Title: Pinny’s REST Lock – Block REST User Enumeration
Author: Pinny Fried
Published: 25 January 2026
Last modified: 6 March 2026

---


![](https://ps.w.org/pinnys-rest-lock/assets/banner-772x250.png?rev=3479456)

![](https://ps.w.org/pinnys-rest-lock/assets/icon-256x256.png?rev=3479468)

# Pinny’s REST Lock – Block REST User Enumeration

By [Pinny Fried](https://profiles.wordpress.org/realpinny/)

[Download](https://downloads.wordpress.org/plugin/pinnys-rest-lock.1.0.0.zip)


## Description

**Blocks public REST API user enumeration while preserving full WordPress functionality.**

**Pinny’s REST Lock** is an ultra-lightweight security plugin that locks down WordPress
REST API user endpoints **without breaking your site**.

It is designed to fix one of the most common and overlooked WordPress security issues,
**public user enumeration via the REST API**, using the correct, core-aligned approach.

### 🚨 Why This Plugin Is Necessary

By default, WordPress publicly exposes REST API endpoints such as:

```
/wp-json/wp/v2/users
```

On public sites, these endpoints can be accessed without authentication and are 
routinely used as the **first step in real-world attacks**.

This is where attackers start.

Public access to REST user endpoints allows attackers to:

 * Enumerate valid usernames
 * Identify administrator and privileged accounts
 * Eliminate guesswork before brute-force attacks
 * Chain enumeration with login abuse and password reset attacks

This is not theoretical. User enumeration is a **baseline reconnaissance technique**
used by bots and human attackers alike.

Blocking public access to REST user endpoints should be considered **required security
hygiene for every WordPress site**.

### ⚠️ Common REST Protection Pitfalls

Securing REST user endpoints requires precision. Broad or poorly timed restrictions
often introduce serious side effects.

Common issues include:

 * **Blocking all users**, including administrators, which breaks authenticated 
   workflows
 * **Disabling the REST API entirely**, causing the block editor, WooCommerce, and
   modern plugins to fail
 * **Applying restrictions before authentication**, preventing WordPress from distinguishing
   public and authorized requests
 * **Allowing low-privilege roles**, such as subscribers, to retain access — leaving
   user enumeration possible

Effective protection must be narrowly scoped, permission-aware, and aligned with
WordPress core behavior.

### ✅ How Pinny’s REST Lock Works

Pinny’s REST Lock takes a **surgical, WordPress-native approach**:

 * Targets **only** REST API user endpoints
 * Runs **after WordPress authentication**
 * Allows access **only** to users with appropriate permissions
 * Returns a proper `403 Forbidden` response to unauthorized requests

What this means:

 * Administrators continue to work normally
 * The REST API remains fully functional
 * Gutenberg, WooCommerce, and REST-based plugins are unaffected
 * Only public user enumeration is blocked

This follows WordPress core’s intended permission model.
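The pitfalls listed above and the four properties of the plugin's approach (narrow scope, post-authentication timing, permission-awareness, a real `403`) can be shown in a few lines of WordPress plugin code. The following is an added, illustrative example written for this page; it is not the source of Pinny's REST Lock. It hooks the `rest_request_before_callbacks` filter, which WordPress core applies after the current user has been determined, so `current_user_can()` reflects the real caller. The function name, the `list_users` capability choice and the carve-out for a logged-in user's own `/wp/v2/users/me` record are assumptions made here, not something the description states.

```php
<?php
/**
 * Plugin Name: Example REST User Endpoint Lock (illustrative only)
 * Description: Returns 403 for /wp/v2/users routes unless the caller may list users.
 */

// Hypothetical plugin written for this page; not the code of Pinny's REST Lock.
// rest_request_before_callbacks fires after WordPress has resolved the current
// user (cookie, application password, etc.), so the checks below see the
// real caller rather than an anonymous placeholder.
add_filter( 'rest_request_before_callbacks', 'example_lock_rest_user_routes', 10, 3 );

/**
 * Deny user-listing REST routes to callers who lack the capability.
 *
 * @param WP_REST_Response|WP_Error|mixed $response Result so far (null if none).
 * @param array                           $handler  Matched route handler (unused).
 * @param WP_REST_Request                 $request  The request being dispatched.
 * @return WP_REST_Response|WP_Error|mixed Unchanged response, or a 403 WP_Error.
 */
function example_lock_rest_user_routes( $response, $handler, $request ) {
    // Narrow scope: only /wp/v2/users and /wp/v2/users/{id}. Every other route
    // is left alone, so the block editor, WooCommerce and other REST consumers
    // keep working. get_route() covers both /wp-json/... and ?rest_route=... forms.
    $route = $request->get_route();
    if ( ! preg_match( '#^/wp/v2/users(?:/|$)#', $route ) ) {
        return $response;
    }

    // Assumption: a logged-in user may still read their own record, which the
    // editor and some plugins fetch via /wp/v2/users/me. This reveals nothing
    // about other accounts.
    if ( '/wp/v2/users/me' === $route && is_user_logged_in() ) {
        return $response;
    }

    // Permission-aware: "list_users" is the capability core itself checks for
    // the users collection. Administrators (and any role granted it) pass;
    // subscribers and other low-privilege roles do not.
    if ( current_user_can( 'list_users' ) ) {
        return $response;
    }

    // Anonymous visitors and low-privilege roles get a proper 403 instead of a
    // user list. Returning WP_Error here short-circuits dispatch, so the
    // route's own callback never runs.
    return new WP_Error(
        'example_rest_user_forbidden',
        __( 'Sorry, you are not allowed to list users.' ),
        array( 'status' => 403 )
    );
}
```

To check the behaviour on your own site, an unauthenticated `GET /wp-json/wp/v2/users` should now answer with HTTP status `403` and a JSON error body, while the same request made with an administrator's application password still returns `200` and the user list. Note that this filter changes only the REST routes it matches, which is exactly the scope the description claims for the plugin; other WordPress features that can reveal usernames are outside what this hook affects.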

### 🚀 Ultra-Lightweight by Design

Pinny’s REST Lock is intentionally minimal:

 * **~1.3 KB uncompressed**
 * Single-file plugin
 * No settings page
 * No database tables
 * No logs
 * No tracking
 * No ads
 * No performance impact

It activates, applies the protection, and gets out of the way.

### 🛡️ A Required Fix for Modern WordPress Sites

If your site is public, your REST user endpoints should not be.

Pinny’s REST Lock closes one of the most common entry points attackers look for —
without breaking WordPress, without blocking admins, and without adding bloat.

Install it. Activate it. And remove an entire class of attacks from your site.

## Reviews

There are no reviews for this plugin yet.

## Contributors and Developers

"Pinny's REST Lock – Block REST User Enumeration" is open source software. The following
people have contributed to this plugin.

Contributors

 * [Pinny Fried](https://profiles.wordpress.org/realpinny/)

[Translate "Pinny's REST Lock – Block REST User Enumeration" into your language.](https://translate.wordpress.org/projects/wp-plugins/pinnys-rest-lock)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/pinnys-rest-lock/),
check out the [SVN repository](https://plugins.svn.wordpress.org/pinnys-rest-lock/), or
subscribe to the [development log](https://plugins.trac.wordpress.org/log/pinnys-rest-lock/)
by [RSS](https://plugins.trac.wordpress.org/log/pinnys-rest-lock/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.0

 * Initial release

## Meta

 * Version **1.0.0**
 * Last updated **1 month ago**
 * Active installations **10+**
 * WordPress version **5.0 or higher**
 * Tested up to **6.9.4**
 * PHP version **7.0 or higher**
 * Language: [English (US)](https://wordpress.org/plugins/pinnys-rest-lock/)
 * Tags: [enumeration](https://tr.wordpress.org/plugins/tags/enumeration/),
   [no-bloat](https://tr.wordpress.org/plugins/tags/no-bloat/),
   [rest](https://tr.wordpress.org/plugins/tags/rest/),
   [security](https://tr.wordpress.org/plugins/tags/security/),
   [users](https://tr.wordpress.org/plugins/tags/users/)
 * [Advanced view](https://tr.wordpress.org/plugins/pinnys-rest-lock/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/pinnys-rest-lock/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/pinnys-rest-lock/reviews/)


## Support

Got something to say? Need help?

[View support forum](https://wordpress.org/support/plugin/pinnys-rest-lock/)