<b>REST API Lockdown SOP</b>
Run on every WordPress site — the API is open by default.
— Step 1: Test exposure. Hit <code>/wp-json/wp/v2/users</code> without logging in — if it returns names and slugs, you're leaking your login usernames.
— Step 2: Require authentication on the <code>users</code> endpoint via a <code>rest_authentication_errors</code> filter for unauthenticated requests.
— Step 3: Don't blanket-disable the API — Gutenberg and many plugins need it. Scope restrictions to sensitive routes.
— Step 4: Remove author enumeration from the front end too. Block <code>?author=1</code> redirects at the server.
— Step 5: Verify usernames differ from display names. If they match, you've handed attackers half the credential.
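The Step 2 filter, written out as an added example (not code from the channel): a <code>rest_authentication_errors</code> callback that returns a 401 for anonymous requests to the users routes and leaves every other route untouched. It assumes you drop it into <code>wp-content/mu-plugins/</code>; the error code string is a constructed name.

```php
<?php
/**
 * Require authentication for the /wp/v2/users REST routes (Step 2).
 * Place in wp-content/mu-plugins/ so it loads before any plugin.
 *
 * Hooked at priority 101 so it runs after core's cookie/nonce check
 * (rest_cookie_check_errors, priority 100), by which point
 * is_user_logged_in() reflects the final authentication result.
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier authentication failure is final; pass it through unchanged.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // Authenticated callers (cookie + nonce, application password) keep access.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Route as parsed by WordPress, e.g. "/wp/v2/users" or "/wp/v2/users/1".
    // Both /wp-json/... (pretty permalinks) and ?rest_route=... set this var.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    // Normalise: collapse leading slashes and drop a trailing one, so
    // "//wp/v2/users/" and "/wp/v2/users" are treated the same.
    $route = '/' . ltrim( untrailingslashit( $route ), '/' );

    // Gate only the users collection and single-user routes. Core matches
    // routes case-insensitively, so do the same here (the /i flag).
    // Everything else (posts, blocks, plugin routes Gutenberg needs) stays open.
    if ( preg_match( '#^/wp/v2/users(/|$)#i', $route ) ) {
        return new WP_Error(
            'rest_users_auth_required', // constructed error code
            'You must be logged in to access user data.',
            array( 'status' => 401 )
        );
    }

    return $result;
}, 101 );
```

Re-run Step 1 afterwards: an anonymous request to <code>/wp-json/wp/v2/users</code> should now return HTTP 401 with the error body, while a logged-in request in the block editor still succeeds.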
Run this every time.
Lockdown Ledger
@LockdownLedger
This post was published in the Lockdown Ledger Telegram channel. Subscribe via the link: @LockdownLedger.