API Protection
Protect your REST API with 7 security features. Prevent user enumeration attacks, DDoS attacks, and information leaks with comprehensive security measures.
API Endpoints Are Prime Targets for Attackers
WordPress REST API and user information endpoints are exploited as entry points for brute force attacks and information gathering. Proper protection is essential.
Features
Completely Block User Enumeration Attacks
?author=1 Attack
Usernames can be discovered simply by adding ?author=1 to the URL. This becomes the starting point for brute force attacks.
REST API /users
The REST API exposes a user list at /wp-json/wp/v2/users, and in many installations it can be read without authentication.
oEmbed Information
Author information is also included in oEmbed responses used for embedding.
Block all 3 types of user enumeration attacks with a single click.
7 Protection Features for Your API
Multi-layered defense with rate limiting plus 6 information leak prevention features.
Prevent exposure of usernames and configuration info (6 features)
?author=1 Block
Prevent username discovery via URL parameters. Block access to /?author=1 to stop the reconnaissance phase of brute force attacks.
REST API /users Block
Block unauthenticated access to /wp-json/wp/v2/users endpoint. Logged-in users can still access it.
/users/me Block
Prevent exposure of logged-in user info. Protect the /wp/v2/users/me endpoint.
oEmbed Author Info Removal
Remove author information from oEmbed responses. Prevent information leaks through social sharing.
/settings Block
Block access to /wp/v2/settings endpoint. Prevent exposure of site configuration information.
API Discovery Link Removal
Remove the REST API discovery links from the HTML head and the HTTP Link header so the API is not advertised to crawlers and scanners.
Automatically block excessive requests (1 feature)
Enable Rate Limiting
Add X-RateLimit-* headers to REST API responses. Limit the number of requests.
Request Limiting
Limit the number of requests allowed within a time window (default 60 seconds). Returns a 429 Too Many Requests error once the limit is exceeded.
DDoS Prevention
Protect against server overload from mass API requests. Maintain stable site operation.
Detailed configuration to suit your site
Rate Limit Adjustment
Freely configure the request limit (default 100) and time interval (default 60 seconds).
Individual ON/OFF
Toggle each of the 7 protection features individually. Flexible configuration to match your site needs.
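As an added example (not the plugin's own code), the following must-use plugin implements the seven features described above with core WordPress hooks; the SS_* constants and the ss_rate_bucket() helper are assumed names, and the 100-request / 60-second defaults are the ones quoted above.

```php
<?php
// Illustrative must-use plugin (wp-content/mu-plugins/). Hook names are core
// WordPress filters; SS_* constants and ss_rate_bucket() are assumed names.
const SS_RATE_LIMIT = 100; const SS_RATE_WINDOW = 60; // requests per window / seconds
// ?author=1 block: author archives and ?author= lookups are sent to the front page.
add_action('template_redirect', function () {
    if (isset($_GET['author']) || is_author()) { wp_safe_redirect(home_url('/'), 302); exit; }
});
// API discovery link removal: no <link rel="https://api.w.org/"> tag, no Link: header.
remove_action('wp_head', 'rest_output_link_wp_head', 10);
remove_action('template_redirect', 'rest_output_link_header', 11);

// oEmbed author info removal: the embed no longer names the post author.
add_filter('oembed_response_data', function (array $data) {
    unset($data['author_name'], $data['author_url']);
    return $data;
});

// Per-IP fixed-window counter in a transient; returns [count, seconds until reset].
// REMOTE_ADDR is only the client address when WordPress is not behind a reverse proxy.
function ss_rate_bucket(bool $increment): array {
    $key    = 'ss_rl_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
    $bucket = get_transient($key) ?: ['count' => 0, 'start' => time()];
    if (time() - $bucket['start'] >= SS_RATE_WINDOW) { $bucket = ['count' => 0, 'start' => time()]; }
    if ($increment) { $bucket['count']++; set_transient($key, $bucket, SS_RATE_WINDOW); }
    return [$bucket['count'], SS_RATE_WINDOW - (time() - $bucket['start'])];
}
// /users, /users/me and /settings require a logged-in user; every route is rate-limited.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    if (!is_user_logged_in() && preg_match('#^/wp/v2/(users|settings)#', $request->get_route())) {
        return new WP_Error('rest_forbidden', 'Authentication required.', ['status' => 401]);
    }
    [$count, $left] = ss_rate_bucket(true);
    if ($count > SS_RATE_LIMIT) {
        $resp = new WP_REST_Response(['code' => 'rest_rate_limited', 'message' => 'Too many requests.'], 429);
        $resp->header('Retry-After', (string) $left);
        return $resp;
    }
    return $result;
}, 10, 3);

// X-RateLimit-* headers on every REST response, blocked or not.
add_filter('rest_post_dispatch', function ($response) {
    [$count, $left] = ss_rate_bucket(false);
    $response->header('X-RateLimit-Limit', (string) SS_RATE_LIMIT);
    $response->header('X-RateLimit-Remaining', (string) max(0, SS_RATE_LIMIT - $count));
    $response->header('X-RateLimit-Reset', (string) $left);
    return $response;
});
```

The transient counter is not atomic, so under heavy concurrency a few requests past the limit may slip through; behind a reverse proxy the client address must be taken from the proxy's forwarded header instead of REMOTE_ADDR.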
Explore Other SentinelSecurity Features
Login Security
Login URL change, IP restriction, brute force protection
HTTP Header Diagnosis
Diagnose security header configuration
REST API Diagnosis
Check REST API security status
Vulnerability Assessment
Check core, plugin, and theme vulnerabilities
File Integrity Monitoring
Detect file changes and discover unauthorized access
Security Header Settings
Manage CSP, HSTS, and other security headers via GUI
Email Notification Settings
Fully customize 7 types of security notifications
Protect Your Site with API Protection
All API protection features are available in the free version.