WordPress REST API Basic Authentication Method
This method of WordPress REST API endpoints authentication involves the WordPress REST APIs access on validation against the API token generated based on the user’s username, password or on the basis of client credentials. Each time a request to access the WordPress REST API endpoint will be made, the authentication will be done against that token, and on the basis of the verification of the API token, the resources for that API request will be allowed to access. The token will be encrypted hence the security is not compromised.
Download And Installation
- Log into your WordPress instance as an admin.
- Go to the WordPress Dashboard -> Plugins and click on Add New.
- Search for a WordPress REST API Authentication plugin and click on Install Now.
- Once installed click on Activate.
Use Case: Protect/secure WordPress REST API Endpoints access using Basic Authentication.
1. By User credentials:
Suppose you have one Android/IOS Blog Application and you have given capabilities to your users to post their personal feeds or blogs using mobile applications. In this case, your mobile application requests should be authenticated. WordPress Basic Authentication REST API with username and password method is appropriate for this situation where your user credentials will be in the Authorization Header. The user session will be created and on the basis of that user WordPress capabilities, he/she will be allowed to access the REST API content or perform the desired operations. WordPress Basic Authentication with username and password is the most common authentication method and this method will be helpful in case you want to perform WordPress operations via REST APIs which involve user permissions or capabilities.
2. By Client credentials:
Suppose you have one Android/IOS Blog Application and you want to access the WordPress content using its REST API endpoints but do not want to involve the WP user credentials as it may have a chance for exposing and allowing the intruder to access the WP site using those credentials. In that case, you should use WordPress Basic Authentication with a client ID and client secret where your WP user credentials are also safe, and at each request, you just need to pass the Client ID and Client Secret provided by the plugin. Hence security is not a concern. The Client ID and Secret are in fact passed in encrypted format in the Basic Authorization header of each API request, these are validated and on successful validation WP API Basic Auth will allow these APIs to access.
Read Use Cases for the following Rest API Authentication Methods:
Setup REST API Basic Authentication Method
REST API Basic Auth using UserName & Password :
- In the plugin, go to the Configure Methods tab in the left section.
- Click on Basic Authentication as the API Authentication method.
- Select Username & Password with Base64 Encoding and click Next in the top right corner.
- In order to test the functionality, Fill in the username and Password fields for an existing user.
- You can edit the REST API endpoint to fetch details from that endpoint. Example: /pages endpoint has been selected here:
- Click on the Test Configuration button, and verify the result shown on the screen.
- Click the Finish button.
- After you save the REST API Basic Auth Configuration with Username and Password, to access the WordPress REST APIs, you need to send a REST API request with your respective Authorization Key. You need to use the request format as shown below.
Request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization: Basic base64encoded <username:password>
Sample Request Format-
Example => username : testuser and password : password@123
Sample curl Request Format-
curl -H "Authorization:Basic base64encoded <username:password>"
-X POST http://<wp_base_url>/wp-json/wp/v2/posts -d "title=sample post&status=publish"
base64_encode(‘testuser:password@123’) will results into ‘eGw2UllOdFN6WmxKOlNMRWcwS1ZYdFVrbm5XbVV2cG9RV FNLZw==’ as output.
Sample request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization : Basic eGw2UllOdFN6WmxKOlNMRWcwS1ZYdFVrbm5XbVV2cG9RVFNLZw==
Code samples in programming languages
var client = new RestClient("http://<wp_base_url>/wp-json/wp/v2/posts ");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AlwaysMultipartFormData = true;
request.AddParameter("title", "Sample Post");
request.AddParameter("status", "publish");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
OkHttpClient client = new OkHttpClient().newBuilder().build();
MediaType mediaType = MediaType.parse("text/plain");
RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)
.addFormDataPart("title","Sample Post")
.addFormDataPart("status", "publish")
.build();
Request request = new Request.Builder()
.url("http://<wp_base_url>/wp-json/wp/v2/posts ")
.method("POST", body)
.build();
Response responseclient.newCall(request).execute();
var form = new FormData();
form.append("title","Sample Post");
form.append("status", "publish");
var settings = {
"url": "http://<wp_base_url>/wp-json/wp/v2/posts ",
"method": "POST",
"timeout": 0,
"processData": false,
"mimeType": "multipart/form-data",
"contentType": false,
"data": form
};
$.ajax(settings).done(function (response) {
console.log(response);
});
<?php
$curl = curl_init();
curl_setopt_array($curl, array
(
CURLOPT_URL => 'http://%3Cwp_base_url%3E/wp-json/wp/v2/posts%20',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => '',
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 0,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => 'POST',
CURLOPT_POSTFIELDS => array('title' => 'Sample Post','status' => 'publish'),
));
$response = curl_exec($curl);
curl_close($curl);
echo $response;
import http.client
import mimetypes
from codecs import encode
conn = http.client.HTTPSConnection("<wp_base_url>")
dataList= []
boundary = 'wL36Yn8afVp8Ag7AmP8qZ0SA4n1v9T'
dataList.append(encode('--' + boundary))
dataList.append(encode('Content-Disposition: form-data; name=title;'))
dataList.append(encode('Content-Type: {}'.format('text/plain')))
dataList.append(encode(''))
dataList.append(encode("Sample Post"))
dataList.append(encode('--' + boundary))
dataList.append(encode('Content-Disposition: form-data; name=status;'))
dataList.append('Content-Type: {}'.format('text/plain')))
dataList.append(encode(''))
dataList.append(encode("publish"))
dataList.append(encode('--'+boundary+'--'))
dataList.append(encode(''))
body = b'\r\n'.join(dataList)
payload= body
headers = {
'Content-type': 'multipart/form-data; boundary={}'.format(boundary)
}
conn.request("POST", "/wp-json/wp/v2/posts ", payload, headers)
res= conn.getresponse()
data = res.read()
print (data.decode("utf-8"))
Postman Samples:
- Click on the Postman Samples tab in the plugin.
- Now, hover over the Basic Authentication Postman Samples card.
- Import the downloaded JSON file into the Postman Application as shown below.
- Once you import the json file, click on the REST API request under the Collections as shown in the last figure. Replace the <wp_base_url> with your Wordpress domain in the http://<wp_base_url>/wp-json/wp/v2/posts and replace the base64encoded <username:password> in the header with the base encoded value.
- Import the downloaded JSON file into the Postman Application as shown below.
- Once you import the json file, click on the REST API request under the Collections as shown in the last figure. Now replace the <wp_base_url> with your Wordpress domain in the http://<wp_base_url>/wp-json/wp/v2/posts and replace the base64encoded <clientid:clientsecret> in the header with the base encoded value.
Follow the steps below to make REST API request using Postman:
a) For Username-Password
Example:
For Username: testuser and password: password@123 the base64 encoded value will be ‘dGVzdHVzZXI6cGFzc3dvcmRAMTIz’
b) For Client ID and Client Secret
Feature Description
- First, go to the plugin ‘Advanced Settings’ tab.
- Then, in the Role based Restriction section, all the roles by default will be allowed to access the APIs. You can enable the checkbox of the roles for which you want to restrict access.
- In the above screenshot, the subscriber role checkbox is enabled. So whenever an API request is made by the user with his role as subscriber then that user won’t be allowed to access the requested resource.
- First, go to the plugin ‘Advanced Settings’ tab.
- Then in the ‘Custom Header’ section, you can edit the textbox to enter the custom name you want.
- First, go to the plugin ‘Advanced Settings’ tab.
- Then in the ‘Exclude REST APIs’, you can enter your APIs in the prescribed format which needs to be whitelisted for public access.
- Example: Suppose if you want to exclude the REST API ‘<your domain>/wp-json/wp/v2/posts’ then you have to enter ‘/wp/v2/posts’ in the textbox.
1. Role Based REST API restriction:
This feature allows restricting the REST API access based on the user roles. You can whitelist the roles for which you want to allow access to the requested resource for the REST APIs. So whenever a REST API request is made by a user, his role will be fetched and only allowed to access the resource if his role is whitelisted.
How to configure it?
Note: The Role based restriction feature is valid for Basic authentication(Username: password), JWT method, and OAuth 2.0 (Password grant).
2. Custom Header:
This feature provides an option to choose a custom header rather than the default ‘Authorization’ header.
It will increase the security as you have the header named with your ‘custom name’, so if someone makes the REST API request with a header as ‘Authorization’ then he won’t be able to access the APIs.
How to configure it?
3. Exclude REST APIs:
This feature allows you to whitelist your REST APIs so these can be accessed directly without any authentication. Hence all these whitelisted REST APIs are publicly available.
How to configure it?
4. Enable Advanced Encryption for the tokens using HMAC
This feature is available with the Basic Authentication method in which by default the token is encrypted using Base64 encoding technique but with the advanced feature, the token can be encrypted with highly secure HMAC encryption which is
very secure.
Need Help?
Mail us on oauthsupport@xecurify.com for quick guidance(via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.
Need Help? We are right here!
