[Defender] security is needed

If i type: /wp-json/wp/v2/users at the end of my website, all users are listed! Wordfence security has the ability to block for free - why this i am paying for :slight_smile:?? Supposedly this will end it: # WP REST API BLOCK JSON REQUESTS TO USERS & COMMENTS ROUTES
# Block/Forbid Requests to: /wp-json/wp/v2/users and wp-json/wp/v2/comments
# WP REST API REQUEST METHODS: GET, POST, PUT, PATCH, DELETE
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/v2/(users|comments) [NC]
RewriteRule ^(.*)$ - [F]

see here: https://onlinesynlighed.dk/blog/stort-sikkerhedshul-kan-se-dit-wordpress-brugernavn/