-------------------------------------------------------- Add the following code to functions.php (Code updated) -------------------------------------------------------- add_filter( 'rest_authentication_errors', function( $result ) { if ( true === $result || is_wp_error( $result ) ) { return $result; } if ( ! is_user_logged_in() ) { return new WP_Error( 'rest_not_logged_in', __( 'You are not currently logged in.' ), array( 'status' => 401 ) ); } return $result; }); ---------------------------------------------------------------------------- This above code should block everything - MAKE SURE YOU ARE LOGGED OUT ---------------------------------------------------------------------------- ------------------------------------------ Check if your site's username is exposed ------------------------------------------ website-URL.com/wp-json/wp/v1/users website-URL.com/wp-json/wp/v2/users website-URL.com/wp-json/ --------------- OLD CODES --------------- if( ! is_user_logged_in() ) { remove_action('rest_api_init', 'create_initial_rest_routes', 99); } ----------------------------------- OR ----------------------------------- remove_action('rest_api_init', 'create_initial_rest_routes', 99);