A tale of one filter

It’s one thing to have to disable a feature. It’s another thing entirely for that feature to be embedded in WordPress core, found only by those who care enough to look.
Well, that’s what I found myself in the middle of doing this morning. Thanks in part to having checked the core for as long as I have, I knew to disable this “feature” (note: it took me long enough, considering how long the site has been up already).

It’s not really a concern. After all, hiding it is mere security by obscurity. That’s the stance I’ve been given by at least two people I’ve talked to on the subject.
Still, is it really worth exposing the usernames of all your users on a publicly accessible REST API? I feel like there has to be some kind of limit there, surely.

I see the problem in the REST API endpoint wp/v2/users. Unauthenticated, it returns a list of the site’s users, admins included. (Strictly speaking, the unauthenticated listing is limited to users who have authored published public content, and the field it exposes is `slug`, which WordPress derives from the login name by default; on a typical site that still covers every author and every admin who has ever published anything.) By itself that is not a problem; the problem is that it allows unauthenticated access.
In my eyes, this removes one layer of security straight from the get-go, simply by exposing the users on your site by login name: the login name is half of every credential pair, so an attacker can skip user enumeration and go straight to password guessing against wp-login.php or xmlrpc.php. It isn’t even useful to an outsider in the way I assume it was intended. What is someone supposed to gain from viewing every single author on the site, with no relation to what posts or pages they have authored?
Add to that any sort of members-only functionality (online stores, sign-in-only posts, …) and the problem is exacerbated.

To top it all off, it’s not like it’s easy to find out how to remove it — well, searching online is a correct first step, but most of the results only show you how to disable the API at large, or disable the API if you’re not authorized (in most cases this means “signed in”).
And unless you’re using the Classic Editor (unless Gutenberg is absolutely required, you really should do that) or a fork of WordPress that removes Gutenberg, you can’t simply turn the API off, because Gutenberg saves posts through that very same REST API. Any fix therefore has to keep the API available to logged-in users.

This here’s an excerpt of the function I wrote to limit access to this API:

    // rest_authentication_errors runs once per REST request, before the route is dispatched.
    // Returning a WP_Error from it aborts the request with that error.
    add_filter('rest_authentication_errors', 'disableUsersAPI');

    function disableUsersAPI($result)
    {
        // $wp is the global WP object; its query_vars carry the requested rest_route.
        global $wp;

        // Pass through if another filter already decided (error or explicit success),
        // if the visitor is logged in (Gutenberg needs the API), or if this is not a
        // REST request at all.
        if (isset($result) || is_user_logged_in() || empty($wp->query_vars['rest_route'])) {
            return $result;
        }

        // ... allow access to certain endpoints here ...

        // Everything else is denied to anonymous visitors.
        // rest_authorization_required_code() yields 401 when nobody is logged in, 403 otherwise.
        return new \WP_Error(
            'rest_authorization_required',
            __('Sorry, you are not allowed to access this page.'),
            rest_authorization_required_code()
        );
    }

So many things in here seem like archaic WordPress knowledge (the global `$wp` object that you use basically nowhere else in day-to-day operation, or the `rest_authorization_required_code` function, for example) or have to be sifted out of the documentation. All just to disable one innocent-looking but, to me, frankly useless API endpoint.
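For anyone who wants to deny only the users endpoint rather than the whole API, here is an added example of my own (not the excerpt above, and not WordPress core code). It differs from the excerpt in one deliberate way: it hooks `rest_request_before_callbacks` instead of `rest_authentication_errors`. WordPress evaluates `rest_authentication_errors` once per HTTP request, but the sub-requests it builds internally for `?_embed` (which pulls in a post’s author from wp/v2/users/<id>) and for `/batch/v1` are dispatched without going through it again, so a route-specific deny there is skipped for them. `rest_request_before_callbacks` runs for every dispatched request, embedded ones included. The function names and the plugin header are mine; everything else is the standard WordPress API.

```php
<?php
/**
 * Plugin Name: Example: deny anonymous access to wp/v2/users
 *
 * Added example, not the post's own code. Denies unauthenticated requests to
 * the wp/v2/users collection and to single users (wp/v2/users/<id>) while
 * leaving every other REST route alone, so the block editor (which saves
 * through the REST API as a logged-in user) keeps working.
 */

/**
 * True when a REST route path addresses the users collection or a single user.
 * Matching is case-insensitive because WordPress matches routes that way.
 * (wp/v2/users/me is left out on purpose: core already denies it to anonymous
 * requests.)
 */
function example_is_users_route( $route ) {
    $route = '/' . trim( (string) $route, '/' ); // normalise leading/trailing slashes
    return 1 === preg_match( '#^/wp/v2/users(?:/\d+)?$#i', $route );
}

/**
 * Filter callback for rest_request_before_callbacks. Replaces the response with
 * an authorization error for anonymous requests to the users routes; any error
 * already decided upstream is passed through untouched.
 */
function example_deny_anonymous_users_route( $response, $handler, $request ) {
    if ( is_wp_error( $response ) || is_user_logged_in() ) {
        return $response;
    }

    if ( example_is_users_route( $request->get_route() ) ) {
        return new WP_Error(
            'rest_authorization_required',
            __( 'Sorry, you are not allowed to access this page.' ),
            rest_authorization_required_code() // 401 for anonymous requests
        );
    }

    return $response;
}
add_filter( 'rest_request_before_callbacks', 'example_deny_anonymous_users_route', 10, 3 );
```

Drop this in as a small plugin (or into functions.php) and check it from a logged-out shell: `curl -i https://your-site/wp-json/wp/v2/users` should answer 401 with the `rest_authorization_required` body, `curl https://your-site/wp-json/wp/v2/posts?_embed` should no longer carry author slugs under `_embedded.author`, and the same request with a valid login cookie and nonce should still work, which is what keeps Gutenberg alive.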