I noticed that WordPress has a lot of API endpoints and I came across the 'users' endpoint (wp-json/wp/v2/users) which exposes a lot of sensitive data. I do understand that Metabox adds the fields to the API which is great, but I noticed that the default users data is exposed to visitors and hackers.
What is the best approach to managing this? Is it best to disable all endpoints not being used and create new endpoints to control the data for visitors only? I need to use the API for visitors so it's not like I can use the 'nonce'.
Or can I show/hide specific Metabox fields within the API?
Or shall I add in authentication to access the API, like an API key?
Thanks, any help/advice would be great.