The WordPress REST API Authentication plugin protects your WordPress REST APIs from unauthorized access.
WordPress REST API key authentication involves verifying the API key (Bearer token) to gain access to the WP REST APIs. Each time a request is initiated to access WP REST API endpoints, authentication is necessary using the key (Bearer token). Access to resources for the requested WordPress REST API endpoint is granted based on the validation of the API key (Bearer token).
For the record, API key authentication is designed to let developers generate authentication keys that can be used by clients such as server-side processes, mobile phone applications, and desktop computers.
The WordPress API key authentication method is a vital means to ensure the security of your WordPress REST API. If the API key becomes compromised, it can be regenerated, causing all previously generated keys to expire automatically. The newly created key will then be employed for WP API Key Authentication. Failing to secure your REST API can pose significant security risks, as it can provide unauthorized individuals with access to your system, potentially leading to data breaches.
This guide will walk you through a detailed, step-by-step process for installing and configuring WordPress REST API Authentication to enhance the security of your REST API.
1. API Key authentication can serve as a safeguard for your WordPress REST API Endpoints, such as posts, pages, or any other REST APIs of WordPress, shielding them from unauthorized access and negating the need to share a user's WP login credentials or client ID and client secret for authentication. This WordPress API key generator approach creates a unique authentication key, which you can utilize to authenticate various WordPress REST APIs on your website.
Utilizing the WordPress REST API key authentication represents one of the easiest and most widely adopted approaches to fortifying your WP REST API with API key authentication. This approach enhances the security of REST APIs on your WordPress website.
2. Imagine you've developed a Blog Application for Android and iOS, and you've published all your blogs on WordPress. However, you'd like to retrieve the posts/blogs from WordPress REST APIs while keeping them inaccessible to the public. In such cases, it's advisable to implement WordPress REST API Key Authentication to safeguard your GET requests, ensuring the security of your endpoints.
The plugin provides two kinds of API keys (security tokens) that can be used to authenticate WordPress REST API requests:
I. Universal API Key - The Universal API key is most suitable for authenticating WP REST APIs that involve the HTTP GET method and do not require WordPress user capabilities.
Please note: This key does not involve user capabilities and cannot be used to access those APIs for which WordPress expects user permissions. Example - If you just want to use the GET APIs for fetching general WordPress posts, comments, etc.
II. User-specific API Key - The user-specific API key is most suitable for authenticating WP REST APIs that involve any of the HTTP methods, such as GET, POST, PUT, and DELETE, especially where you want to perform operations that involve user capabilities.
Example - If you want to perform operations like fetching WordPress posts based on user capabilities (their WP roles), fetching user data, or creating new users, new posts, etc.
Request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization: Bearer <token>
Sample request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization: Bearer kGUfhhzXZuWisofgnkAsuHGDyfw7gfhg5s
Sample curl request format:
# Send the key over https:// so the bearer token is not exposed in cleartext.
curl -X GET "https://<wp_base_url>/wp-json/wp/v2/posts" \
  -H "Authorization: Bearer <token-value>" \
  -H "app-name: TheAppName"
I. Authorization:
The HTTP Authorization request header typically includes the user agent's credentials or token type and token value, serving as a means to authenticate the user agent with a server. This commonly occurs following an unsuccessful authentication attempt, where the server responds with a status of 401 Unauthorized.
II. Bearer <token-value>:
The Bearer <token-value> is created by the authentication server. When a client application sends a request carrying this token, the server validates the token and responds to the client application accordingly.
// C# (RestSharp)
using System;
using RestSharp;

var client = new RestClient("https://<wp_base_url>/wp-json/wp/v2/posts");
client.Timeout = -1;
var request = new RestRequest(Method.GET);
// AddHeader is a method call, not an assignment.
request.AddHeader("Authorization", "Bearer <token-value>");
request.AddHeader("app-name", "TheAppName");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
// Java (OkHttp)
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

OkHttpClient client = new OkHttpClient().newBuilder().build();
Request request = new Request.Builder()
    .url("https://<wp_base_url>/wp-json/wp/v2/posts")
    .method("GET", null)
    .addHeader("Authorization", "Bearer <token-value>")
    .addHeader("app-name", "TheAppName")
    .build();
Response response = client.newCall(request).execute();
// JavaScript (jQuery)
var settings = {
  "url": "https://<wp_base_url>/wp-json/wp/v2/posts",
  "method": "GET",
  "timeout": 0,
  "headers": {
    "Authorization": "Bearer <token-value>",
    "app-name": "TheAppName"
  },
};
$.ajax(settings).done(function (response) {
  console.log(response);
});
<?php
// PHP (cURL)
$curl = curl_init();
curl_setopt_array($curl, array(
  CURLOPT_URL => 'https://<wp_base_url>/wp-json/wp/v2/posts',
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => '',
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 0,
  CURLOPT_FOLLOWLOCATION => true,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => 'GET',
  // Each header is a separate array element.
  CURLOPT_HTTPHEADER => array(
    'Authorization: Bearer <token-value>',
    'app-name: TheAppName'
  ),
));
$response = curl_exec($curl);
curl_close($curl);
echo $response;
# Python (http.client)
import http.client

conn = http.client.HTTPSConnection("<wp_base_url>")
payload = ''  # GET request, so the body is empty
headers = {
    'Authorization': 'Bearer <token-value>',
    'app-name': 'TheAppName',
}
conn.request("GET", "/wp-json/wp/v2/posts", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
Follow the steps below to make a REST API request using Postman:
1. Role-Based REST API Restrictions:
This feature enables restricting REST API access according to user roles. You have the option to specify which roles should be permitted to access the requested resource through REST APIs. Therefore, when a user initiates a REST API request, their role is retrieved, and access to the resource is only granted if their role is included in the whitelist.
How to configure it?
Note: The Role-based restriction feature is valid for Basic authentication (Username: password), JWT method, OAuth 2.0 (Password grant), and API Key Auth (User-specific API key).
2. Custom Header
This feature provides an option to choose a custom header rather than the default ‘Authorization’ header. This will enhance security by introducing a custom-named header. If an individual attempts to send a REST API request with an 'Authorization' header, they will be unable to access the APIs.
How to configure it?
3. Exclude REST APIs
This feature allows you to create a whitelist for your REST APIs, enabling direct access to them without the need for authentication. Consequently, all REST APIs included in this whitelist become publicly accessible.
How to configure it?
4. Create User Specific API keys/tokens
How to use this feature:
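The decision flow described above for the two key types, role-based restriction, the custom header and excluded REST APIs, modelled in Python as an added example. It is not the plugin's code: the configuration names, the hashed key store and the rule that the universal key is limited to GET are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed configuration for this sketch; names are hypothetical, not plugin settings.
CONFIG = {
    "header": "Authorization",             # or a custom header name (feature 2)
    "excluded": {"/wp-json/wp/v2/pages"},  # public without authentication (feature 3)
    "allowed_roles": {"administrator", "editor"},  # role whitelist (feature 1)
}
KEYS = {}  # sha256(key) -> None for the universal key, or (user, role)

def issue_key(owner=None):
    """Create a key; only its hash is stored. Reissuing for an owner expires the old key."""
    for digest in [d for d, o in KEYS.items() if o == owner]:
        del KEYS[digest]
    key = secrets.token_urlsafe(32)
    KEYS[hashlib.sha256(key.encode()).hexdigest()] = owner
    return key

def authorize(method, path, headers):
    """Return (HTTP status, reason) for one REST request."""
    if path in CONFIG["excluded"]:
        return 200, "excluded endpoint"
    # Header names are case-insensitive; only the configured header is read.
    wanted = CONFIG["header"].lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, "missing bearer token"
    digest = hashlib.sha256(token.strip().encode()).hexdigest()
    # Constant-time comparison against every stored hash.
    match = [o for d, o in KEYS.items() if hmac.compare_digest(d, digest)]
    if not match:
        return 401, "unknown or expired key"
    owner = match[0]
    if owner is None:  # universal key: no user capabilities, so read-only here
        return (200, "universal key") if method == "GET" else (403, "needs a user key")
    if owner[1] not in CONFIG["allowed_roles"]:
        return 403, "role not allowed"
    return 200, "user key for " + owner[0]
```

Storing only the hash means a leaked key table does not expose usable keys, and regenerating a key invalidates the previous one, as the guide describes for a compromised key.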
Congratulations! You have successfully configured the WordPress REST API Key Authentication using this guide. Now, your WordPress REST API endpoints are secure, and your data is protected from unauthorized access.
Email us at apisupport@xecurify.com for quick guidance (via email or meeting) on your requirement, and our team will help you select the most suitable solution or plan.