Title: Pinny’s REST Lock – Block REST User Enumeration
Author: Pinny Fried
Published: <strong>January 25, 2026</strong>
Last modified: May 21, 2026

---

Search plugins

![](https://ps.w.org/pinnys-rest-lock/assets/banner-772x250.png?rev=3479456)

![](https://ps.w.org/pinnys-rest-lock/assets/icon-256x256.png?rev=3479468)

# Pinny’s REST Lock – Block REST User Enumeration

 By [Pinny Fried](https://profiles.wordpress.org/realpinny/)

[Download](https://downloads.wordpress.org/plugin/pinnys-rest-lock.1.0.0.zip)

 * [Details](https://vec.wordpress.org/plugins/pinnys-rest-lock/#description)
 * [Reviews](https://vec.wordpress.org/plugins/pinnys-rest-lock/#reviews)
 * [Development](https://vec.wordpress.org/plugins/pinnys-rest-lock/#developers)

 [Support](https://wordpress.org/support/plugin/pinnys-rest-lock/)

## Description

**Blocks public REST API user enumeration while preserving full WordPress functionality.**

**Pinny’s REST Lock** is an ultra-lightweight security plugin that locks down WordPress
REST API user endpoints **without breaking your site**.

It is designed to fix one of the most common and overlooked WordPress security issues—**
public user enumeration via the REST API** — using the correct, core-aligned approach.

### 🚨 Why This Plugin Is Necessary

By default, WordPress publicly exposes REST API endpoints such as:

    ```
    /wp-json/wp/v2/users
    ```

On public sites, these endpoints can be accessed without authentication and are 
routinely used as the **first step in real-world attacks**.

This is where attackers start.

Public access to REST user endpoints allows attackers to:

 * Enumerate valid usernames
 * Identify administrator and privileged accounts
 * Eliminate guesswork before brute-force attacks
 * Chain enumeration with login abuse and password reset attacks

This is not theoretical. User enumeration is a **baseline reconnaissance technique**
used by bots and human attackers alike.

Blocking public access to REST user endpoints should be considered **required security
hygiene for every WordPress site**.

### ⚠️ Common REST Protection Pitfalls

Securing REST user endpoints requires precision. Broad or poorly timed restrictions
often introduce serious side effects.

Common issues include:

 * **Blocking all users**, including administrators, which breaks authenticated 
   workflows
 * **Disabling the REST API entirely**, causing the block editor, WooCommerce, and
   modern plugins to fail
 * **Applying restrictions before authentication**, preventing WordPress from distinguishing
   public and authorized requests
 * **Allowing low-privilege roles**, such as subscribers, to retain access — leaving
   user enumeration possible

Effective protection must be narrowly scoped, permission-aware, and aligned with
WordPress core behavior.

### ✅ How Pinny’s REST Lock Works

Pinny’s REST Lock takes a **surgical, WordPress-native approach**:

 * Targets **only** REST API user endpoints
 * Runs **after WordPress authentication**
 * Allows access **only** to users with appropriate permissions
 * Returns a proper `403 Forbidden` response to unauthorized requests

What this means:

 * Administrators continue to work normally
 * The REST API remains fully functional
 * Gutenberg, WooCommerce, and REST-based plugins are unaffected
 * Only public user enumeration is blocked

This follows WordPress core’s intended permission model.

### 🚀 Ultra-Lightweight by Design

Pinny’s REST Lock is intentionally minimal:

 * **~1.3 KB uncompressed**
 * Single-file plugin
 * No settings page
 * No database tables
 * No logs
 * No tracking
 * No ads
 * No performance impact

It activates, applies the protection, and gets out of the way.

### 🛡️ A Required Fix for Modern WordPress Sites

If your site is public, your REST user endpoints should not be.

Pinny’s REST Lock closes one of the most common entry points attackers look for —
without breaking WordPress, without blocking admins, and without adding bloat.

Install it. Activate it. And remove an entire class of attacks from your site.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Pinny’s REST Lock – Block REST User Enumeration” is open source software. The following
people have contributed to this plugin.

Contributors

 *   [ Pinny Fried ](https://profiles.wordpress.org/realpinny/)

[Translate “Pinny’s REST Lock – Block REST User Enumeration” into your language.](https://translate.wordpress.org/projects/wp-plugins/pinnys-rest-lock)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/pinnys-rest-lock/),
check out the [SVN repository](https://plugins.svn.wordpress.org/pinnys-rest-lock/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/pinnys-rest-lock/)
by [RSS](https://plugins.trac.wordpress.org/log/pinnys-rest-lock/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.0

 * Initial release

## Meta

 *  Version **1.0.0**
 *  Last updated **2 months ago**
 *  Active installations **10+**
 *  WordPress version ** 5.0 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.0 or higher **
 *  Language
 * [English (US)](https://wordpress.org/plugins/pinnys-rest-lock/)
 * Tags
 * [enumeration](https://vec.wordpress.org/plugins/tags/enumeration/)[no-bloat](https://vec.wordpress.org/plugins/tags/no-bloat/)
   [rest](https://vec.wordpress.org/plugins/tags/rest/)[security](https://vec.wordpress.org/plugins/tags/security/)
   [users](https://vec.wordpress.org/plugins/tags/users/)
 *  [Advanced View](https://vec.wordpress.org/plugins/pinnys-rest-lock/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/pinnys-rest-lock/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/pinnys-rest-lock/reviews/)

## Contributors

 *   [ Pinny Fried ](https://profiles.wordpress.org/realpinny/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/pinnys-rest-lock/)