Sensitive information in WP REST-API

There is a REST API integrated into WordPress from version 4.7. It is the way we will use WP in the future, but it currently has some downsides. The problem is that WP uses Gravatars in its default settings – you can find them in the comments and in user profiles. Both of them have their own endpoint in the REST API:

  • /wp-json/wp/v2/users
  • /wp-json/wp/v2/comments

Gravatars use MD5 hashes of user e-mails, so it is relatively easy to reverse many of them. Chris Herbert made a very nice tool called WordPress Expose to demonstrate this problem.

In the case of user profiles it also reveals the user login name, so it can be used for hunting weak user passwords. I was the first who described this issue, but unfortunately the WP core team didn’t agree with me. WordFence implemented a fix in 6.2.8.

Mitigation:

  • disable Gravatars in WP settings
  • use the Disable REST API plugin (allows you to disable endpoints you don’t need)
  • allow the REST API only for authenticated users, or apply your own rules with the rest_authentication_errors hook
  • use a security plugin like WordFence
  • use my Enhancer mu-plugin to filter sensitive data out
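As an added illustration of the last two mitigations (not the author's Enhancer plugin and not WordPress core code), here is a small mu-plugin that does two things: it uses the rest_authentication_errors hook to reject anonymous REST requests, and it uses the rest_prepare_user / rest_prepare_comment filters to strip the avatar URLs (which embed the MD5 of the e-mail) and the user slug (the login name by default) from responses for viewers without the relevant capability. The plugin header, the capability choices and the error code are my own assumptions.

```php
<?php
/**
 * Plugin Name: REST Sensitive Data Filter (added example, not the author's Enhancer mu-plugin)
 * Description: Drop into wp-content/mu-plugins/ to load automatically.
 */

// Option 1 (coarse): require a logged-in user for every REST request.
// Mirrors the "authenticated users only" mitigation via rest_authentication_errors.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect a decision another callback has already made (true or WP_Error).
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        // Assumed error code; WordPress turns 'status' into the HTTP response code.
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to use the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// Option 2 (targeted): keep the endpoints public but remove the fields that leak
// e-mail hashes and login names. Users who may list users still see everything.
add_filter( 'rest_prepare_user', function ( $response, $user, $request ) {
    if ( current_user_can( 'list_users' ) ) {
        return $response;
    }
    $data = $response->get_data();
    // avatar_urls point at gravatar.com/avatar/<md5 of e-mail>; slug is user_nicename,
    // which by default equals the login name.
    unset( $data['avatar_urls'], $data['slug'] );
    $response->set_data( $data );
    return $response;
}, 10, 3 );

add_filter( 'rest_prepare_comment', function ( $response, $comment, $request ) {
    if ( current_user_can( 'moderate_comments' ) ) {
        return $response;
    }
    $data = $response->get_data();
    // Comment authors are exposed through author_avatar_urls in the same way.
    unset( $data['author_avatar_urls'] );
    $response->set_data( $data );
    return $response;
}, 10, 3 );
```

In practice you would pick one of the two options: the rest_authentication_errors block also breaks any front-end feature that calls the REST API anonymously (contact forms, the oEmbed endpoint, some themes), whereas the targeted filters leave /wp-json/wp/v2/users and /wp-json/wp/v2/comments usable and only drop the fields this post is about. After installing, fetch both endpoints as a logged-out visitor and confirm that avatar_urls, slug and author_avatar_urls are gone.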

Check my WordCamp Europe talk for more tips:


About Me

My name is Vladimir Smitka and I’m a security researcher/hobbyist from the Czech Republic. I’m also the owner of Lynt, a PPC Agency. I’m also an active member of the Czech WordPress community and one of the WordCamp Prague organizers.
