WordPress Rest API Authentication
By miniOrange
WordPress REST API Authentication plugin provides the security from unauthorized access to your WordPress REST APIs.
Meet us at WordCamp Europe | ShopTalk | DrupalCon Conferences to explore our solutions. Know More
WordPress REST API Basic Authentication Method
WordPress REST API Basic Authentication allows you to verify access to the WordPress REST APIs by validating an API token generated from the username, password, or client credentials.
Whenever a request is made to access a WordPress REST API endpoint, it undergoes authentication against the associated token. Subsequently, access to the resources for that specific API request is determined based on the successful validation of this API token. To maintain security, the access token is encrypted to prevent any security/data breaches.
Steps to Download & Installation
- Log into your WordPress account as an admin.
- Go to the WordPress Dashboard -> Plugins and click on Add New.
- Search for a WordPress REST API Authentication plugin and click on Install Now.
- Once installed, click on Activate.
Use Case: Protect/Secure WordPress REST API Endpoint Access Using Basic Authentication
1. Based on User credentials:
Suppose you have an Android/iOS app and have given your users the feature to post their personal feeds or blogs on the mobile app.
In this case, requests on your mobile app should be authenticated.
The WordPress Basic Authentication REST API with username and password is the best authentication method for this case. It will be helpful to perform WordPress operations via REST APIs that involve user permissions or capabilities.
The user session will be created, and on the basis of their WordPress capabilities, he/she will be allowed to access the REST API content or perform the desired operations.
2. Based on Client Credentials:
Imagine you have an Android or iOS application and wish to interact with WordPress content through its REST API endpoints. However, you're reluctant to utilize WP user credentials to prevent any potential exposure that might enable an intruder to gain unauthorized access to the WP site.
In such a scenario, it is advisable to employ the WordPress Basic Authentication Rest API, utilizing a client ID and client secret to safeguard your WP user credentials.
With this method, you only need to include the Client ID and Client Secret provided by the plugin in each request. Consequently, security remains uncompromised, as the Client ID and Secret are transmitted in an encrypted format within the Basic Authorization header of each API request. These credentials are then validated, and upon successful validation, WP API Basic Auth grants access to the requested APIs.
Some Use Cases For The Following Rest API Basic Authentication Methods:
Setup REST API Basic Authentication Method
REST API Basic Auth using UserName & Password :
- In the plugin, go to the Configure Methods tab in the left section.
- Click on Basic Authentication as the API Authentication method.
- Select Username & Password with Base64 Encoding and click Next in the top right corner.
- In order to test the functionality, Fill in the username and Password fields for an existing user.
- You can edit the REST API endpoint to fetch details from that endpoint. Example: /pages endpoint has been selected here:
- Click on the Test Configuration button, and verify the result shown on the screen.
- Click the Finish button.
- After you save the REST API Basic Auth Configuration with Username and Password, to access the WordPress REST APIs, you need to send a REST API request with your respective Authorization Key. You need to use the request format as shown below.
Request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization: Basic base64encoded <username:password>
Sample Request Format-
Example => username : testuser and password : password@123
Sample curl Request Format-
curl -H "Authorization:Basic base64encoded <username:password>"
-X POST http://<wp_base_url>/wp-json/wp/v2/posts -d "title=sample post&status=publish"
base64_encode(‘testuser:password@123’) will results into ‘eGw2UllOdFN6WmxKOlNMRWcwS1ZYdFVrbm5XbVV2cG9RV FNLZw==’ as output.
Sample request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization : Basic eGw2UllOdFN6WmxKOlNMRWcwS1ZYdFVrbm5XbVV2cG9RVFNLZw==
Code samples in programming languages
var client = new RestClient("http://<wp_base_url>/wp-json/wp/v2/posts ");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AlwaysMultipartFormData = true;
request.AddParameter("title", "Sample Post");
request.AddParameter("status", "publish");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
OkHttpClient client = new OkHttpClient().newBuilder().build();
MediaType mediaType = MediaType.parse("text/plain");
RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)
.addFormDataPart("title","Sample Post")
.addFormDataPart("status", "publish")
.build();
Request request = new Request.Builder()
.url("http://<wp_base_url>/wp-json/wp/v2/posts ")
.method("POST", body)
.build();
Response responseclient.newCall(request).execute();
var form = new FormData();
form.append("title","Sample Post");
form.append("status", "publish");
var settings = {
"url": "http://<wp_base_url>/wp-json/wp/v2/posts ",
"method": "POST",
"timeout": 0,
"processData": false,
"mimeType": "multipart/form-data",
"contentType": false,
"data": form
};
$.ajax(settings).done(function (response) {
console.log(response);
});
<?php
$curl = curl_init();
curl_setopt_array($curl, array
(
CURLOPT_URL => 'http://%3Cwp_base_url%3E/wp-json/wp/v2/posts%20',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => '',
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 0,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => 'POST',
CURLOPT_POSTFIELDS => array('title' => 'Sample Post','status' => 'publish'),
));
$response = curl_exec($curl);
curl_close($curl);
echo $response;
import http.client
import mimetypes
from codecs import encode
conn = http.client.HTTPSConnection("<wp_base_url>")
dataList= []
boundary = 'wL36Yn8afVp8Ag7AmP8qZ0SA4n1v9T'
dataList.append(encode('--' + boundary))
dataList.append(encode('Content-Disposition: form-data; name=title;'))
dataList.append(encode('Content-Type: {}'.format('text/plain')))
dataList.append(encode(''))
dataList.append(encode("Sample Post"))
dataList.append(encode('--' + boundary))
dataList.append(encode('Content-Disposition: form-data; name=status;'))
dataList.append('Content-Type: {}'.format('text/plain')))
dataList.append(encode(''))
dataList.append(encode("publish"))
dataList.append(encode('--'+boundary+'--'))
dataList.append(encode(''))
body = b'\r\n'.join(dataList)
payload= body
headers = {
'Content-type': 'multipart/form-data; boundary={}'.format(boundary)
}
conn.request("POST", "/wp-json/wp/v2/posts ", payload, headers)
res= conn.getresponse()
data = res.read()
print (data.decode("utf-8"))
Postman Samples:
- Click on the Postman Samples tab in the plugin.
- Now, hover over the Basic Authentication Postman Samples card.
- Import the downloaded JSON file into the Postman Application as shown below.
- Once you import the json file, click on the REST API request under the Collections as shown in the last figure. Replace the <wp_base_url> with your Wordpress domain in the http://<wp_base_url>/wp-json/wp/v2/posts and replace the base64encoded <username:password> in the header with the base encoded value.
- Import the downloaded JSON file into the Postman Application as shown below.
- Once you import the json file, click on the REST API request under the Collections as shown in the last figure. Now replace the <wp_base_url> with your Wordpress domain in the http://<wp_base_url>/wp-json/wp/v2/posts and replace the base64encoded <clientid:clientsecret> in the header with the base encoded value.
Follow the steps below to make REST API request using Postman:
a) For Username-Password
Example:
For Username: testuser and password: password@123 the base64 encoded value will be ‘dGVzdHVzZXI6cGFzc3dvcmRAMTIz’
b) For Client ID and Client Secret
Feature Description
- First, go to the plugin ‘Advanced Settings’ tab.
- Then, in the Role based Restriction section, all the roles by default will be allowed to access the APIs. You can enable the checkbox of the roles for which you want to restrict access.
- In the above image, the subscriber role checkbox is enabled. So whenever an API request is made by the user, with his role as a subscriber, then that user won’t be allowed to access the requested resource.
- First, go to the plugin ‘Advanced Settings’ tab.
- Then in the ‘Custom Header’ section, you can edit the textbox to enter the custom name you want.
- First, go to the plugin ‘Advanced Settings’ tab.
- Then in the ‘Exclude REST APIs’, you can enter your APIs in the prescribed format which needs to be whitelisted for public access.
-
Example: Suppose you want to exclude the REST API ‘
/wp-json/wp/v2/posts’ then you have to enter ‘/wp/v2/posts’ in the textbox.
1. Role-Based REST API restriction:
This feature allows you to restrict REST API access in accordance with user roles. You have the option to specify the roles that are permitted to access the requested resource through REST APIs. Consequently, when a user makes a REST API request, their role is checked, and access to the resource is granted exclusively if their role is included in the whitelist.
How to configure it?
Note: The Role-based restriction feature is valid for Basic authentication (Username: password), JWT method, and OAuth 2.0 (Password grant).
2. Custom Header:
This feature offers the ability to select a personalized header instead of the default 'Authorization' header. This enhances security by allowing you to name the header as per your custom preference. Consequently, if someone attempts to make a REST API request with a header named 'Authorization,' they will be allowed to access the APIs.
How to configure it?
3. Exclude REST APIs:
This feature allows you to designate certain REST APIs as whitelisted, permitting them to be accessed directly without the need for authentication. Consequently, all these whitelisted REST APIs become publicly accessible.
How to configure it?
4. Enable Advanced Encryption for the tokens using HMAC :
This feature is offered within the Basic Authentication method, where the token is typically encrypted using Base64 encoding by default. However, with the advanced option, the token can be encrypted using the highly secure HMAC encryption method, which ensures a very high level of security.
Additional Resources
- WordPress REST API OAuth 2.0 Authentication Method
- WordPress REST API Key Authentication Method | Secure REST API
Need Help?
Mail us on oauthsupport@xecurify.com for quick guidance(via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.
×
![ADFS_sso]()
Trending searches:
Hello there!
Need Help? We are right here!
