...
This plugin disables the /users API endpoint as well as prevents form logins for any users with “@” in their username. This mitigates concerns around brute force attacks on the site.
Note: It is still possible to create a user with elevated privileges and a simple password that would be allowed to login into the website. It is recommended to disable this functionality entirely on production to prevent unauthorized access using manually created users.
digimod-theme-assets (DIGIMOD - Block Theme Frontend Enhancements)
...