REST API Enumeration

Red Team, Blue Team and OSINT Analysts

I recently developed a bookmarklet that enables users to quickly identify usernames on a WordPress site they’re visiting. The concept was inspired by Mishaal Khan, who demonstrated how the WordPress REST API can be used to enumerate usernames through the /wp-json/wp/v2/users endpoint.

I adapted this idea by combining the endpoint with a curl command to create a lightweight, accessible tool. While I initially envisioned this as a helpful resource for OSINT analysts, it also raised an important question: how can WordPress site owners harden their installations to prevent this type of enumeration and render the bookmarklet ineffective?

I began to research why this script worked on some websites but not others. What I discovered was that WordPress exposes author usernames publicly by default, which is a problem because attackers often pair a known username with brute-force login attempts.

Options to Resolve this:

  • Modify functions.php to remove the /wp/v2/users endpoint.
  • Require authentication for user data in the functions.php file.
  • Use a security plugin. Plugins like Wordfence, iThemes Security, or Disable REST API let you control or lock down API access without coding.
  • Block the endpoint in the server's .htaccess file.

Additional Mitigations:

  • Disable the default admin user.

  • Require strong passwords.

  • Enable 2FA (via Wordfence, iThemes, or WP 2FA plugin).

  • Limit login attempts or use Fail2Ban at the server level.

A good, balanced solution is to restrict /wp/v2/users inside WordPress itself (via a filter), block the /?author= leak, and enforce strong authentication.
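The following is an added example, not the author's bookmarklet and not code from any plugin named above. It implements the first two options from the list (removing /wp/v2/users for anonymous visitors and requiring authentication for user data) together with the /?author= redirect block from the balanced solution, using only WordPress core hooks that exist in current releases (`rest_endpoints`, `rest_pre_dispatch`, `template_redirect`). It assumes it is dropped into a theme's functions.php or a file under wp-content/mu-plugins/; the `list_users` capability check is a design choice here, not something the post specifies.

```php
<?php
/**
 * Added hardening example (assumed file: wp-content/mu-plugins/harden-users.php).
 * Not the original post's code; uses core WordPress hooks only.
 */

// 1. Remove the public user routes from the REST index for anonymous requests.
//    Logged-in users keep the routes because the block editor relies on
//    /wp/v2/users/me and /wp/v2/users?who=authors.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Covers /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 2. Belt and braces: even if a route is re-registered by a plugin, refuse to
//    dispatch user routes unless the caller can list users (administrators).
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( 0 === strpos( $request->get_route(), '/wp/v2/users' )
        && ! current_user_can( 'list_users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Authentication required to access user data.',
            array( 'status' => 401 )
        );
    }
    return $result; // null lets normal dispatch continue
}, 10, 3 );

// 3. Close the /?author=N leak. Core's redirect_canonical() runs on
//    template_redirect at priority 10 and rewrites ?author=1 to
//    /author/<login>/, revealing the login name. Priority 1 runs first.
add_action( 'template_redirect', function () {
    if ( ! is_admin() && isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );
```

After deploying, confirm the change the same way the bookmarklet probes: an unauthenticated request to /wp-json/wp/v2/users should now return a 404 (route removed) or a 401 with the `rest_forbidden` code, and /?author=1 should land on the home page rather than /author/<login>/. Pretty author archives at /author/<login>/ keep working, since only the numeric-ID query form is blocked.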

I think this bookmarklet can be helpful for Red Team, Blue Team and OSINT Analysts. Let me know if you found this helpful.

I would enjoy hearing your feedback on this topic. Please feel free to reach out.