Is my WordPress site handing out sensitive information/misconfigured?

The /?rest_route URL is the non-prettified version of /wp-json, which is the URI the WordPress REST API uses. The REST API should not be disabled since the Admin UI relies upon it. Having said that, you can require the REST API only service authenticated users. To require authentication, add the following rest_authentication_errors filter: add_filter( ‘rest_authentication_errors’, … Read more

WP_REST_Request::get_json_params() Parsing null as Zero

This is related to how you declare the parameter types for the endpoint. If you use integer then the parameters will be converted to integers, so in cases where a null value is being used you will get 0. The solution is to add support for both integer and null e.g. ‘type’ => [‘integer’, ‘null’],