During the last month, my personal website had 67,068 brute force attacks blocked. A brute force attack is when some hacker is making guesses at your username and password so they can bet access to your site. This is one of the reasons why WordPress tells you NOT to use the default “Admin” for your username. That makes one less thing for the hacker to figure out.
But out of the box, WordPress has the REST API enabled and, unless you turn if off, hackers can easily request a list of user ids from your WordPress site, revealing the Admin user name. How do you tell if your WordPress installation is opening revealing the admin account?
Append “/wp-json/wp/v2/users” to your website address.
For example, if a hacker tries going to www.davidriewe.com/wp-json/wp/v2/users they will get
Which is ok, non authenticated users do not need to access the rest API on my website. They shouldn’t be allowed access on your site either.