Update WP Best Practices to include guidance on blocking /wp-json/wp/v2/users to anonymous users

[jazzsequence]

Fixes #8314

Summary

• WordPress Best Practices - Adds a section on how to add a filter which blocks access to the /users endpoint for unauthenticated users.
• Avoid WordPress Login Attacks - Adds a section about blocking anonymous access to the /users endpoint, and why you might want to do it, which links back to the above section in the Best Practices doc.

[pantheon-decoupled]

⚡ Deployed with Pantheon Decoupled

This build was successfully deployed with Pantheon. You can track the build logs here.

👀 Preview: https://pr-9167-documentation.appa.pantheon.site
🛠️ Manage in Pantheon: https://dashboard.pantheon.io/site/2b30153f-e8b1-4427-b076-6109e704ba5d/overview

[pantheon-decoupled]

⚡ Deployed with Pantheon Decoupled

This build was successfully deployed with Pantheon. You can track the build logs here.

👀 Preview: https://pr-9167-documentation.appa.pantheon.site
🛠️ Manage in Pantheon: https://dashboard.pantheon.io/site/2b30153f-e8b1-4427-b076-6109e704ba5d/overview

[pantheon-decoupled]

⚡ Deployed with Pantheon Decoupled

This build was successfully deployed with Pantheon. You can track the build logs here.

👀 Preview: https://pr-9167-documentation.appa.pantheon.site
🛠️ Manage in Pantheon: https://dashboard.pantheon.io/site/2b30153f-e8b1-4427-b076-6109e704ba5d/overview

[rachelwhitton]

@jazzsequence I see we already have a similar example in this doc here: https://docs.pantheon.io/guides/wordpress-developer/wordpress-best-practices#disable-anonymous-access-to-wordpress-rest-api

Is checking for access to the list_users capability the only difference between the two methods? Do we need both?

[jazzsequence]

@rachelwhitton One is to disable the REST API entirely to anonymous users. The other only disables the /users endpoint. The first is a sledgehammer, the second is a scalpel. It depends on what you're doing (or not doing) with the API but since this came in customers wanting to know how to do this, obviously the disabling the entire API solution was insufficient. I don't think it hurts to do both.

[rachelwhitton]

@jazzsequence gotcha, that makes sense. I updated the headers for clarity. LGTM 👍

[pantheon-decoupled]

⚡ Deployed with Pantheon Decoupled

This build was successfully deployed with Pantheon. You can track the build logs here.

👀 Preview: https://pr-9167-documentation.appa.pantheon.site
🛠️ Manage in Pantheon: https://dashboard.pantheon.io/site/2b30153f-e8b1-4427-b076-6109e704ba5d/overview

[pantheon-decoupled]

⚡ Deployed with Pantheon Decoupled

This build was successfully deployed with Pantheon. You can track the build logs here.

👀 Preview: https://pr-9167-documentation.appa.pantheon.site
🛠️ Manage in Pantheon: https://dashboard.pantheon.io/site/2b30153f-e8b1-4427-b076-6109e704ba5d/overview