Is my WordPress site handing out sensitive information/misconfigured?

The /?rest_route URL is the non-prettified version of /wp-json, which is the URI the WordPress REST API uses.

The REST API should not be disabled since the Admin UI relies upon it. Having said that, you can require the REST API only service authenticated users. To require authentication, add the following rest_authentication_errors filter:

add_filter( 'rest_authentication_errors', function( $result ) {
    // If a previous authentication check was applied,
    // pass that result along without modification.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // No authentication has been performed yet.
    // Return an error if user is not logged in.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )
        );
    }

    // Our custom authentication check should have no effect
    // on logged-in requests
    return $result;
});

I added it to my /wp-includes/rest-api.php file as part of the rest_api_default_filters() function definition. Clearly, this will be overwritten as soon as a new version of WordPress is release, so this is only a temporary measure. When I visit my site via the REST API url above, without being authenticated, I see the following:

enter image description here

Related Posts:

  1. How to force JWT auth for default GET endpoints of WordPress rest api?
  2. Is it Ok to restrict Access-Control-Allow-Origin for /wp-json requests?
  3. wp_nonce vs jwt
  4. Securing REST API wp-json/wp/v2/users endpoint
  5. Does something like is_rest() exist
  6. REST API purpose?
  7. Get post count in wp rest API v2 and get all categories
  8. WP REST API — How to change HTTP Response status code?
  9. Search WP API using the post title
  10. Displaying a page built with Elementor using the REST API [closed]
  11. Understanding SHORTINIT with WordPress 5
  12. Does pre_get_posts affect REST API responses?
  13. wordpress wp-json prefix issue
  14. Get blog title with REST v2
  15. Is it possible to nest the JSON result of WordPress REST API?
  16. Filter post_content before loading in Gutenberg editor
  17. Create post using rest api with html content
  18. Trying to get an api request getting error 404
  19. rest_post_query on multiple post types?
  20. Wp Rest Api Custom Endpoint for page subpages
  21. How should an old API version be deprecated gracefully?
  22. WP REST API returns incorrect data?
  23. WP 5.5 Fatal Error – get_rest_controller() in rest-api.php
  24. REST API GET users
  25. wp_get_object_terms() returns invalid taxonomy inside rest_api_init hook
  26. Is it posible to use wp.data.select(‘core’) outside a block?
  27. Can you Use the Rest API to query a custom database table
  28. Is there anyway to format my EndPoint URL in WordPress?
  29. Return WP_Error as WP_REST_Response
  30. Authenticating with REST API
  31. Make authorization mandatory on custom routes
  32. Custom Rest API POST endpoint with conditionally required parameters
  33. What is the meta field in the response of the user REST API?
  34. Is there any way to clear cache when making REST API request?
  35. how to avoid timeouts with remote API requests?
  36. Custom API endpoint to create gallery for post
  37. Register REST route with a multi-value parameter
  38. How do I add meta when creating a post with rest api?
  39. rest_api_init is run on every rest call to endpoint
  40. WordPress + REST API v2 and private pages Load by slug
  41. Change permissions on REST api?
  42. WP-REST create user with custom meta
  43. receive a custom parameter with rest api
  44. PHP: authenticate for a REST request?
  45. Validate rest-api call on create
  46. Authenticate current user to REST API
  47. rest api endpoint – accept diacritic characters
  48. Core function to check if a rest namespace exists
  49. WordPress REST API rest_comment_invalid_author Sorry, you are not allowed to edit ‘author’ for comments
  50. How to delete user using rest api without reassigning
  51. Accessing private posts through REST API, same code that works in remote doesn’t in local
  52. Rest API: trouble receiving response through script (browser and Postman display correctly)
  53. Advanced Access Manager: RESTful endpoint to refresh token
  54. `WP_REST_Controller::get_endpoint_args_for_item_schema` Does Not Set `required` Property from Schema
  55. Extending REST API responses
  56. How would I know if my system using REST api or not?
  57. Error message: Response is not a valid JSON response
  58. How to use query parameters, as “_fields”, to filter data inside an array in the REST API?
  59. WordPress server banning IP
  60. How to display relations via wordpress Rest API
  61. How to add Relations of a CCT from JetEngine via WordPress Rest API
  62. WP Rest_API- Post request for images returns empty
  63. DELETE request using WP REST API
  64. Fetching WordPress Private Posts, Public Posts Via Default REST API Endpoint
  65. Pass multiple tags slug to rest API
  66. Return a WP_REST_Response from an inner function (and not from the root callback)
  67. register_rest_route with method POST but in wp-json/ is showing GET
  68. Rest Api fetching only one random post
  69. Accessing Custom REST endpoint with rest_do_request()
  70. How to add taxonomy to a post using WP REST API?
  71. Got Blank issue for get data from /wp-json/v2/post
  72. How do i POST to WordPress rest API from the same domain?
  73. WP CLI in WP 5.3 with PHP 7.4
  74. Get wordpress post with featured image, category and tag from WordPress API
  75. WP API file_get_contents return TTP request failed! HTTP/1.1 401 Unauthorized
  76. Extract XML/JSON element from Zillow API response and populate into Gravity Forms field
  77. REST API and Loopback error
  78. Rest API: Register and Login errors aren’t specific
  79. How can I secure my custom rest api endpoint or add under a already existing rest group
  80. WordPress single page website redirect to index.html
  81. How to get the most recently updated orders via the REST API?
  82. Fetching all users that didn’t post with rest api (current version 2)
  83. Calling a python script from custom wordpress rest api returns null
  84. WordPress RESTAPI – Restrict unknown
  85. WordPress Rest API Error 502
  86. Custom rest API route not passing data along
  87. Fix Characters WordPress Ionic App
  88. How to filter wp-json/wp/v2/users response on custom metas?
  89. Can we use website data which is having wp rest api plugin?
  90. WP Rest API V2 OR Operator in URL
  91. how can I add an URL parameter to a rest route using register_rest_route()?
  92. Fatal error: Call to undefined function register_rest_route()
  93. Is it possible to bulk update a table using WP Rest API?
  94. Call to undefined function upload_is_user_over_quota()
  95. Delete row from table using custom endpoint via API
  96. How can I set the default ‘orderby’ and ‘order’ parameters for a REST API call?
  97. get the current logged in user using WooCommerce API in React App [closed]
  98. What filtering is available for backbone.js?
  99. Woocommerce API for calling products by Category ID
  100. wordpress rest api authentication failed