API Protection

Block the ?author redirect

Adding ?author=1 to any URL normally reveals a user's login name. SentinelSecurity blocks that redirect so the response is the homepage — nothing useful for an attacker.

Require login for the user list

The REST API user endpoint lists every account on your site. SentinelSecurity makes it visible only to logged-in users — anonymous visitors receive nothing.

Lock /users/me to authorised tools only

This endpoint can expose session details about the logged-in account. SentinelSecurity blocks all anonymous calls while your dashboard and trusted apps continue to use it normally.

Block anonymous access to /settings

The settings endpoint can reveal which plugins, languages and timezones you run. SentinelSecurity makes it accessible only to administrators — site configuration stays invisible to outsiders.

Strip author info from oEmbed responses

When a post is shared on social media, the oEmbed response normally includes the author's name and login slug. SentinelSecurity removes that data — posts still preview correctly, just without the attribution.

Remove the API discovery link

WordPress advertises the REST API address in every page's HTML head. SentinelSecurity removes that line — tools that already know the address keep working, automated scanners no longer get a pointer.

Per-IP rate limit with 429 responses

SentinelSecurity counts API requests per IP address and returns a standard 429 response when the limit is reached. Headers like X-RateLimit-Remaining help well-behaved clients back off gracefully.

Tune limits or turn any protection off

Each of the 7 protections has its own toggle and adjustable values. Set the request count and time window to suit your traffic — no protection is mandatory.