@johnalarcon
Last active January 7, 2019 01:33
Prevent username enumeration via WordPress / ClassicPress REST API.
```php
/**
 * Prevent username enumeration via REST API
 *
 * This function allows normal (anonymous) access to the REST API, but makes
 * sure that site usernames are not exposed through it. This code can be added
 * to your theme's functions.php file.
 *
 * Note: there has been a report that this code may interfere with JetPack's operation.
 * See https://twitter.com/PrysmcatBooks/status/1082022370817261568
 */
add_filter('rest_authentication_errors', 'codepotent_prevent_anonymous_username_enumeration');
function codepotent_prevent_anonymous_username_enumeration($result) {
    // $result is whatever an earlier filter on this hook already decided
    // (null, true or a WP_Error); hand it back unchanged wherever we do not block,
    // so this filter never wipes out another plugin's authentication error.
    // If user is admin, no need to block access.
    if (current_user_can('manage_options')) {
        return $result;
    }
    // If user is logged in, *probably* no need to block access.
    if (is_user_logged_in()) {
        return $result;
    }
    // If here, user is anonymous; selectively block access.
    // Get the requested URL.
    $url = $_SERVER['REQUEST_URI'];
    // Is this a REST API type of URL? If not, there is nothing here to block.
    if (!strstr($url, '/wp-json/')) {
        return $result;
    }
    // Oh, it is? Well, is it the URL that would expose usernames?
    if (!strstr($url, '/users')) {
        // No? Ok, well then, no need to block access.
        return $result;
    }
    // If here, anonymous user requested user list; block access.
    /**
     * I did my error message in ASCII art just for a bit of fun. ¯\_(ツ)_/¯
     * You can do yours however you like.
     */
    $message = " .-'''-. _____ _____ \n";
    $message .= " ' _ \ / / / / \n";
    $message .= " __.....__ / /` '. \ / / / / \n";
    $message .= " .-'' '. . | \ ' / / / / \n";
    $message .= " / .-''\"'-. `. .-,.--. .-,.--. | ' | ' .-,.--. / / .-''` ''-. / / \n";
    $message .= " / /________\ \ | .-. | | .-. | \ \ / / | .-. | / / __ .' '. / / __ \n";
    $message .= " | | | | | | | | | | `. ` ..' / | | | | / / | | / ` / / | | \n";
    $message .= " \ .-------------' | | | | | | | | '-...-'` | | | | / ' | | ' ' / ' | | \n";
    $message .= " \ '-.____...---. | | '- | | '- | | '- / '----| |---. | .-. | / '----| |---. \n";
    $message .= " `. .' | | | | | | / | | | . | | . / | | | \n";
    $message .= " `''-...... -' | | | | | | '----------| |---' . '._.' / '----------| |---' \n";
    $message .= " |_| |_| |_| | | '._ .' | | \n";
    $message .= " /____\ '-....-'` /____\ \n";
    $message .= " _..._ \n";
    $message .= " .---. .-'_..._''. \n";
    $message .= " /| __.....__ __.....__ | | .--. .' .' '.\ .--. \n";
    $message .= " || .-. .- .-'' '. _.._ .-'' '. | | |__| / .' |__| \n";
    $message .= " || \ \ / / / .-''\"'-. `. .' .._| / .-''\"'-. `. | | .--. . ' .--. \n";
    $message .= " || __ \ \ / / / /________\ \ | ' / /________\ \ | | | | | | | | __ \n";
    $message .= " ||/'__ '. \ \ / / | | __| |__ | | | | | | | | | | .:--.'. \n";
    $message .= " |:/` '. ' \ \ / / \ .-------------' |__ __| \ .-------------' | | | | . ' | | / | \ | \n";
    $message .= " || | | \ ` / \ '-.____...---. | | \ '-.____...---. | | | | \ '. . | | `\" __ | | \n";
    $message .= " ||\ / ' \ / `. .' | | `. .' | | |__| '. `._____.-'/ |__| .'.''| | \n";
    $message .= " |/\'..' / / / `''-...... -' | | `''-...... -' '---' `-.______ / / / | |_ \n";
    $message .= " ' `'-'` |`-' / | | ` \ \._,\ '/ \n";
    $message .= " '..' |_| `--' `\" \n";
    // Print the message and kill the script with fire.
    die($message);
}
```
@johnalarcon (Author) commented:

Note that you can pass `$message` into the `json_encode()` function to convert it to JSON before displaying it. The only caveat is that, if you're doing an ASCII art thing like I've done here, you will have to use only characters that don't require escaping, since all the backslashes will ruin the aesthetic of your design. If you need a free, online ASCII text generator, this one is pretty great.
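The following is an added example, not code from the gist or its author, showing the same blocking idea done with the REST server's own error handling rather than `die()`. It hooks the core `rest_pre_dispatch` filter and matches on `WP_REST_Request::get_route()`, so the check covers both the `/wp-json/wp/v2/users` form and the `?rest_route=/wp/v2/users` form that sites without pretty permalinks use, and the returned `WP_Error` is serialised to JSON by WordPress with a 401 status, which is the JSON output the comment above describes without any backslash-escaping concerns. The function name and error code are hypothetical.

```php
<?php
/**
 * Added example (not part of the original gist). Hooks rest_pre_dispatch, which
 * runs after WordPress has parsed the request but before the users controller
 * is reached. Returning a WP_Error here short-circuits dispatch and the REST
 * server emits it as a JSON error body with the given HTTP status.
 */
add_filter('rest_pre_dispatch', 'example_block_anonymous_user_routes', 10, 3);
function example_block_anonymous_user_routes($result, $server, $request) {
    // An earlier filter already produced a response or error; leave it alone.
    if (null !== $result) {
        return $result;
    }
    // Authenticated users (cookie + nonce, or application passwords) pass
    // through; the users controller applies its own capability checks for them.
    if (is_user_logged_in()) {
        return $result;
    }
    // get_route() is the normalised route, e.g. "/wp/v2/users" or
    // "/wp/v2/users/5", regardless of how the URL was written.
    $route = $request->get_route();
    if (preg_match('#^/wp/v2/users(?:/|$)#', $route)) {
        // Body contains no user data; status is what the REST server returns.
        return new WP_Error(
            'example_rest_users_forbidden',
            'You must be logged in to list users.',
            array('status' => 401)
        );
    }
    return $result;
}
```

Compared with the gist's `rest_authentication_errors` version, matching on the parsed route avoids the string search over `REQUEST_URI` and lets other REST routes keep working normally for anonymous visitors; the trade-off is that this hook fires only for requests routed through the REST server, which is the only place the users endpoint is reachable anyway.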
