It's very easy for a malicious actor to list the usernames used on your WordPress installation if you have not locked that information down.
Use the code below in your functions.php file to block external requests to your REST API,
e.g. https://www.yourdomainname.com/wp-json/wp/v2/users/
The script below closes off the REST API under /wp-json/ and allows only local access to it.
########################
// Prevent external reading of the JSON REST API
// See: https://www.jucra.com/whmcs/knowledgebase/183/
########################
function restrict_rest_api_to_localhost() {
    // is_admin() is true only for requests to wp-admin pages; REST requests
    // are served from /wp-json/, so they always reach the check below
    if ( ! is_admin() ) {
        // Addresses that may still use the REST API (IPv4 and IPv6 loopback)
        $whitelist = [ '127.0.0.1', '::1' ];
        $message   = 'REST API is disabled.';
        // REMOTE_ADDR is the directly connected client; behind a reverse proxy
        // this is the proxy's address, not the visitor's
        if ( ! in_array( $_SERVER['REMOTE_ADDR'], $whitelist, true ) ) {
            die( $message );
        }
    }
}
add_action( 'rest_api_init', 'restrict_rest_api_to_localhost', 0 );
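The snippet above stops every REST route for every remote client, which also breaks the block editor and any plugin that talks to /wp-json/ from a browser. The following is an added example, not part of the original article or the jucra.com knowledge base, that narrows the restriction to the user endpoints only and returns a proper JSON error through WordPress's rest_pre_dispatch filter instead of die(). The function names, the trusted-proxy list and the list_users capability check are assumptions chosen for illustration; adjust them to your setup.

```php
<?php
// Added example (not from the original article): restrict only the
// /wp/v2/users endpoints of the REST API and answer with a JSON error
// rather than killing the request. Drop into functions.php or a mu-plugin.

// Resolve the client address. REMOTE_ADDR is trusted as-is unless it is one of
// the listed reverse proxies, in which case the leftmost X-Forwarded-For entry
// (the originating client as reported by that proxy) is used instead.
function example_client_ip() {
    $trusted_proxies = [ '127.0.0.1', '::1' ]; // hypothetical: your proxy's address(es)
    $remote          = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

    if ( in_array( $remote, $trusted_proxies, true ) && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $forwarded = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
        return trim( $forwarded[0] );
    }
    return $remote;
}

// Decide whether a given REST route may be served to this client.
// Returns the unchanged $result to allow the request, or a WP_Error to block it.
function example_restrict_user_endpoints( $result, $server, $request ) {
    // Another filter already short-circuited dispatch; leave its decision alone.
    if ( null !== $result ) {
        return $result;
    }

    // Only act on "/wp/v2/users" and "/wp/v2/users/<id>" (and their sub-routes).
    $route = $request->get_route();
    if ( ! preg_match( '#^/wp/v2/users(/|$)#', $route ) ) {
        return $result;
    }

    // Staff who may list users in wp-admin may keep doing so through the API
    // (cookie + nonce or application-password authenticated requests).
    if ( current_user_can( 'list_users' ) ) {
        return $result;
    }

    // Local callers (cron, CLI tooling on the same host) are still allowed.
    $local = [ '127.0.0.1', '::1' ];
    if ( in_array( example_client_ip(), $local, true ) ) {
        return $result;
    }

    // Everyone else gets a 401 JSON error instead of the user listing.
    return new WP_Error(
        'rest_user_listing_disabled',
        'User endpoints are not available.',
        [ 'status' => 401 ]
    );
}
add_filter( 'rest_pre_dispatch', 'example_restrict_user_endpoints', 10, 3 );
```

The route match is anchored at the start of the string so that other routes merely mentioning "users" are untouched, and the check runs before the controller is dispatched, so no user data is assembled for a blocked request. To verify it, request https://www.yourdomainname.com/wp-json/wp/v2/users/ anonymously and confirm you receive a 401 JSON body with the rest_user_listing_disabled code, while a request to /wp-json/wp/v2/posts still succeeds.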