WP REST API Block JSON Requests to the users & comments Routes

[AITpro Admin]

If you would like to block the WP REST API JSON Requests to the /users and /comments Routes do the steps below to add this htaccess code to BPS Custom Code.  Blocking the WP REST API JSON Requests to the /users and /comments Routes prevents your author name/username and User ID from being publicly displayed (see the Examples below).  Logically if you have a very secure password then it does not matter if your username is displayed publicly.

Note:  BPS Pro JTC Anti-Spam|Anti-Hacker blocks 100% of automated Brute Force Attacks.  So even if your username is publicly displayed/known and used by a bot, the bot/attack will still be blocked.

1. Copy the code below to this BPS Root Custom Code text box:  CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
2. Click the Save Root Custom Code button.
3. Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.

# WP REST API BLOCK JSON REQUESTS TO USERS & COMMENTS ROUTES
# Block/Forbid Requests to: /wp-json/wp/v2/users and wp-json/wp/v2/comments
# WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/v2/(users|comments) [NC]
RewriteRule ^(.*)$ - [F]

Example:  The WP REST API /users Route exposes the author/username and User ID pubicly.  See example JSON Response below.
http://www.example.com/wp-json/wp/v2/users

[{"id":1,"name":"Gumby","url":"","description":"","link":"http:\/\/demo2.local\/author\/gumby\/","slug":"gumby","avatar_urls":{"24":"http:\/\/1.gravatar.com\/avatar\/191d483b8bc404be9b10fa87b18922cd?s=24&d=mm&r=g","48":"http:\/\/1.gravatar.com\/avatar\/191d483b8bc404be9b10fa87b18922cd?s=48&d=mm&r=g","96":"http:\/\/1.gravatar.com\/avatar\/191d483b8bc404be9b10fa87b18922cd?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/users"}]}}]

Example: The WP REST API /comments Route exposes the author/username and User ID publicly.  See example JSON Response below.
http://www.example.com/wp-json/wp/v2/comments

[{"id":2,"post":27,"parent":0,"author":1,"author_name":"Gumby","author_url":"","date":"2016-12-26T14:41:17","date_gmt":"2016-12-26T22:41:17","content":{"rendered":"<p>testing<\/p>\n"},"link":"http:\/\/demo2.local\/idle-session-logout-test\/#comment-2","status":"approved","type":"comment","_links":{"self":[{"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/comments\/2"}],"collection":[{"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/comments"}],"author":[{"embeddable":true,"href":"http:\/\/demo2.local\/wp-json\/wp\/v2\/users\/1"}]

Other WP REST API Routes (URI’s)
Note: None of these other WP REST API Routes expose the author/username or User ID publicly, but if you want to block these other WP REST API Routes you would add each Route name that you want to block to the WP REST API BLOCK JSON REQUESTS TO USERS & COMMENTS ROUTES htaccess code.  See the WP REST API BLOCK JSON REQUESTS TO ALL ROUTES example htaccess code below.

http://www.example.com/wp-json/wp/v2/posts
http://www.example.com/wp-json/wp/v2/pages
http://www.example.com/wp-json/wp/v2/media
http://www.example.com/wp-json/wp/v2/types
http://www.example.com/wp-json/wp/v2/statuses
http://www.example.com/wp-json/wp/v2/taxonomies
http://www.example.com/wp-json/wp/v2/categories
http://www.example.com/wp-json/wp/v2/tags
http://www.example.com/wp-json/wp/v2/settings

# WP REST API BLOCK JSON REQUESTS TO ALL ROUTES
# Block/Forbid Requests to all WP REST API Routes: users, comments, posts, etc.
# WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/v2/(users|comments|posts|pages|media|types|statuses|taxonomies|categories|tags|settings) [NC]
RewriteRule ^(.*)$ - [F]

[Jose]

Hi,

In case of existing Speed Boost Cache Code, should this code be written before or after it?
And, if the comments to my website are totally disabled, would this line below be all right?

RewriteCond %{REQUEST_URI} ^.*wp-json/wp/v2/(users) [NC]

Thanks in advance.

[AITpro Admin]

You should probably add the code before your Speed Boost Cache code, but I don’t think the order of the code really matters for this particular code.  If you have comments disabled and no old comments exist anywhere then yep you use the code you posted.  If you want to check your site use this URI: http://www.example.com/wp-json/wp/v2/comments to see anything is displayed publicly.

[Jose]

It only shows: [ ] so I will try this other line.

[AITpro Admin]

That’s fine.  If you are only seeing [] in the JSON Response then that means there is not any comments data that will be displayed publicly.

[Jose]

Hi,

<IfModule mod_headers.c>
# Using DENY will block all iFrames including iFrames on your own website
# Header set X-Frame-Options DENY
# Recommended: SAMEORIGIN - iFrames from the same site are allowed - other sites are blocked
# Block other sites from displaying your website in iFrames
# Protects against Clickjacking
Header always append X-Frame-Options SAMEORIGIN
# Protects against Drive-by Download attacks
# Protects against MIME/Content/Data sniffing
Header set X-Content-Type-Options nosniff
</IfModule>

Should the above code be attached between these two other codes?

# WP REST API BLOCK JSON REQUESTS TO USERS & COMMENTS ROUTES
# Block/Forbid Requests to: /wp-json/wp/v2/users
# WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/v2/(users) [NC]
RewriteRule ^(.*)$ - [F]

# BEGIN WEBSITE SPEED BOOST
# Time cheat sheet in seconds
# A86400 = 1 day
# A172800 = 2 days.....

Thanks in advance.

[AITpro Admin]

@ Jose – You should probably add the code before your Speed Boost Cache code, but I don’t think the order of the code really matters for this particular code.

[Jose]

OK, thank you. I added it and it worked perfectly.

[Author]

Posts