Increase the security of your WordPress website by hiding usernames from WP-JSON that are otherwise publicly accessible.
Not everyone knows this, but by default WordPress discloses usernames and makes them available to the public via WP’s REST API. This may not be a problem for public blogs, but can become a problem for private or business sites.
A list of all users can be found at https://<your-domain.com>/wp-json/wp/v2/users, and you can also retrieve information about a specific user at https://<your-domain.com>/wp-json/wp/v2/users/1, where 1 is the ID of the user.
To deactivate these two endpoints, add this code snippet to the functions.php file of your theme:
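// Remove the public user routes from the WordPress REST API.
// This applies to every request, including those from logged-in users.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    // List of all users: /wp-json/wp/v2/users
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    // Single user by ID: /wp-json/wp/v2/users/<id>
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );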
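
To confirm on your own site that the snippet took effect, you can request both routes and check that WordPress answers with its rest_no_route error instead of user objects. The following Python check is an added example, not part of the original post; the function names and the three verdict labels are assumptions made for illustration.

```python
import json
import sys
import urllib.error
import urllib.request

# The two routes the snippet above removes; user ID 1 is the page's example ID.
ROUTES = ("/wp-json/wp/v2/users", "/wp-json/wp/v2/users/1")


def classify(status, body):
    """Classify one REST response as 'disabled', 'exposed' or 'inconclusive'."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return "inconclusive"  # not JSON: e.g. an HTML error page or a WAF block
    # An unregistered route makes WordPress answer 404 with code rest_no_route.
    if status == 404 and isinstance(data, dict) and data.get("code") == "rest_no_route":
        return "disabled"
    # A live endpoint returns one user object, or a list of them, each with a slug.
    users = data if isinstance(data, list) else [data]
    if status == 200 and any(isinstance(u, dict) and "slug" in u for u in users):
        return "exposed"
    return "inconclusive"  # e.g. an empty list or an auth error: check by hand


def fetch(url, timeout=10):
    """Return (status, body) for a GET, including for HTTP error statuses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_site(base_url, fetcher=fetch):
    """Map each user route of base_url to its classification."""
    base = base_url.rstrip("/")
    return {route: classify(*fetcher(base + route)) for route in ROUTES}


if __name__ == "__main__" and len(sys.argv) == 2:
    results = check_site(sys.argv[1])
    for route, verdict in results.items():
        print(f"{verdict:13} {route}")
    # Non-zero exit if any route still returns user data, for use in CI or cron.
    sys.exit(1 if "exposed" in results.values() else 0)
```

Run it with your site's base URL as the only argument; an "inconclusive" verdict means the response was neither the expected 404 nor a user object and should be inspected manually.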