ClassicPress provides many helpful REST API endpoints that expose data about your site. For the most part, this is a handy feature. In the case of usernames, however, allowing this endpoint to be accessed anonymously can make your site more susceptible to brute-force attacks, because anyone can collect valid usernames without logging in. This plugin prevents anonymous access to the endpoint.
Do you even need this plugin? To find out, log out of your site, then open the following URLs in separate browser tabs. Be sure to replace https://www.yoursite.com/ with the URL to your ClassicPress installation.
Inspect the output of each URL. Do you find any usernames or display names? If not, you're all set – you don't need this plugin! If you do find usernames or display names, follow the instructions below to install the plugin.
- Download the package to your local computer.
- Navigate to Dashboard > Plugins > Add New > Upload Plugin and upload the package to your site.
- Click to install, then activate the plugin.
There are no configuration settings – the plugin is designed to just work. If you would like to personally verify that it is working as expected, you can log out of the site and revisit the URLs above. When you are logged out, the usernames and display names are removed; when you are logged in, they are accessible, as expected.
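The logged-out check described above can also be scripted. The following is an added example, not part of the plugin or the original page: it inspects a response you fetched without a session cookie and reports any usernames or display names it contains. It assumes user objects carry the display name in `name` and the username slug in `slug`; the function name and the sample responses are constructed for illustration, and the page does not say which of the two "after" shapes the plugin returns.

```python
import json

# Assumption: each user object carries the display name in "name" and the
# username-derived slug in "slug", as in the standard REST user schema.
IDENTITY_FIELDS = ("name", "slug")


def exposed_identities(status, body):
    """Return sorted (id, field, value) tuples leaked by an anonymous response."""
    if status != 200:
        return []                      # 401/403/404: the endpoint refused us
    try:
        data = json.loads(body)
    except ValueError:
        return []                      # not JSON, e.g. an HTML error page
    if isinstance(data, dict):
        if "code" in data and "message" in data:
            return []                  # REST error envelope, no user data
        data = [data]                  # a single-user URL returns one object
    if not isinstance(data, list):
        return []
    leaks = []
    for user in data:
        if not isinstance(user, dict):
            continue
        for field in IDENTITY_FIELDS:
            value = user.get(field)
            if isinstance(value, str) and value.strip():
                leaks.append((user.get("id"), field, value))
    return sorted(leaks, key=lambda t: (str(t[0]), t[1]))


# Constructed sample responses (not captured from a real site).
BEFORE = (200, '[{"id": 1, "name": "Site Admin", "slug": "siteadmin"},'
               ' {"id": 2, "name": "Jo Editor", "slug": "jo"}]')
AFTER_ERROR = (401, '{"code": "rest_forbidden", "message": "Sorry.",'
                    ' "data": {"status": 401}}')
AFTER_STRIPPED = (200, '[{"id": 1, "name": "", "slug": ""}]')

if __name__ == "__main__":
    samples = [("before", BEFORE), ("after (error)", AFTER_ERROR),
               ("after (stripped)", AFTER_STRIPPED)]
    for label, (status, body) in samples:
        leaks = exposed_identities(status, body)
        print(label, "EXPOSED" if leaks else "clean", leaks)
```

Pass it the status code and body from each URL you checked while logged out; an empty result means that response exposes no usernames or display names.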
NOTE: While this plugin does work with WordPress, it may cause certain aspects of JetPack to fail. See this thread for a workaround.