WordPress Security Deep Dive: wp-json Exposure, Exploitable Endpoints & Hidden Login URLs

Modern WordPress security is no longer just about disabling XML-RPC or installing a firewall plugin.
Attackers increasingly target the REST API (wp-json) and misconfigured endpoints to gather data, enumerate users, and exploit vulnerabilities.

This guide breaks down:

  • How /wp-json expands your attack surface
  • Common exploitable endpoints
  • How attackers discover hidden login URLs
  • Practical hardening techniques with real code

Understanding wp-json and the REST API Attack Surface

The WordPress REST API is accessible via:

/wp-json/

The same API also answers on the query-string form /?rest_route=/ (and /index.php?rest_route=/), whatever the permalink settings: that is the fallback WordPress uses when pretty permalinks are off, and it keeps working when they are on. Any block that only looks at the /wp-json/ path misses it.

It exposes structured JSON data for posts, users, taxonomies, and more.
While useful, it also introduces security risks if not controlled.

Example: Enumerating Users

Shell
curl https://example.com/wp-json/wp/v2/users

Without authentication this returns every user who has published content (the public author list), and for each one:

  • id (the author ID)
  • name (the display name)
  • slug, which by default is derived from the login name

Attackers use this data for brute-force attacks: the slug is usually the exact username to try against wp-login.php or xmlrpc.php, which removes the guessing step.

High-Risk REST API Endpoints

1. User Enumeration

Endpoint:

/wp-json/wp/v2/users

Risk: Username discovery → brute force.

2. Posts & Metadata Leakage

Endpoint:

/wp-json/wp/v2/posts

Risk:

  • Draft, pending or private content exposure when a plugin or theme loosens the query (by default anonymous callers only receive published posts)
  • Custom fields leakage: post meta registered with show_in_rest => true is returned to every caller who can read the post

3. Plugin Custom Endpoints

Many plugins register endpoints like:

/wp-json/plugin/v1/data

Risk:

  • Missing authentication checks
  • Improper permission callbacks

Example of Vulnerable Endpoint

PHP
\add_action( 'rest_api_init', function () {
    \register_rest_route( 'myplugin/v1', '/data', [
        'methods'  => 'GET',
        'callback' => 'my_callback',   // no permission_callback: anyone can call it
    ] );
} );

Problem: No permission check. Since WordPress 5.5 a route registered without permission_callback triggers a _doing_it_wrong notice, but it is still registered and treated as public; the notice is the only thing that changes.

Secure Version

PHP
\add_action( 'rest_api_init', function () {
    \register_rest_route( 'myplugin/v1', '/data', [
        'methods'             => 'GET',
        'callback'            => 'my_callback',
        // WordPress calls this before the callback and returns 401/403 on false.
        'permission_callback' => function () {
            return \current_user_can( 'manage_options' );
        },
    ] );
} );

How Attackers Exploit wp-json

  • Automated scanning for endpoints
  • Fuzzing parameters
  • Abusing weak permission callbacks
  • Chaining with plugin vulnerabilities
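The last two bullets usually meet in one route: a permission callback that only asks "is someone logged in?" and a parameter nobody declared. The following is an added example, not code from the article or from any real plugin; the namespace myplugin/v1, the option name myplugin_webhook_url and the route name are made up, the WordPress APIs (register_rest_route, args schema, wp_http_validate_url) are real.

```php
<?php
/**
 * Added example (not from the article): a settings route the way it is often
 * written, next to the hardened version. Names are illustrative.
 * Save as wp-content/mu-plugins/myplugin-settings-route.php.
 */

/**
 * WEAK, kept for comparison and deliberately never registered below.
 * "Logged in" is authentication, not authorization: a subscriber account, or a
 * leaked application password for one, can point the webhook anywhere. Nothing
 * declares or validates 'value', so fuzzing the parameter reaches update_option()
 * with arbitrary content.
 */
function myplugin_weak_settings_route() : array {
    return [
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'myplugin_webhook_url', $request['value'] );
            return [ 'updated' => true ];
        },
        'permission_callback' => 'is_user_logged_in',
    ];
}

/**
 * HARDENED: authorize the specific action, declare the argument, validate it
 * before the callback runs, and sanitize what gets stored.
 */
function myplugin_hardened_settings_route() : array {
    return [
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            // get_param() returns the value after sanitize_callback has run.
            update_option( 'myplugin_webhook_url', $request->get_param( 'value' ) );
            return new WP_REST_Response( [ 'updated' => true ], 200 );
        },
        'permission_callback' => function () {
            // Changing a site-wide setting needs manage_options, not just a session.
            return current_user_can( 'manage_options' );
        },
        'args'                => [
            'value' => [
                'required'          => true,
                'type'              => 'string',   // documented in OPTIONS responses
                'format'            => 'uri',
                // Runs first; rejects non-URLs and, by default, private/loopback
                // hosts, so the webhook cannot be pointed at internal services.
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && false !== wp_http_validate_url( $value );
                },
                // Runs after validation, before the callback sees the value.
                'sanitize_callback' => 'esc_url_raw',
            ],
        ],
    ];
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/settings', myplugin_hardened_settings_route() );
} );
```

Test it logged in as a subscriber (with a valid X-WP-Nonce or an application password): the hardened route answers 403, the weak one would have written the option. A request with value=http://127.0.0.1/ is refused with rest_invalid_param before the callback runs.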

Restricting REST API Access

Disable for Non-Authenticated Users

This filter runs for every REST request before dispatch. A verdict reached by an earlier handler (a bad nonce, a failed application-password login) must be passed through unchanged, and an anonymous caller should get 401, not 403, so clients know that authenticating would help:

PHP
\add_filter( 'rest_authentication_errors', function( $result ) {
    // An earlier authentication handler already decided; keep its verdict.
    if ( true === $result || \is_wp_error( $result ) ) {
        return $result;
    }
    if ( ! \is_user_logged_in() ) {
        return new \WP_Error( 'rest_not_logged_in', 'You must be logged in to use the REST API.', [ 'status' => 401 ] );
    }
    return $result;
});

This also cuts off every anonymous front-end feature that talks to the API (forms posting to a plugin namespace, oEmbed discovery at /wp-json/oembed/1.0/embed), so test the site logged out before deploying it.

Disable User Enumeration Only

Removing the routes for everyone also breaks the block editor, which lists authors through them, so drop them only for anonymous requests and include the single-user route as well:

PHP
\add_filter( 'rest_endpoints', function( $endpoints ) {
    // Authenticated users (the editor among them) keep the routes.
    if ( \is_user_logged_in() ) {
        return $endpoints;
    }
    // Anonymous callers lose both the list and the single-user route.
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
});

Server-Level Protection (Nginx)

Blocking the path alone is not enough, because the same route is reachable through the rest_route query variable, so the query string has to be checked too ($args is the raw, undecoded query string, hence the %2F alternatives):

NGINX
location ~* ^/wp-json/wp/v2/users {
    return 403;
}

# Catches /?rest_route=/wp/v2/users and /index.php?rest_route=%2Fwp%2Fv2%2Fusers
if ($args ~* "rest_route=(/|%2F)wp(/|%2F)v2(/|%2F)users") {
    return 403;
}

Finding Hidden Login URLs (Attacker Techniques)

Changing wp-login.php does not make it invisible.
Attackers use multiple techniques:

1. Direct Access Testing

Shell
curl https://example.com/wp-login.php
curl https://example.com/wp-admin/

2. Redirect Analysis

Anonymous requests to /wp-admin/ are redirected to the login page, and a plugin that relocates the login usually rewrites that redirect too:

Shell
curl -I https://example.com/wp-admin/

The Location header in the response then names the new path.

3. REST API Clues

The API index lists every registered namespace. That usually identifies the plugin that relocated the login, whose default path can then be looked up, and some plugins register login-related routes of their own:

Shell
curl https://example.com/wp-json/

4. JavaScript & HTML Leaks

Login URLs may appear in:

  • AJAX calls
  • Inline scripts
  • Forms

5. Brute Force Wordlists

Attackers try common paths:

Text
/login/
/admin-login/
/secure-login/
/dashboard/

Properly Hiding Login Endpoints

Block Default Login Access and Rewrite a Custom Path

These two pieces only work when written together. A plain location = /wp-login.php { deny all; } also catches the internal rewrite from the custom path, because rewrite ... last restarts location matching with the new URI, so the secret URL would return 403 as well. Checking $request_uri inside the PHP handler avoids that: it still holds the path the client originally asked for.

NGINX
location = /my-secret-login {
    rewrite ^ /wp-login.php last;
}

location ~ \.php$ {
    # Only the internal rewrite above may reach wp-login.php; a client that
    # requests it directly gets a 404 before PHP runs.
    if ($request_uri ~* "^/wp-login\.php") {
        return 404;
    }
    # ... your existing fastcgi_param / fastcgi_pass directives ...
}

Nginx alone does not give you a usable login: WordPress still prints wp-login.php in the login form's action attribute, in logout and lost-password links, and in the redirect it sends anonymous visitors of /wp-admin/ to, and every one of those now ends in the 404. Those URLs must be rewritten on the PHP side (the site_url, network_site_url and wp_redirect filters) to point at the custom path.
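The PHP half, as an added example that is not part of the article: a must-use plugin that rewrites every login URL WordPress generates so it points at the custom path served by the Nginx rewrite. The slug my-secret-login is an assumption carried over from the Nginx block and must match it; the filter names are core WordPress.

```php
<?php
/**
 * Plugin Name: Relocate login URL
 *
 * Added example (not from the article). Keeps the login form action, logout,
 * registration and lost-password links, and the redirect from /wp-admin/ on the
 * custom path, so none of them hits the blocked /wp-login.php.
 * Save as wp-content/mu-plugins/relocate-login.php.
 */

// Assumed slug; must equal the Nginx "location = /my-secret-login".
const MYSITE_LOGIN_SLUG = 'my-secret-login';

/**
 * Replace "/wp-login.php" with the custom slug in one URL, keeping the query
 * string and fragment. The lookahead makes sure only the script itself matches.
 */
function mysite_relocate_login_url( $url ) {
    if ( ! is_string( $url ) ) {
        return $url;
    }
    return preg_replace( '~/wp-login\.php(?=[?#]|$)~', '/' . MYSITE_LOGIN_SLUG, $url );
}

// site_url() builds the form action, wp_login_url(), wp_logout_url() and
// wp_registration_url(); network_site_url() builds wp_lostpassword_url() on
// multisite (on a single site it falls back to site_url()).
add_filter( 'site_url',         'mysite_relocate_login_url' );
add_filter( 'network_site_url', 'mysite_relocate_login_url' );

// wp-login.php redirects to itself with relative paths (for example after a
// password-reset request) and auth_redirect() sends anonymous /wp-admin/
// visitors to the login page; both go through wp_redirect().
add_filter( 'wp_redirect',      'mysite_relocate_login_url' );
```

Check the result from outside: curl -I https://example.com/wp-login.php must return 404, curl -I https://example.com/my-secret-login must return 200, and the form in the latter must post to /my-secret-login. Plugins that hard-code the string "wp-login.php" in their own links are not covered; grep -r wp-login.php wp-content/plugins finds them.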

Limit Access by IP

An exact-match location wins over the generic location ~ \.php$ block, so it must hand the request to PHP itself. With only allow/deny directives inside it, Nginx would serve wp-login.php to the allowed address as a static file, that is, disclose the script's source.

NGINX
location = /wp-login.php {
    allow 123.123.123.123;   # office or VPN egress address
    deny  all;               # everyone else gets 403
    # ... your existing fastcgi_param / fastcgi_pass directives ...
}

Additional Hardening Techniques

  • Disable XML-RPC if not needed
  • Use rate limiting (fail2ban or Nginx)
  • Monitor wp-json requests in logs
  • Audit plugin endpoints regularly
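The last bullet, and the missing-permission_callback problem described under Plugin Custom Endpoints, can be checked mechanically on a running site. The following is an added example, not code from the article: a must-use plugin that adds a WP-CLI command listing every registered route callable without a permission check. The command name rest-audit and the severity labels are my choice; rest_get_server(), get_routes() and WP_CLI::add_command() are real APIs, and WP-CLI is assumed to be installed.

```php
<?php
/**
 * Plugin Name: REST route audit
 *
 * Added example (not from the article). Lists routes whose handlers have no
 * permission_callback at all, or the explicit __return_true, and rates them by
 * the HTTP methods they accept.
 * Save as wp-content/mu-plugins/rest-route-audit.php and run: wp rest-audit
 */

/**
 * Return one finding per public handler. rest_get_server() fires rest_api_init,
 * so every plugin route is registered before get_routes() normalises them
 * (after normalisation 'methods' is an array keyed by HTTP verb).
 */
function rest_route_audit() : array {
    $findings = [];

    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            $methods = array_keys( $handler['methods'] );

            if ( ! isset( $handler['permission_callback'] ) ) {
                // Registered without the argument: WordPress logs a notice and serves it anyway.
                $issue = 'MISSING permission_callback (route is public)';
            } elseif ( '__return_true' === $handler['permission_callback'] ) {
                $issue = 'explicitly public (__return_true)';
            } else {
                continue; // has a real check; its logic still needs a manual review
            }

            // A public read-only route may be intended; a public write route almost never is.
            $writes   = array_intersect( $methods, [ 'POST', 'PUT', 'PATCH', 'DELETE' ] );
            $severity = $writes ? 'HIGH' : 'INFO';

            $findings[] = [
                'severity' => $severity,
                'methods'  => implode( ',', $methods ),
                'route'    => $route,
                'issue'    => $issue,
            ];
        }
    }

    // HIGH sorts before INFO, so the actionable rows come first.
    usort( $findings, fn( $a, $b ) => strcmp( $a['severity'], $b['severity'] ) );
    return $findings;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'rest-audit', function () {
        foreach ( rest_route_audit() as $f ) {
            WP_CLI::log( sprintf( '%-4s %-20s %-50s %s', $f['severity'], $f['methods'], $f['route'], $f['issue'] ) );
        }
    } );
}
```

Core's own index routes (/, /wp/v2, /oembed/1.0/embed) are public by design and show up as INFO; what matters is every HIGH row and any namespace you did not expect to see. The check is structural: a callback that exists but tests the wrong thing (is_user_logged_in for an admin action, for instance) passes it and has to be read by hand.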

Logging Suspicious Activity

PHP
\add_filter( 'rest_pre_dispatch', function( $result, $server, $request ) {
    // Runs once per REST request with the parsed route (rest_api_init also fires
    // when the admin preloads the API). REMOTE_ADDR is the proxy's address behind a CDN.
    error_log( sprintf( 'REST %s %s ip=%s uid=%d', $request->get_method(), $request->get_route(),
        $_SERVER['REMOTE_ADDR'] ?? '-', \get_current_user_id() ) );
    return $result;
}, 10, 3 );

FAQ

Is wp-json dangerous by default?

Not inherently, but it exposes useful data that attackers can leverage.

Should I disable REST API completely?

Only if your site does not rely on it. Otherwise restrict access.

Does changing wp-login URL improve security?

It reduces noise but is not a complete security solution.

What is the biggest risk in REST API?

Improper permission callbacks in custom endpoints.

Can attackers always find my login URL?

Usually, unless access to wp-login.php is enforced at the server level. A renamed path that still leaks through redirects, generated links or the API index is found with the techniques above.

Final Thoughts

WordPress security today requires understanding how modern attack surfaces work.
The REST API is powerful, but without proper controls, it becomes a reconnaissance tool for attackers.

Focus on:

  • Restricting sensitive endpoints
  • Securing custom API routes
  • Hardening login access at the server level

Security is not about hiding — it’s about controlling access intelligently.
