
Pinny’s REST Lock – Block REST User Enumeration

Author: Pinny Fried
Prevents public access to REST API user endpoints while allowing authorized roles.
Version
1.0.0
Last updated
Jan 28, 2026
Blocks public REST API user enumeration while preserving full WordPress functionality.

Pinny’s REST Lock is an ultra-lightweight security plugin that locks down WordPress REST API user endpoints without breaking your site.

It is designed to fix one of the most common and overlooked WordPress security issues — public user enumeration via the REST API — using the correct, core-aligned approach.

🚨 Why This Plugin Is Necessary

By default, WordPress publicly exposes REST API endpoints such as:

/wp-json/wp/v2/users

The same route is also reachable as /?rest_route=/wp/v2/users on sites without pretty permalinks, so a filter that only matches the wp-json URL prefix misses it.

On public sites, these endpoints can be read without authentication. Core limits the anonymous listing (and single-user lookups) to users who have authored published content, but on a typical site that includes the administrator account that publishes the posts, so the usernames that matter most are exactly the ones exposed. Each record carries a slug field, which is the user_nicename and by default is derived from the login name. Requests to these endpoints are routinely the first step in real-world attacks.

This is where attackers start.

Public access to REST user endpoints allows attackers to:

  • Enumerate valid usernames
  • Identify administrator and privileged accounts
  • Eliminate guesswork before brute-force attacks
  • Chain enumeration with login abuse and password reset attacks

This is not theoretical. User enumeration is a baseline reconnaissance technique used by bots and human attackers alike.

Blocking public access to REST user endpoints should be considered required security hygiene for every WordPress site.

⚠️ Common REST Protection Pitfalls

Securing REST user endpoints requires precision. Broad or poorly timed restrictions often introduce serious side effects.

Common issues include:

  • Blocking all users, including administrators, which breaks authenticated workflows
  • Disabling the REST API entirely, causing the block editor, WooCommerce, and modern plugins to fail
  • Applying restrictions before authentication, preventing WordPress from distinguishing public and authorized requests
  • Allowing low-privilege roles, such as subscribers, to retain access — leaving user enumeration possible

Effective protection must be narrowly scoped, permission-aware, and aligned with WordPress core behavior.

✅ How Pinny’s REST Lock Works

Pinny’s REST Lock takes a surgical, WordPress-native approach:

  • Targets only REST API user endpoints
  • Runs after WordPress authentication
  • Allows access only to users with appropriate permissions
  • Returns a proper 403 Forbidden response to unauthorized requests

What this means:

  • Administrators continue to work normally
  • The REST API remains fully functional
  • Gutenberg, WooCommerce, and REST-based plugins are unaffected
  • Only public user enumeration is blocked

This follows WordPress core’s intended permission model.
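To make the approach in the two sections above concrete (a check that is narrowly scoped to the user routes, runs after WordPress has resolved the current user, and returns a 403 otherwise), here is an added example of a single-file plugin that implements the same idea. It is illustrative code written for this page, not the source of Pinny's REST Lock, and the plugin may hook or scope things differently. It hooks the `rest_request_before_callbacks` filter, which `WP_REST_Server` applies after `check_authentication()` and just before a route's own `permission_callback`, so `current_user_can()` reflects the real caller. It matches on the REST route rather than the URL, so the `?rest_route=` form is covered. The policy (any authenticated user may read `/wp/v2/users/me`; everything else under `/wp/v2/users` requires `list_users`) and the `prl_example_` function names are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: REST user endpoint lock (illustrative example)
 * Description: Added example for this page, not the code of Pinny's REST Lock.
 *
 * Hooks `rest_request_before_callbacks`, which WordPress runs after the
 * request has been authenticated (cookie + X-WP-Nonce, application
 * password, ...) and immediately before the matched route's
 * permission_callback. Returning a WP_Error from this filter makes
 * WP_REST_Server skip the route callback and send the error instead.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Only run inside WordPress.
}

/**
 * Is this request for a /wp/v2/users route?
 *
 * Matching on the REST route instead of the request URL also covers the
 * `?rest_route=/wp/v2/users` form used on sites without pretty permalinks,
 * and every sub-route (/wp/v2/users/123, /wp/v2/users/me, ...).
 */
function prl_example_is_users_route( WP_REST_Request $request ) {
	return (bool) preg_match( '#^/wp/v2/users(?:/|$)#', $request->get_route() );
}

/**
 * Access policy (an assumption for this example, not necessarily the plugin's):
 *  - /wp/v2/users/me is allowed for any authenticated user, because the
 *    block editor requests it on load;
 *  - everything else under /wp/v2/users requires `list_users`, the same
 *    capability core's users controller requires for listing users in the
 *    "edit" context. Administrators have it by default; subscribers,
 *    contributors, authors and editors do not.
 */
function prl_example_may_access_users( WP_REST_Request $request ) {
	if ( current_user_can( 'list_users' ) ) {
		return true;
	}
	if ( '/wp/v2/users/me' === $request->get_route() && is_user_logged_in() ) {
		return true;
	}
	return false;
}

/**
 * Filter callback: short-circuit users routes with a 403 for callers that
 * fail the policy. Requests for other routes pass through untouched, so
 * the rest of the REST API (block editor, WooCommerce, other plugins)
 * keeps working.
 */
function prl_example_guard_users_routes( $response, $handler, $request ) {
	if ( is_wp_error( $response ) || ! prl_example_is_users_route( $request ) ) {
		return $response; // Not a users route, or already an error: leave it alone.
	}
	if ( prl_example_may_access_users( $request ) ) {
		return $response; // null: let the normal permission_callback and callback run.
	}
	return new WP_Error(
		'rest_forbidden',
		__( 'Sorry, you are not allowed to access user information.' ),
		array( 'status' => 403 )
	);
}
add_filter( 'rest_request_before_callbacks', 'prl_example_guard_users_routes', 10, 3 );
```

To verify a protection of this kind, request both `/wp-json/wp/v2/users` and `/?rest_route=/wp/v2/users` anonymously (for example with curl) and expect HTTP 403 on both; then repeat from a logged-in administrator session that sends a valid `X-WP-Nonce` header and expect 200. Note one consequence of the `list_users` choice: editors, who can assign post authors but do not have `list_users`, would receive a 403 when the block editor populates its author dropdown from `/wp/v2/users`. Loosening the policy for them (for example by also accepting `edit_others_posts`) is a one-line change in `prl_example_may_access_users()`; tightening it for subscribers is already the default here, which is the pitfall the section above warns about.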

🚀 Ultra-Lightweight by Design

Pinny’s REST Lock is intentionally minimal:

  • ~1.3 KB uncompressed
  • Single-file plugin
  • No settings page
  • No database tables
  • No logs
  • No tracking
  • No ads
  • No performance impact

It activates, applies the protection, and gets out of the way.

🛡️ A Required Fix for Modern WordPress Sites

If your site is public, your REST user endpoints should not be.

Pinny’s REST Lock closes one of the most common entry points attackers look for — without breaking WordPress, without blocking admins, and without adding bloat.

Install it. Activate it. And remove an entire class of attacks from your site.

Tested up to
WordPress 6.9.1