added protection for rest api

README.md

@@ -9,10 +9,14 @@ By default, Wordpress will display some sensitive information on author pages. T
 
      https://yourdomain.com/?author=id
 
- or with permalinks 
+ with permalinks 
 
      https://yourdomain.com/author/username
 
+or using REST API
+
+     https://yourdomain.com/wp-json/wp/v2/users
+
 The page will include the full name (first and last name) as well as the username of the author which is used to login to Wordpress. 
 
 In some cases, it is not wanted to expose this information to the public. An attacker is able to brute-force valid IDs or valid usernames. This information might be used for further attacks like social-engineering attacks or login brute-force attacks with gathered usernames. 

wp-author-security/options.php

@@ -37,14 +37,22 @@ function register_wp_author_security_settings() {
         'sanitize_callback' => 'sanitize_checkbox',                                                                                    
         'default' => false                                             
     );
+    $argsRestUser = array(                                     
+        'description' => 'Whether to protect REST API endpoint wp-json/wp/v2/users.',                                          
+        'type' => 'booelan',                                      
+        'sanitize_callback' => 'sanitize_checkbox',                                                                                    
+        'default' => true                                             
+    );
 
     register_setting( 'wp-author-security-group', 'protectAuthor', array_merge($argsBase, $argsAuthor) );
     register_setting( 'wp-author-security-group', 'protectAuthorName', array_merge($argsBase, $argsAuthorName) );
     register_setting( 'wp-author-security-group', 'disableLoggedIn', array_merge($argsBase, $argsLoggedIn) );
+    register_setting( 'wp-author-security-group', 'disableRestUser', array_merge($argsBase, $argsRestUser) );
 
     add_option( 'protectAuthor',  $argsAuthor['default']); 
     add_option( 'protectAuthorName',  $argsAuthorName['default']);
     add_option( 'disableLoggedIn',  $argsLoggedIn['default']);
+    add_option( 'disableRestUser',  $argsLoggedIn['default']);
 };
 
 function wp_author_security_menu() {
@@ -129,6 +137,14 @@ function wp_author_security_options_page() {
             <p>Disable protection for logged in users.</p>
         </td>
         </tr>
+
+        <tr valign="top">
+        <th scope="row">Protect REST API user enumeration</th>
+        <td>
+            <input type="checkbox" name="disableRestUser"<?php if ( get_option('disableRestUser') )  echo ' checked="checked"'; ?> />
+            <p>Disable REST API endpoint wp-json/wp/v2/users.</p>
+        </td>
+        </tr>
     </table>
 
     <?php submit_button(); ?>

wp-author-security/readme.txt

@@ -2,7 +2,7 @@
 Contributors: mgm-sp
 Tags: security, user enumeration
 Requires at least: 4.7
-Tested up to: 5.1.1
+Tested up to: 5.3
 Requires PHP: 5.6
 Stable tag: 1.0
 License: GPLv3

wp-author-security/wp-author-security.php

@@ -4,7 +4,7 @@
  * Description: Protects against user enumeration attacks for author pages. By default, Wordpress will display some sensitive information on author pages. The author page is typically called by requesting the URI https://yourdomain.com/?author=<id> or with permalinks https://yourdomain.com/author/<username>. The page will include the full name (first and last name) as well as the username of the author which is used to login to Wordpress. In some cases, it is not wanted to expose this information to the public. An attacker is able to brute-force valid IDs or valid username. This information might be used for further attacks like social-engineering attacks or login brute-force attacks with gathered usernames. By using the extension, you are able to disable the author pages either completely or only for users that do not have any published posts yet. When the page is disabled the default 404 page not found is displayed.
  * Author: mgm-sp
  * Author URI: https://www.mgm-sp.com
- * Version: 1.0
+ * Version: 1.1.0
  * License: GPL3
  * Plugin URI: https://github.com/mgm-sp/wp-author-security
  */
@@ -17,6 +17,7 @@
 require_once (dirname( __FILE__ ) . '/options.php');
 
 add_action( 'template_redirect', 'check_author_request', 1 );
+add_action( 'rest_api_init', 'check_rest_api', 10);
 
 /**
  * checks for author parameter in requests and decideds wheter to block request (404) 
@@ -42,8 +43,7 @@ function check_author_request() {
         return;
     }
 
-    // check if protection is disabled for logged in user
-    if( is_user_logged_in() && get_option('disableLoggedIn')) {
+    if(!isEnabled()) {
         return;
     }
 
@@ -62,6 +62,26 @@ function check_author_request() {
 
     return;    
 }
+
+/**
+ * disables user enumeration for the REST API endpoint wp-json/wp/v2/users
+ */
+function check_rest_api()
+{
+    // check if protection is disabled for logged in user
+    if( is_user_logged_in() && get_option('disableLoggedIn')) {
+        return;
+    }
+    $pattern = '/wp\/v2\/users/';
+    $restRoute = $_REQUEST['rest_route'];
+    if(isset($_REQUEST['rest_route']) && preg_match($pattern, $_REQUEST['rest_route']) ) {
+        if(get_option( 'disableRestUser' )) {
+            display_404();
+        }        
+    }    
+    return;
+} 
+
 /**
  * Checks if requested user should be blocked or not
  */
@@ -101,3 +121,14 @@ function display_404() {
     exit;
 }
 
+/**
+ * checks whether plugin is enabled for logged in users or not
+ */
+function isEnabled() {
+    // check if protection is disabled for logged in user
+    if( is_user_logged_in() && get_option('disableLoggedIn')) {
+        return false;
+    }
+    return true;
+}
+