Joomla is not WordPress. The REST API in Joomla is not publicly accessible. It requires authentication with a Super User account. Source: I wrote the authentication plugin for the Joomla 4 API application.
For WordPress, we do not include a feature to block the JSON API for two reasons. First, it may be relied on by legitimate software. Second, usernames are public. If your site's security relies on the username being private, then the site is insecure by design.
Usernames are included by WordPress in all RSS feeds. The URLs to RSS feeds are easy to determine, even if they are not published for a post or page. Moreover, usernames — being public — are included in the SEO information added by Yoast on every page and post. So what if the REST API lists usernames? So does every page of your site! It's like installing a gate on a path leading to a field but no fence around it. Oh no, how am I going to go past the gate? Right, I will walk around it as there's no fence. /facepalm
Wordfence's post did not come from their own research either. It was based on a blog post by an Italian core WordPress contributor who has been discontent with the way WP 5.0 forced Gutenberg on everyone and joined the ClassicPress development team. At around the same time he wrote a blog post about how the WordPress JSON API is "insecure" for allowing enumeration of usernames… which are public and not meant to be secret anyway! We read that blog post too, we had a discussion and we decided that blocking an API request for public information just for sensationalism's sake is not a responsible attitude. Therefore we never included such a pointless feature in our software.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!