WordPress REST API mistakes that leave your site insecure

The REST API holds great promise for modernizing WordPress and improving its performance. I'm a huge fan, but if you don't understand how the API works you will make mistakes, and your site may end up with serious security holes. That is especially true if you are not a developer. In this post I want to share some common mistakes, so that people who are not yet familiar with the WordPress REST API can keep their sites safe.

Elementary, my dear Watson: what is the WordPress REST API?

The WordPress REST API acts as a bridge that connects all kinds of applications to WordPress.
Sounds complex? With the Gutenberg editor, WordPress has finally started to see on a large scale what becomes possible when the REST API is used together with newer technologies. The API's JSON structure is easy for both computers and people to understand, so it is easy to work with programmatically, and its RESTful architectural style means that all sorts of applications can connect to it. You can use the API to retrieve data from the site and display it elsewhere in a different format, or you can use it to control the site remotely by sending commands to create, read, update and delete, which together form the acronym CRUD. Those operations apply to the following:
Posts, categories, tags, pages, comments, taxonomies, media, users, post types, post statuses and settings.

Gutenberg itself uses the WordPress REST API to create and update posts. Once you see how powerful it is, you understand why the WordPress REST API is so valuable to hackers: whoever can access the API can control almost the entire site remotely. The traps beginners fall into, which inadvertently open the door to abuse, are: exposing sensitive information, because they don't realize the REST API displays all of the site's data by default; using Basic authentication on a live site; and sending requests without an encrypted connection, which unknowingly exposes the login credentials used for authentication. We usually talk about hackers creating backdoors, but in these cases it is more like you leaving the door unlocked for them.
Let's look at each of them in turn.

Exposing sensitive information

The WordPress REST API is active by default, so even if nobody has used it to build a custom theme or plugin for your site, it is still quietly exposing your posts and pages. Posts, pages, categories, tags, media and other data can all be viewed. To see the JSON data for a WordPress site, enter the site's URL in your browser followed by /wp-json/wp/v2/posts, like this: https://tuts.wpmudev.host/wp-json/wp/v2/posts (substitute your own host for the WPMU DEV one). Can you see all the data? So can anyone else.
There are tools that make this easier to read. If you store sensitive information in WordPress posts, that data is exposed through the API too. The same can happen with content restricted to specific users or hidden behind a paywall, so it is important to check what is being displayed; otherwise you may accidentally expose data in a way that breaches your company's privacy policy, HIPAA or the GDPR. In short, some themes, plugins and even Gutenberg use the WordPress REST API, so I would avoid plugins that disable it completely.
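Rather than eyeballing the JSON in a browser, it is worth scripting the check. The following is an added example (not code from the original post or from WPMU DEV): a small Python audit that reads a /wp-json/wp/v2/posts response and flags posts whose public body contains things that should not be world-readable, and lists the user slugs that a /wp-json/wp/v2/users response hands out. The sample responses are constructed for the example, and the detection patterns are illustrative assumptions to extend with your own policy.

```python
import json
import re
from html import unescape
from typing import Dict, List

# Constructed sample shaped like a /wp-json/wp/v2/posts response; not a real site.
SAMPLE_POSTS_JSON = json.dumps([
    {
        "id": 1,
        "status": "publish",
        "link": "https://example.invalid/hello-world/",
        "title": {"rendered": "Hello world!"},
        "content": {"rendered": "<p>Welcome to WordPress. This is your first post.</p>",
                    "protected": False},
    },
    {
        "id": 2,
        "status": "publish",
        "link": "https://example.invalid/members-only/",
        "title": {"rendered": "Members only: next meetup"},
        "content": {"rendered": "<p>Call Jane on 555-0142 or mail jane.doe@example.invalid. "
                                "Wi-Fi password: tulip-2024</p>",
                    "protected": False},
    },
    {
        "id": 3,
        "status": "publish",
        "link": "https://example.invalid/paid-report/",
        "title": {"rendered": "Paid report (subscribers only)"},
        # Password-protected posts come back with empty content but are still listed.
        "content": {"rendered": "", "protected": True},
    },
])

# Constructed sample shaped like a /wp-json/wp/v2/users response.
SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin"},
])

# Illustrative patterns (assumptions for this example) that suggest a post body
# holds data that should not be public. Extend them for your own policy.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{4}\b"),
    "credential keyword": re.compile(r"\b(password|passwd|api key|secret)\b", re.I),
}
TAG_RE = re.compile(r"<[^>]+>")


def strip_html(rendered: str) -> str:
    """Reduce the 'rendered' HTML the API returns to plain text for scanning."""
    return unescape(TAG_RE.sub(" ", rendered))


def audit_posts(posts_json: str) -> List[Dict]:
    """Return one finding per post whose public body (or listing) looks risky."""
    findings = []
    for post in json.loads(posts_json):
        content = post.get("content", {})
        text = strip_html(content.get("rendered", ""))
        reasons = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if content.get("protected"):
            # The body is withheld, but the title and URL are still enumerable.
            reasons.append("password-protected post listed")
        if reasons:
            findings.append({"id": post["id"], "link": post["link"], "reasons": reasons})
    return findings


def list_exposed_user_slugs(users_json: str) -> List[str]:
    """User slugs are public via the API and commonly match the login name."""
    return [user["slug"] for user in json.loads(users_json)]


if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS_JSON):
        print(f"post {finding['id']} {finding['link']}: {', '.join(finding['reasons'])}")
    print("user slugs visible to anyone:", list_exposed_user_slugs(SAMPLE_USERS_JSON))
```

To run it against a real site, fetch the two endpoints (they are paginated, so walk the pages) and pass the response bodies to `audit_posts` and `list_exposed_user_slugs`; a finding means the content is readable by anyone, not just by logged-in users.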
Basic authentication on a live site

The purpose of authentication is to answer one question: is this person really who they say they are? Usernames and passwords, two-factor authentication and similar mechanisms are ways of confirming it. Not every request to the WordPress REST API needs authentication; retrieving posts, for example, does not. Deleting users, viewing comments and creating new posts do, and without authentication you cannot delete a post. When the WordPress REST API is used from within WordPress itself, the cookie authentication that ships with WordPress covers it. If an external client, such as another WordPress site or a custom application, uses the WordPress REST API, you must set up a different form of authentication.
The options include OAuth, JSON Web Tokens or Basic authentication. Basic authentication is the one to watch, because it is not suitable for every situation: with Basic authentication, the username and password are sent in a header with every request, where anyone who can see the request can read them. If that sounds unwise, you are absolutely right. Live sites should not use Basic authentication; there is a real risk of exposing the administrator's login credentials. Use Basic authentication only in a protected environment, such as a local development site.
Sending requests without encryption

2018 was the year Google started marking all sites without an SSL certificate as not secure. I'll assume you already have one, but if you don't, what are you waiting for?!? Most managed hosts now provide SSL certificates for free, and WPMU DEV hosting also provides free SSL for multisite installs with multiple domains, so there is no reason not to use it. Because the WordPress REST API acts as a bridge, the connection needs to be protected against man-in-the-middle attacks. For that, not only the WordPress site but also the external client (if one is in use) must have an SSL certificate.
Connections must be protected at both ends so that all communication is encrypted. All authentication then travels over HTTPS, so anyone who intercepts it sees only encrypted data. This matters because the authentication process involves sending and receiving login credentials. As these three API blind spots show, the WordPress REST API is considerably safer when it is used as designed.

Is the WP REST API safe?

The WP REST API has been part of WordPress core since version 4.4, and apart from one incident it has had no other security problems. Knock on wood.
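The two client-side mistakes above, Basic authentication on a non-local site and credentials sent without TLS, can be caught before a request leaves a custom client. The following is an added example (not code from the original post or from WPMU DEV) in Python: `decode_basic_credentials` shows that a Basic header is only base64 encoding, so anyone who sees the request recovers the password; `check_request` flags the blind spots for a given URL and header set; and `verified_tls_context` builds the standard-library TLS context an external client should use so that a man-in-the-middle cannot present an unverified certificate. The `LOCAL_HOSTS` allow-list standing in for a "protected environment" and the credentials are constructed assumptions of the example.

```python
import base64
import ssl
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Hosts treated as a "protected environment" where Basic auth over plain HTTP is
# tolerable, e.g. a local development site. This allow-list is an assumption of
# the example; adjust it to your own setup.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value Basic auth sends with every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def decode_basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic header: base64 is encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    return user, password


def check_request(url: str, headers: Dict[str, str]) -> List[str]:
    """Flag Basic auth outside a protected environment and credentials that would
    travel without TLS. Returns an empty list when the request is clean."""
    problems: List[str] = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    local = host in LOCAL_HOSTS
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    creds = decode_basic_credentials(auth) if auth else None

    if parsed.scheme != "https" and not local:
        problems.append("request is not sent over HTTPS")
    if creds and not local:
        user, _ = creds
        problems.append(f"Basic auth used on a non-local site; username '{user}' is readable from the header")
        if parsed.scheme != "https":
            problems.append("Basic auth credentials would travel in clear text")
    return problems


def verified_tls_context() -> ssl.SSLContext:
    """Context an external client should use: certificate chain and hostname are checked."""
    return ssl.create_default_context()


def client_verifies_server() -> bool:
    """True when the context rejects unverified certificates, the defence against a MITM."""
    ctx = verified_tls_context()
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    hdr = {"Authorization": basic_header("admin", "hunter2")}  # constructed credentials
    for target in ("http://example.invalid/wp-json/wp/v2/posts",
                   "https://example.invalid/wp-json/wp/v2/posts",
                   "http://localhost:8080/wp-json/wp/v2/posts"):
        print(target, "->", check_request(target, hdr) or ["ok"])
    print("client verifies server certificates:", client_verifies_server())
```

The ordering of the checks mirrors the post: plain HTTP is a problem for any remote site even without credentials, and Basic authentication adds a second problem on a live site whether or not TLS is used, because the credentials are still sent with every request.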
Now that the API is in core, I think we will see even better things built with the WP REST API. Have you built something with it? I still think it is one of the most under-used components in WordPress. What's more, I hope that everyone who thinks Gutenberg can't meet their needs takes up the challenge of building their own editor. A mobile-friendly front-end editor would be excellent ;)

Let's recap the WP REST API. Even if you are not a developer, you now know what you shouldn't do. Next, I suggest you read the WP REST API handbook carefully. If you run into problems with your site, you can get support year-round; if you are not a member yet, you can start for free.
Do you have any tips for using the WordPress REST API?
