Jethost’s Help Center


Disable “List Users” function in WordPress REST API

The WordPress REST API is useful for many features, but it also exposes user data by default. Anyone can make a request to /wp-json/wp/v2/users/ and retrieve your site’s public usernames. The JetHost Total Care setting Disable “List Users” function of the WordPress REST API blocks this endpoint and helps protect against user enumeration and targeted attacks.

Why You Might Want to Block the User List Endpoint

Usernames are valuable to attackers. The REST API allows anyone to list users without logging in, which makes it easier to identify valid accounts for brute-force attempts or phishing.

Disabling this feature helps you:

  • Hide your site’s usernames from unauthenticated requests
  • Prevent bots from collecting user data
  • Remove one more vector for login-related attacks

If your theme or plugins don’t rely on public user data, this is a safe and smart option to enable.

What the REST API User Endpoint Does

The endpoint /wp-json/wp/v2/users/ lists all users with a public profile. Even if you’re not using the REST API actively, this route is enabled by default and available to the public unless blocked.

For example:

Visiting https://example.com/wp-json/wp/v2/users/ might show a list of usernames, especially author and admin accounts.

How to Disable “List Users” with JetHost Total Care

To disable the REST API user list using JetHost Total Care:

1. Log in to your WordPress dashboard.
2. Open the JetHost Total Care section from the sidebar.
3. In the Security tab, find the setting labeled Disable “List Users” function of the WordPress REST API.
4. Toggle the switch to enable it.

JetHost Total Care saves and applies the block automatically.

What Changes After You Enable It

After turning this setting on, WordPress will stop responding to REST API user listing requests unless they come from an authenticated source with permission. Bots, tools, and curious visitors won’t be able to see your usernames via the API.

Your site’s normal features stay intact. This setting only disables unauthenticated access to the user list.
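
To confirm the setting from outside the dashboard, the following check is an added example (not JetHost Total Care code) that classifies what /wp-json/wp/v2/users/ returns to a request sent without cookies or credentials. The function names and sample responses are constructed for illustration, and the status code a blocked site returns is an assumption; the check only relies on whether a list of user objects comes back.

```python
"""Check whether a WordPress site still lists users to unauthenticated REST requests."""
import json
import sys
import urllib.error
import urllib.request

USERS_ROUTE = "/wp-json/wp/v2/users/"  # endpoint named in this article


def leaked_slugs(status, body):
    """Return the user slugs an unauthenticated response discloses (empty list = blocked)."""
    if status != 200:
        return []  # 401/403/404 and similar: the listing is not served
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return []  # not JSON, e.g. an HTML error page
    if not isinstance(data, list):
        return []  # a JSON error object, not a user collection
    return [u["slug"] for u in data
            if isinstance(u, dict) and isinstance(u.get("slug"), str)]


def fetch(base_url, timeout=10):
    """GET the users route with no cookies or credentials; return (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + USERS_ROUTE,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from a real site).
SAMPLE_OPEN = (200, '[{"id": 1, "name": "Site Admin", "slug": "admin"},'
                    ' {"id": 2, "name": "Jane", "slug": "jane"}]')
SAMPLE_BLOCKED = (401, '{"code": "rest_forbidden", "message": "Blocked.",'
                       ' "data": {"status": 401}}')
SAMPLE_EMPTY = (200, "[]")

if __name__ == "__main__":
    # With a URL argument, test your own site; without one, run on the sample.
    status, body = fetch(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OPEN
    slugs = leaked_slugs(status, body)
    if slugs:
        print(f"EXPOSED (HTTP {status}): {len(slugs)} username(s): {', '.join(slugs)}")
        sys.exit(1)
    print(f"OK (HTTP {status}): no usernames returned to an unauthenticated request")
```

Run it against your own site before and after enabling the setting; a non-zero exit code means usernames are still being listed, which makes the script usable as a recurring monitoring check.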

JetHost Experts Tip

This block pairs well with login protections and with disabling author scans. Together, they stop attackers from building a list of targets based on your WordPress usernames.

Need More Help?

The JetHost Total Care setting Disable “List Users” function of the WordPress REST API is a quiet but strong improvement to your WordPress privacy and login security. If you’re not using public user profiles, there’s no reason to leave this door open. Combined with other login security settings, it strengthens the first line of defense on your WordPress site. Take a look at more WordPress security guides to stay ahead of common issues.