WordPress outputs user login IDs and ID numbers in JSON. Although this is by specification, it can make your site more vulnerable to hackers.

WordPress JSON output function of user information

When accessing a WordPress site with the following URL, the user’s login ID and ID in the database will be output in a data format called JSON.
(This is a WordPress specification.)

http://your wordpress url/wp-json/wp/v2/users

Dangers of user JSON data output

The user data that WordPress outputs includes each user’s login ID, which makes it possible to mechanically collect IDs from hundreds of sites from the outside. Once the login ID is known, the site can be targeted with what is called a brute force attack.

*What is a brute force attack?
A brute force attack is an attack that uses a dictionary of commonly-used passwords to mechanically repeat logins to the administrator screen hundreds of thousands of times to seize administrator privileges.

(Even if the password is strong enough, the administrator privileges can still be broken...)

Also,

http://your wordpress url/wp-json/wp/v2/users/userid-number

will allow you to retrieve login IDs and other information for users who have more than one post.
*The acquisition of information for users who have not made a single post will be blocked.

Stop outputting JSON data of users

For WordPress sites that have multiple contributors and are adding posts, we recommend that you stop this JSON data output.
(Also, user passwords should be a random string of 12 or more characters containing alphanumeric symbols.)

You can stop the user JSON data output by adding the following code to your theme’s functions.php.

add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Remove the route that lists all users.
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    // Remove the route that returns a single user by ID number.
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
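
To confirm the change took effect on a site you administer, the response from the users URL can be audited. The following is an added example, not code from the original article. It relies on two WordPress behaviours: user objects carry `id` and `slug` fields (the slug normally matches the login ID), and a removed route answers with a 404 `rest_no_route` error. The sample responses are constructed, and the function names are hypothetical.

```python
import json
import urllib.error
import urllib.request

# Constructed sample responses (not captured from a real site).
SAMPLE_EXPOSED = (200, '[{"id": 1, "name": "Site Admin", "slug": "siteadmin"},'
                       ' {"id": 4, "name": "Editor", "slug": "editor01"}]')
SAMPLE_BLOCKED = (404, '{"code": "rest_no_route", "message": "No route was found",'
                       ' "data": {"status": 404}}')


def exposed_users(status, body):
    """Return the (id, slug) pairs disclosed by a /wp-json/wp/v2/users response.

    An empty list means the response disclosed no user records.
    """
    if status != 200:
        return []  # 401/403/404: route removed or access denied
    try:
        data = json.loads(body)
    except ValueError:
        return []  # not JSON, e.g. an HTML error page
    if isinstance(data, dict):
        data = [data]  # /users/<id-number> returns a single object
    if not isinstance(data, list):
        return []
    return [(u["id"], u["slug"]) for u in data
            if isinstance(u, dict) and "id" in u and "slug" in u]


def check_site(base_url, timeout=10):
    """Fetch the user list route of a site you administer and audit it."""
    url = base_url.rstrip("/") + "/wp-json/wp/v2/users"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return exposed_users(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return exposed_users(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for label, (status, body) in (("before", SAMPLE_EXPOSED), ("after", SAMPLE_BLOCKED)):
        leaked = exposed_users(status, body)
        print(label, "EXPOSED" if leaked else "ok", leaked)
```

Run `check_site()` with your own site's address before and after editing functions.php; an empty list after the change means the login IDs are no longer returned.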
