Hide Your WordPress REST API Index
Did you know that by default, WordPress exposes a full directory of your REST API endpoints to anyone who visits /wp-json/? This “index” is a goldmine for attackers, bots, and data scrapers.
With API Security, you can hide your REST API index and keep your endpoints invisible to outsiders—without breaking legitimate integrations.
The Problem
Exposed API Index = Exposed Attack Surface
What is the REST API Index?
- The index is a directory at /wp-json/ that lists all available API namespaces and endpoints, and each namespace (for example /wp-json/wp/v2) has an index of its own.
- It reveals every route, including custom endpoints from plugins and themes.
- Anyone (even unauthenticated users) can see your API structure by default.
{
  "name": "WP-JSON",
  "description": "This is what a default WP-JSON index looks like.",
  "url": "http://unsecure.api",
  "home": "https://unsecure.api",
  "gmt_offset": "0",
  "timezone_string": "",
  "page_for_posts": 93,
  "page_on_front": 112,
  "show_on_front": "page",
  "namespaces": [
    "oembed/1.0",
    "wp/v2",
    "wp-site-health/v1",
    "wp-block-editor/v1"
  ],
  "authentication": {
    "application-passwords": {
      "endpoints": {
        "authorization": "https://unsecure.api/wp-admin/authorize-application.php"
      }
    }
  },
  "routes": {
    "/": {
      "namespace": "",
      "methods": [
        "GET"
      ],
      "endpoints": [
        {
          "methods": [
            "GET"
          ],
          "args": {
            "context": {
              "default": "view",
              "required": false
            }
          }
        }
      ],
      "_links": {
        "self": [
          {
            "href": "https://unsecure.api/wp-json/"
          }
        ]
      }
    }
  },
  "site_logo": 526,
  "site_icon": 525,
  "site_icon_url": "https://unsecure.api/content/media/2025/08/api-security-icon.png",
  "_links": {
    "help": [
      {
        "href": "https://developer.wordpress.org/rest-api/"
      }
    ],
    "wp:featuredmedia": [
      {
        "embeddable": true,
        "type": "site_logo",
        "href": "https://unsecure.api/wp-json/wp/v2/media/526"
      },
      {
        "embeddable": true,
        "type": "site_icon",
        "href": "https://unsecure.api/wp-json/wp/v2/media/525"
      }
    ],
    "curies": [
      {
        "name": "wp",
        "href": "https://api.w.org/{rel}",
        "templated": true
      }
    ]
  }
}
⚠️ The real index is far longer: the example above shows only the root route, because the full output (every route of every namespace) was too large for the browser to render.
Why is This Dangerous?
- Reconnaissance: Attackers use the index to map your API, looking for weak spots.
- Automated Scanning: Bots scrape the index to find endpoints for brute force, spam, or data theft.
- Sensitive Data Exposure: Some plugins or custom code may unintentionally expose private endpoints.
- Zero-Day Exploits: When a new vulnerability is discovered, attackers use the index to instantly find and target affected endpoints.
The Solution
Hide the REST API index so that /wp-json/ reveals only basic information about your site and nothing more:
{
  "name": "API Security",
  "description": "Safe guard the REST API instantly with enhanced security, block unknown outsiders, rate limit requests and protect data exposure – simple, secure, and hassle-free.",
  "gmt_offset": "0",
  "timezone_string": "",
  "site_icon_url": "https://apisecurity.pro/content/media/2025/01/api-security-icon.svg"
}
How API Security Protects You
- Removes the index directory from public view, both at /wp-json/ and for each namespace.
- Blocks unauthenticated users from seeing your API structure.
- Prevents endpoint enumeration by bots and attackers.
- Maintains compatibility for legitimate, authenticated API consumers.
- Works out of the box — no configuration required.
What Stays Accessible?
- Direct endpoint access: Your API still works for apps, plugins, and integrations that know the endpoint URLs.
- Authenticated users: Can access the index if needed (configurable).
- No impact on REST API functionality for trusted clients.
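The two lists above describe the intended behaviour: a stripped-down index for outsiders, the full index for trusted users, and direct endpoint access left untouched. The following is an added example of how that behaviour can be implemented with the WordPress core filters `rest_index` (runs on GET /wp-json/) and `rest_namespace_index` (runs on GET /wp-json/wp/v2 and every other namespace root); it is not the API Security plugin's own code. The file name, the `mri_` prefix, the choice of `manage_options` as the "trusted user" capability, and the list of keys kept public are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Minimal REST Index (added example, not the API Security plugin)
 *
 * Drop this file into wp-content/mu-plugins/ to trim what anonymous clients
 * see at /wp-json/ and at each namespace index. The capability name and the
 * allow-list of keys below are choices made for this example.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Keys that stay in the public index. Everything else (routes, namespaces,
// authentication, site ids) is dropped for clients that are not trusted.
const MRI_PUBLIC_INDEX_KEYS = array( 'name', 'description', 'gmt_offset', 'timezone_string', 'site_icon_url' );

/**
 * Decide whether the current request may see the full index.
 * "Trusted" here means a logged-in user who can manage options; a request
 * authenticated with an administrator's application password or with a
 * cookie plus REST nonce qualifies, an anonymous request does not.
 */
function mri_request_may_see_full_index(): bool {
	return is_user_logged_in() && current_user_can( 'manage_options' );
}

/**
 * Reduce an index payload to the allow-listed keys. Kept as a pure function
 * so it can be unit-tested without booting WordPress.
 */
function mri_filter_index_data( array $data, array $allowed_keys ): array {
	return array_intersect_key( $data, array_flip( $allowed_keys ) );
}

/**
 * rest_index runs after WP_REST_Server::get_index() has built the response
 * for GET /wp-json/. For untrusted clients we keep only the allow-listed keys
 * and strip the HAL links (help, wp:featuredmedia, curies), which are stored
 * on the response object rather than in its data array.
 */
add_filter( 'rest_index', function ( WP_REST_Response $response ) {
	if ( mri_request_may_see_full_index() ) {
		return $response;
	}
	$response->set_data( mri_filter_index_data( (array) $response->get_data(), MRI_PUBLIC_INDEX_KEYS ) );
	foreach ( array_keys( $response->get_links() ) as $rel ) {
		$response->remove_link( $rel );
	}
	return $response;
}, 10, 1 );

/**
 * rest_namespace_index runs for GET /wp-json/<namespace>, which lists every
 * route in that namespace. Rather than answering with an empty body, return
 * the same 404 WP_Error core uses for unknown routes, so the namespace index
 * is indistinguishable from a route that does not exist.
 */
add_filter( 'rest_namespace_index', function ( WP_REST_Response $response ) {
	if ( mri_request_may_see_full_index() ) {
		return $response;
	}
	return new WP_Error(
		'rest_no_route',
		__( 'No route was found matching the URL and request method.' ),
		array( 'status' => 404 )
	);
}, 10, 1 );
```

To check the result, request /wp-json/ once as an anonymous client and once with an administrator's application password: the first response should contain only the five allow-listed keys, the second the full index. Two limits are worth keeping in mind. The filters change only the two index responses, so a client that already knows a route such as /wp-json/wp/v2/posts can still call it; that is exactly what "What Stays Accessible?" promises, but it also means well-known core routes remain reachable and still need their own authorization and rate limiting. And WordPress keeps advertising the API base URL through the `<link rel="https://api.w.org/">` tag in the page head and the `Link` response header, which reveals that a REST API exists but no longer which routes it has.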
How Attackers Exploit the Index
1. Scan /wp-json/ to list all available endpoints.
2. Identify custom or vulnerable routes (e.g., from plugins or themes).
3. Automate attacks against login, user, or data endpoints.
4. Harvest data from open or misconfigured endpoints.
5. Exploit zero-days by instantly finding and targeting new vulnerabilities.
💡With the index hidden, attackers are left in the dark.
Real-World Benefits
- Reduce Attack Surface: Fewer visible endpoints means fewer opportunities for attackers.
- Stop Automated Scanners: Bots can’t enumerate your API routes.
- Protect Sensitive Integrations: Hide custom endpoints from competitors and scrapers.
- Comply with Security Best Practices: Follows the principle of least privilege and “security through obscurity” as a defense-in-depth measure.
- Peace of Mind: Know that your API structure isn’t being broadcast to the world.
Who Needs This?
- E-commerce stores: Hide sensitive order, customer, and product endpoints.
- Membership sites: Protect user and subscription APIs.
- Headless WordPress: Prevent frontend discovery of backend routes.
- Agencies & Developers: Secure client sites and custom APIs.
- Anyone who values privacy and security for their WordPress data.
Get Stealthy in Seconds
- Install & activate API Security.
- REST API index is hidden — no setup required.
- Enjoy peace of mind knowing your API structure is invisible to outsiders.
The Bottom Line
Don’t let your API be an open book. Hiding the REST API index is a simple, powerful way to:
- Reduce your attack surface
- Stop automated endpoint discovery
- Protect your data and users
API Security makes it effortless.
After enabling API Security, our REST API endpoints disappeared from public view. We saw an immediate drop in bot traffic and automated scans. It’s a must-have for any serious WordPress site.

Erik Acadia
Security Lead
Ready to go stealth?
Install API Security and hide your REST API index today! 🔒