Support » Plugin: All In One WP Security & Firewall » Disabling User Enumeration Also Disables Rest API

  • Resolved Howdy_McGee


    It looks like whenever the Disable Users Enumeration setting is enabled, it also disables the Rest API entirely for non-logged in users, which seems out of scope of this option entirely. Inside the stop-users-enumeration.php file we have the following code:

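    add_action( 'rest_api_init', 'check_rest_api_requests', 10, 1);
    function check_rest_api_requests($rest_server_object){
        $rest_user = wp_get_current_user();
        // Runs on every REST request: any visitor who is not logged in is rejected, whatever the route
        if(empty($rest_user->ID)){
            wp_die('You are not authorized to perform this action');
        }
    }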

    This prevents some plugins that require the Rest API from working entirely. For example, Contact Form 7 uses the rest API to handle their form submissions, but when User Enumeration is disabled, non-logged in users cannot submit to Contact Form 7 forms.

    If the goal is to disable the Users endpoint of the Rest API then target that endpoint specifically.

    I don’t think this should be in the file and if anything should be a setting on its own.
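One way to restrict only the users endpoint, as the post above suggests, shown as an added example that is not code from the original post or from the plugin. It assumes the core users routes live under `/wp/v2/users`; the `example_` function names and the error code are hypothetical.

```php
<?php
/**
 * Added example (not the plugin's code): refuse anonymous requests to the
 * REST users endpoints only, leaving every other REST route untouched.
 * All "example_" names and the error code are hypothetical.
 */

// True for /wp/v2/users, /wp/v2/users/3 and /wp/v2/users/me; false for
// unrelated routes such as /wp/v2/posts or another plugin's namespace.
// The "i" flag mirrors WordPress, which matches routes case-insensitively.
function example_is_users_route( $route ) {
    return (bool) preg_match( '#^/wp/v2/users(?:/|$)#i', (string) $route );
}

// rest_pre_dispatch runs after REST authentication and before the route
// callback, so is_user_logged_in() reflects the authenticated request.
function example_block_anonymous_users_route( $result, $server, $request ) {
    // Respect a response already produced by an earlier filter.
    if ( null !== $result ) {
        return $result;
    }

    if ( ! is_user_logged_in() && example_is_users_route( $request->get_route() ) ) {
        // Returning WP_Error yields a JSON error response instead of the
        // HTML page that wp_die() would send to a REST client.
        return new WP_Error(
            'example_users_endpoint_forbidden',
            'You are not authorized to perform this action',
            array( 'status' => 401 )
        );
    }

    // null tells WordPress to dispatch the request normally.
    return $result;
}
add_filter( 'rest_pre_dispatch', 'example_block_anonymous_users_route', 10, 3 );
```

With this filter in place, an anonymous `GET /wp-json/wp/v2/users` returns a 401 JSON error, while anonymous requests to other REST routes, such as form submissions handled by another plugin, are dispatched as usual.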

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Contributor mbrsolution


    Hi, thank you for reporting this. The plugin developers are already aware of this issue and will release a fix soon. You can read more about it from the following support thread.

    Kind regards

    I can confirm that after updating WP Security on Friday 22nd, the WordPress Popular Posts plugin stopped recording post count, due to the enabled option of the Disable Users Enumeration setting.

    After unticking this setting, the plugin seems to have started counting again.

    I can also confirm and have multiple sites with this issue so am anxiously awaiting the update. Any progress on that to report?

    Just found this. Why can’t the authors push out a fix for this bug? It’s certainly not a feature request after all and it’s affecting live sites that automatically updated.

    Plugin Contributor mbrsolution


    Hi all, the developers are working hard on this fix. They are just making sure they release a proper patch. Please be patient as a fix will be out soon.

    Kind regards

    As far as I can tell this has been fixed.

  • The topic ‘Disabling User Enumeration Also Disables Rest API’ is closed to new replies.