andrixb

Reputation: 121

Wordpress REST API app key

I'm thinking of making a frontend application based on Wordpress and the Wordpress REST API, and I'm not a security expert. I noticed that by default I can fetch the content without having an auth key for the application, so basically everyone can get the content without being authorized (and I am taking for granted that at least I cannot post anything if I am not logged in). Is that normal?

Does anyone know how I can restrict this behaviour by creating a key?

Thank you very much

Upvotes: 2

Views: 476

Answers (2)

Brandon.Blanchard

Reputation: 404

To do what you're attempting you'll need a healthy understanding of JSON Web Tokens and two plugins.

The first plugin is My Private Site. This plugin will prevent users from viewing any content on the website front end, turning Wordpress into a content editor with only a REST API available to access content.

The second plugin you'll want is Advanced Access Manager. This will allow you to require JWT authentication anytime a user requests data from the RestApi. Here's an article from AAM on how to set up JWT in Wordpress.

I hope this helps :D

Upvotes: 2
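For readers who would rather not depend on a plugin for the "require authentication for every REST request" part of this answer, the following is an added example (it is not from the original answer and not code from the My Private Site or Advanced Access Manager plugins). It uses WordPress core's `rest_authentication_errors` filter, which runs before every REST request is dispatched, to reject any request that does not carry a recognised login. The mu-plugin file name is an assumption.

```php
<?php
/**
 * Added example: require an authenticated WordPress user for every REST API
 * request. Save as wp-content/mu-plugins/require-rest-auth.php (file name is
 * an assumption; any must-use plugin location works).
 *
 * Effect: anonymous GET /wp-json/wp/v2/posts now returns HTTP 401 instead of
 * the public post list. Cookie+nonce, Application Passwords or a JWT plugin
 * can still authenticate a request, because their verdict is honoured below.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier authentication handler already decided (true = authenticated,
    // WP_Error = rejected). Never override another handler's verdict.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // No verdict yet (null). Only let the request through if WordPress has
    // resolved a logged-in user from the credentials it was given.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be authenticated to use the REST API.' ),
            array( 'status' => 401 )
        );
    }

    return $result;
} );
```

Two caveats a practitioner should check before deploying this: it blocks every anonymous REST call, including ones that other plugins (contact forms, comment widgets, the block editor's public endpoints) may rely on, so exercise the site after enabling it; and it only decides whether a user is logged in, not how. Since WordPress 5.6 core's Application Passwords give an external frontend a per-application credential that is sent over HTTP Basic auth (`curl -u 'user:app-password' https://example.com/wp-json/wp/v2/posts`, hostname hypothetical), so a separate JWT plugin is optional; in either case the API must be served over HTTPS only, otherwise the credential is exposed on every request.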

andrixb

Reputation: 121

Just enable CORS in the header.php (see: Enable CORS on JSON API Wordpress).


The following can still be a useful consideration:

Keeping to what is stated here https://www.wpwhitesecurity.com/wordpress-security/wordpress-rest-api-and-the-security-worries/:

the information that is available via the WordPress REST API is already available to the public via other means, such as the website itself and RSS. The only difference between the front-end of the website, RSS and the REST API is the way the data is presented.

One of the questions at the bottom of this article is about DoS attacks, and the answer is the following:

As explained in the post the data available through REST API is already publicly available, so as much as an attacker can create a DoS-type attack on the REST API he can do the same on the website. Actually, requesting something from the REST API is more efficient than when requesting it from the interface since the request and response contain much less data (the interface itself) so in a way, it is more efficient.

Upvotes: -1
