How to Access and Secure WordPress REST APIs


What is the WordPress REST API?

The WordPress REST API gives external applications (Android and iOS apps, React or Angular front ends, and so on) a way to interact with your WordPress site by sending and receiving data as JSON (JavaScript Object Notation) objects.

REST (REpresentational State Transfer) is an architectural style that standardises how systems on the web exchange data over HTTP, which makes it easier for those systems to communicate with each other.

Example: the REST endpoints below return the site's published posts and pages:

GET /posts - https://<domain.com>/wp-json/wp/v2/posts

GET /pages - https://<domain.com>/wp-json/wp/v2/pages

Why do you need to protect/secure your REST APIs?

Open access APIs/Public APIs - The WordPress REST API is enabled by default, and most of its read endpoints answer without any authentication. The users endpoint is the clearest example: an anonymous request returns the id, display name and slug of every user who has published content, which normally includes the administrator. The slug is usually the login name, so this hands an attacker the username half of a password-guessing attack.

Example: open the endpoint below in a browser and you will see the user list without logging in:

https://<domain.com>/wp-json/wp/v2/users


How to protect/secure your WordPress REST APIs?

You can secure the WordPress REST API with the WordPress REST API Authentication plugin. Its Protected REST APIs feature lets you choose which endpoints require authentication, so that unauthenticated (public) access to them can be switched off.
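As an added example that is not part of the original article and not code from the plugin it recommends, the must-use plugin below enforces the same policy in plain WordPress code: anonymous requests may only read an allowlist of routes (here posts and pages), and everything else, /wp/v2/users included, requires an authenticated WordPress user. The allowlist, the reqauth_ function names and the error code are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Require authentication for the REST API (example)
 *
 * Added example, not the miniOrange plugin the article describes. Anonymous
 * requests may only read the allowlisted routes below; everything else,
 * including /wp/v2/users, needs an authenticated WordPress user. Save it as
 * wp-content/mu-plugins/reqauth-rest.php so it loads before ordinary plugins.
 */

// Routes that stay readable without a login. Assumed policy; edit for your site.
const REQAUTH_PUBLIC_ROUTES = array(
    '#^/wp/v2/posts(/\d+)?$#',
    '#^/wp/v2/pages(/\d+)?$#',
);

/** The REST route of the current request, e.g. "/wp/v2/users". */
function reqauth_current_route() {
    global $wp;
    $route = isset( $wp->query_vars['rest_route'] ) ? $wp->query_vars['rest_route'] : '';
    return untrailingslashit( '/' . ltrim( $route, '/' ) );
}

/**
 * The method WordPress will actually dispatch. The REST server honours
 * ?_method= and the X-HTTP-Method-Override header, so a plain GET can be
 * dispatched as DELETE; check the effective method, not only REQUEST_METHOD.
 */
function reqauth_effective_method() {
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';
    if ( isset( $_GET['_method'] ) ) {
        $method = $_GET['_method'];
    } elseif ( isset( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ) ) {
        $method = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'];
    }
    return strtoupper( $method );
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier handler already rejected the request (bad nonce, bad key...).
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // Cookie+nonce, an Application Password or an auth plugin set a user: allow.
    if ( is_user_logged_in() ) {
        return $result;
    }

    $method = reqauth_effective_method();

    // CORS preflight never carries credentials; let the server answer it.
    if ( 'OPTIONS' === $method ) {
        return $result;
    }

    // Anonymous safe reads of allowlisted routes stay open.
    if ( in_array( $method, array( 'GET', 'HEAD' ), true ) ) {
        $route = reqauth_current_route();
        foreach ( REQAUTH_PUBLIC_ROUTES as $pattern ) {
            if ( preg_match( $pattern, $route ) ) {
                return $result;
            }
        }
    }

    // Everything else (including /wp/v2/users) needs a WordPress user.
    return new WP_Error(
        'rest_not_logged_in',
        'Authentication is required for this endpoint.',
        array( 'status' => rest_authorization_required_code() )
    );
}, 101 ); // after core's cookie/nonce check, which runs at priority 100
```

The priority matters: core's own cookie check on the same filter resets the current user to 0 when a logged-in browser sends no nonce, so this filter must run after it. A consequence is that even an administrator who types /wp-json/wp/v2/users into the address bar now gets a 401; clients must send the X-WP-Nonce header, an Application Password, or whatever credential your authentication plugin expects.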


Use cases for WordPress REST APIs

There are many use cases for the WordPress REST API; two of the main ones are listed below.

  1. Suppose you want to develop an Android or iOS blog application in which users read posts and publish posts from the mobile app itself. The app must be able to create, retrieve, update and delete posts, and the WordPress REST API provides exactly those operations (POST, GET, PUT and DELETE on /wp/v2/posts).

  2. Suppose you already run an e-commerce site built with WordPress and the WooCommerce plugin, and you want to build native applications with the React framework.

    You do not want to create a separate database for the native application and copy all the product, customer and order data into it; that approach is inefficient and hard to keep in sync with WordPress.

    Instead, the native application can call the WooCommerce REST API directly, with users logging in with their WordPress credentials or through a social login provider.

    Once a user has logged in through the social login platform in your application, the app can authenticate to the WooCommerce REST API on that user's behalf.

How does the WordPress REST API work?

Cookie authentication is the standard authentication method built into WordPress. Logging in to the dashboard sets the authentication cookies, so plugin and theme code running in the browser of a logged-in user already has a session it can use.

However, the REST API adds a nonce check on top of the cookie to prevent CSRF: without it, a malicious site could make your browser perform actions on your WordPress site without your intent. A request that carries the login cookie but no valid nonce is treated as if it came from a logged-out visitor, so browser code that calls the API must send the nonce, either in an X-WP-Nonce header or as a _wpnonce parameter.
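The following is an added example (not code from the article) of the cookie-plus-nonce flow described above. For logged-in visitors it prints a small script that knows the REST root URL and a fresh 'wp_rest' nonce and defines window.myblogCreateDraft(title), which creates a draft post with fetch(). The script handle myblog-client and the function name are assumptions.

```php
<?php
/**
 * Plugin Name: REST nonce client (example)
 *
 * Added example. For logged-in visitors it prints an inline script that knows
 * the REST root URL and a fresh 'wp_rest' nonce, and defines
 * window.myblogCreateDraft(title) for creating a draft post with fetch().
 * The handle 'myblog-client' and the function name are assumed.
 */

add_action( 'wp_enqueue_scripts', function () {
    // Anonymous visitors have no login cookie, so there is nothing to sign.
    if ( ! is_user_logged_in() ) {
        return;
    }

    // What the browser needs: where the API lives and the nonce that proves
    // the request was issued by our page, not by a third-party site.
    $config = wp_json_encode( array(
        'root'  => esc_url_raw( rest_url( 'wp/v2/' ) ),
        'nonce' => wp_create_nonce( 'wp_rest' ), // 'wp_rest' is the action core verifies
    ) );

    $js = <<<'JS'
window.myblogCreateDraft = async function (title) {
  const res = await fetch(MYBLOG.root + 'posts', {
    method: 'POST',
    credentials: 'same-origin',          // send the WordPress login cookie
    headers: {
      'Content-Type': 'application/json',
      // Omit this header and core treats the call as logged-out: the response
      // becomes 401 rest_cannot_create even though the cookie was sent.
      'X-WP-Nonce': MYBLOG.nonce,
    },
    body: JSON.stringify({ title: title, status: 'draft' }),
  });
  // Core returns a refreshed nonce on every nonce-verified call; keep it.
  const fresh = res.headers.get('X-WP-Nonce');
  if (fresh) MYBLOG.nonce = fresh;
  return { status: res.status, body: await res.json() };
};
JS;

    // A handle with no file of its own, used only to carry the inline script.
    wp_register_script( 'myblog-client', false, array(), false, true );
    wp_add_inline_script( 'myblog-client', 'var MYBLOG = ' . $config . ';' . "\n" . $js );
    wp_enqueue_script( 'myblog-client' );
} );
```

To try it, log in, open any front-end page, and run myblogCreateDraft('Hello from fetch') in the browser console: a user who may create posts gets status 201 and the new post as JSON. Delete the 'X-WP-Nonce' line and repeat, and the same logged-in browser gets 401 rest_cannot_create, which is the CSRF protection doing its job.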

Outside the browser there is no login cookie to rely on, so the suggestion is to install the WP REST API Authentication plugin, which makes it much easier to access the WordPress REST API whatever your use case or requirements.



It supports many authentication methods, including API Key Authentication, Basic Authentication, JWT Authentication, OAuth 2.0 Authentication and Third Party OAuth 2.0 Provider Authentication, and all of them work with the HTTP methods below:

  • GET (Retrieve)
  • POST (Create)
  • PUT (Update)
  • DELETE (Remove)

Once the plugin is installed, enable the API Key Authentication method in the plugin's settings.


After that you can call the WordPress REST API with the API key the plugin generates for you.

How to test WordPress REST APIs?

You can use ready-made tools such as Postman, the Rested Chrome extension or curl to call the WordPress REST API.

For example, the curl command below retrieves the posts from WordPress. Replace the API key and the domain with the ones for your site, and the response will contain all the posts:

curl -H 'Authorization: Bearer <API-Key>' -X GET https://<domain.com>/wp-json/wp/v2/posts

Note that WordPress core has no API-key scheme of its own; the Bearer header above is a convention of the plugin. Without the plugin, core accepts Application Passwords over HTTP Basic authentication (WordPress 5.6 and later), which should only ever be sent over HTTPS.

Access WordPress REST APIs using Postman:

Postman is a software development tool for testing calls to APIs. You can retrieve the WordPress posts with Postman as follows:

  • Select the GET method and enter the endpoint URL for your domain in the URL field. Then open the Headers tab and add an Authorization header with the value Bearer <API-Key>. Once everything is filled in, click the Send button.

Similarly you can make POST, PUT and DELETE requests from Postman. The plugin also ships developer documentation with ready-to-run curl and Postman samples for every authentication method it supports. You can refer to this documentation: API Key Authentication

Create your own WordPress REST APIs:

WordPress ships with REST endpoints for its core objects, among them:

  • Posts
  • Pages
  • Media
  • Post meta
  • Comments
  • Users
  • Terms

What if you want to expose your own data from the database through the REST API?

In that case you need to register custom WordPress REST endpoints to handle the functionality yourself, or you can use the plugin below to build custom WordPress REST APIs.



You simply enter the API name and the HTTP method you want to use. After that, select the database table to read from; you can also pick the columns and add a condition for the rows you want, without writing a single line of code.
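For readers who would rather register the endpoint in code, here is an added example (not the custom-API plugin's output and not code from the article) that exposes rows from a hypothetical custom table through register_rest_route(). The namespace myshop/v1, the table {prefix}inventory with columns id, sku, qty and updated_at, and the manage_options capability check are assumptions; the parts that matter are the permission_callback, the argument validation and the prepared query.

```php
<?php
/**
 * Plugin Name: Inventory REST endpoint (example)
 *
 * Added example. Exposes GET /wp-json/myshop/v1/inventory, reading from the
 * hypothetical table {$wpdb->prefix}inventory (id, sku, qty, updated_at).
 */

add_action( 'rest_api_init', function () {
    register_rest_route( 'myshop/v1', '/inventory', array(
        'methods'             => WP_REST_Server::READABLE, // GET
        'callback'            => 'myshop_get_inventory',
        // WordPress 5.5+ warns when this is missing, and '__return_true' makes
        // the route public. Here only users with manage_options (assumed policy)
        // may read the data.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'sku'      => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                // Reject anything outside the SKU alphabet before the callback runs.
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $value );
                },
            ),
            'per_page' => array(
                'type'              => 'integer',
                'default'           => 20,
                'minimum'           => 1,
                'maximum'           => 100,
                // Core helpers enforce the type/minimum/maximum declared above.
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'rest_sanitize_request_arg',
            ),
        ),
    ) );
} );

/**
 * Handler: runs only after permission_callback returned true and the
 * arguments passed validation and sanitisation.
 */
function myshop_get_inventory( WP_REST_Request $request ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'inventory'; // fixed in code, never from the request
    $per_page = (int) $request->get_param( 'per_page' );
    $sku      = $request->get_param( 'sku' );

    // Table and columns are fixed; only values go through prepare(), so the
    // request can never change the structure of the query (no SQL injection).
    if ( null !== $sku && '' !== $sku ) {
        $sql = $wpdb->prepare(
            "SELECT id, sku, qty, updated_at FROM {$table} WHERE sku = %s ORDER BY id LIMIT %d",
            $sku,
            $per_page
        );
    } else {
        $sql = $wpdb->prepare(
            "SELECT id, sku, qty, updated_at FROM {$table} ORDER BY id LIMIT %d",
            $per_page
        );
    }

    $rows = $wpdb->get_results( $sql, ARRAY_A );

    if ( $wpdb->last_error ) {
        // Log the detail server-side; never return the SQL error to the client.
        error_log( 'myshop inventory query failed: ' . $wpdb->last_error );
        return new WP_Error( 'myshop_db_error', 'Could not read inventory.', array( 'status' => 500 ) );
    }

    return rest_ensure_response( array(
        'count' => count( $rows ),
        'items' => $rows,
    ) );
}
```

With the plugin from the article, or an Application Password, the endpoint is called like any core route, for example curl -u admin:<app-password> 'https://<domain.com>/wp-json/myshop/v1/inventory?sku=ABC-1&per_page=5'. An anonymous call gets 401 rest_forbidden from the permission_callback, a SKU such as ABC'--1 is rejected with 400 rest_invalid_param before the handler runs, and per_page=1000 is likewise rejected by the maximum declared in the schema.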

