{"id":276994,"date":"2026-01-25T08:16:28","date_gmt":"2026-01-25T08:16:28","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/pinnys-rest-lock\/"},"modified":"2026-03-06T07:17:55","modified_gmt":"2026-03-06T07:17:55","slug":"pinnys-rest-lock","status":"publish","type":"plugin","link":"https:\/\/so.wordpress.org\/plugins\/pinnys-rest-lock\/","author":23272894,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.0.0","stable_tag":"1.0.0","tested":"6.9.4","requires":"5.0","requires_php":"7.0","requires_plugins":null,"header_name":"Pinny's Rest Lock","header_author":"Pinny Fried","header_description":"Prevents public access to REST API user endpoints while allowing authorized roles.","assets_banners_color":"044b60","last_updated":"2026-03-06 07:17:55","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/pinnyfried.com","header_author_uri":"","rating":0,"author_block_rating":0,"active_installs":10,"downloads":187,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"realpinny","date":"2026-03-06 07:17:55"}},"upgrade_notice":[],"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3479468,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3479468,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3479456,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3479456,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":[],"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[14924,257230,2299,600,1917],"plugin_category":[54],"plugin_contributors":[252008],"plugin_business_model":[],"class_list":["post-276994","plugin","type-plugin","status-publish","hentry","plugin_tags-enumeration","plugin_tags-no-bloat","plugin_tags-rest","plugin_tags-security","plugin_tags-users","plugin_category-security-and-spam-protection","plugin_contributors-realpinny","plugin_committers-realpinny"],"banners":{"banner":"https:\/\/ps.w.org\/pinnys-rest-lock\/assets\/banner-772x250.png?rev=3479456","banner_2x":"https:\/\/ps.w.org\/pinnys-rest-lock\/assets\/banner-1544x500.png?rev=3479456","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/pinnys-rest-lock\/assets\/icon-128x128.png?rev=3479468","icon_2x":"https:\/\/ps.w.org\/pinnys-rest-lock\/assets\/icon-256x256.png?rev=3479468","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p><strong>Blocks public REST API user enumeration while preserving full WordPress functionality.<\/strong><\/p>\n\n<p><strong>Pinny\u2019s REST Lock<\/strong> is an ultra-lightweight security plugin that locks down WordPress REST API user endpoints <strong>without breaking your site<\/strong>.<\/p>\n\n<p>It is designed to fix one of the most common and overlooked WordPress security issues \u2014 <strong>public user enumeration via the REST API<\/strong> \u2014 using the correct, core-aligned approach.<\/p>\n\n\n\n<h3>\ud83d\udea8 Why This Plugin Is Necessary<\/h3>\n\n<p>By default, WordPress publicly exposes REST API endpoints such as:<\/p>\n\n<pre><code>\/wp-json\/wp\/v2\/users\n<\/code><\/pre>\n\n<p>On public sites, these endpoints can be accessed without authentication and are routinely used as the <strong>first step in real-world attacks<\/strong>.<\/p>\n\n<p>This is where attackers start.<\/p>\n\n<p>Public access to REST user endpoints allows attackers to:<\/p>\n\n<ul>\n<li>Enumerate valid usernames<\/li>\n<li>Identify administrator and privileged accounts<\/li>\n<li>Eliminate guesswork before brute-force attacks<\/li>\n<li>Chain enumeration with login abuse and password reset attacks<\/li>\n<\/ul>\n\n<p>This is not theoretical. User enumeration is a <strong>baseline reconnaissance technique<\/strong> used by bots and human attackers alike.<\/p>\n\n<p>Blocking public access to REST user endpoints should be considered <strong>required security hygiene for every WordPress site<\/strong>.<\/p>\n\n\n\n<h3>\u26a0\ufe0f Common REST Protection Pitfalls<\/h3>\n\n<p>Securing REST user endpoints requires precision. Broad or poorly timed restrictions often introduce serious side effects.<\/p>\n\n<p>Common issues include:<\/p>\n\n<ul>\n<li><strong>Blocking all users<\/strong>, including administrators, which breaks authenticated workflows<\/li>\n<li><strong>Disabling the REST API entirely<\/strong>, causing the block editor, WooCommerce, and modern plugins to fail<\/li>\n<li><strong>Applying restrictions before authentication<\/strong>, preventing WordPress from distinguishing public and authorized requests<\/li>\n<li><strong>Allowing low-privilege roles<\/strong>, such as subscribers, to retain access \u2014 leaving user enumeration possible<\/li>\n<\/ul>\n\n<p>Effective protection must be narrowly scoped, permission-aware, and aligned with WordPress core behavior.<\/p>\n\n\n\n<h3>\u2705 How Pinny\u2019s REST Lock Works<\/h3>\n\n<p>Pinny\u2019s REST Lock takes a <strong>surgical, WordPress-native approach<\/strong>:<\/p>\n\n<ul>\n<li>Targets <strong>only<\/strong> REST API user endpoints<\/li>\n<li>Runs <strong>after WordPress authentication<\/strong><\/li>\n<li>Allows access <strong>only<\/strong> to users with appropriate permissions<\/li>\n<li>Returns a proper <code>403 Forbidden<\/code> response to unauthorized requests<\/li>\n<\/ul>\n\n<p>What this means:<\/p>\n\n<ul>\n<li>Administrators continue to work normally<\/li>\n<li>The REST API remains fully functional<\/li>\n<li>Gutenberg, WooCommerce, and REST-based plugins are unaffected<\/li>\n<li>Only public user enumeration is blocked<\/li>\n<\/ul>\n\n<p>This follows WordPress core\u2019s intended permission model.<\/p>\n\n\n\n<h3>\ud83d\ude80 Ultra-Lightweight by Design<\/h3>\n\n<p>Pinny\u2019s REST Lock is intentionally minimal:<\/p>\n\n<ul>\n<li><strong>~1.3 KB uncompressed<\/strong><\/li>\n<li>Single-file plugin<\/li>\n<li>No settings page<\/li>\n<li>No database tables<\/li>\n<li>No logs<\/li>\n<li>No tracking<\/li>\n<li>No ads<\/li>\n<li>No performance impact<\/li>\n<\/ul>\n\n<p>It activates, applies the protection, and gets out of the way.<\/p>\n\n\n\n<h3>\ud83d\udee1\ufe0f A Required Fix for Modern WordPress Sites<\/h3>\n\n<p>If your site is public, your REST user endpoints should not be.<\/p>\n\n<p>Pinny\u2019s REST Lock closes one of the most common entry points attackers look for \u2014 without breaking WordPress, without blocking admins, and without adding bloat.<\/p>\n\n<p>Install it. Activate it. And remove an entire class of attacks from your site.<\/p>\n\n<!--section=changelog-->\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<\/ul>","raw_excerpt":"Prevents public access to REST API user endpoints while allowing authorized roles.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/276994","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=276994"}],"author":[{"embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/realpinny"}],"wp:attachment":[{"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=276994"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=276994"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=276994"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=276994"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=276994"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=276994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}