REST API Diagnosis
REST API Diagnosis inspects the access control state of each WordPress REST API endpoint and scores information disclosure risks.
Why REST API Diagnosis Is Necessary
The WordPress REST API is enabled by default, and many endpoints are accessible without authentication. This creates the following risks:
- User information leaks: Admin usernames can be retrieved via /wp-json/wp/v2/users
- Content data leaks: Draft posts or private information may be readable through the API
- Plugin information exposure: Installed plugin versions can be identified
- Attack reconnaissance: Gathered information can be used to launch brute-force or zero-day attacks
The /wp-json/wp/v2/users endpoint is particularly susceptible to username enumeration, which is typically the first step in a brute-force attack.
Diagnostic Items (28 Items)
User & Auth (5 items)
| Check Item | Risk | Severity |
|---|---|---|
| /wp/v2/users endpoint | Whether user list can be retrieved | 🔴 High |
| ?author=N enumeration | Username identification via Author ID | 🔴 High |
| /wp/v2/users/me | Current user's own info exposed | 🟠 Medium |
| /wp/v2/settings | Site configuration accessible without auth | 🔴 High |
| Anonymous access to sensitive endpoints | Auth requirements on restricted endpoints | 🔴 High |
Content (5 items)
| Check Item | Risk | Severity |
|---|---|---|
| /wp/v2/media upload | Unauthenticated media uploads | 🔴 High |
| /wp/v2/comments anonymous post | Unauthenticated comment creation | 🟠 Medium |
| Draft/private post exposure | Access to unpublished content | 🔴 High |
| Revisions exposure | Post revision history accessible | 🟡 Low |
| Search endpoint | Information gathering via search | 🟡 Low |
System & Infrastructure (11 items)
| Check Item | Risk | Severity |
|---|---|---|
| REST API status | Whether REST API is enabled at all | 🟠 Medium |
| REST API route listing | Exposure of all available endpoints | 🟠 Medium |
| Themes/plugins exposure | Plugin and theme information via REST | 🔴 High |
| WordPress version exposure | Version info in API responses | 🟠 Medium |
| oEmbed exposure | Information leakage via oEmbed | 🟠 Medium |
| CORS configuration | Cross-origin request permissions | 🟠 Medium |
| Rate limiting | Whether REST API rate limiting is active | 🟠 Medium |
| HTTP Basic Auth | Basic auth exposure on API | 🟡 Low |
| Application passwords | Application password authentication | 🟠 Medium |
| REST prefix | Default REST prefix (/wp-json) in use | 🟡 Low |
| JWT authentication | JWT token handling | 🟡 Low |
Content Types & Taxonomies (3 items)
| Check Item | Risk | Severity |
|---|---|---|
| Post types exposure | Custom post type information | 🟡 Low |
| Taxonomies exposure | Taxonomy structure information | 🟡 Low |
| Media metadata exposure | EXIF and file metadata | 🟡 Low |
API Security (4 items)
| Check Item | Risk | Severity |
|---|---|---|
| Namespace exposure | API namespace enumeration | 🟡 Low |
| Custom endpoints security | Permission checks on plugin endpoints | 🟠 Medium |
| API filters security | Hook/filter abuse potential | 🟡 Low |
| Nonce validation | CSRF protection on API endpoints | 🟠 Medium |
XML-RPC (1 item)
| Check Item | Risk | Severity |
|---|---|---|
| xmlrpc.php enabled | Brute-force and DDoS abuse via XML-RPC | 🔴 High |
Score Calculation
Each item has a weight, and points are deducted based on the severity of detected issues.
- 🔴 High severity: -10 to -15 points
- 🟠 Medium severity: -5 to -8 points
- 🟡 Low severity: -2 to -3 points
| Score | Rating |
|---|---|
| 90–100 | Excellent: Nearly all risks are mitigated |
| 70–89 | Good: Major risks are addressed |
| 50–69 | Needs Improvement: Some significant risks remain |
| 0–49 | Critical: Urgent action required |
Running the Diagnosis
- Navigate to SentinelSecurity → REST API
- Click the Run Diagnosis button
- Results for each check item are displayed in card format
Using Diagnosis Results
Issues identified in the diagnosis can be addressed comprehensively using the API Protection feature. Depending on your environment, the following manual countermeasures are also useful:
Quick Fixes (Manual)
Prevent user enumeration (add to functions.php):

```php
// Disable user enumeration via the REST API: remove both the user collection
// route and the single-user route (unsetting only '/wp/v2/users' would leave
// /wp/v2/users/<id> reachable).
add_filter('rest_endpoints', function ($endpoints) {
    unset($endpoints['/wp/v2/users']);
    unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});
```
Disable XML-RPC:

```php
add_filter('xmlrpc_enabled', '__return_false');
```
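The following is an added example, not code from this page or from SentinelSecurity: it closes the three user-enumeration paths covered by the check items above (the /wp/v2/users routes, ?author=N, and the author fields in oEmbed responses) for unauthenticated visitors only, so the block editor and application-password clients keep working. It assumes a stock WordPress install and uses only core hooks.

```php
<?php
/*
 * Added example (not SentinelSecurity code). Install as a must-use plugin
 * (wp-content/mu-plugins/) or add to functions.php. All hooks are WordPress core.
 */

// 1. REST: for anonymous requests, drop every route under /wp/v2/users.
//    Matching by prefix also covers /wp/v2/users/<id> and /wp/v2/users/me;
//    unsetting only the collection route leaves those reachable.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints; // authenticated users (editor UI, app passwords) keep them
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 2. Front end: ?author=N normally redirects to /author/<nicename>/, and the
//    nicename usually equals the login name. Send anonymous requests home at
//    priority 1, before redirect_canonical (template_redirect, priority 10) runs.
add_action('template_redirect', function (): void {
    if (isset($_GET['author']) && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// 3. oEmbed: remove author_name/author_url from /wp-json/oembed/1.0/embed
//    output so embeds do not reveal display names or author archive URLs.
add_filter('oembed_response_data', function (array $data): array {
    unset($data['author_name'], $data['author_url']);
    return $data;
});
```

After installing, confirm the effect by requesting /wp-json/wp/v2/users and /?author=1 from a logged-out browser session (expect a 404 route error and a redirect to the home page respectively), then check that post editing still works for a non-admin author.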
Dashboard-Based Countermeasures
Enable the API Protection feature to selectively block specific endpoints from the admin dashboard. See the "API Protection" documentation for details.