Strategic OSINT: Finding Out Who Has Access to the Bellingham Public Schools Website
By Jamisen Renoud
May 11th, 2025
While exploring the Bellingham Public Schools website, I discovered it runs on WordPress, which exposes some surprisingly useful API endpoints.
By querying /wp-json/wp/v2/users, I could pull a list of every registered author with access to publish content on the site — no login or credentials required.
The Endpoint
This URL revealed the full author list:
https://bellinghamschools.org/wp-json/wp/v2/users
Users Discovered
(District Site)
- Amelia Vader - Grant Writer and Special Projects Manager
- Andrew Forhan - Communications Technician Specialist
- Bill Palmer - Director, Teaching and Learning - Technology Integration
- Caitlin - Unidentified
- Cara Forhan - Executive Administrative Assistant, Human Resources
- Clover Martin - Administrative Assistant, Health Services
- Dana Smith - Assistant Director, Communications
- Gladys Serrano - Administrative Assistant, Teaching and Learning
- Greg Baker - Superintendent
- Heather Steele - Director, Teaching and Learning - Career and Technical Education
Oddly, this is only some users, most likely ones with admin access, but thats a guess, as users Janis Velasquez Farmer (Director of DEI), as well as Lisa Hust (not on district website, but I suspect was HR from some searching) found at https://bellinghamschools.org/wp-json/wp/v2/users/3 do not appear in that list.
Users Discovered
(Sehome Site)
Now I went to look at sehome.bellinghamschools.org and found everything is basically the same, and found these users.
- Amy Hjelt - Unknown
- Andrew Forhan - Communications Technician Specialist
- Lisa Gilchrist - Unknown
- Lisa Hust - Unknown
- Margaret Gude - Communications Specialist
- Monica Contreras - Administrative Assistant to the Principal
- Nicky Cook-Desler - Library Media Specialist
Why It Matters
Even though no private data was exposed, this tells us who has backend access, and could be targeted by phishing campaigns.
Note: This is a completely public endpoint. No login or security was bypassed.
This post is licensed under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license.