WordPress REST API Authentication
in REST API
In this tutorial, we're going to investigate authentication with the WordPress REST API. By default, the WordPress REST API has some endpoints that are open and some that require cookie authentication. The general rule of thumb is that GET requests, for example for posts, pages or users, are open, whereas POST or PUT requests that create content, such as new users, are closed and require the user to be logged in.
Why Is Authentication Important?
I'm a great believer that the WordPress REST API should be locked down by default, with an admin area setting to open it up to the way it currently behaves. This is why I always turn off the REST API for everybody unless they are authorized.
Visit the following link to disable the REST API.
This became even more important with the discovery of a security hole in the REST API. The problem was fixed in WordPress 4.7.2, but if you're running an older version you may still be exposed to it.
There are generally three options when authenticating with the WordPress REST API:
- Cookie authentication
- OAuth authentication
- Basic authentication
My favourite approach to authentication is OAuth, as it's generally more secure than the other methods and gives you more control over the apps that have access to your API.
Cookie authentication is the default authentication that comes with WordPress: when you log in to the dashboard, WordPress sets a cookie on your machine so that it knows you can access the admin area. The REST API uses this cookie together with nonces to authorize requests to the API.
A simple solution to authentication is Basic authentication, which means third-party clients mimic a login to the WordPress site by passing the username and password in the headers of the HTTP request to the API.
$headers = array ( 'Authorization' => 'Basic ' . base64_encode( 'admin' . ':' . '12345' ), );
This authorization needs to be sent with every request made to the API and requires you to store the username and password in the external client.
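To make the previous point concrete, here is an added Python example (not code from the original post) that builds the same header as the PHP snippet above, decodes it again to show that base64 is reversible encoding rather than encryption, and refuses to hand the header out for a non-HTTPS URL. The credentials and the website.example URL are constructed placeholders.

```python
"""Basic authentication header for the WordPress REST API.

Added example, not code from the original post. The credentials are the
constructed placeholders used in the post ('admin' / '12345').
"""
import base64
import binascii
from urllib.parse import urlsplit


def basic_auth_header(username, password):
    """Same header the PHP snippet builds: 'Basic ' + base64('user:pass')."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids a colon in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def decode_basic_auth(header_value):
    """Reverse the header. Base64 is encoding, not encryption, so anyone who
    can read the header (proxy, log file, shared client config) has the
    password. Returns (username, password)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    # Split on the first colon only: the password itself may contain colons.
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credentials must be 'user:pass'")
    return username, password


def headers_for_request(url, username, password):
    """Only hand the header out for TLS URLs; over plain HTTP the password
    crosses the network in the clear on every single request."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send Basic credentials over a non-HTTPS URL")
    return basic_auth_header(username, password)


if __name__ == "__main__":
    # Constructed placeholder site; the values mirror the PHP snippet above.
    hdr = headers_for_request("https://website.example/wp-json/wp/v2/users", "admin", "12345")
    print(hdr)
    print(decode_basic_auth(hdr["Authorization"]))
```

Because the header is identical on every request and decodes straight back to the password, a client using Basic authentication should only ever talk to the site over HTTPS, and the stored credentials should belong to a dedicated low-privilege user rather than an administrator.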
The REST API is currently compatible with the OAuth 1.0a specification, and there is a plugin you can install to quickly put this in place on your WordPress site.
The plugin will provide a full GUI in the admin pages to create or revoke tokens for new clients.
After the plugin is installed you need to configure and create your new clients. The plugin adds new endpoints you can use to provide access to the app; first navigate to http://website.com/wp-json, which will give you a list of the new endpoints.
To create an application for your REST API you can either use the GUI in the admin area or, if you use WP-CLI, run the command
wp oauth1 add --name=<consumer_name> --description=<consumer_description>
When a client is created you will be given a client key and a client secret, which you need to give to the third-party client. With these codes the client can create the OAuth token that grants access to the API.
To get temporary OAuth access you call the request endpoint, passing in the client key and client secret. I use the application Postman to make HTTP requests easy; under the Authorization tab in Postman you can select OAuth 1.0 and pass in the client key and secret. Enter this information and make a POST call to the request endpoint.
The response of this endpoint will return the temporary oauth_token and oauth_token_secret.
You can now take these values and navigate in your browser to the authorize endpoint, passing them in as a query string.
This will ask you to verify the user you are connecting as; if the information is correct, click the Authorize button and you will be redirected to a page with the verification token.
You will then take this verification code, the short-term OAuth code and secret and POST to
The return of this endpoint will provide you with the long-term oauth_token and oauth_token_secret.
Now you can make your first request to the endpoint using OAuth 1.0 with your:
- Client key
- Client Secret
- OAuth token
- OAuth secret
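When you select OAuth 1.0 in Postman, it computes an HMAC-SHA1 signature over each request from those four values and puts it in an Authorization header. The following Python is an added example (not code from the post or from the OAuth plugin) that carries out that signing as specified in RFC 5849, so you can see what the client sends and how the server side recomputes and compares the signature. The website.example URL and all key, secret and token values are constructed placeholders; the test vector in the design note below comes from RFC 5849 itself.

```python
"""OAuth 1.0a request signing (HMAC-SHA1) as specified in RFC 5849.

Added example, not code from the WP REST API OAuth plugin. The URL,
client key/secret and token values used here are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_escape(value):
    """RFC 3986 percent-encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def normalize_url(url):
    """Scheme and host lower-cased, default ports and query/fragment dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, oauth_params, query_params=(), body_params=()):
    """METHOD & enc(base URL) & enc(sorted 'k=v' pairs joined by '&').

    Query, form-body and oauth_* parameters are all encoded, sorted by
    encoded name then value, and the signature itself is never included.
    """
    pairs = [(oauth_escape(k), oauth_escape(v))
             for k, v in [*query_params, *body_params, *oauth_params.items()]
             if k != "oauth_signature"]
    pairs.sort()
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_escape(normalize_url(url)), oauth_escape(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is enc(client secret) '&' enc(token secret). The token secret is
    empty for the very first call to the request endpoint."""
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signature_is_valid(received, base_string, consumer_secret, token_secret=""):
    """Server side: recompute from the stored secrets and compare in constant time."""
    expected = hmac_sha1_signature(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)


def build_authorization_header(method, url, consumer_key, consumer_secret,
                               token="", token_secret="", body_params=(),
                               extra=None, nonce=None, timestamp=None):
    """Return the Authorization header value for one request.

    `extra` carries step-specific parameters such as oauth_callback (request
    step) or oauth_verifier (access step); `nonce`/`timestamp` are only
    injected for reproducible tests, normally fresh values are generated.
    """
    query_params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth_params["oauth_token"] = token
    if extra:
        oauth_params.update(extra)
    base = signature_base_string(method, url, oauth_params, query_params, body_params)
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    fields = ", ".join(f'{oauth_escape(k)}="{oauth_escape(v)}"'
                       for k, v in sorted(oauth_params.items()))
    return "OAuth " + fields


if __name__ == "__main__":
    # Constructed placeholder credentials; a real client loads these from config.
    print(build_authorization_header(
        "GET", "https://website.example/wp-json/wp/v2/posts?status=draft",
        consumer_key="CLIENT_KEY", consumer_secret="CLIENT_SECRET",
        token="OAUTH_TOKEN", token_secret="OAUTH_TOKEN_SECRET"))
```

Two details matter for security here. The secrets never travel in the request; only the signature does, so a captured request cannot be replayed against a different URL or body, and the server's nonce and timestamp checks stop it being replayed as-is. On the verifying side the comparison uses hmac.compare_digest rather than ==, so a wrong signature cannot be distinguished character by character through timing. The signature_base_string function reproduces the worked example in RFC 5849 section 3.4.1.1 exactly, which is a handy way to check any OAuth 1.0a client you write yourself.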