Secure WP REST API Calls

  • Hi.

    So, I have been looking into WordPress’s REST API, and it’s dawned on me that anyone could grab my recent posts and scrape the site easily.

    Or for any other misdeeds.

    Is there a way to securely handle API requests, so any requests outside of the site itself do not work without a certain key or token?

    Thanks, J.

Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    Well, content normally publicly accessible can be grabbed. Privileged data still requires authentication. I suppose scraping JSON is somewhat easier than HTML, but to a scraping script, the difference is trivial.

    In any case, you can use the ‘rest_pre_serve_request’ to blank out the normal response if certain additional criteria are not met. Your callback is provided with the response, the original request object, and the WP_REST_Server object, so within that data (and PHP superglobals), there should be enough information to decide whether to send out data or not.
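
One way to apply the `rest_pre_serve_request` approach described in the reply above, as an added example that is not code from the thread or from WordPress itself. It assumes a constant `EXAMPLE_REST_API_KEY` defined in `wp-config.php`, a hypothetical `X-Example-Api-Key` request header, and a hypothetical callback name; only `/wp/v2/` routes are gated.

```php
<?php
/**
 * Added example (not from the thread).
 * Assumptions: EXAMPLE_REST_API_KEY is defined in wp-config.php and clients
 * send it in a hypothetical X-Example-Api-Key header.
 */
add_filter( 'rest_pre_serve_request', 'example_require_rest_key', 10, 4 );

function example_require_rest_key( $served, $result, $request, $server ) {
	// Another callback already served the response: leave it alone.
	if ( $served ) {
		return $served;
	}

	// Gate only core content routes; other namespaces keep default behaviour.
	if ( 0 !== strpos( $request->get_route(), '/wp/v2/' ) ) {
		return $served;
	}

	// Logged-in users (e.g. the block editor) stay under normal capability checks.
	if ( is_user_logged_in() ) {
		return $served;
	}

	$expected = defined( 'EXAMPLE_REST_API_KEY' ) ? (string) EXAMPLE_REST_API_KEY : '';
	$supplied = (string) $request->get_header( 'X-Example-Api-Key' );

	// Fail closed when no key is configured; hash_equals() compares in constant time.
	if ( '' !== $expected && hash_equals( $expected, $supplied ) ) {
		return $served;
	}

	// Replace the normal body with an error and report the request as served,
	// so WP_REST_Server does not echo the original response data.
	status_header( 403 );
	echo wp_json_encode(
		array(
			'code'    => 'example_rest_forbidden',
			'message' => 'A valid API key is required.',
		)
	);
	return true;
}
```

A key embedded in front-end JavaScript is readable by every visitor, so this check suits server-to-server consumers; content that is public on the HTML pages remains scrapeable there regardless.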

  • The topic ‘Secure WP REST API Calls’ is closed to new replies.