Basic, Free
REST API hardening for 1 site. Disable user enumeration and require authentication on sensitive endpoints yourself.
REST API Guard restricts and rate-limits access to the WordPress REST API, disabling risky endpoints like user enumeration, requiring authentication, and blocking abusive automated requests, so attackers can't quietly scrape usernames or hammer your API across any of your sites.
REST API Guard is a WP Tailwatch feature that restricts and rate-limits the WordPress REST API across all your connected sites. It disables risky endpoints such as user enumeration via /wp/v2/users, requires authentication for sensitive routes, and blocks abusive automated requests, closing data-leak and abuse gaps without breaking the API your site actually needs.
The REST API ships enabled and wide open by default, perfect for bots that enumerate usernames and probe endpoints. REST API Guard tightens it down so only the traffic you allow gets through.
WP Tailwatch closes risky endpoints, throttles automated requests, and requires authentication, so your REST API stops leaking data to bots.
Choose which REST API endpoints to disable, which to require authentication for, and what request rate to allow, including switching off user enumeration via /wp/v2/users.
REST API Guard inspects incoming API requests against your policy, letting legitimate editor and plugin calls through while blocking enumeration, abuse, and unauthenticated access to sensitive routes.
Push the same policy to every connected site, watch blocked abuse in one dashboard, and get a push alert when abusive REST API traffic is detected and stopped.
The WordPress REST API is enabled by default and exposes a set of endpoints that power the block editor, themes, and plugins. Some of those endpoints, most notably /wp/v2/users, can leak data such as usernames if left open, giving attackers a tidy list of accounts to target with brute-force attempts. Source: WordPress REST API Handbook. Because the API is on out of the box, most site owners never realize how much it exposes.
REST API Guard turns that open surface into a controlled one. You disable the risky endpoints, require authentication where it matters, and rate-limit the rest, without breaking the API calls your site genuinely depends on. That is the WP Tailwatch difference: hardening built in, instead of one more plugin to bolt on.
Start locking down the REST API for free, upgrade for rate-limiting, alerts, and scale.
REST API hardening for 1 site. Disable user enumeration and require authentication on sensitive endpoints yourself.
Full REST API Guard with rate-limiting and abuse push alerts for 1-20 sites. Throttle bots before they enumerate or overload.
Apply one REST API policy across 21-1,000 sites with tiered volume pricing and one dashboard for everything.
REST API Guard pairs with the rest of WP Tailwatch to replace 50+ separate plugins.
Common questions about restricting and rate-limiting the WordPress REST API with WP Tailwatch.
REST API Guard restricts and rate-limits access to the WordPress REST API. It can disable risky endpoints such as user enumeration via /wp/v2/users, require authentication for sensitive routes, and block abusive automated requests, applied consistently across all your connected sites.
The REST API is enabled by default and exposes endpoints that, if left open, can leak data such as usernames. The /wp/v2/users endpoint, for example, can be used to enumerate accounts that attackers then target with brute-force attempts. REST API Guard lets you close those gaps without breaking the parts of the API your site needs.
No. REST API Guard restricts access selectively. You can require authentication for sensitive endpoints and disable enumeration while leaving the routes your themes, plugins, and the block editor depend on working normally, so legitimate functionality is preserved.
Rate-limiting caps how many REST API requests a single client can make in a given window. That blunts automated scraping and abuse, bots hammering endpoints get throttled or blocked before they can enumerate users or overload your server.
Yes. WP Tailwatch is multi-site by design, so you set your REST API Guard policy once and apply it across every connected WordPress site from a single dashboard and the mobile app, no configuring each site by hand.
On paid plans, WP Tailwatch can send a push alert to your phone when abusive REST API traffic is detected and blocked, so you know when something is probing your sites instead of finding out after the fact.
Yes. Core REST API hardening, including disabling user enumeration and requiring authentication, is available on the free Basic plan for one site. Paid Business and Agency plans add rate-limiting, abuse push alerts, and policy across many sites from one place.
Yes. REST API Guard is one of the tools that lets WP Tailwatch replace 50+ separate plugins. Instead of installing a standalone API-hardening plugin on every site, REST API protection is built into the same platform that handles your security, backups, and monitoring.
Disable risky endpoints, require authentication, and rate-limit abusive bots, across every site from one dashboard. Start free today.