2

I'm thinking of making a frontend application based on Wordpress and the Wordpress REST API and I'm not a security expert. I noticed that by default I can fetch the content without having an auth key for the application, so basically everyone can get the content without being authorized (and I am giving for granted that at least I cannot post anything if I am not logged in). Is that normal?

Does anyone know how I can restrict this behaviour by creating a key?

Thank you very much

Improve this question
1

2 Answers 2

Reset to default
2

To do what you're attempting you'll need a healthy understanding of JSON Web Tokens and two plugins.

The first plugin is My Private Site. This plugin will prevent users from viewing any content on the website front end. Turning Wordpress into a content editor with only a REST API available to access content.

The second plugin you'll want is Advanced Access Manager. This will allow you to require JWT authentication anytime a user requests data from the RestApi. Here's an article from AAM on how to set up JWT in Wordpress.

I hope this helps :D

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

-1

Just enable CORS in the header.php Enable CORS on JSON API Wordpress

The following can be a useful consideration even though:

By keeping to what it is stated here https://www.wpwhitesecurity.com/wordpress-security/wordpress-rest-api-and-the-security-worries/:

the information that is available via the WordPress REST API is already available to the public via other > means, such as the website itself and RSS. The only difference between the front-end of the website, RSS and the REST API is the way the data is presented.

One one the questions at the bottom of this article is about DoS attacks and the answer is the following:

As explained in the post the data available through REST API is already publicly available, so as much as an attacker can create a DoS-type attack on the REST API he can do the same on the website. Actually, requesting something from the REST API is more efficient than when requesting it from the interface since the request and response contain much less data (the interface itself) so in a way, it is more efficient.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.