After the recent discovery of REST API vulnerabilities in WordPress 4.7.1 and 4.7 Mika Epstein wrote an impactful post recently entitled “A Case for REST API”. I really like this calm approach to the subject – I highly recommend you take a minute to read her thoughts.
The bottom line: leaving the REST API on and dealing with possible future vulnerabilities is less of a risk then turning it off.
