If it is not being used at all, an even better approach would be to completely disable it via functions.php or some plugin nowadays.
I believe this could depend on a few points, like the Security Level option, Bot Fight Mode, IP reputation; we can even block the bad ASNs already by IP Access Rules / Firewall Rules for prevention, and some others, for example creating a Firewall Rule like “why allow a request via HTTP/1.0 to the REST API part, or some other like wp-cron.php, which is not coming from the IP address of the origin host/server?”.
Furthermore, using a Rate Limiting option for the REST API request/URL could help too.
Just a few thoughts about it, as it could be prevented at an early stage.
I haven’t tested the Managed WAF Rules and WordPress REST API a lot, so I cannot tell, due to the lack of experience and testing.
It’s possible something exists, but I am afraid the “one-click solution” (silver bullet) is not made yet.
Or, if it actually is, then I believe it would be possible for some of the “good requests” to be blocked too, as far as I can see from my point of view and the complexity of it.
Therefore, I can admit the Managed WAF Rules are actually working well and doing their job, as far as I have tested and used them on a few domains.
Kindly and patiently wait for someone more experienced to provide a better answer.
@fritexvz thank you for taking the time to write that very detailed information. I appreciate it.
Unfortunately I cannot deny access to unauthenticated users because some plugins require REST.
I put in a rate limit for it, but I am not sure exactly how many requests to limit it to, so I got a gauge of what Cloudflare has implemented for their API and did something similar. That rate limiting is a great feature.
What would you recommend for limiting the use of REST without breaking plugins that use REST? I'm not exactly sure how many times a minute or per 10 seconds plugins use REST.
Thanks again for the knowledge and the time you took to write that. I definitely feel better about the WAF taking care of business.
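To make the two controls discussed in this thread concrete (the firewall rule fritexvz sketches for HTTP/1.0 requests to the REST API or wp-cron.php that do not come from the origin's own IP, and the per-IP rate limit on the REST API that the follow-up post asks about), here is an added example that evaluates both over a handful of constructed access-log lines. It is not code from either poster or from Cloudflare; the origin IP, the log format, the limit of 3 requests per 10 seconds, and the sample lines are all assumptions chosen for illustration. On Cloudflare itself the same rule would be expressed with the `http.request.uri.path`, `http.request.version` and `ip.src` fields rather than with this Python, and the right request count has to be measured on your own site, as the second post notes.

```python
"""Constructed example: apply a firewall-style rule and a sliding-window
rate limit to WordPress REST / wp-cron requests parsed from sample log lines.
"""
from collections import deque
from dataclasses import dataclass
import re

ORIGIN_IP = "198.51.100.10"   # assumption: the origin server's own IP
REST_PREFIX = "/wp-json/"     # WordPress REST API path prefix
CRON_PATH = "/wp-cron.php"
RATE_LIMIT = 3                # assumption: max REST requests per client per window
WINDOW_SECONDS = 10           # assumption: window length for the rate limit

# Assumed minimal log format: <client ip> [<unix ts>] "<method> <path> <version>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<method>\S+) (?P<path>\S+) (?P<version>HTTP/\d\.\d)"$'
)

# Constructed sample traffic (not real log data).
SAMPLE_LOG = [
    '203.0.113.5 [1000] "GET /wp-json/wp/v2/posts HTTP/1.0"',    # HTTP/1.0 to REST, not origin
    '198.51.100.10 [1001] "POST /wp-cron.php HTTP/1.0"',        # HTTP/1.0 but from the origin itself
    '203.0.113.7 [1002] "GET /wp-json/wp/v2/posts HTTP/1.1"',
    '203.0.113.7 [1003] "GET /wp-json/wp/v2/posts HTTP/1.1"',
    '203.0.113.7 [1004] "GET /wp-json/wp/v2/posts HTTP/1.1"',
    '203.0.113.7 [1005] "GET /wp-json/wp/v2/users HTTP/1.1"',   # 4th REST hit inside 10 s
    '203.0.113.7 [1015] "GET /wp-json/wp/v2/posts HTTP/1.1"',   # window has slid past the earlier hits
    '203.0.113.9 [1016] "GET /index.php HTTP/1.1"',             # not REST: rate limit does not apply
]


@dataclass
class Request:
    ip: str
    ts: int
    method: str
    path: str
    version: str


def parse_line(line: str) -> Request:
    """Parse one log line in the assumed format into a Request."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Request(m["ip"], int(m["ts"]), m["method"], m["path"], m["version"])


def is_rest_or_cron(req: Request) -> bool:
    return req.path.startswith(REST_PREFIX) or req.path == CRON_PATH


def firewall_rule_blocks(req: Request) -> bool:
    """The rule from the thread: block HTTP/1.0 requests to the REST API or
    wp-cron.php unless they originate from the origin server's own IP."""
    return is_rest_or_cron(req) and req.version == "HTTP/1.0" and req.ip != ORIGIN_IP


class SlidingWindowLimiter:
    """Per-client sliding window: at most `limit` allowed hits in any `window` seconds.
    Rejected hits are not recorded, so they do not extend the client's window."""

    def __init__(self, limit: int, window: int):
        self.limit = limit
        self.window = window
        self.hits: dict[str, deque] = {}

    def allow(self, ip: str, ts: int) -> bool:
        q = self.hits.setdefault(ip, deque())
        while q and ts - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def evaluate(lines):
    """Return (ip, path, decision) for each line, applying the firewall rule first
    and then the REST rate limit, in the order a WAF would evaluate them."""
    limiter = SlidingWindowLimiter(RATE_LIMIT, WINDOW_SECONDS)
    decisions = []
    for line in lines:
        req = parse_line(line)
        if firewall_rule_blocks(req):
            decisions.append((req.ip, req.path, "block:firewall-rule"))
        elif req.path.startswith(REST_PREFIX) and not limiter.allow(req.ip, req.ts):
            decisions.append((req.ip, req.path, "block:rate-limit"))
        else:
            decisions.append((req.ip, req.path, "allow"))
    return decisions


if __name__ == "__main__":
    for ip, path, decision in evaluate(SAMPLE_LOG):
        print(f"{ip:15} {path:25} {decision}")
```

Running it shows the first line blocked by the rule, the wp-cron.php request from the origin allowed despite being HTTP/1.0, the fourth REST request from 203.0.113.7 rejected by the rate limit, and the same client allowed again once the window has moved on. Tuning `RATE_LIMIT` and `WINDOW_SECONDS` against a log of your own plugins' REST traffic is the way to find a threshold that does not break them.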