WordPress has shipped a REST API for several versions now; it is enabled by default and open to everyone, including anonymous visitors, in read-only mode.
At first glance this is not an explicit security problem, but unless the site actually needs the API reachable from outside there is little reason to leave it open: it lets anyone run a series of queries against the site that serve no purpose for you and that disclose details about it.
To see what it exposes, open the main page of your WordPress site and append /wp-json/ to the URL, for example https://example.com/wp-json/.
By default you will see information about your site in plain text (or, if your browser formats JSON, in a more or less readable layout): the site name and description, the namespaces and the routes the API serves. A second check worth doing is https://example.com/wp-json/wp/v2/users, which by default lists to anonymous visitors the accounts that have published public posts, including their user slugs, which often match the login name.
To prevent this information leakage, you can install a plugin such as Disable WP REST API, which restricts the REST API to logged-in users and refuses anonymous requests. Keeping it available to logged-in users matters: the block editor and several admin screens work through the REST API, so blocking it for everyone would break the dashboard. Two caveats: any front-end feature that calls the API without a session (some forms and widgets do) will stop working, so test the site after enabling it; and if you restrict the API with web server rules instead of a plugin, remember that WordPress also serves it through https://example.com/?rest_route=/, so a rule that only matches the /wp-json/ path can be bypassed.
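As an added example, and not code from this page or from the Disable WP REST API plugin, the following must-use plugin applies the same restriction by hand through the rest_authentication_errors filter that WordPress core offers for this purpose. The file name wp-content/mu-plugins/restrict-rest-api.php is an assumption; any file in mu-plugins is loaded automatically.

```php
<?php
/**
 * Plugin Name: Restrict REST API to logged-in users
 * Description: Refuses anonymous REST API requests on both /wp-json/ and ?rest_route=.
 *
 * Added example, not part of the original page or of any plugin it mentions.
 * Assumed location: wp-content/mu-plugins/restrict-rest-api.php
 */

defined( 'ABSPATH' ) || exit;

add_filter( 'rest_authentication_errors', function ( $result ) {
	// Another authentication handler already produced a WP_Error or a
	// definitive "true" (for example a valid X-WP-Nonce check). Leave that
	// decision untouched.
	if ( ! empty( $result ) ) {
		return $result;
	}

	// A logged-in session (valid auth cookie) may continue. Core's own cookie
	// handler, which runs after this filter, still demands a nonce before it
	// treats the request as that user, so the block editor keeps working and
	// cross-site requests are not turned into authenticated ones.
	if ( is_user_logged_in() ) {
		return $result;
	}

	// Anonymous request: reject it. The 'status' element becomes the HTTP
	// status code of the JSON error response.
	return new WP_Error(
		'rest_not_logged_in',
		__( 'You must be logged in to use the REST API.' ),
		array( 'status' => 401 )
	);
} );
```

Because the filter runs inside the REST server rather than on the URL, it covers the /wp-json/ prefix and the ?rest_route= form alike. To verify it, request https://example.com/wp-json/wp/v2/users from a terminal with curl -i and without any cookies: the response should be a 401 with the rest_not_logged_in error, while the same request from a logged-in browser session still works.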
About this document
This document is governed by the EUPL v1.2 license, published on WP SysAdmin and created by Javier Casares. If you use this content on your website, in your presentation or in any material you distribute, please remember to credit this site or its author, and note that any material you create from it must also be released under the EUPL license.