WordPress REST API: 7 dangerous endpoints enabled by default
> TL;DR: Your WordPress exposes sensitive data via REST API without you knowing. Here are 7 endpoints to check now.
WordPress exposes more than you think
By default, WordPress enables a complete REST API accessible to any visitor.
Endpoint 1: /wp-json/wp/v2/users
Lists all users with names and slugs.
Endpoint 2: /wp-json/acf/v3/options
ACF Pro can return ALL site options — including API keys and tokens.
Endpoint 3: /wp-json/wp/v2/media
Enumeration of all uploaded files. Sequential IDs = download private files.
Endpoints 4-7: Custom namespaces
Every plugin registering a REST namespace creates potentially unauthenticated endpoints.
Key Takeaways
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
WordPress 6.8: what the move to bcrypt really changes for security
WordPress 6.8 replaced phpass with bcrypt for user passwords and introduced BLAKE2b for several application secrets. Here is what that really changes, and what it does not fix.
Laravel: when Ziggy exposes the complete map of your application
Ziggy route exposure gives attackers a complete map of your Laravel app architecture.
Firebase Firestore: why 'allow read, write: if request.auth != null' is not security
The basic Firestore authentication rule doesn't protect your data. Here's why and how to fix it.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.