
To understand whether the REST-API is a security issue for WordPress, let us first look briefly at what it is. Representational State Transfer, or REST, is a stateless client-server protocol, mostly used over the HTTP protocol. In simpler words, it is a standard protocol used widely across the web and is not specific to WordPress.
It makes your WordPress website available as a web service, which means that other desktop/server software, mobile applications, websites, etc. can programmatically retrieve information that is already publicly available, such as posts, pages, media files, etc. from your WordPress website easily and automatically, without accessing the website from a browser.
It can also update and retrieve user profile information or a post, once authenticated. Basically, it does not require a human-friendly interface to function.
Now, as to whether it poses any security risk: it can only access data that is already publicly available through other means, for example RSS feeds and the website itself. The major difference lies in the way this information is presented. The real reason it can be a security risk is that it is simply another surface to attack. However, no vulnerability has been identified in the REST-API thus far, so there is no reason to fret if you keep your WordPress up to date.
One area that often concerns WordPress website owners is that the REST-API exposes the usernames of a site. The fear is that once a hacker has the username they are ‘half way in’. This is not actually true: a long, complex password is the security ‘lock’, not the username. Also, exposing the username is not something new introduced by the REST-API; it has always been a feature of WordPress, known as ‘user enumeration’. Whilst stopping user enumeration is not security in its own right, it is a useful way of detecting attack vectors or adding barriers. If you are concerned about exposing usernames through traditional methods or REST-API methods, we published a free plugin many years ago (and still popular today) called Stop User Enumeration.
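As an added illustration of the two enumeration paths this paragraph mentions (the REST users route and the traditional ?author=N redirect, plus the newer user sitemap), here is a small must-use plugin written for this page. It is not the code of the Stop User Enumeration plugin; the prefix lue_, the function lue_log_probe and the file path in the header are my own choices.

```php
<?php
/**
 * Plugin Name: Limit User Enumeration (illustrative example, not the Stop User Enumeration plugin)
 * Description: Hides usernames from anonymous visitors and logs each blocked probe.
 *
 * Save as wp-content/mu-plugins/limit-user-enumeration.php (hypothetical path);
 * must-use plugins load automatically without activation.
 */

// Fail closed if the file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Record a blocked probe in the PHP error log together with the source address.
 * Enumeration attempts are an early signal of a credential-guessing campaign,
 * so the log line is deliberately one-per-event and easy to grep.
 */
function lue_log_probe( $what ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'user-enumeration probe blocked: %s from %s', $what, $ip ) );
}

/*
 * 1. REST API: /wp-json/wp/v2/users lists every author with a published post and
 *    its "slug" field is normally derived from the login. Short-circuit the request
 *    for anonymous callers before any controller runs. Logged-in users (and so the
 *    block editor, which needs this route) are unaffected.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( is_user_logged_in() || 0 !== strpos( $request->get_route(), '/wp/v2/users' ) ) {
        return $result;
    }
    lue_log_probe( 'REST ' . $request->get_route() );
    return new WP_Error(
        'rest_forbidden',
        'You must be logged in to access this resource.',
        array( 'status' => 401 )
    );
}, 10, 3 );

/*
 * 2. Front end: example.com/?author=1 normally redirects to /author/<login>/, the
 *    classic enumeration trick. Run before redirect_canonical (priority 10) and
 *    send anonymous visitors to the home page instead.
 */
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() || ! isset( $_GET['author'] ) ) {
        return;
    }
    lue_log_probe( '?author=' . sanitize_text_field( wp_unslash( $_GET['author'] ) ) );
    wp_safe_redirect( home_url( '/' ), 302 );
    exit;
}, 1 );

/*
 * 3. Sitemaps (WordPress 5.5 and later): wp-sitemap-users-1.xml lists author
 *    archive URLs. Returning false from this filter drops the users provider.
 */
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );
```

Once the file is in place, an anonymous request to /wp-json/wp/v2/users receives a 401 JSON error and a line in the PHP error log, while editors who are logged in see no change. As the paragraph says, this is a barrier and a detection aid, not a substitute for strong passwords.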
There is also no harm in learning some basics about APIs. Since an API can be used to retrieve website data and show it in a different format, the website can also be controlled by sending commands remotely. This works for posts, comments, categories, pages, tags, settings, media, users, and so on, and this is why hackers are attracted to it.
Some mistakes that beginners make with APIs include: using real user or authentication credentials on a live site (use basic authentication only in a protected environment; otherwise login credentials such as usernames, passwords and two-factor authentication can be exposed); not encrypting authentication information in transit; and displaying sensitive user information, which happens because they are not aware that the API returns all data by default (tools such as Postman make this data easier to read).
In short, the WordPress REST-API is a bridge that you should protect at both ends and in the middle; for this purpose, both you and your external client (if any) require an SSL certificate. Moreover, as a rule of thumb, always send authentication over HTTPS so that any attacker sees only encrypted data.
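To show the HTTPS rule enforced on the server side rather than left to each client, here is a second illustrative must-use plugin written for this page (mine, not WordPress core's; the prefix rtr_ and the file path are hypothetical). Any REST request that presents credentials over plain HTTP is rejected and logged, and the credential itself is never written to the log or echoed back.

```php
<?php
/**
 * Plugin Name: Require TLS for REST Authentication (illustrative example)
 * Description: Rejects REST API requests that present credentials over plain HTTP.
 *
 * Save as wp-content/mu-plugins/require-tls-rest-auth.php (hypothetical path).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * True when the request carries something an attacker on the wire could reuse:
 * an HTTP Basic header (application passwords, Basic Auth plugins) or the nonce
 * that accompanies cookie authentication. Anonymous read-only requests carry none.
 */
function rtr_request_has_credentials() {
    $basic_auth_keys = array( 'PHP_AUTH_USER', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION' );
    foreach ( $basic_auth_keys as $key ) {
        if ( ! empty( $_SERVER[ $key ] ) ) {
            return true;
        }
    }
    return ! empty( $_SERVER['HTTP_X_WP_NONCE'] ) || ! empty( $_GET['_wpnonce'] );
}

/*
 * rest_authentication_errors runs before the REST route is dispatched. Returning a
 * WP_Error here stops the request with the given status. Requests without any
 * credential are still allowed over HTTP, matching the post's point that such
 * data is public anyway.
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another handler already produced a verdict; respect it.
    if ( null !== $result ) {
        return $result;
    }
    if ( is_ssl() || ! rtr_request_has_credentials() ) {
        return $result;
    }
    // Log the event and the source address only, never the credential.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( 'REST credentials presented over plain HTTP from ' . $ip . ' (rejected)' );

    return new WP_Error(
        'rest_insecure_transport',
        'Authenticated REST API requests must be sent over HTTPS.',
        array( 'status' => 403 )
    );
}, 5 );
```

Two practical notes. WordPress core already refuses application passwords when is_ssl() is false (outside the local environment type), so this mainly extends the same rule to third-party Basic Auth plugins and to cookie-plus-nonce requests, and adds a log line you can alert on. And is_ssl() reads $_SERVER['HTTPS'], so behind a TLS-terminating proxy you must set that variable from X-Forwarded-Proto in wp-config.php, otherwise every authenticated REST request, the block editor included, is rejected; on a site served only over plain HTTP that rejection is the intended outcome, since such a site should not be accepting credentials at all.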
To conclude, if you use the WordPress REST-API in the manner it has been designed for, you are pretty much safe.