Contents
WordPress gives you REST APIs endpoints by default. Hence, it is obvious & crucial to secure your endpoints from external attacks. Many of the endpoints like /users can contain sensitive information. Giving unuthenticated access to such endpoints can lead disaster. Hence, it highly necessary to secure them. So today, we will see the methods to secure them.
Method 1
Application Password
Application Password were introduced in WP Core since version 5.6. You need not install any plugin for using application password if you are having WordPress version 5.6+. No worries if you are belo 5.6!! We have a plugin for you. You can download the plugin from github here.
Why Application Password?
When you want to access authenticated way to access your WordPress API then you need to provide your login password. This is obviously not at all good in terms of security of your account. In such scenario, application password plays crucial role. It is replica of your account password but only for REST APIs. No one can login to your WP site using application password.
How to use Application Password?
You can use simple steps given below for using application password method.
1. Go to edit page of any user for which you want to create the application password.
2. Then see the screen shown below:
3. Then add any application password name. And then click the button “Add New Application Password”. See the image below:
4. Now your application password is generated. You can use this password anywhere in your REST API requests. Basically, you can replace your actual login password with this application password.
Please note about Application Password:
- The application password is separate for each user.
- Once generated, it can not be retrieved. It can either be created newly or revoked the existing one.
- The name of the application password does not have any role in API request. That is just for user’s convinience.
- The application password does not have any expiry. It is valid until it is revoked.
Method 2
JWT Auth Method
JWT stands for JSON Web Token. This is quiet complicated method to use but it has some advantages over Application Password method. This method is not included in WP core by default. It expects you to install a plugin.
Actually, there are plenty of plugins available for JWT auth in WordPress ecosystem but we recommend JWT AUTH – WordPress JSON Web Token Authentication.
Why JWT Auth?
JWT auth provides more security over Application Password. Though it is generated using username and password, but it is not easy to decrypt. It does not contain any username either. It can be set with certain expiry which comes with additional security layer of refreshing.
Configuring JWT Auth in WordPress?
Considering you have installed the above recomended plugin in your WordPress site. If not, refer to our article on How to Quickly Install WordPress Plugin. Now follow the steps given below:
1. First of all, you will need to enable Enable PHP HTTP Authorization Header on your site. For this, you need to add following to your .htaccess file.
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
If you are on WP-Engine, you can let the support chat know that you want to enable HTTP Authorization. Or you can add following line into your .htaccess file in addition to the above lines.
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
2. Now you have enabled the HTTP Authorization. It’s time to edit your wp-config.php file with following lines:
define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');
This will configure your JWT AUTH Secret key. It is recommended to use random passwords which is uneasy to guess and tackle. You can use WP Salts generator to generate this key for you. You can pick any of the generated keys.
3. Now add following line to your wp-config.php to enable CORS Support for JWT.
define('JWT_AUTH_CORS_ENABLE', true);
How to use Create Auth Token?
Now you are done with the configuration of JWT auth. You have got 3 endpoints introduced in your default WordPress core REST endpoints. See them below:
Endpoint | Purpose |
---|---|
/wp-json/jwt-auth/v1/token | Genrates the JWT token for the given username and password. See details below in how to use it. |
/wp-json/jwt-auth/v1/token/validate | This endpoint validates the given JWT token. This helps in REST API requests before sending request to validate the existing token. |
/wp-json/jwt-auth/v1/token/refresh | third-party applications that are integrating with your authentication server will not store the user’s username and password. Instead they will store the refresh token in a user-specific storage that is only accessible for the user. The refresh token can be used to re-authenticate as the same user and generate a new access token. |
Now, let’s create a JWT Auth Token for your application. Open postman and see the screenshot below:
The success response of the JWT Auth token is shown below:
{
"success": true,
"statusCode": 200,
"code": "jwt_auth_valid_credential",
"message": "Credential is valid",
"data": {
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvcG9pbnRzLmNvdXZlZS5jby5pZCIsImlhdCI6MTU4ODQ5OTE0OSwibmJmIjoxNTg4NDk5MTQ5LCJleHAiOjE1ODkxMDM5NDksImRhdGEiOnsidXNlciI6eyJpZCI6MX19fQ.w3pf5PslhviHohmiGF-JlPZV00XWE9c2MfvBK7Su9Fw",
"id": 1,
"email": "[email protected]",
"nicename": "contact-vyawtech",
"firstName": "VyawTech",
"lastName": "WP Solutions",
"displayName": "vyatech-solutions"
}
}
The token parameter in the above parameter is used as JWT token for your auth in all the API requests. You can use this token as follows:
Hereby we can say we have learnt the 2 most important auth methods in WP REST API.