosis Is Necessary
The WordPress REST API is enabled by default, and many endpoints are accessible without authentication. This creates the following risks:
- User information leaks: Admin usernames can be retrieved via /wp-json/wp/v2/users
- Content data leaks: Draft posts or private information may be readable through the API
- Plugin information exposure: Installed plugin versions can be identified
- Attack reconnaissance: Gathered information can be used to launch brute-force or zero-day attacks
The /wp-json/wp/v2/users endpoint is particularly susceptible to username enumeration, which is typically the first step of a brute-force attack against the login form or XML-RPC.
Diagnostic Items (18 Items)
User Information (5 items)
| Check Item | Risk | Severity |
|---|---|---|
| /wp/v2/users endpoint | Whether user list can be retrieved | 🔴 High |
| ?author=N enumeration | Username identification via Author ID | 🔴 High |
| oEmbed user exposure | Whether author name is included in oEmbed responses | 🟠 Medium |
| User metadata | Custom field exposure for users | 🟡 Low |
| User role exposure | User role (permission) information | 🟡 Low |
Content (5 items)
| Check Item | Risk | Severity |
|---|---|---|
| /wp/v2/posts unauthenticated access | Detailed post data retrieval | 🟡 Low |
| /wp/v2/pages unauthenticated access | Detailed page data retrieval | 🟡 Low |
| /wp/v2/media file listing | Media file list retrieval | 🟠 Medium |
| /wp/v2/comments full exposure | Comment data and author emails | 🟠 Medium |
| Draft/private post exposure | Access to unpublished content | 🔴 High |
System Information (4 items)
| Check Item | Risk | Severity |
|---|---|---|
| REST API route listing | Exposure of all available endpoints | 🟠 Medium |
| /wp/v2/plugins | Plugin information exposure | 🔴 High |
| /wp/v2/themes | Theme information exposure | 🟠 Medium |
| WordPress version exposure | Version info in API responses | 🟠 Medium |
XML-RPC (4 items)
| Check Item | Risk | Severity |
|---|---|---|
| xmlrpc.php enabled | Brute-force via XML-RPC | 🔴 High |
| system.listMethods | List of available XML-RPC methods | 🟠 Medium |
| pingback.ping | Abuse for DDoS amplification attacks | 🔴 High |
| wp.getUsersBlogs | User authentication testing | 🟠 Medium |
Score Calculation
Each item has a weight, and points are deducted based on the severity of detected issues.
- 🔴 High severity: -10 to -15 points
- 🟠 Medium severity: -5 to -8 points
- 🟡 Low severity: -2 to -3 points
| Score | Rating |
|---|---|
| 90–100 | Excellent: Nearly all risks are mitigated |
| 70–89 | Good: Major risks are addressed |
| 50–69 | Needs Improvement: Some significant risks remain |
| 0–49 | Critical: Urgent action required |
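As an added example (not SentinelSecurity's own code), the script below shows how the check items and the score calculation above fit together: it evaluates a handful of the listed checks against captured HTTP responses from your own site (here constructed inline, no network access) and applies the page's deduction bands and rating table. The per-item weights are assumptions chosen inside the ranges the page gives (High 10 to 15, Medium 5 to 8, Low 2 to 3); the plugin's real weights are not documented on this page.

```python
"""Offline model of a REST API exposure score (added example, not plugin code)."""
import json
from dataclasses import dataclass, field

HIGH, MEDIUM, LOW = "High", "Medium", "Low"

# Assumed weights (hypothetical), each inside the page's severity bands.
WEIGHTS = {
    "users_endpoint":        (HIGH,   15),  # /wp/v2/users lists users
    "author_enumeration":    (HIGH,   12),  # /?author=N redirects to /author/<slug>/
    "plugins_endpoint":      (HIGH,   12),  # /wp/v2/plugins readable without auth
    "xmlrpc_enabled":        (HIGH,   10),  # xmlrpc.php answers system.listMethods
    "route_listing":         (MEDIUM,  6),  # /wp-json/ exposes the route index
    "posts_unauthenticated": (LOW,     2),  # /wp/v2/posts returns post data
}

# Lower bound of each band, from the page's rating table.
RATINGS = [(90, "Excellent"), (70, "Good"), (50, "Needs Improvement"), (0, "Critical")]


@dataclass
class Response:
    """Minimal captured HTTP response: status, body, and headers."""
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def _json(resp):
    try:
        return json.loads(resp.body)
    except ValueError:
        return None


def check_users_endpoint(resp):
    data = _json(resp)
    return resp.status == 200 and isinstance(data, list) and any(
        isinstance(u, dict) and "slug" in u for u in data)


def check_author_enumeration(resp):
    # WordPress answers /?author=N with a redirect whose Location reveals the slug.
    return resp.status in (301, 302) and "/author/" in resp.headers.get("Location", "")


def check_plugins_endpoint(resp):
    return resp.status == 200 and isinstance(_json(resp), list)


def check_xmlrpc_enabled(resp):
    # A successful methodResponse (no fault) to system.listMethods means XML-RPC is live.
    return resp.status == 200 and "<methodResponse>" in resp.body and "faultCode" not in resp.body


def check_route_listing(resp):
    data = _json(resp)
    return resp.status == 200 and isinstance(data, dict) and "routes" in data


def check_posts_unauthenticated(resp):
    data = _json(resp)
    return resp.status == 200 and isinstance(data, list) and len(data) > 0


CHECKS = {
    "users_endpoint": check_users_endpoint,
    "author_enumeration": check_author_enumeration,
    "plugins_endpoint": check_plugins_endpoint,
    "xmlrpc_enabled": check_xmlrpc_enabled,
    "route_listing": check_route_listing,
    "posts_unauthenticated": check_posts_unauthenticated,
}


def rate(score):
    """Map a 0-100 score to the page's rating label."""
    for lower, label in RATINGS:
        if score >= lower:
            return label
    return "Critical"


def diagnose(responses):
    """responses: check name -> Response. Returns (findings, score, rating)."""
    findings, deduction = [], 0
    for name, check in CHECKS.items():
        resp = responses.get(name)
        if resp is not None and check(resp):
            severity, weight = WEIGHTS[name]
            findings.append((name, severity, weight))
            deduction += weight
    score = max(0, 100 - deduction)
    return findings, score, rate(score)


# Constructed sample responses: an unhardened site where only /wp/v2/plugins is protected.
SAMPLE = {
    "users_endpoint": Response(200, json.dumps([{"id": 1, "slug": "admin", "name": "Site Admin"}])),
    "author_enumeration": Response(301, headers={"Location": "https://example.test/author/admin/"}),
    "plugins_endpoint": Response(401, json.dumps({"code": "rest_cannot_view_plugins"})),
    "xmlrpc_enabled": Response(200, '<?xml version="1.0"?><methodResponse><params/></methodResponse>'),
    "route_listing": Response(200, json.dumps({"routes": {"/wp/v2/users": {}}})),
    "posts_unauthenticated": Response(200, json.dumps([{"id": 7, "status": "publish"}])),
}

if __name__ == "__main__":
    found, total, label = diagnose(SAMPLE)
    for name, sev, weight in found:
        print(f"{sev:6} -{weight:2}  {name}")
    print(f"score={total} rating={label}")
```

With the constructed sample, five of the six checks fire (15 + 12 + 10 + 6 + 2 = 45 points deducted), giving a score of 55 and the "Needs Improvement" band; the 401 from /wp/v2/plugins correctly produces no finding. Swapping in responses captured from your own site after applying the fixes below lets you confirm each deduction disappears.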
Running the Diagnosis
- Navigate to SentinelSecurity → REST API Diagnosis
- Click the Run Diagnosis button
- Results for each check item are displayed in card format
Using Diagnosis Results
Issues identified in the diagnosis can be addressed comprehensively using the Pro version's API Protection feature. With the Free version, the following manual countermeasures are necessary:
Quick Fixes (Manual)
Prevent user enumeration (add to the active theme's functions.php or a small site plugin). Note that the collection route alone is not enough: the single-user route /wp/v2/users/<id> must be removed as well, and this snippet removes both for every request, including logged-in editors, so the post author selector in the block editor will stop working:
```php
// Disable user enumeration via the REST API by removing both user routes.
add_filter('rest_endpoints', function ($endpoints) {
    unset($endpoints['/wp/v2/users']);
    unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});
```
Disable XML-RPC (this filter turns off the XML-RPC methods that require authentication, which stops credential brute-forcing through xmlrpc.php; unauthenticated methods such as pingback.ping and system.listMethods still respond, so block xmlrpc.php at the web server level if those must be closed too):
```php
add_filter('xmlrpc_enabled', '__return_false');
```
Pro Version Countermeasures
Enable the API Protection feature to selectively block specific endpoints from the admin dashboard. See the "API Protection" documentation for details.