Is it a good idea to restrict the REST API

You can use the rest_dispatch_request filter to catch the /wp/v2/users routes before they deliver their data to the user.


add_filter( 'rest_dispatch_request', 'wpse425815_authenticate_user_route', 10, 4 );
/**
 * Forces authentication on the wp/v2/user route(s).
 *
 * @param  mixed      $result  The current result.
 * @param  WP_Request $request The REST request.
 * @param  string     $route   The requested route.
 * @param  array      $handler The REST handler.
 * @return mixed|WP_Error      Error if unpermitted; otherwise return $result.
 */
function wpse425815_authenticate_user_route( $result, $request, $route, $handler ) {
    if (
        false !== strpos( $route, '/wp/v2/users' ) &&
        ! current_user_can( 'edit_others_posts' )
    ) {
        return new \WP_Error(
            'rest_auth_required',
            'Authentication required',
            array( 'status' => 401 )
        );
    }
    return $result;
}

I’ve tried this code on a local installation, and it seems to do what you’re asking (ie, only allow authenticated users at Editor and above to view the /wp/v2/users REST data) disables direct, unauthenticated access to the /wp/v2/users route (eg https://example.com/wp-json/wp/v2/users` will return a 401) and disables use by the backend of user data for users below Editor level (eg, this disables specifying the author of a post in the Block Editor).

Test it before you use it in production.

References

This answer builds on the code snippet provided here: https://rinat.dev/blog/2020/03/04/how-to-lock-down-wordpress-rest-api-endpoints-or-completely-disable-them/#rest-dispatch-request .

Related Posts:

  1. Custom API plugin to execute 3rd party API to retrieve data
  2. Block Root REST API Route using custom &/or iThemes
  3. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  4. I found this in a plugin. What does it do? is it dangerous?
  5. Disabled plugins are they security holes – rumor or reality?
  6. What could a hacker do with my wp-config.php
  7. To Disable WordPress Rest API or Not To Disable?
  8. Filter out results from REST API
  9. How to authenticate custom API endpoint in WooCommerce [closed]
  10. Should we use plugins that aren’t available from the official WordPress site?
  11. Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
  12. WordPress pods io – Rest API for fetching fields information for custom post type
  13. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  14. Disabled plugins are security holes – rumor or reality?
  15. Multisite functions to communicate with individual site functions
  16. Should I use RIPS tool to test my themes and plugins?
  17. Prevent Brute Force Attack
  18. Upgrading WordPress 4.0 asks for FTP password
  19. How Restrict access to admin dashboard by specific static ip?
  20. When is it useful to use wp_verify_nonce
  21. Accessing plugin functionality within WP REST API
  22. Protecting against malicious code in WordPress plugin updates
  23. Keep user’s privileges on accessing contents in JSON response
  24. How to limit WordPress pages during updates?
  25. rms_unique_wp_mu_pl_fl_nm.php
  26. Weird problems after recovery from security breach
  27. How to retrieve custom meta term of category taxonomy from WP Rest API?
  28. How can we deal with unmaintained plugins with vulnerabilities?
  29. Security issues with WP sites
  30. Escape when echoed
  31. Remove caching from wp_remote_get calls from custom plugin
  32. Preventing BFA in WordPress without using a plugin
  33. How can I make uploaded images in the editor load with HTTPS?
  34. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  35. How can I capture Memberpress user info after signup [closed]
  36. Custom REST API endpoint returns rest_no_route when called via wp-json permalink
  37. WordPress filter that hook after each action/filter hook
  38. The safest way to automate WordPress backups
  39. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  40. How to save generated JWT token to cookies on login?
  41. Nonce failing on form submission
  42. How to modify WCMP Rest API response?
  43. Access WordPress data from external PHP application.
  44. Limit post creation by role
  45. Why can’t I access my Intranet LDAPS with NADI?
  46. how to do login using woocommerce rest api From android
  47. Stop Plugin Enumeration [closed]
  48. Hack-Proof OR Security in WordPress — is it real?
  49. Security and Must Use Plugins
  50. Is Timthumb still broken? What security measures should be taken?
  51. Is it safe to use admin-ajax.php in the frontend?
  52. Specific way to allow WordPress users to view their current password? And edit it?
  53. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  54. How to prevent plugins from sniffing/stealing other plugins’ options?
  55. How do I make reusable content blocks for header and footer when using WordPress headless with another front-end?
  56. How to deal with Slow HTTP POST (slowloris) vulnerability
  57. Running multiple security plugins
  58. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  59. WP Insert Post If user refreshes override new post
  60. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  61. WordPress search shows protected content
  62. Change Dashboard URL from wp-admin to wp-admin/index.php
  63. WordPress Media Library Folders + Custom Linux Server Hosting
  64. Security of a WordPress Plugin
  65. Can I disable xml-rpc by setting it to false?
  66. Help to Create a Simple Plugin to make a post
  67. How to send SMS notification to customer after click on submit?
  68. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  69. Escape commas in REST API
  70. Adding Custom Endpoint in WordPress Rest API
  71. One WooCommerce Store to multi distributor sites
  72. prevent anonymous access to WordPress site (non-admin site)
  73. Custom REST API POST Endpoint Not Working, 404 Error
  74. is it possible to fetch data from a remote api while admin is writing a new post?
  75. add tags to wordpress post using REST API
  76. “Fire Secure” menu item
  77. Modifying server’s response to API endpoint
  78. Can’t access 3rd party API, code works on local server but not on wordpress
  79. How can I add a permissions callback to the REST API index pages?
  80. https rewrite not working for All in one security Brute force > rename login url
  81. wp rest api (v2) filter not working (404 error – rest_no_route)
  82. WordPress PHP error getting posts from another wordpress blog
  83. custom REST endpoint not passing body of POST request to callback
  84. Upload image to wordpress using ionic/cordova with WP REST API V2
  85. Redux framework somehow added to my site, can’t locate in plugins
  86. How can i see/log all requests coming from a registration form (not from the UI)?
  87. Validating values using Settings API?
  88. using .htaccess only for wordpress security no plugins
  89. How I can hide my wp folders from Inspect Element (Developer Tools)
  90. How to Find WordPress site has backdoor login Codes
  91. How to delete Password Protected posts cookies when a user logged out from the site
  92. Filter custom post type returned from REST api
  93. My wp_update_nav_menu action is firing twice
  94. WordPress REST API Visual Composer Shortcodes
  95. How to rename files during upload to a random string?
  96. Update post meta Rest Api
  97. WordPress REST API filter on blank custom ACF
  98. WooCommerce REST API aborts connection [closed]
  99. How to update a lot of posts on my WP site with additional content?
  100. Stop the user if login from the cookies