Prevents public access to REST API user endpoints while allowing authorized roles.
As of April 2026, Pinny’s REST Lock is a WordPress REST plugin with 10 active installations and a 0/5 rating. It has been downloaded 187 times in total. Requires WordPress 5.0+ and PHP 7.0+. Available on WordPress.org since 2026. Actively maintained — updated within the last month. Top alternative: Disable REST API.
Blocks public REST API user enumeration while preserving full WordPress functionality.
Pinny’s REST Lock is an ultra-lightweight security plugin that locks down WordPress REST API user endpoints without breaking your site.
It is designed to fix one of the most common and overlooked WordPress security issues — public user enumeration via the REST API — using the correct, core-aligned approach.
By default, WordPress publicly exposes REST API endpoints such as:
/wp-json/wp/v2/users
On public sites, these endpoints can be accessed without authentication and are routinely used as the first step in real-world attacks.
This is where attackers start.
Public access to REST user endpoints allows attackers to:
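The following must-use plugin is an added illustration, not Pinny’s REST Lock’s own code: it shows one core-aligned way to deny anonymous requests to the /wp/v2/users routes named above while leaving WordPress’s own permission callbacks in charge for authenticated users. The function name and the error message text are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Example REST user-endpoint lock
 * Description: Illustrative must-use plugin (wp-content/mu-plugins/) that denies
 *              anonymous access to the core /wp/v2/users routes. Not Pinny's REST Lock.
 */

/**
 * rest_pre_dispatch runs after WordPress has authenticated the request
 * (cookie + nonce, or application password) but before the matched route's
 * callbacks run. Returning anything other than null short-circuits the request.
 */
function example_rest_lock_pre_dispatch( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( null !== $result ) {
        return $result; // another filter already produced a response or error
    }

    // Match only the user collection and single-user routes:
    // /wp/v2/users, /wp/v2/users/123, /wp/v2/users/me. Every other route is untouched.
    if ( ! preg_match( '#^/wp/v2/users(?:/|$)#', $request->get_route() ) ) {
        return $result;
    }

    if ( ! is_user_logged_in() ) {
        // Anonymous caller: return the same error shape core uses for
        // unauthorised REST requests (HTTP 401 because nobody is logged in).
        return new WP_Error(
            'rest_user_cannot_view',
            __( 'Sorry, you are not allowed to list users.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    // Authenticated caller: fall through so core's own permission_callback
    // (list_users, edit_users, the ?who=authors edit_posts rule, ...) decides
    // which roles may see which user data. Admin and editor screens keep working.
    return $result;
}
add_filter( 'rest_pre_dispatch', 'example_rest_lock_pre_dispatch', 10, 3 );
```

Because the filter also runs for internally dispatched requests, anonymous readers fetching posts with `_embed` no longer receive the embedded author object; authenticated requests, including application-password clients, are unaffected by this lock and fall back to core's permission checks.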
| WordPress | 5.0+ required, tested up to 6.9.4 |
| PHP | 7.0+ required |
Plugin data sourced from WordPress.org. Analysis and metrics by PluginSift.