REST API Guard

Lock down and rate-limit the WordPress REST API before bots abuse it.

REST API Guard restricts and rate-limits access to the WordPress REST API, disabling risky endpoints like user enumeration, requiring authentication, and blocking abusive automated requests, so attackers can't quietly scrape usernames or hammer your API across any of your sites.

In short

REST API Guard is a WP Tailwatch feature that restricts and rate-limits the WordPress REST API across all your connected sites. It disables risky endpoints such as user enumeration via /wp/v2/users, requires authentication for sensitive routes, and blocks abusive automated requests, closing data-leak and abuse gaps without breaking the API your site actually needs.

/wp/v2/users enumerationusername scrape attempt · blocked
Blocked
Sensitive route lockedauth required · 401 returned
Protected
Editor & plugin routeslegitimate API traffic · allowed
Allowed
Rate limit triggered120 req/min from one IP · throttled
Throttled
What it does

Close the REST API gaps attackers love.Lock down endpoints without breaking your site.

The REST API ships enabled and wide open by default, perfect for bots that enumerate usernames and probe endpoints. REST API Guard tightens it down so only the traffic you allow gets through.

  • Restricts and rate-limits access to the WordPress REST API
  • Disables risky endpoints like user enumeration via /wp/v2/users
  • Requires authentication for sensitive REST API routes
  • Applies one API policy across every connected site
How it works

From wide-open API to locked down.Restrict, rate-limit, and require authentication.

WP Tailwatch closes risky endpoints, throttles automated requests, and requires authentication, so your REST API stops leaking data to bots.

1

Set your policy

Choose which REST API endpoints to disable, which to require authentication for, and what request rate to allow, including switching off user enumeration via /wp/v2/users.

2

Filter every request

REST API Guard inspects incoming API requests against your policy, letting legitimate editor and plugin calls through while blocking enumeration, abuse, and unauthenticated access to sensitive routes.

3

Apply, watch, get alerted

Push the same policy to every connected site, watch blocked abuse in one dashboard, and get a push alert when abusive REST API traffic is detected and stopped.

Why it matters

Why REST API hardening matters.An open API quietly leaks users and content.

The WordPress REST API is enabled by default and exposes a set of endpoints that power the block editor, themes, and plugins. Some of those endpoints, most notably /wp/v2/users, can leak data such as usernames if left open, giving attackers a tidy list of accounts to target with brute-force attempts. Source: WordPress REST API Handbook. Because the API is on out of the box, most site owners never realize how much it exposes.

REST API Guard turns that open surface into a controlled one. You disable the risky endpoints, require authentication where it matters, and rate-limit the rest, without breaking the API calls your site genuinely depends on. That is the WP Tailwatch difference: hardening built in, instead of one more plugin to bolt on.

Last updated: July 2026

Plan availability

Free hardening, more power on paid.Secure one site, then every site you run.

Start locking down the REST API for free, upgrade for rate-limiting, alerts, and scale.

Basic, Free

REST API hardening for 1 site. Disable user enumeration and require authentication on sensitive endpoints yourself.

Business, Rate-limited

Full REST API Guard with rate-limiting and abuse push alerts for 1-20 sites. Throttle bots before they enumerate or overload.

Agency, At scale

Apply one REST API policy across 21-1,000 sites with tiered volume pricing and one dashboard for everything.

Works together with

Part of your mobile-first stack.One platform in place of separate plugins.

REST API Guard pairs with the rest of WP Tailwatch to replace 50+ separate plugins.

FAQ

REST API Guard questions.Answers on endpoints, limits, and compatibility.

Common questions about restricting and rate-limiting the WordPress REST API with WP Tailwatch.

REST API Guard restricts and rate-limits access to the WordPress REST API. It can disable risky endpoints such as user enumeration via /wp/v2/users, require authentication for sensitive routes, and block abusive automated requests, applied consistently across all your connected sites.

The REST API is enabled by default and exposes endpoints that, if left open, can leak data such as usernames. The /wp/v2/users endpoint, for example, can be used to enumerate accounts that attackers then target with brute-force attempts. REST API Guard lets you close those gaps without breaking the parts of the API your site needs.

No. REST API Guard restricts access selectively. You can require authentication for sensitive endpoints and disable enumeration while leaving the routes your themes, plugins, and the block editor depend on working normally, so legitimate functionality is preserved.

Rate-limiting caps how many REST API requests a single client can make in a given window. That blunts automated scraping and abuse, bots hammering endpoints get throttled or blocked before they can enumerate users or overload your server.

Yes. WP Tailwatch is multi-site by design, so you set your REST API Guard policy once and apply it across every connected WordPress site from a single dashboard and the mobile app, no configuring each site by hand.

On paid plans, WP Tailwatch can send a push alert to your phone when abusive REST API traffic is detected and blocked, so you know when something is probing your sites instead of finding out after the fact.

Yes. Core REST API hardening, including disabling user enumeration and requiring authentication, is available on the free Basic plan for one site. Paid Business and Agency plans add rate-limiting, abuse push alerts, and policy across many sites from one place.

Yes. REST API Guard is one of the tools that lets WP Tailwatch replace 50+ separate plugins. Instead of installing a standalone API-hardening plugin on every site, REST API protection is built into the same platform that handles your security, backups, and monitoring.

Stop leaving your REST API wide open.

Disable risky endpoints, require authentication, and rate-limit abusive bots, across every site from one dashboard. Start free today.

  • Free forever plan
  • No credit card
  • 14-day money-back on paid plans