In this tutorial, we're going to investigate authentication with the WordPress REST API.
By default, the WordPress REST API has some open endpoints and some cookie authentication endpoints.
The main rule of thumb is that GET methods such as listing posts, pages or users are open, while POST or PUT methods (creating a new user, for example) are closed and require the user to be logged in.
Why Is Authentication Important?
I'm a great believer in the WordPress REST API being locked down by default, with an admin area setting to open it up to the way it currently works. This is why I always turn off the REST API for everybody unless they are authorized. Visit the following link to disable the REST API: Disable REST API
This became even more important with the discovery of the security hole in the REST API (WordPress REST API Vulnerability). This problem was fixed in WordPress 4.7.2, but if you're running a lower version then you might be open to this security problem. Authentication on your API is very important as it stops anybody from simply using your API to edit your data or to use your data. Without authentication on your POST or PUT methods, anybody will be able to use an app like Postman and customise your data. By default WordPress POST and PUT methods require authentication, so this isn't a massive problem, but it can be improved. The GET endpoints are open, and this allows anybody to very quickly create a JavaScript or PHP app to display all your content.
Authentication Options
There are generally three options when authenticating with your WordPress REST API:
- Cookie authentication
- OAuth authentication
- Basic authentication
My favourite approach to authentication is OAuth, as it's generally more secure than the other methods and you have more control over the apps that have access to your API.
Cookie Authentication
This is the default authentication that comes with WordPress. When you log in to the dashboard, WordPress sets a cookie on your machine so that it knows you can access the admin area. The REST API uses this cookie together with nonces to authorize requests to the API.
Basic Authentication
A simple solution to authentication is to use Basic authentication, which means third-party clients need to mimic a login to the WordPress site by passing the username and password in the headers of the API HTTP request.
<?php
// Basic auth only base64-encodes "username:password"; it is not encrypted, so send it over HTTPS only.
$headers = array(
    'Authorization' => 'Basic ' . base64_encode( 'admin' . ':' . '12345' ),
);
This authorization header needs to be sent on every request made to the API and requires you to store the username and password in the external client.
OAuth Authentication
OAuth is the authentication method you should use when accessing the API through an external client such as a mobile app or a JavaScript app. When third-party clients need access to the API, admin users can log in and create a token for each app to use. This gives admin users the control to revoke an app's access to the API at any time by simply cancelling the API token. The REST API is currently compatible with the OAuth 1.0a specification, and there is a plugin you can install to quickly have this in place on your WordPress site: OAuth Plugin. The plugin provides a full GUI in the admin pages to create or revoke tokens for new clients. After the plugin is installed you need to configure and create your new clients. The plugin adds new endpoints you can use to provide access to the app; first navigate to http://website.com/wp-json, which will give you a list of the new endpoints.
{
    "name": "Paulund",
    "description": "Web Development tutorials and snippets for WordPress, Laravel, Javascript, CSS",
    "url": "https://paulund.co.uk/wp",
    "home": "https://paulund.co.uk",
    "namespaces": ["wp\/v2"],
    "authentication": {
        "oauth": {
            "request": "http://paulund.co.uk/oauth1/request",
            "authorize": "http://paulund.co.uk/oauth1/authorize",
            "access": "http://paulund.co.uk/oauth1/access",
            "version": "0.1"
        }
    }
}
To create an application for your REST API you can either use the GUI in the admin area or, if you use WP-CLI, you can use the command
wp oauth1 add --name=<consumer_name> --description=<consumer_description>
When a client is created you will be given the client key and the client secret; you need to give these to the third-party client. From these codes, you'll be able to create the OAuth token to get access to the API. To get temporary OAuth access you need to request access from the request endpoint, passing in the client key and client secret. I use the application Postman to make HTTP requests easily; under the Authorization tab in Postman you're able to select OAuth 1.0, and from there you can make a request and pass in the client key and secret. Enter this information and make a POST call to the request endpoint http://website.com/oauth1/request
The response of this endpoint will return the oauth_token and the oauth_token_secret. You can now take these values and navigate in your browser to the authorize endpoint, passing these in as a querystring.
http://website.com/oauth1/authorize?oauth_token=<token_here>&oauth_token_secret=<secret_here>
This will ask you to verify the user you are connecting as; if the information is correct, click on the Authorize button and you will be redirected to a page with the verification token. You then take this verification code, together with the short-term OAuth token and secret, and POST to
http://website.com/oauth1/access?oauth_verifier=<oauth_verifier_value>
The return of this endpoint will provide you with the long-term oauth_token and oauth_token_secret:
oauth_token=<oauth_token_value>&oauth_token_secret=<oauth_secret_value>
Now you can make your first request to the endpoint using OAuth 1.0 with your:
- Client key
- Client secret
- OAuth token
- OAuth secret