You may or may not herd of Rest API. Is installed on millions of WordPress sites by default and enabled by default. I won’t bore you with the details.
Basically WordPress Gravatar uses this API to retrieve information such as pictures, display names, real names and email addresses. It may sound harmless, but is actually more harmful than you think.
Imagine what bad actors can do with those kind of information. Bad actors can simply generate a list of hashes into a csv file for example, decode them and expose the data and possibly sell them to the dark web. It also gives them lead way to compromise your site.
I did a few tests on big name sites and I was shocked by the amount of information I get including the admin of the site, a list of email addresses with some still hashed.
However, there is a nitch plugin called Disable REST API that allows the Rest API on WordPress to be disabled. I wish WordPress would have this on by default without us resorting to 3rd party plugins.