There is REST-API integrated into WordPress from version 4.7. It is the way how we will use WP in future, but there are some downsides currently. The problem is, that WP use gravatars in default settings – you can find them in the comments and in user profiles. Both of them has their own endpoint in the REST API:
In case of user profiles it also reveals the user login name so it can be used for weak user password hunt. I was the first who described this issue, but unfortunately WP core team didn’t agree with me. WordFence implemented a fix in 6.2.8.
- disable Gravatars in WP settings
- use plugin Disable REST API
- use security plugin like WordFence
- use my Enhancer mu-plugin to filter sensitive data out