
Description
Pinny’s REST Lock is a lightweight security plugin dedicated to blocking public REST API user enumeration. It preserves full WordPress functionality and fixes a security issue that is commonly overlooked.
【Main features】
• Blocks public REST API user enumeration
• Protects only the REST API user endpoints
• Does not affect normal operation for administrators and other authorized users
② Search for "Pinny’s REST Lock – Block REST User Enumeration" in the WordPress admin → install directly (recommended)
Original plugin description
Blocks public REST API user enumeration while preserving full WordPress functionality.
Pinny’s REST Lock is an ultra-lightweight security plugin that locks down WordPress REST API user endpoints without breaking your site.
It is designed to fix one of the most common and overlooked WordPress security issues — public user enumeration via the REST API — using the correct, core-aligned approach.
🚨 Why This Plugin Is Necessary
By default, WordPress publicly exposes REST API endpoints such as:
/wp-json/wp/v2/users
On public sites, these endpoints can be accessed without authentication and are routinely used as the first step in real-world attacks.
This is where attackers start.
Public access to REST user endpoints allows attackers to:
• Enumerate valid usernames
• Identify administrator and privileged accounts
• Eliminate guesswork before brute-force attacks
• Chain enumeration with login abuse and password reset attacks
This is not theoretical. User enumeration is a baseline reconnaissance technique used by bots and human attackers alike.
Blocking public access to REST user endpoints should be considered required security hygiene for every WordPress site.
⚠️ Common REST Protection Pitfalls
Securing REST user endpoints requires precision. Broad or poorly timed restrictions often introduce serious side effects.
Common issues include:
• Blocking all users, including administrators, which breaks authenticated workflows
• Disabling the REST API entirely, causing the block editor, WooCommerce, and modern plugins to fail
• Applying restrictions before authentication, preventing WordPress from distinguishing public and authorized requests
• Allowing low-privilege roles, such as subscribers, to retain access — leaving user enumeration possible
Effective protection must be narrowly scoped, permission-aware, and aligned with WordPress core behavior.
✅ How Pinny’s REST Lock Works
Pinny’s REST Lock takes a surgical, WordPress-native approach:
• Targets only REST API user endpoints
• Runs after WordPress authentication
• Allows access only to users with appropriate permissions
• Returns a proper 403 Forbidden response to unauthorized requests
What this means:
• Administrators continue to work normally
• The REST API remains fully functional
• Gutenberg, WooCommerce, and REST-based plugins are unaffected
• Only public user enumeration is blocked
This follows WordPress core’s intended permission model.
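The pitfalls and the approach described above can be illustrated with a small WordPress filter. The following is an added example written for this page; it is not Pinny’s REST Lock’s own code, and it assumes only the core WordPress REST hooks and capabilities named in the comments (`rest_request_before_callbacks`, `list_users`, `WP_Error`). The `list_users` capability and the special-casing of `/wp/v2/users/me` are design choices made for the example, not statements about what the plugin does internally.

```php
<?php
/**
 * Added illustration (not Pinny's REST Lock's own code): restrict the core
 * /wp/v2/users endpoints to users who are allowed to list users.
 *
 * rest_request_before_callbacks fires inside WP_REST_Server::dispatch(), after
 * the server has already authenticated the request, so current_user_can() is
 * meaningful here. Hooking earlier (e.g. a blanket error from
 * rest_authentication_errors) is the "restrict before authentication" pitfall.
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // Leave any error raised earlier in the pipeline untouched.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    $route = $request->get_route(); // e.g. "/wp/v2/users" or "/wp/v2/users/7"

    // Scope: only the user endpoints. Every other route (posts, WooCommerce,
    // block editor data, custom plugin routes) passes through unchanged.
    if ( ! preg_match( '#^/wp/v2/users(?:/|$)#', $route ) ) {
        return $response;
    }

    // /wp/v2/users/me returns only the caller's own record, so it cannot be
    // used for enumeration; any authenticated user keeps it (the block editor
    // requests it). Anonymous callers still fall through to the check below.
    if ( '/wp/v2/users/me' === $route && is_user_logged_in() ) {
        return $response;
    }

    // Permission-aware check: anonymous visitors and low-privilege roles such as
    // subscribers lack list_users, so enumeration via ?search=, ?who=authors or
    // /users/<id> is refused for them while administrators work normally.
    if ( ! current_user_can( 'list_users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to list users.' ),
            array( 'status' => 403 )
        );
    }

    return $response;
}, 10, 3 );
```

To verify the behaviour, request `/wp-json/wp/v2/users` anonymously and expect a JSON error with HTTP status 403, then repeat with an administrator’s cookie or application password and expect the normal user list; `/wp-json/wp/v2/posts` should be unaffected in both cases. Contrast this with the common anti-pattern of returning a `WP_Error` from `rest_authentication_errors` whenever `is_user_logged_in()` is false: that refuses every anonymous REST request, which is the "disabling the REST API entirely" pitfall listed above.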
🚀 Ultra-Lightweight by Design
Pinny’s REST Lock is intentionally minimal:
• ~1.3 KB uncompressed
• Single-file plugin
• No settings page
• No database tables
• No logs
• No tracking
• No ads
• No performance impact
It activates, applies the protection, and gets out of the way.
🛡️ A Required Fix for Modern WordPress Sites
If your site is public, your REST user endpoints should not be.
Pinny’s REST Lock closes one of the most common entry points attackers look for — without breaking WordPress, without blocking admins, and without adding bloat.
Install it. Activate it. And remove an entire class of attacks from your site.
