WordPress REST API Basic Authentication Method


With this method, access to the WordPress REST API endpoints is validated against an API token generated from the user's username and password, or from client credentials. Every request to a WordPress REST API endpoint is authenticated against that token, and the resources for the request are made available only once the token has been verified. The token is encrypted, so security is not compromised.

Download And Installation

  • Log into your WordPress instance as an admin.
  • Go to the WordPress Dashboard -> Plugins and click on Add New.
  • Search for the WordPress REST API Authentication plugin and click on Install Now.
  • Once installed click on Activate.


Use Case: Protect/secure access to WordPress REST API endpoints using Basic Authentication.

    1. By User credentials:

    Suppose you have an Android/iOS blog application and you have given your users the ability to post their personal feeds or blogs from the mobile application. In this case, the requests made by your mobile application should be authenticated. WordPress Basic Authentication for the REST API with username and password suits this situation: the user's credentials are sent in the Authorization header, a user session is created, and that user is allowed to access REST API content or perform the desired operations according to their WordPress capabilities. Basic Authentication with username and password is the most common authentication method, and it is the right choice whenever the WordPress operations you perform through the REST API depend on user permissions or capabilities.



    2. By Client credentials:

    Suppose you have an Android/iOS blog application and want to access WordPress content through its REST API endpoints without involving WP user credentials, since exposing those credentials could allow an intruder to access the WP site with them. In that case, use WordPress Basic Authentication with a client ID and client secret: your WP user credentials stay out of the requests, and each request only needs to carry the Client ID and Client Secret provided by the plugin, so security is not a concern. The Client ID and Secret are passed in encrypted form in the Basic Authorization header of each API request; they are validated, and on successful validation WP API Basic Auth allows access to the requested APIs.




Setup REST API Basic Authentication Method


REST API Basic Auth using Username & Password:

  • In the plugin, go to the Configure Methods tab in the left section.
  • Click on Basic Authentication as the API Authentication method.
  • Select Username & Password with Base64 Encoding and click Next in the top right corner.
  • To test the functionality, fill in the Username and Password fields for an existing user.
  • You can edit the REST API endpoint to fetch details from that endpoint. Example: the /pages endpoint has been selected here.
  • Click on the Test Configuration button and verify the result shown on the screen.
  • Click the Finish button.
  • After you save the REST API Basic Auth configuration with Username and Password, every request to the WordPress REST APIs must carry your Authorization header. Use the request format shown below.

        Request: GET https://<domain-name>/wp-json/wp/v2/posts
        Header: Authorization: Basic base64encoded <username:password>

    Sample request format, with username testuser and password password@123:

        Sample curl request format:
        curl -H "Authorization: Basic base64encoded <username:password>" \
             -X POST http://<wp_base_url>/wp-json/wp/v2/posts -d "title=sample post&status=publish"

  • The PHP base64_encode(string) function can be used for the base64 encoding as follows:

        base64_encode('testuser:password@123') returns 'dGVzdHVzZXI6cGFzc3dvcmRAMTIz'.

        Sample request: GET https://<domain-name>/wp-json/wp/v2/posts
        Header: Authorization: Basic dGVzdHVzZXI6cGFzc3dvcmRAMTIz

  • Check out the Error Response for Basic Auth using Username & Password.
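The header value above is nothing more than the base64 encoding of `username:password` (or `clientid:clientsecret` in the client-credentials mode). As an added example, not code from the plugin or this page, the following Python builds that value and shows how a server parses and verifies it, splitting on the first colon only so that passwords containing colons survive, rejecting malformed input, and comparing both fields in constant time. Base64 is reversible encoding, not encryption, so the header must only be sent over HTTPS. The function names are my own.

```python
"""Build, parse and verify an HTTP Basic Authorization value (added example)."""
import base64
import hmac


def build_basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for the given credentials."""
    # RFC 7617: base64 of 'user-id:password', UTF-8 encoded.
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth_header(header_value: str):
    """Return (username, password), or None when the header is malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None
    # Split on the FIRST colon only: the password itself may contain colons.
    username, sep, password = raw.partition(":")
    if not sep or not username:
        return None
    return username, password


def verify_basic_auth(header_value: str, expected_user: str, expected_password: str) -> bool:
    """Verify a header against one known credential pair.

    Both fields are compared with hmac.compare_digest and both comparisons are
    always performed, so response timing does not reveal which field was wrong.
    """
    parsed = parse_basic_auth_header(header_value)
    if parsed is None:
        return False
    user, password = parsed
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    password_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and password_ok


if __name__ == "__main__":
    # Constructed sample credentials, the same ones the page uses.
    header = build_basic_auth_header("testuser", "password@123")
    print("Authorization:", header)
    print("parsed:", parse_basic_auth_header(header))
    print("verify ok:", verify_basic_auth(header, "testuser", "password@123"))
    print("verify wrong password:", verify_basic_auth(header, "testuser", "wrong"))
    print("malformed header:", parse_basic_auth_header("Basic !!!not-base64"))
```

Running the script prints `Basic dGVzdHVzZXI6cGFzc3dvcmRAMTIz` for the page's sample user, which is the value the Postman section below also quotes.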

Code samples in programming languages



 
    C# (RestSharp):

    using System;
    using RestSharp;

    var client = new RestClient("http://<wp_base_url>/wp-json/wp/v2/posts");
    client.Timeout = -1;
    var request = new RestRequest(Method.POST);
    // Basic Auth header required by the plugin; replace the placeholder with your base64 value
    request.AddHeader("Authorization", "Basic base64encoded <username:password>");
    request.AlwaysMultipartFormData = true;
    request.AddParameter("title", "Sample Post");
    request.AddParameter("status", "publish");
    IRestResponse response = client.Execute(request);
    Console.WriteLine(response.Content);
 
    Java (OkHttp):

    import okhttp3.MultipartBody;
    import okhttp3.OkHttpClient;
    import okhttp3.Request;
    import okhttp3.RequestBody;
    import okhttp3.Response;

    OkHttpClient client = new OkHttpClient().newBuilder().build();
    RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)
        .addFormDataPart("title", "Sample Post")
        .addFormDataPart("status", "publish")
        .build();
    Request request = new Request.Builder()
        .url("http://<wp_base_url>/wp-json/wp/v2/posts")
        // Basic Auth header required by the plugin; replace the placeholder with your base64 value
        .addHeader("Authorization", "Basic base64encoded <username:password>")
        .method("POST", body)
        .build();
    Response response = client.newCall(request).execute();
            
 
    JavaScript (jQuery):

    var form = new FormData();
    form.append("title", "Sample Post");
    form.append("status", "publish");

    var settings = {
        "url": "http://<wp_base_url>/wp-json/wp/v2/posts",
        "method": "POST",
        "timeout": 0,
        // Basic Auth header required by the plugin; replace the placeholder with your base64 value
        "headers": {
            "Authorization": "Basic base64encoded <username:password>"
        },
        "processData": false,
        "mimeType": "multipart/form-data",
        "contentType": false,
        "data": form
    };

    $.ajax(settings).done(function (response) {
        console.log(response);
    });
      
 
    PHP (cURL):

    <?php
    $curl = curl_init();
    curl_setopt_array($curl, array(
        CURLOPT_URL => 'http://<wp_base_url>/wp-json/wp/v2/posts',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => '',
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 0,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
        CURLOPT_CUSTOMREQUEST => 'POST',
        CURLOPT_POSTFIELDS => array('title' => 'Sample Post', 'status' => 'publish'),
        // Basic Auth header required by the plugin; replace the placeholder with your base64 value
        CURLOPT_HTTPHEADER => array('Authorization: Basic base64encoded <username:password>'),
    ));

    $response = curl_exec($curl);
    curl_close($curl);
    echo $response;
            
 
    Python (http.client):

    import http.client
    from codecs import encode

    # Basic Auth header required by the plugin; replace the placeholder with your base64 value
    AUTH_HEADER = 'Basic base64encoded <username:password>'

    conn = http.client.HTTPSConnection("<wp_base_url>")
    dataList = []
    boundary = 'wL36Yn8afVp8Ag7AmP8qZ0SA4n1v9T'
    # multipart/form-data body assembled by hand: one part per form field
    dataList.append(encode('--' + boundary))
    dataList.append(encode('Content-Disposition: form-data; name="title"'))
    dataList.append(encode('Content-Type: {}'.format('text/plain')))
    dataList.append(encode(''))
    dataList.append(encode("Sample Post"))
    dataList.append(encode('--' + boundary))
    dataList.append(encode('Content-Disposition: form-data; name="status"'))
    dataList.append(encode('Content-Type: {}'.format('text/plain')))
    dataList.append(encode(''))
    dataList.append(encode("publish"))
    dataList.append(encode('--' + boundary + '--'))
    dataList.append(encode(''))
    body = b'\r\n'.join(dataList)
    payload = body
    headers = {
        'Authorization': AUTH_HEADER,
        'Content-type': 'multipart/form-data; boundary={}'.format(boundary)
    }
    conn.request("POST", "/wp-json/wp/v2/posts", payload, headers)
    res = conn.getresponse()
    data = res.read()
    print(data.decode("utf-8"))
 

Postman Samples:

    Follow the steps below to make a REST API request using Postman:

  • Click on the Postman Samples tab in the plugin.
  • Now, hover over the Basic Authentication Postman Samples card.

    a) For Username-Password

      • The card provides the Postman JSON file for username:password.
      • Import the downloaded JSON file into the Postman application.
      • Once you import the JSON file, click on the REST API request under Collections. Replace <wp_base_url> with your WordPress domain in http://<wp_base_url>/wp-json/wp/v2/posts and replace base64encoded <username:password> in the header with the base64-encoded value.
      • Example: for username testuser and password password@123, the base64-encoded value is 'dGVzdHVzZXI6cGFzc3dvcmRAMTIz'.

    b) For Client ID and Client Secret

      • The card provides the Postman JSON file for client ID and client secret.
      • Import the downloaded JSON file into the Postman application.
      • Once you import the JSON file, click on the REST API request under Collections. Replace <wp_base_url> with your WordPress domain in http://<wp_base_url>/wp-json/wp/v2/posts and replace base64encoded <clientid:clientsecret> in the header with the base64-encoded value.

Feature Description

    1. Role Based REST API restriction:

    This feature restricts REST API access based on user roles. You whitelist the roles that may access the requested resource through the REST APIs; whenever a REST API request is made by a user, that user's role is fetched and access is granted only if the role is whitelisted.


    How to configure it?

    • First, go to the plugin 'Advanced Settings' tab.
    • Then, in the Role Based Restriction section, all roles are allowed to access the APIs by default. Enable the checkbox for each role whose access you want to restrict.
    • (Screenshot: Role Based Restriction section with the subscriber role checkbox enabled.)
    • In the above screenshot, the subscriber role checkbox is enabled, so whenever an API request is made by a user whose role is subscriber, that user is not allowed to access the requested resource.

    Note: The Role Based Restriction feature applies to Basic Authentication (username:password), the JWT method, and OAuth 2.0 (Password grant).

    2. Custom Header:

    This feature provides an option to use a custom header instead of the default 'Authorization' header.

    This increases security because the token is expected in a header with your custom name, so a REST API request that carries it in the 'Authorization' header will not be granted access to the APIs.


    How to configure it?

    • First, go to the plugin 'Advanced Settings' tab.
    • Then, in the 'Custom Header' section, edit the textbox to enter the custom name you want.

    3. Exclude REST APIs:

    This feature allows you to whitelist REST APIs so that they can be accessed directly without any authentication. All whitelisted REST APIs are therefore publicly available.


    How to configure it?

    • First, go to the plugin 'Advanced Settings' tab.
    • Then, in the 'Exclude REST APIs' section, enter the APIs to be whitelisted for public access in the prescribed format.
    • Example: to exclude the REST API '<your domain>/wp-json/wp/v2/posts', enter '/wp/v2/posts' in the textbox.
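The three settings above (role-based restriction, custom header, and excluded REST APIs) combine into a single per-request decision. The following Python is an added example of that decision logic as the feature descriptions imply it, not the plugin's own code: the `ApiPolicy` fields, the route-matching rule (an excluded route also covers its sub-routes such as `/wp/v2/posts/12`, but not a lookalike such as `/wp/v2/postsX`), and the `authenticate` callback are all assumptions. Credential checking is delegated to that callback so the block stays focused on the gate itself.

```python
"""Per-request REST API gate modelling three plugin settings (added example)."""
from dataclasses import dataclass

REST_PREFIX = "/wp-json"


@dataclass(frozen=True)
class ApiPolicy:
    # Custom header setting: name of the header that carries the token.
    auth_header: str = "Authorization"
    # Exclude REST APIs setting: routes reachable without authentication, e.g. {'/wp/v2/posts'}.
    excluded_routes: frozenset = frozenset()
    # Role Based Restriction setting: roles that are denied REST API access, e.g. {'subscriber'}.
    restricted_roles: frozenset = frozenset()


def route_of(path: str) -> str:
    """Reduce a request path to the plugin's route form, e.g. '/wp/v2/posts'."""
    path = path.split("?", 1)[0]                      # drop the query string
    if path.startswith(REST_PREFIX + "/"):
        path = path[len(REST_PREFIX):]
    return path.rstrip("/") or "/"


def is_excluded(path: str, policy: ApiPolicy) -> bool:
    """True for an excluded route or one of its sub-routes; prefix lookalikes do not match."""
    route = route_of(path)
    return any(route == r or route.startswith(r + "/") for r in policy.excluded_routes)


def find_header(headers: dict, name: str):
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def decide(path: str, headers: dict, policy: ApiPolicy, authenticate):
    """Return (allowed, reason) for one request.

    `authenticate(header_value)` is supplied by the caller and returns a dict
    {'login': ..., 'roles': [...]} for valid credentials, or None.
    """
    if is_excluded(path, policy):
        return True, "excluded route, no authentication required"
    token = find_header(headers, policy.auth_header)
    if token is None:
        # A token sent in any other header, including 'Authorization', is ignored.
        return False, f"missing {policy.auth_header} header"
    user = authenticate(token)
    if user is None:
        return False, "invalid credentials"
    blocked = policy.restricted_roles.intersection(user["roles"])
    if blocked:
        return False, "role restricted: " + ", ".join(sorted(blocked))
    return True, "authenticated as " + user["login"]


# Constructed sample user store keyed by Basic header value (testuser:password@123, sub:subpass).
SAMPLE_USERS = {
    "Basic dGVzdHVzZXI6cGFzc3dvcmRAMTIz": {"login": "testuser", "roles": ["editor"]},
    "Basic c3ViOnN1YnBhc3M=": {"login": "sub", "roles": ["subscriber"]},
}


def sample_authenticate(header_value: str):
    """Stand-in authenticator for the sample store; a real one would verify the credentials."""
    return SAMPLE_USERS.get(header_value)


if __name__ == "__main__":
    policy = ApiPolicy(auth_header="X-WP-Token",
                       excluded_routes=frozenset({"/wp/v2/posts"}),
                       restricted_roles=frozenset({"subscriber"}))
    requests = [
        ("/wp-json/wp/v2/posts?per_page=5", {}),
        ("/wp-json/wp/v2/postsX", {}),
        ("/wp-json/wp/v2/users", {"Authorization": "Basic dGVzdHVzZXI6cGFzc3dvcmRAMTIz"}),
        ("/wp-json/wp/v2/users", {"x-wp-token": "Basic dGVzdHVzZXI6cGFzc3dvcmRAMTIz"}),
        ("/wp-json/wp/v2/users", {"X-WP-Token": "Basic c3ViOnN1YnBhc3M="}),
    ]
    for path, headers in requests:
        print(path, headers, "->", decide(path, headers, policy, sample_authenticate))
```

The third sample request shows the custom-header rule in action: with the policy header set to `X-WP-Token`, a valid token in `Authorization` is treated as absent, which is exactly the behaviour the Custom Header description promises.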

    4. Enable Advanced Encryption for the tokens using HMAC

    This feature is available with the Basic Authentication method, where by default the token is Base64 encoded; with the advanced feature enabled, the token is instead protected using HMAC, which is far more secure.

Need Help?

Mail us at oauthsupport@xecurify.com for quick guidance (via email or meeting) on your requirement, and our team will help you select the most suitable solution or plan.
