Hi @efinancialmodels!
Thanks for your question; security is something that should be taken very seriously.
First, just to clear a common misunderstanding: the REST API itself is not a vulnerability. It’s part of WordPress core, used by the Block Editor, Site Health, and countless plugins. By default it’s safe: anonymous visitors can only see what’s already public, and anything sensitive (creating posts, managing settings, etc.) requires proper authentication and nonces.
Where things sometimes do go wrong is with poorly coded or abandoned plugins that add insecure endpoints. That’s why the golden rule is: stick to serious, actively maintained plugins. Installing “random” plugins with a handful of downloads is where security holes usually come from (and that doesn’t only impact the REST API; WordPress can be accessed in so many other ways).
With AI Engine, you don’t need to worry:
- We work with two independent security teams to review and test the plugin.
- Whenever a potential issue is even suspected, we treat it as a top priority, long before it could ever be exploited.
- Our endpoints follow WordPress security standards (capability checks, nonces, etc.), and the ones that are public (like the chatbot) are designed that way with built-in safeguards.
As for plugins like “Disable WP REST API”: they’re a bit like turning off your electricity because you’re worried about one faulty appliance 🥲 It shuts everything down (including features you actually need), without really solving the root problem. If you really want to do this, a better approach is to control and filter what you don’t want:
- Block or hide specific sensitive endpoints (e.g. /wp/v2/users) if you don’t use them.
- Use a firewall or security plugin (Wordfence, WP Cerber, iThemes Security, Cloudflare) to add rate limiting and protection.
- Keep WordPress and plugins up to date.
So the short answer: WordPress + REST API + good plugins = safe. The long answer: we’re always watching, always patching, and you’re in good hands.
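The two pieces of advice in the reply above (hide a sensitive endpoint you don’t use, and write endpoints with capability checks and nonces) as a worked example. This is an added illustration, not code from the reply or from AI Engine; the `myplugin/v1` namespace, the `/settings` route and the `myplugin_model` option are hypothetical names, while the WordPress hooks and functions (`rest_endpoints`, `rest_api_init`, `register_rest_route`, `current_user_can`) are real core APIs.

```php
<?php
/**
 * Added example (not from the reply above or from AI Engine): applying the
 * two recommendations with WordPress core APIs. Drop into a small mu-plugin.
 */

// 1. Hide /wp/v2/users from anonymous visitors instead of disabling the whole API.
//    Logged-in users (e.g. the Block Editor's author picker) keep the endpoint.
//    This filter runs after core has authenticated the request, so
//    is_user_logged_in() already reflects cookie + nonce validation.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 2. An endpoint written to the standard the reply describes.
//    The weak version would be 'permission_callback' => '__return_true' on a
//    write route, which lets any visitor change the option. The hardened version
//    below requires the manage_options capability. For cookie-authenticated
//    callers, core additionally requires a valid X-WP-Nonce header (sent by
//    wp.apiFetch automatically) before permission_callback is even reached.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'model' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    // Reject anything outside a short allow-list (hypothetical names).
                    return in_array( $value, array( 'small', 'large' ), true );
                },
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            $model = $request->get_param( 'model' ); // already sanitized + validated
            update_option( 'myplugin_model', $model );
            return rest_ensure_response( array( 'model' => $model ) );
        },
    ) );

    // A deliberately public read-only route (like a chatbot endpoint) still
    // declares its intent explicitly rather than omitting permission_callback,
    // and exposes only data that is already public.
    register_rest_route( 'myplugin/v1', '/status', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => '__return_true',
        'callback'            => function () {
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );
```

Once this is active, an anonymous `GET /wp-json/wp/v2/users` returns a 404 `rest_no_route` error while a logged-in editor still sees the author list, and a `POST /wp-json/myplugin/v1/settings` without an administrator session (or with a missing or stale nonce) is rejected by core with a 401/403 before the callback runs.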