REST API endpoints are now enabled by default.

Hello @7thcircle

The REST API endpoints are enabled by default because moving forward some of the default plugin’s functionality will rely on REST API, like many other plugins. Also, the plugin is currently being used by a number of integrations (from third parties) that will require these REST API endpoints.

Would you please explain in detail what the user case is here and why you’d want to disable them? We want to learn about your setup, and see how to better support your requirements.

Looking forward to hearing from you.

Thank you for sharing your concern, however, rest assured that it is not another source for “potential data leaks and security issues”. Like many other plugins (such as WooCommerce) and WordPress, such as WooCommerce and other popular ones, REST API endpoints are becoming a standard feature and with time the plugin will be using them even more, so they will be needed. For example WordPress’ own block editor uses the REST API, and so does the Site Editor.

The REST API endpoints for WP 2FA are not about “accessing your security from another platform”. They do not allow you to access anything. They actually allow you to verify a 2FA code. In terms of functionality, they do the job of the 2FA page that is displayed when you try to log in to your website.

Having said that, we will look into including a new setting in the plugin that allows you to disable the REST API endpoints.

Thank you for using our plugin and for sharing your feedback. Should you have any other questions, please do not hesitate to ask.