WordPress REST API: 7 dangerous endpoints enabled by default
WordPress exposes more than you think
WordPress ships with its REST API switched on. The route index at /wp-json/ and most read routes under the core wp/v2 namespace answer unauthenticated requests; only write operations and a handful of read routes ask for a cookie nonce or an application password. Blocking /wp-json/ at the web server is not enough on its own, because every route is also reachable as /?rest_route=/wp/v2/... whatever the permalink setting.
Endpoint 1: /wp-json/wp/v2/users
Returns id, name and slug for every user who has authored a published post of a post type exposed to the REST API (the restriction WordPress added in 4.7.1, after the endpoint originally listed every account). The slug is user_nicename, which by default is the sanitized login name, so an anonymous GET is username enumeration delivered as JSON: the attacker has a list of valid accounts for password attacks against wp-login.php without ever touching the login page.
Endpoint 2: /wp-json/acf/v3/options
The acf/v3 namespace is registered by the ACF to REST API plugin, which reads the options pages that ACF Pro provides. Its options routes return every field stored on an options page to an anonymous GET, because the plugin's read permission is open by default unless the site restricts it through the plugin's own permission filter. Developers routinely put third-party API keys, webhook secrets and tokens in options-page fields so they can be edited from wp-admin, and those are exactly the values that leak.
Endpoint 3: /wp-json/wp/v2/media
Lists attachments with their source_url and sequential post IDs, so an anonymous client can page through the collection and walk the ID space to harvest the URL of every upload that was never linked from a page. Calling these files private overstates what WordPress offers: files under wp-content/uploads are served straight by the web server with no access check, and the API only withholds attachments whose parent post is not publicly readable. The endpoint is a map to files that were already downloadable by anyone who knew the URL.
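The following must-use plugin is an added example, not code from the article or from WordPress core: it gates anonymous reads of the three endpoints above (core users and media, plus the ACF options routes) with the core rest_pre_dispatch filter. The file name, the route patterns and the capabilities chosen for each pattern are assumptions for this example; the filter, WP_Error, current_user_can() and rest_authorization_required_code() are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Gate anonymous REST reads (added example, not from the article)
 * Drop this file into wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * rest_pre_dispatch runs after core has authenticated the request (cookie plus
 * X-WP-Nonce, or an application password) and before the route callback, so
 * current_user_can() already reflects the caller. Matching on the route string
 * covers both /wp-json/... and /?rest_route=... URLs.
 */

/**
 * Route patterns and the capability required to read them.
 * The capabilities are an assumption for this example:
 *  - edit_posts for the user list keeps the block editor's author picker working
 *  - upload_files for media keeps the media library working for contributors and up
 *  - manage_options for ACF options pages, which only administrators should read
 */
function example_gated_rest_routes() {
    return array(
        '#^/wp/v2/users(/|$)#'    => 'edit_posts',
        '#^/wp/v2/media(/|$)#'    => 'upload_files',
        '#^/acf/v3/options(/|$)#' => 'manage_options',
    );
}

add_filter( 'rest_pre_dispatch', 'example_gate_rest_reads', 10, 3 );

function example_gate_rest_reads( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // Another rest_pre_dispatch callback already produced a response; keep it.
    if ( null !== $result ) {
        return $result;
    }

    // Only reads are gated here. Writes already fail in core's own
    // permission callbacks for callers without the relevant capability.
    if ( 'GET' !== $request->get_method() ) {
        return $result;
    }

    $route = $request->get_route();

    // /wp/v2/users/me only ever describes the caller; any logged-in user may read it.
    if ( '/wp/v2/users/me' === $route && is_user_logged_in() ) {
        return $result;
    }

    foreach ( example_gated_rest_routes() as $pattern => $capability ) {
        if ( preg_match( $pattern, $route ) && ! current_user_can( $capability ) ) {
            // 401 for anonymous callers, 403 for authenticated ones lacking the capability.
            return new WP_Error(
                'rest_forbidden',
                __( 'Sorry, you are not allowed to do that.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
    }

    // Not a gated route, or the caller is allowed: let core's own checks run.
    return $result;
}
```

With the file in place, an unauthenticated GET to /wp-json/wp/v2/users returns a 401 JSON error instead of the user list, and the same request through /?rest_route=/wp/v2/users gets the same answer, because the match is on the resolved route rather than on the URL path. Core's own permission callbacks still run afterwards for callers that pass this gate, so the filter tightens the endpoints without replacing their existing checks.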
Endpoints 4-7: Custom namespaces
Every plugin that calls register_rest_route() adds routes under its own namespace, and the index at /wp-json/ lists all of them with their accepted methods, so nothing has to be guessed. A route is public when its permission_callback returns true for everyone (the __return_true shortcut) or is missing altogether; since WordPress 5.5 a missing callback raises a _doing_it_wrong notice, but the route is still registered and still answers anonymous requests. Read routes in plugin namespaces are typically written for a JavaScript front end and rarely receive the capability check that the plugin's wp-admin screens have.
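An added example, not code from the article and not from any real plugin: a hypothetical plugin exposing an /export route under its own namespace, shown in the two insecure forms the paragraph above describes and then in a hardened form. The namespace example-plugin/v1, the route, the callback names and the manage_options capability are all assumptions for this example; register_rest_route(), WP_REST_Server::READABLE, rest_ensure_response() and rest_authorization_required_code() are WordPress core APIs.

```php
<?php
/**
 * Added example (not from the article, not from a real plugin).
 * Hypothetical plugin exposing a customer export under example-plugin/v1.
 */

// The route callback. The rows are assumed to be sensitive data; a real plugin
// would build them from the database.
function example_plugin_export( WP_REST_Request $request ) {
    $rows = array( /* built from the database in a real plugin */ );
    return rest_ensure_response( array(
        'format' => $request['format'],
        'rows'   => $rows,
    ) );
}

/**
 * Two ways this route becomes one of the page's "endpoints 4-7".
 * Kept in a function that is never hooked, for contrast only; registering the
 * same route twice would simply replace the first registration.
 */
function example_plugin_register_insecure_routes() {
    // (a) permission_callback omitted. WordPress 5.5+ emits _doing_it_wrong()
    //     under WP_DEBUG, but registers the route anyway, open to everyone.
    register_rest_route( 'example-plugin/v1', '/export', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'example_plugin_export',
    ) );

    // (b) permission_callback present but __return_true: explicitly public.
    //     Usually written when the author only meant "my front-end JS needs this".
    register_rest_route( 'example-plugin/v1', '/export', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_plugin_export',
        'permission_callback' => '__return_true',
    ) );
}

/**
 * Hardened form: a capability check in permission_callback plus validated
 * arguments. Core runs permission_callback before the callback, and core's
 * authentication (cookie plus X-WP-Nonce, or an application password) has
 * already set the current user by then, so current_user_can() is meaningful.
 */
function example_plugin_export_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to do that.' ),
            // 401 for anonymous callers, 403 for logged-in users without the capability.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/export', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_plugin_export',
        'permission_callback' => 'example_plugin_export_permission',
        'args'                => array(
            'format' => array(
                'type'              => 'string',
                'enum'              => array( 'json', 'csv' ),
                'default'           => 'json',
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );
```

To audit a site for this class of route, fetch /wp-json/ and read the routes object for each non-core namespace; any GET route there that returns 200 to a request carrying no cookie, nonce or application password is the case this section describes. The schema under args matters too: without an enum or validate_callback, whatever the caller sends reaches the callback unchanged.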