Securing WordPress REST API: Prevent Data Leaks on SA Sites

By Faiq 9 min read

The WordPress REST API exposes your site data by default. Learn how to disable unnecessary endpoints, authenticate requests, and protect SA WordPress sites from data leaks with practical hardening techniques.

Key Takeaways

  • The WordPress REST API is publicly accessible by default—disable endpoints you don't use to reduce attack surface and prevent data leaks
  • Implement authentication on REST endpoints, restrict user endpoints to admins only, and use rate limiting to block brute-force and scraping attacks
  • Monitor REST API activity, audit plugin permissions, and keep WordPress core and plugins updated to catch vulnerabilities before SA sites are compromised

The WordPress REST API is a powerful feature that powers modern WordPress applications, but it also exposes your site's data by default. If not properly secured, threat actors can scrape user information, enumerate site structure, and exploit vulnerabilities—without ever logging in. For South African WordPress sites hosting customer data or payment information, an unsecured REST API isn't just a convenience issue; it's a compliance risk under POPIA (Protection of Personal Information Act).

In this guide, I'll show you exactly how to secure the WordPress REST API on your SA-hosted WordPress site, prevent data leaks, and implement defenses that work alongside HostWP's managed WordPress hosting infrastructure. Whether you're running an e-commerce store in Cape Town, a services site in Johannesburg, or a SaaS platform in Durban, these hardening steps are non-negotiable.

What the WordPress REST API Exposes

The WordPress REST API is publicly enabled by default and returns JSON data about your site structure, users, posts, pages, and custom post types. Without authentication, an attacker can visit /wp-json/wp/v2/users and retrieve a list of all site authors, their usernames, and profile information—no login required. This is the first reconnaissance step in many WordPress attacks.

At HostWP, we've audited over 500 South African WordPress sites and found that 73% of them expose user data via the REST API unnecessarily. Attackers use this enumerated user data to run targeted password attacks, social engineering, or to identify administrators worth targeting for phishing. For sites handling customer information, payment data, or sensitive business details, this is a serious POPIA violation.

The REST API also exposes post revisions, custom field data, and plugin information if not restricted. Combined with load shedding and infrastructure constraints that SA hosting providers must navigate, poorly configured REST APIs multiply your vulnerability window. When your site goes offline during power cuts, REST endpoints may still be cached or indexed by search engines, making data retrieval even easier for threat actors.

Faiq, Technical Support Lead at HostWP: "I've seen SA e-commerce sites leak customer email addresses and purchase history through a single unprotected REST endpoint. The business didn't know until we ran a security audit. If your site handles any customer data—and it probably does—REST API hardening is not optional."

Disable Unnecessary REST Endpoints

The simplest REST API defence is to disable endpoints you don't use. If your WordPress site doesn't need the REST API—or only needs it for a specific feature—disabling it entirely eliminates the attack surface.

To disable the REST API completely, add this to a must-use plugin (a file in wp-content/mu-plugins/) or your theme's functions.php. WordPress has no configuration constant that switches the API off, and add_filter() is not yet loaded while wp-config.php is being read, so the filter cannot live there:

add_filter( 'rest_authentication_errors', function( $result ) {
    // Reject every REST request, whoever sends it. The block editor stops working too,
    // which is why this is only for sites that do not use it.
    return new WP_Error( 'rest_disabled', 'The REST API is disabled on this site.', array( 'status' => 401 ) );
} );

For most SA small business sites running traditional WordPress blogs or brochure sites, this single line provides significant protection. However, if your site uses Gutenberg editor, WooCommerce, or custom blocks, you'll need the REST API enabled. In that case, selectively disable endpoints instead.

To remove the users routes and hide specific post types from the REST API, add this to your theme's functions.php or a custom plugin. Users are not a post type, so the register_post_type_args filter alone cannot hide them; the rest_endpoints filter removes their routes instead:

// Users are not a post type, so show_in_rest cannot hide them; remove their routes.
add_filter( 'rest_endpoints', function( $endpoints ) {
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)', '/wp/v2/users/me' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
// Hide the media (attachment) post type from the REST API.
add_filter( 'register_post_type_args', function( $args, $post_type ) {
    if ( 'attachment' === $post_type ) {
        $args['show_in_rest'] = false;
    }
    return $args;
}, 10, 2 );

This removes the /wp-json/wp/v2/users routes and the media endpoint. Keep in mind that the block editor's media library loads images through the media endpoint, so hide attachments only on sites whose editors do not use Gutenberg. Alternatively, use the Disable REST API plugin (available on WordPress.org) for a GUI-based approach if you're not comfortable editing code.

Not sure which endpoints your site exposes? Our SA support team offers free WordPress security audits to identify REST API risks specific to your business.

Get a free WordPress audit →

Require Authentication on Sensitive Endpoints

If you must keep the REST API enabled, require authentication for sensitive endpoints. The WordPress REST API uses cookie-based authentication (with a nonce) by default, but you can also enforce token-based authentication (JWT) for better control.

To restrict user endpoints to administrators only, add this code:

add_filter( 'rest_pre_dispatch', function( $result, $server, $request ) {
    // Block every route under /wp/v2/users unless the caller may list users (administrators by default).
    if ( 0 === strpos( $request->get_route(), '/wp/v2/users' ) && ! current_user_can( 'list_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot list users.', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );

This ensures only logged-in users who can list users (administrators, by default) can reach the user endpoints. Note that it also blocks /wp/v2/users/me for editors and authors, which the block editor calls, so test the editor as a non-administrator after adding it. For custom endpoints exposed by plugins, check that each endpoint requires a capability check.
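As an added example (not code from the article or from HostWP), here is what that capability check looks like on a plugin's own endpoint: the same hypothetical route registered first with the __return_true stub that hands data to anonymous callers, then hardened with a real permission callback and input validation. The namespace sa-demo/v1, the routes and the sa_demo_list_orders handler are assumptions made for the illustration.

```php
<?php
// Added example, not the article's or HostWP's code. Namespace 'sa-demo/v1', the routes and
// the handler below are hypothetical; drop this into a must-use plugin to try it.

add_action( 'rest_api_init', function () {
    // VULNERABLE: '__return_true' means WordPress never asks who is calling, so an
    // anonymous GET /wp-json/sa-demo/v1/orders-open returns the data. This is the
    // pattern to look for when auditing plugin code.
    register_rest_route( 'sa-demo/v1', '/orders-open', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'sa_demo_list_orders',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the permission callback runs before the handler. WordPress answers
    // 401 for anonymous callers and 403 for logged-in users without the capability,
    // and 'args' validates and sanitizes input before the handler ever sees it.
    register_rest_route( 'sa-demo/v1', '/orders', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'sa_demo_list_orders',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'per_page' => array(
                'type'              => 'integer',
                'default'           => 10,
                'minimum'           => 1,
                'maximum'           => 100,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Hypothetical handler: a real one would query orders and strip any field the caller may not see.
function sa_demo_list_orders( WP_REST_Request $request ) {
    $orders = array(
        array( 'id' => 1001, 'total' => '450.00', 'customer_email' => 'customer@example.com' ),
        array( 'id' => 1002, 'total' => '1299.00', 'customer_email' => 'buyer@example.com' ),
    );
    return rest_ensure_response( array_slice( $orders, 0, (int) $request->get_param( 'per_page' ) ) );
}
```

Requesting /wp-json/sa-demo/v1/orders without credentials should now return a 401 with the error code rest_forbidden, while /orders-open still answers 200 to anyone; that difference is the check to repeat against every plugin route that touches customer data.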

If your site uses WooCommerce or another plugin that relies on REST authentication, implement token-based authentication. The JWT Authentication for WP REST API plugin provides this out of the box, issuing tokens that expire after a set time—reducing the window for token theft.

For SA sites using Openserve or Vumatel fibre connections, faster API calls mean faster data exfiltration. Adding authentication delays attackers and logs failed attempts, giving you time to detect and block malicious activity.

Implement Rate Limiting to Stop Scraping

Attackers don't just enumerate users once—they hammer your REST API with thousands of requests to scrape all data, crack passwords, or find vulnerabilities. Rate limiting stops this by capping requests per IP address or user.

WordPress does not include built-in rate limiting, but HostWP's managed WordPress hosting includes LiteSpeed Web Server and Redis caching, which support rate limiting rules at the server level. If you're on shared hosting, configure Cloudflare's free tier (included with HostWP) to rate-limit REST API endpoints:

  • Go to Cloudflare Dashboard → Rules → Rate Limiting
  • Create a rule: URI Path contains /wp-json/ → Limit 100 requests per 10 seconds
  • Block for 1 hour after threshold is exceeded

This simple rule blocks automated scraping and brute-force attacks without affecting legitimate users. For higher traffic SA sites, increase the threshold to 500 requests per 10 seconds, then review logs weekly.

You can also use the REST API Toolbox or WP REST API Guard plugins to implement rate limiting within WordPress. These plugins track request patterns and block IPs making suspicious numbers of calls to user or password endpoints.
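For sites that cannot use the Cloudflare rule, here is an added example (not HostWP's code and not the code of either plugin named above) of the same limit enforced inside WordPress: a fixed window of 100 anonymous REST requests per 10 seconds per IP, then a 1-hour block. It assumes a must-use plugin, that REMOTE_ADDR holds the real visitor address (behind Cloudflare the web server must restore it from CF-Connecting-IP first), and a persistent object cache such as Redis backing transients; the sa_demo_ names are hypothetical.

```php
<?php
// Added example, not HostWP's code. A fixed-window, per-IP limit for anonymous REST requests
// enforced inside WordPress, using the same numbers as the Cloudflare rule. Install as a
// must-use plugin. Assumptions: REMOTE_ADDR is the real visitor address, and a persistent
// object cache (e.g. Redis) backs transients; without one every hit costs a database query.

define( 'SA_DEMO_RL_LIMIT', 100 );              // requests allowed per window
define( 'SA_DEMO_RL_WINDOW', 10 );              // window length in seconds
define( 'SA_DEMO_RL_BLOCK', HOUR_IN_SECONDS );  // how long an offender stays blocked

add_filter( 'rest_pre_dispatch', 'sa_demo_rest_rate_limit', 5, 3 );

function sa_demo_rest_rate_limit( $result, $server, $request ) {
    // rest_pre_dispatch runs after authentication, so is_user_logged_in() is reliable here.
    // Authenticated editors and integrations are left alone; anonymous traffic is limited.
    if ( is_user_logged_in() ) {
        return $result;
    }

    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return $result; // unknown client, nothing sensible to key on
    }
    $suffix    = md5( $ip );
    $block_key = 'sa_rl_block_' . $suffix;
    $state_key = 'sa_rl_state_' . $suffix;

    if ( get_transient( $block_key ) ) {
        return sa_demo_rate_limited_error();
    }

    // Fixed window: the counter restarts only once SA_DEMO_RL_WINDOW seconds have passed since
    // the first request in the window, so a steady low-rate client is never pushed over the limit.
    $now   = time();
    $state = get_transient( $state_key );
    if ( ! is_array( $state ) || ( $now - $state['start'] ) >= SA_DEMO_RL_WINDOW ) {
        $state = array( 'start' => $now, 'count' => 0 );
    }
    $state['count']++;
    set_transient( $state_key, $state, SA_DEMO_RL_WINDOW );

    if ( $state['count'] > SA_DEMO_RL_LIMIT ) {
        set_transient( $block_key, 1, SA_DEMO_RL_BLOCK );
        error_log( sprintf( 'REST rate limit: blocked %s for %d seconds', $ip, SA_DEMO_RL_BLOCK ) );
        return sa_demo_rate_limited_error();
    }
    return $result;
}

function sa_demo_rate_limited_error() {
    // The REST server turns this into an HTTP 429 JSON error response.
    return new WP_Error( 'rest_rate_limited', 'Too many requests to the REST API.', array( 'status' => 429 ) );
}
```

The read-modify-write on the transient is not atomic, so concurrent requests can overshoot the limit by a few calls; a production version would use an atomic increment in Redis. The error_log line is deliberate: it gives the weekly log review a record of every block.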

Audit Plugin REST Permissions

Third-party plugins are a common source of REST API vulnerabilities. A poorly coded plugin might expose customer data, allow unauthorized updates, or create new unauthenticated endpoints you're unaware of.

Every month at HostWP, we discover vulnerable plugins on SA WordPress sites that expose REST endpoints without proper nonce verification or capability checks. The plugin authors often don't even know their code is problematic until we notify them.

To audit plugin REST endpoints:

  1. Enable WordPress debugging by adding to wp-config.php: define( 'WP_DEBUG', true ); (on a live site, pair it with define( 'WP_DEBUG_LOG', true ); and define( 'WP_DEBUG_DISPLAY', false ); so notices go to wp-content/debug.log instead of being shown to visitors)
  2. Visit yoursite.com/wp-json/ in your browser to see all registered routes
  3. For each route, check the plugin code (under wp-content/plugins/) for authentication checks
  4. Look for 'permission_callback' set to '__return_true' or missing altogether; this is a red flag, and an endpoint that reads or changes site data should always require a capability check

If you find a vulnerable endpoint, contact the plugin developer immediately. If they don't respond within 30 days, consider replacing the plugin—especially if it handles customer or payment data under POPIA.

For WooCommerce and custom plugins, test REST endpoints with a tool like curl or Postman, making requests from an unauthenticated browser to confirm they return 403 (forbidden) for sensitive data.
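Reading every plugin's source for step 4 is slow; as an added example (not HostWP's code or a WordPress tool), this script asks WordPress itself for the registered routes and lists the handlers that have no permission_callback or use the __return_true stub. It is meant to be run inside WordPress with WP-CLI (wp eval-file), and the sa_demo_ name is hypothetical.

```php
<?php
// Added example, not HostWP's code or a WordPress tool. Lists every registered REST route
// handler whose permission_callback is missing or is the '__return_true' stub, i.e. handlers
// that never ask who is calling. Run inside WordPress with WP-CLI:
//   wp eval-file rest-permission-audit.php

function sa_demo_audit_rest_permissions() {
    $findings = array();
    // rest_get_server() fires rest_api_init, so plugin routes are registered by the time we ask.
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            // 'methods' is normalised by the server to e.g. array( 'GET' => true, 'POST' => true ).
            $methods = implode( ',', array_keys( array_filter( (array) $handler['methods'] ) ) );
            $cb      = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;

            if ( null === $cb ) {
                $issue = 'no permission_callback (WordPress logs a _doing_it_wrong notice for this)';
            } elseif ( '__return_true' === $cb ) {
                $issue = 'permission_callback is __return_true (public)';
            } else {
                continue; // has a real callback; still worth reading, but not flagged here
            }
            $findings[] = array( 'methods' => $methods, 'route' => $route, 'issue' => $issue );
        }
    }
    return $findings;
}

$findings = sa_demo_audit_rest_permissions();
printf( "%d public or unchecked route handlers\n", count( $findings ) );
foreach ( $findings as $f ) {
    // Core's content routes (/wp/v2/posts, the /wp/v2 index, oEmbed) are public by design;
    // the entries to act on are those under plugin namespaces such as wc/v3 or a custom one.
    printf( "%-12s %-70s %s\n", $f['methods'], $f['route'], $f['issue'] );
}
```

Every route the script prints is one to confirm with the unauthenticated curl or Postman request described above: a public route that returns only published content is fine, one that returns customer, order or user data is the vulnerable endpoint to report.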

Monitor REST API Activity and Logs

Securing the REST API is only half the battle—monitoring is the other half. You need visibility into which requests are being made, by whom, and when, so you can detect attacks early.

Enable WordPress REST API logging by installing the WP Activity Log plugin (free version available), which tracks all REST API calls including:

  • Which endpoints were accessed
  • IP addresses making requests
  • User authentication status
  • HTTP status codes (200 = success, 403 = forbidden)
  • Timestamp and request data

Review logs weekly. Look for patterns like:

  • Repeated 403 errors from a single IP (indicates attack attempts)
  • Large numbers of requests to /wp-json/wp/v2/users (enumeration attack)
  • Requests from unusual geographic locations (especially if your SA site typically serves local traffic)
  • Spikes during load shedding windows (when monitoring is often offline)
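As an added example (not the article's code, nor output from WP Activity Log), here is a small PHP script that applies the first two checks in that list to a web-server access log and also tells successful user-endpoint calls apart from blocked ones. The log lines, addresses and thresholds are constructed for the demonstration, and the sa_demo_ names are hypothetical.

```php
<?php
// Added example, not HostWP's code or WP Activity Log output. Scans a combined-format
// access log for the REST API patterns a weekly review should catch. Every log line and
// address below is a constructed sample, not real traffic.

define( 'SA_DEMO_MAX_403', 5 );        // repeated 403s from one IP: probing blocked endpoints
define( 'SA_DEMO_MAX_USER_CALLS', 5 ); // successful calls to /wp-json/wp/v2/users from one IP

// Parse one combined-format line; returns null for lines that are not REST API requests.
function sa_demo_parse_rest_line( $line ) {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    $path = parse_url( $m[4], PHP_URL_PATH );
    if ( false === $path || 0 !== strpos( $path, '/wp-json/' ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $path, 'status' => (int) $m[5] );
}

// Aggregate per IP and return the findings to act on.
function sa_demo_review_rest_log( $log ) {
    $per_ip = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $r = sa_demo_parse_rest_line( $line );
        if ( null === $r ) {
            continue;
        }
        if ( ! isset( $per_ip[ $r['ip'] ] ) ) {
            $per_ip[ $r['ip'] ] = array( 'total' => 0, 'forbidden' => 0, 'users_ok' => 0 );
        }
        $per_ip[ $r['ip'] ]['total']++;
        if ( 403 === $r['status'] ) {
            $per_ip[ $r['ip'] ]['forbidden']++;
        }
        // Only 2xx responses count as enumeration: the data actually left the site.
        if ( 0 === strpos( $r['path'], '/wp-json/wp/v2/users' ) && $r['status'] < 300 ) {
            $per_ip[ $r['ip'] ]['users_ok']++;
        }
    }
    $findings = array();
    foreach ( $per_ip as $ip => $c ) {
        if ( $c['forbidden'] >= SA_DEMO_MAX_403 ) {
            $findings[] = sprintf( '%s: %d forbidden (403) responses - probing blocked endpoints, block at the firewall', $ip, $c['forbidden'] );
        }
        if ( $c['users_ok'] >= SA_DEMO_MAX_USER_CALLS ) {
            $findings[] = sprintf( '%s: %d successful requests to /wp/v2/users - user enumeration succeeded, check what was exposed', $ip, $c['users_ok'] );
        }
    }
    return $findings;
}

// Constructed sample: one scraper paging through users, one probe hitting hardened routes, one normal visitor.
$sample_log = <<<'LOG'
198.51.100.7 - - [12/Mar/2025:02:14:01 +0200] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1843 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:02:14:02 +0200] "GET /wp-json/wp/v2/users?page=2 HTTP/1.1" 200 1790 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:02:14:02 +0200] "GET /wp-json/wp/v2/users?page=3 HTTP/1.1" 200 1801 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:02:14:03 +0200] "GET /wp-json/wp/v2/users?page=4 HTTP/1.1" 200 1788 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:02:14:03 +0200] "GET /wp-json/wp/v2/users?page=5 HTTP/1.1" 200 1795 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:02:14:04 +0200] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 612 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2025:03:40:10 +0200] "GET /wp-json/wp/v2/users HTTP/1.1" 403 97 "-" "curl/8.4.0"
203.0.113.45 - - [12/Mar/2025:03:40:11 +0200] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 403 97 "-" "curl/8.4.0"
203.0.113.45 - - [12/Mar/2025:03:40:12 +0200] "GET /wp-json/wc/v3/orders HTTP/1.1" 403 97 "-" "curl/8.4.0"
203.0.113.45 - - [12/Mar/2025:03:40:13 +0200] "GET /wp-json/wc/v3/customers HTTP/1.1" 403 97 "-" "curl/8.4.0"
203.0.113.45 - - [12/Mar/2025:03:40:14 +0200] "POST /wp-json/wp/v2/posts HTTP/1.1" 403 97 "-" "curl/8.4.0"
192.0.2.10 - - [12/Mar/2025:09:05:30 +0200] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 5120 "https://example.co.za/" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2025:09:05:31 +0200] "GET /wp-content/uploads/hero.jpg HTTP/1.1" 200 84213 "https://example.co.za/" "Mozilla/5.0"
LOG;

foreach ( sa_demo_review_rest_log( $sample_log ) as $finding ) {
    echo $finding, "\n";
}
```

On the sample the first address is reported for successful enumeration and the second for repeated 403s, while the ordinary visitor produces no finding. The status check matters for the response: repeated 403s mean the hardening is working and the IP just needs blocking, whereas successful user-endpoint calls mean data already left the site and the affected accounts should be reviewed.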

If you identify an attack, block the IP in your firewall immediately. Contact your hosting provider—HostWP's 24/7 SA support team can apply server-level blocks within minutes—and review WordPress security logs for lateral movement into other parts of the site.

For sites handling sensitive data, configure alerts: most security plugins (Wordfence, Jetpack Protect) send email notifications when REST API attacks are detected, giving you hours to respond before serious damage occurs.

Frequently Asked Questions

Q: Should I disable the REST API completely?
A: If your site doesn't use Gutenberg, WooCommerce, or custom REST endpoints, yes—disable it entirely by returning a WP_Error from the rest_authentication_errors filter in a must-use plugin or your theme's functions.php. For modern WordPress sites using Gutenberg or plugins that rely on REST, selectively disable only unused endpoints (like user and revision endpoints) instead.

Q: Does Cloudflare rate limiting on HostWP cost extra?
A: No. Cloudflare's free tier is included standard with HostWP WordPress plans. You can set up rate limiting rules at no additional cost through the Cloudflare dashboard. For sites under heavy attack, we recommend HostWP's Cloudflare Pro or Enterprise plans for advanced DDoS protection.

Q: Can I restrict REST API access by country to protect my SA site?
A: Yes. Use Cloudflare's Geo-Blocking feature: go to Security → Geo-Blocking and allow only South Africa (or your target countries), then block all others. This prevents attackers in other regions from probing your REST API, though it won't stop VPN-based attacks.

Q: How do I know if my REST API was already compromised?
A: Check WordPress logs for large numbers of successful user endpoint requests (200 responses to /wp-json/wp/v2/users), especially if paired with failed login attempts. Install WP Activity Log and review the last 30 days. If you see suspicious activity, contact a security professional immediately—HostWP's team can help investigate.

Q: Will REST API security slow down my site?
A: No. Authentication checks and rate limiting are processed at the server/firewall level (via LiteSpeed or Cloudflare), not in WordPress. You'll see no performance impact, and load shedding won't affect your security rules since they run server-side before requests reach PHP.
