WordPress REST API | What is it and How to Secure WP REST APIs

What is REST API?

A REST API (also called a RESTful API) is an Application Programming Interface built under the constraints of the REST architectural style: clients and servers exchange representations of resources over HTTP. That exchange must be protected by an authentication method so that only authorized callers can reach it. This article introduces the REST API and its terminology, explains the risks of leaving WordPress REST API endpoints open, and describes the methods available to secure them, including the features of the miniOrange WordPress REST API Authentication plugin.

What is REST?

REST, or Representational State Transfer, is an architectural style for networked applications. In WordPress, the REST API exposes a set of JSON endpoints (URLs) that represent your posts, pages, users and other content. A GET request to such an endpoint returns the content as JSON, readable from outside the WordPress installation, and with the right permissions the same endpoints support full CRUD (Create, Read, Update and Delete) on your site. Protecting these endpoints is covered later in the article.

What is API?

An API, or Application Programming Interface, lets two applications communicate. A client sends a request to the server; the server answers with a response carrying the requested resource or an error. The API is defined on the server and the client talks to it, which gives programs on the web a clearly defined, limited way to exchange data. Most web APIs, including the WordPress REST API, exchange data as JSON (JavaScript Object Notation), a language-independent data format rather than a programming language. The four HTTP methods most APIs use are:
1. GET (Retrieve) : This function allows you to fetch data from the server via the api call.
2. POST (Create) : This function lets you write new information on the server.
3. PUT (Update) : This function lets you update the already available content on the server.
4. DELETE (Remove) : This function allows you to delete data from the server.

Everyday Examples of API:

      1. Weather Forecast : Weather APIs allow you to fetch forecasts from large weather databases; you send a request for a location and the API delivers the forecast as the response.

      2. Google Maps : The Google Maps API provides data such as geolocations, latitudes and longitudes from the Google Maps database.

      3. Login using XYZ : You have probably seen the "Login with Google" or "Login with Facebook" option on websites. Instead of collecting the user's password itself, the application makes an API call to Google, Facebook, etc. (typically via OAuth 2.0 or OpenID Connect) asking that provider to authenticate the user, and lets the user in on the provider's say-so.

What is WordPress REST API?

The WordPress REST API (Representational State Transfer Application Programming Interface) provides an interface for applications (Android, iOS, React, Angular and so on) to interact with your WordPress website by sending and receiving data as JSON (JavaScript Object Notation) objects. A web page can, for example, use JavaScript to request content from these endpoints and render it, with no server-side template involved.

Example: The REST endpoints below return the site's published posts and pages as JSON (paginated, 10 items per page by default).
  • GET /posts - https://www.example.com/wp-json/wp/v2/posts
  • GET /pages - https://www.example.com/wp-json/wp/v2/pages

WordPress REST API key terms

Before we dive more into the WordPress REST API and what it means to developers, let’s take a brief moment to get familiar with basic terminologies related to WP REST API:

      1. Route : A URL that can be mapped to one or more HTTP methods. Example: /wp-json/

      2. Endpoint : It is a connection between an individual HTTP method and route.

      3. Request : An instance of WP_REST_Request, used to read the parameters, headers and body of the current request.

      4. Response : It provides the data requested or it displays an error to show what went wrong during the execution/call.

      5. Schema : It lets you understand what all input parameters and properties can be sent and received through the REST API.

      6. Controller classes : It is where you handle/manage REST API requests.

How is WordPress REST API Useful?

  • The WordPress REST API makes CRUD (Create, Read, Update and Delete) operations available from anywhere, not just from the WordPress admin dashboard. It is a lightweight way for client and server to exchange data.
  • It can be used to build native iOS/Android apps and other clients in any language that can make HTTP requests and parse JSON (Node.js, Express.js, Ruby, Python, etc.).
  • It lets a WooCommerce store have a mobile application that keeps users, inventory and all other data synchronized with the WordPress site, giving customers a faster checkout on mobile.
  • It lets you extend a WooCommerce site beyond the functionality WooCommerce ships with, by connecting the store to external APIs, provided the connections are authenticated.

The WordPress REST API opens the door to a lot of opportunities, but the endpoints have to be protected. The miniOrange plugin described below adds that protection to WordPress sites and the plugins running on them (WooCommerce, LearnDash, Zoho integrations, etc.).

How do WordPress REST APIs Work?

A large amount of data is available through the WordPress REST API to anyone who asks for it: published posts, pages, comments, media and the public profile of every author. Cookie authentication is the built-in method WordPress uses to identify a logged-in user to the API. Logging in to the dashboard sets the session cookies, so plugin and theme code running in the dashboard only needs a logged-in user. Because the browser attaches those cookies to every request, including requests triggered from another site, the REST API additionally requires a nonce for cookie-authenticated calls: the page script sends it in the X-WP-Nonce header (or a _wpnonce parameter), a request that carries the cookie but no nonce is treated as unauthenticated, and a request with an invalid nonce is rejected. A third-party page cannot read the nonce, so it cannot force your browser to perform actions you did not intend (CSRF). The API itself is plain HTTP(S) endpoints exchanging JSON (JavaScript Object Notation); the endpoints represent posts, pages and other WordPress data types, or custom endpoints registered by plugins. Clients never touch the database directly: every request passes through the route's handler and permission callback, so the database is only as safe as those checks and the authentication placed in front of them.
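To make the nonce mechanism concrete, here is an added example (not code from WordPress or from the miniOrange plugin) that models it in Python: a nonce bound to an action, a user and a login session, valid for the current and the previous 12-hour tick, and a request check that treats cookie-without-nonce as anonymous and cookie-with-bad-nonce as forbidden. The secret, the session table and the header handling are constructed for the example; WordPress derives its key from the salts in wp-config.php and has its own hashing details.

```python
import hashlib
import hmac
import math
import time

# Constructed secret for this example. WordPress derives its nonce key from the
# salts in wp-config.php; the structure of the scheme is what matters here.
NONCE_KEY = b"constructed-nonce-secret-do-not-reuse"
NONCE_LIFE = 24 * 60 * 60   # nonces live one day, split into two 12-hour ticks
REST_ACTION = "wp_rest"     # the action WordPress uses for REST API nonces

# Constructed session table: login cookie -> (user id, session token)
SESSIONS = {
    "wordpress_logged_in=alice-cookie": (7, "alice-session-token"),
}


def nonce_tick(now):
    """Which 12-hour window 'now' falls in; the current and previous tick are accepted."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick, action, user_id, session_token):
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    # Short keyed-hash tag; WordPress likewise keeps 10 hex characters of a keyed hash.
    return hmac.new(NONCE_KEY, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action, user_id, session_token, now=None):
    """Mint a nonce bound to an action, a user and that user's login session."""
    now = time.time() if now is None else now
    return _nonce_for_tick(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now=None):
    """Accept the current tick and the one before it; compare in constant time."""
    now = time.time() if now is None else now
    tick = nonce_tick(now)
    candidate = str(nonce).encode()
    return any(
        hmac.compare_digest(_nonce_for_tick(t, action, user_id, session_token).encode(), candidate)
        for t in (tick, tick - 1)
    )


def authenticate_rest_request(cookie, headers, now=None):
    """
    Model of the REST cookie check. Returns ("anonymous", None), ("user", id) or ("error", 403).
    The browser attaches the cookie on its own; the nonce has to be added by page script,
    which a cross-site page cannot read, so a forged request never carries a valid one.
    """
    session = SESSIONS.get(cookie)
    if session is None:
        return ("anonymous", None)   # no login cookie: public access only
    user_id, token = session
    nonce = headers.get("X-WP-Nonce")
    if nonce is None:
        return ("anonymous", None)   # cookie but no nonce: treated as logged out, not as the user
    if not verify_nonce(nonce, REST_ACTION, user_id, token, now):
        return ("error", 403)        # cookie plus a bad or stale nonce: rejected outright
    return ("user", user_id)
```

The two-tick window is what lets a page that has been open for a few hours keep working without the nonce being valid forever; the binding to the session token means a nonce stops working the moment the user logs out.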

WordPress REST API endpoints are open by default, and an open endpoint is an easy target. Beyond content scraping and phishing lures built from your data, the bigger problem is the user data WordPress hands to anyone who asks for it:

  • Example: https://example.com/wp-json/wp/v2/users/

By default this endpoint lists every user who has published content, with their id, display name and slug. The slug is derived from the login name in most installations, so the response is a ready-made list of valid usernames, which is the first half of a credential attack.

With endpoints left open on a WordPress site (WooCommerce or otherwise), scrapers and content thieves can copy the whole site with a handful of requests, and any personal data a plugin exposes through unauthenticated routes (names, addresses) becomes a privacy breach.

Once an attacker has the usernames, only the password remains to be brute forced, whether against the login form or against the REST API itself. You could disable the REST API completely, but that gives up the integrations (central inventory, mobile apps, e-learning platforms) that make it valuable. Rather than banning the REST API, authenticate its endpoints and keep using it for what it is meant for.

How WordPress REST API benefits

The WordPress REST API gives developers a way to handle data that would otherwise be tedious to move around. Because the data is exchanged as JSON, WordPress can talk to other websites and software regardless of the language they are written in. What remains is to protect the endpoints with an authentication method such as those provided by the WordPress REST API Authentication plugin; that secures the site while keeping the extra functionality available for growth.

Use Case for WordPress REST API

There are many use cases for the WordPress REST API; two of the main ones are:

Data sync via REST API
  • Suppose you want to build an Android and iOS blogging application in which users read posts and publish their own from the app. The app must create, retrieve, update and delete posts, which the WordPress REST API supports directly, provided every write is authenticated.

WooCommerce data sync
  • Suppose you have an e-commerce site built on WordPress and WooCommerce and want native applications built with React. Maintaining a second database of products, customers and orders for the app would be inefficient and would drift from the WordPress data. Instead, the app can call the WooCommerce REST APIs through an authentication layer, with users signing in with their WordPress credentials or through social login; once a user has signed in through the social login platform, the app obtains a token and uses it to access the WooCommerce REST APIs.

miniOrange WordPress REST API Authentication plugin to protect your REST endpoints

The WP REST API Authentication plugin for WordPress makes it straightforward to expose the WordPress REST APIs with industry-standard authentication and protection of data, according to your use case.

It supports several authentication methods: API Key, Basic, JWT, OAuth 2.0 and third-party OAuth 2.0/OpenID Connect provider authentication. Every method applies to all four HTTP methods (GET, POST, PUT and DELETE), so a protected route is protected for reads and writes alike.

Installing WordPress REST API Authentication Plugin

There are two ways to install and set up the WordPress REST API Authentication plugin:

      1. Download the plugin's zip package from the miniOrange website or from the WordPress.org plugin directory, extract it into the `/wp-content/plugins/` directory on your server, and activate the plugin from the Plugins page of your WordPress site.

      2. Install it from the "Add New" option on the Plugins page of your site.

      Either route installs the plugin that protects the REST endpoints of your WordPress site and the plugins on it (WooCommerce, LearnDash, etc.). For a step-by-step setup guide, refer to the plugin documentation.

Standard and custom/third-party plugin REST API endpoints:

WordPress provides standard REST endpoints for reading data from and writing data to the site. Some of these are:

      1. Posts

      2. Pages

      3. Media

      4. Post Meta

      5. Comments

      6. Users

      7. Terms

But what if the default endpoints do not cover your needs, for example when you want to read your own custom data from the database through an authenticated REST API?

In that case you need to create custom WordPress REST APIs to handle the functionality, or use our other plugin, Custom API for WP, to build them. It can connect to the APIs of LearnDash, Gravity Forms, WooCommerce, Google Merchant and others. You enter the API name and the HTTP method, select the database table to read from, then choose the columns and the filter condition, without writing code. Treat such routes like any other endpoint: give them a permission check, and make sure filter values taken from the request are bound as query parameters rather than concatenated into the SQL.

Customisation for any kind of API integration/authentication in WordPress:

If you need customisations in the WordPress REST API Authentication or Custom API plugin, miniOrange provides them according to the customer's use case, together with support for the REST API plugins.

WordPress REST API Authentication methods in the plugin

These are the authentication methods provided in the WordPress REST API Authentication plugin. The plugin documentation has Postman samples for each of them.

  • Basic Authentication : The simplest method of protecting WordPress endpoints. The credentials travel in the Authorization header on every request, and users can be authenticated in two ways:

    1. Username:Password :- The WordPress username and password are sent with each request and checked against the WordPress user table.
    2. Client-ID:Client-Secret :- Client credentials generated by the plugin are sent in the Authorization header, either base64-encoded or in an HMAC-based form. Base64 is an encoding, not encryption, so this method is only safe over HTTPS.

  • API Key Authentication : Secures WordPress endpoints without revealing user credentials: the plugin generates an API key that grants access to a resource, and the administrator can regenerate or expire the key at any time.
  • JWT Authentication : The plugin issues a JWT (JSON Web Token) and then acts as the API authenticator that validates it on each request. The plugin exposes a REST endpoint that returns a token in exchange for valid WordPress user credentials.
  • OAuth 2.0 Authentication : When you have no third-party identity provider, the plugin acts as both the OAuth 2.0 server (provider) and the API authenticator that validates the access tokens it issued. Two grants are supported:

    1. Password Grant :- Used when user-specific data is needed; the client exchanges the user's credentials for a token. The OAuth 2.0 Security Best Current Practice advises against this grant because it hands the user's password to the client, so reserve it for trusted first-party clients.
    2. Client Credentials Grant :- Used to authenticate API calls that are not made on behalf of any specific user.

  • Third Party Provider Authentication : Used when you already have an external OAuth 2.0/OpenID Connect identity provider that issues an access token, ID token or JWT. The plugin validates the token against that provider and allows the API request only if validation succeeds.
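The following added example (not the plugin's code) shows the server-side checks behind the Basic and API Key methods listed above and in the "which method to use where" section below: parsing the Authorization header, verifying a password against a salted hash in constant time, and an API key store that keeps only a hash of each key, expires keys and allows revocation. The user table, salt and key lifetimes are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt):
    """Store only a salted PBKDF2 hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user table for this example: username -> (salt, password hash)
_ALICE_SALT = b"constructed-salt-1234"
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse battery staple", _ALICE_SALT))}


def make_basic_header(username, secret):
    """Build the Authorization header the way a client does: base64 of 'user:secret'."""
    return "Basic " + base64.b64encode(f"{username}:{secret}".encode()).decode()


def parse_basic_header(value):
    """Return (username, secret) from a Basic header, or None if it is malformed.
    This is plain base64: anyone who can read the header can read the password,
    which is why Basic authentication must only be used over HTTPS."""
    scheme, _, payload = (value or "").partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, secret = decoded.partition(":")   # the secret itself may contain ':'
    return (username, secret) if sep else None


def authenticate_basic(header):
    """Return the username if the header carries valid credentials, else None."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return None
    username, password = parsed
    record = USERS.get(username)
    # Hash even for unknown users so response timing does not reveal which usernames exist.
    salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    return username if (record and ok) else None


class ApiKeyStore:
    """API keys are bearer credentials: store only their hash, give them an expiry, allow revocation."""

    def __init__(self):
        self._keys = {}   # sha256(key) -> {"user": ..., "expires": ..., "revoked": bool}

    @staticmethod
    def _fingerprint(raw_key):
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def issue(self, username, now, ttl_seconds):
        """Generate a random key; the raw value is returned once and never stored."""
        raw_key = secrets.token_urlsafe(32)
        self._keys[self._fingerprint(raw_key)] = {
            "user": username, "expires": now + ttl_seconds, "revoked": False,
        }
        return raw_key

    def revoke(self, raw_key):
        rec = self._keys.get(self._fingerprint(raw_key))
        if rec:
            rec["revoked"] = True

    def authenticate(self, raw_key, now):
        """Return the username the key grants access as, or None."""
        rec = self._keys.get(self._fingerprint(raw_key or ""))
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return None
        return rec["user"]
```

Because only a hash of each API key is stored, a copy of the key table does not let an attacker call the API; and because the key is looked up by hash, the check costs one hash per request with no per-user timing difference.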

Which security method to use where?

  • Basic Authentication: Use it to protect WP REST APIs (posts, pages and other routes) with the user's WordPress login credentials or with the client-id:client-secret pair the plugin issues. Use it only over HTTPS (TLS): the credentials are merely base64-encoded in the header and are readable by anyone who can see the traffic.
  • API Key Authentication: Use it when you want to keep unauthenticated users out without handing out login credentials or a client id and secret. The plugin generates a random key that authenticates any REST API on the site, and can generate user-specific keys for APIs that depend on user permissions. A key is a bearer credential: whoever holds it gets the access it grants, so send it only over HTTPS and regenerate or expire it if it may have leaked.
  • JWT Authentication: Use it when you want token-based access and have no third-party identity provider that issues JWTs. The plugin itself issues the JWT and then acts as the API authenticator that validates it.
  • OAuth 2.0 Authentication (recommended): Use it when you want access tokens or ID tokens (JWTs) and have no third-party identity provider. The plugin works as both the OAuth 2.0 server and the API authenticator. OAuth 2.0 access tokens are short-lived and can be scoped, which is why this method is preferred over sending long-lived credentials with every request.
  • Third Party Provider Authentication: Use it when access to the WP REST APIs should be controlled by an external OAuth 2.0/OpenID Connect provider such as Azure AD, Amazon Cognito, Keycloak, Okta, ADFS, Google, Facebook or Firebase. Configure the plugin with the provider's introspection endpoint or userinfo endpoint, and the plugin validates the token your application obtained from the provider on every API request.
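The following added example (not the plugin's code, nor that of any identity provider) shows what validating a JWT bearer token involves for the JWT, OAuth 2.0 and third-party provider methods described above: the algorithm is pinned rather than read from the token, the HMAC signature is checked in constant time, and the exp, nbf, iss and sub claims are enforced. The secret, issuer and claims are constructed for the example; a token signed by an external provider would be checked with that provider's public key or introspection endpoint instead of a shared secret, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example (an HS256 signing key).
SECRET = b"constructed-hs256-secret-do-not-reuse"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, secret=SECRET):
    """Issue an HS256 token, as a token endpoint would after checking the user's credentials."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(x, separators=(",", ":"), sort_keys=True).encode())
             for x in (header, claims)]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])


def verify_jwt(token, secret=SECRET, now=None, expected_iss=None):
    """Return (claims, None) for a valid token or (None, reason) otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = (token or "").split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return (None, "malformed")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return (None, "malformed")
    # Pin the algorithm: never let the token choose it ('none', or an RSA key reused as an HMAC key).
    if header.get("alg") != "HS256":
        return (None, "unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return (None, "bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return (None, "expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf):
        return (None, "not yet valid")
    if expected_iss is not None and claims.get("iss") != expected_iss:
        return (None, "wrong issuer")
    if not claims.get("sub"):
        return (None, "missing sub")
    return (claims, None)


def authorize_request(headers, now=None, expected_iss=None):
    """Take the bearer token from the Authorization header; return the subject it authenticates, or None."""
    scheme, _, token = (headers.get("Authorization") or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    claims, _ = verify_jwt(token, now=now, expected_iss=expected_iss)
    return claims["sub"] if claims else None
```

The order of the checks matters: the signature is verified before any claim is trusted, so an attacker cannot use a forged payload to influence which key or issuer the verifier consults.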

Recommended Plugins

WordPress REST API Authentication: protects your WordPress REST APIs against unauthorized access with a choice of Basic, API Key, OAuth 2.0 and JWT authentication. Tested with WordPress 5.9.2.

Custom API for WP: lets you create custom endpoints/REST routes to fetch, create, modify or delete data through a graphical interface or with custom SQL queries, and integrate external third-party APIs into your WordPress site. Tested with WordPress 5.9.2.