WordPress 4.7.1 REST API still exposing users

I have upgraded my WordPress to 4.7.1, and after that I’ve tried to enumerate users through REST API, which should be fixed, but I was able to retrieve users.



[{"id":1,"name":"admin","url":"","description":"","link":"https:\/\/mywebsite\/author\/admin\/","slug":"admin","avatar_urls":{"24": ...

Changelog from latest version:

The REST API exposed user data for all users who had authored a post
of a public post type. WordPress 4.7.1 limits this to only post types
which have specified that they should be shown within the REST API.
Reported by Krogsgard and Chris Jean.

After installing plugin Disable REST API, it seems that everything is working fine, but I don’t like to use for every little thing plugin.

The output after using plugin is:

{"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}

How can I fix this issue without using plugin, or why even after upgrading this stil exist?

EDIT 30.9.2017

I realized that there is a conflict between contact 7 plugin and Disable REST API and that will give you 401 unauthorized error.

When you try to send a message through contact 7 form, it will make a request


and disabling that is not a good idea.


This code snippet will hide the users, posts, and comments endpoint results and give 404 as the result, while the rest of the API calls keep running as they were.


add_filter('rest_endpoints', function(){
    $toRemove = ['users', 'posts', 'comments'];
    foreach($toRemove as $val)
        if (isset($endpoints['/wp/v2/'.$val])) {

        if(isset($endpoints['/wp/v2/'.$val.'/(?P<id>[\d]+)'])) {
    return $endpoints;


This snippet will remove all the default endpoints.

<?php remove_action('rest_api_init', 'create_initial_rest_routes', 99); ?>

Leave a Comment