How To Secure Your WordPress JSON API with App Passwords

Here is how to protect your WordPress JSON API from unauthorized access with app passwords.

Key Takeaways

  • Add an app password check to the WordPress JSON (REST) API so anonymous requests are rejected before they reach an endpoint
  • Keep the app password out of theme and plugin code: define it as a constant in wp-config.php or read it there from an environment variable
  • Send the credentials with HTTP Basic Authentication over HTTPS only, from whatever client script calls the API

Why Secure Your JSON API with App Passwords?

App passwords add an extra layer of security to your WordPress JSON API by restricting access to only authorized applications.

Leaving the JSON API open lets anyone enumerate your content and users (the default /wp-json/wp/v2/users route lists authors), and a leaked or guessed credential lets an attacker post or edit content under that account.

Implementing app password authentication helps mitigate these risks and ensures that only trusted applications can access your API.

Implementing App Password Authentication in WordPress

WordPress 5.6 and later ship a built-in Application Passwords feature: per-user, revocable secrets stored as hashes and accepted on the REST API through HTTP Basic Authentication over HTTPS. If you run a current release, prefer it. The hand-rolled variant below protects the API with a single shared secret and uses the rest_authentication_errors filter.

This filter lets a plugin or theme add its own authentication check before the WordPress REST API dispatches a request. In the following example we leave requests that are already authenticated by cookie and nonce alone (so the block editor in wp-admin keeps working), parse the HTTP Basic Authorization header, compare the password against a constant in constant time, and run the request as the matching user:

function restrict_json_api_access( $errors ) {
    // Another handler already authenticated (true) or rejected (WP_Error) the request.
    if ( true === $errors || is_wp_error( $errors ) ) {
        return $errors;
    }

    // Requests authenticated by login cookie + nonce (e.g. the block editor inside
    // wp-admin) must keep working; only anonymous requests need the app password.
    if ( is_user_logged_in() ) {
        return $errors;
    }

    // Read the Authorization header. Apache with mod_php often strips it from
    // $_SERVER, so fall back to getallheaders() and match the name case-insensitively.
    $header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
    if ( '' === $header && function_exists( 'getallheaders' ) ) {
        foreach ( getallheaders() as $name => $value ) {
            if ( 'authorization' === strtolower( $name ) ) {
                $header = $value;
                break;
            }
        }
    }

    // One generic error for every failure so the response does not reveal
    // whether the user name or the password was wrong. 401 = not authenticated.
    $denied = new WP_Error(
        'rest_forbidden',
        'Access to the JSON API is restricted to valid app passwords.',
        array( 'status' => 401 )
    );

    // Expect "Basic <base64(user:password)>" and reject anything else outright.
    if ( 0 !== stripos( $header, 'Basic ' ) ) {
        return $denied;
    }
    $decoded = base64_decode( trim( substr( $header, 6 ) ), true );
    if ( false === $decoded || false === strpos( $decoded, ':' ) ) {
        return $denied;
    }
    // Split on the first colon only: the password itself may contain colons.
    list( $username, $password ) = explode( ':', $decoded, 2 );

    // Look the user up by login; use 'email' instead if your clients send an address.
    $user = get_user_by( 'login', $username );

    // Compare in constant time against the secret defined in wp-config.php.
    if ( ! $user || ! defined( 'MY_APP_PASSWORD' ) || ! hash_equals( MY_APP_PASSWORD, $password ) ) {
        return $denied;
    }

    // Credentials are valid: run the request as that user so capability checks apply.
    wp_set_current_user( $user->ID );
    return true;
}

add_filter( 'rest_authentication_errors', 'restrict_json_api_access' );
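The client side that the takeaways refer to, as an added example written for this page (it is not code from the original article): a Python script that builds the Basic Authorization header the filter above parses, refuses to send it anywhere but an https:// URL, reads the secret from an environment variable, and turns the WP_Error body of a 401/403 reply into a readable exception. The site https://example.com, the user name api-bot and the environment variable WP_APP_PASSWORD are assumptions.

```python
"""Client for a WordPress JSON API gated by the restrict_json_api_access filter.

Added example for this page, not code from the original article. Assumed names:
the site https://example.com, the WordPress user 'api-bot', and the environment
variable WP_APP_PASSWORD holding the value of MY_APP_PASSWORD from wp-config.php.
"""
import base64
import json
import os
import urllib.error
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urlsplit


def build_basic_auth_header(username: str, password: str) -> str:
    """Return an RFC 7617 Basic Authorization header value.

    The user name must not contain ':' because the server splits on the first
    colon; the password may contain colons, which is why the server splits at
    most once.
    """
    if ":" in username:
        raise ValueError("Basic auth user names cannot contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def is_https_url(url: str) -> bool:
    """True only for an absolute https:// URL with a host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def require_https(url: str) -> str:
    """Refuse to send credentials over plain HTTP: base64 is encoding, not encryption."""
    if not is_https_url(url):
        raise ValueError(f"refusing to send an app password to a non-HTTPS URL: {url!r}")
    return url


def load_app_password(env_var: str = "WP_APP_PASSWORD") -> str:
    """Read the secret from the environment so it never lives in the script."""
    value = os.environ.get(env_var, "")
    if not value:
        raise RuntimeError(f"set {env_var} before running this script")
    return value


def build_request(url: str, username: str, password: str,
                  body: Optional[dict] = None) -> urllib.request.Request:
    """Assemble a GET, or a JSON POST when a body is given, carrying the auth header."""
    headers = {
        "Authorization": build_basic_auth_header(username, password),
        "Accept": "application/json",
    }
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    method = "GET" if body is None else "POST"
    return urllib.request.Request(require_https(url), data=data, headers=headers, method=method)


def parse_wp_error(body: bytes) -> Tuple[str, str]:
    """Extract (code, message) from a WP_Error JSON body such as the filter returns."""
    try:
        payload = json.loads(body.decode("utf-8"))
        return str(payload.get("code", "unknown")), str(payload.get("message", ""))
    except (ValueError, AttributeError):
        # Not JSON (e.g. an HTML error page from the web server): pass the text through.
        return "unknown", body.decode("utf-8", "replace")


def call_api(url: str, username: str, password: str,
             body: Optional[dict] = None, opener=None):
    """Send the request and decode the JSON reply; raise PermissionError on 401/403."""
    opener = opener or urllib.request.build_opener()
    request = build_request(url, username, password, body)
    try:
        with opener.open(request, timeout=10) as response:
            return json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            code, message = parse_wp_error(exc.read())
            raise PermissionError(f"HTTP {exc.code} ({code}): {message}") from exc
        raise


if __name__ == "__main__":
    # Lists the five newest posts; a write would pass body={"title": ..., "status": "draft"}.
    for post in call_api("https://example.com/wp-json/wp/v2/posts?per_page=5",
                         "api-bot", load_app_password()):
        print(post["id"], post["title"]["rendered"])
```

Run it as `WP_APP_PASSWORD='...' python client.py`; the secret comes from the process environment, so it does not end up in the script, in shell history (use a space before the command or a secrets manager) or in version control. Because the filter answers every failure with the same generic WP_Error, the exception text tells you only that authentication failed, not which half of the credential was wrong.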

Storing App Passwords Securely

Keep the app password out of your theme and plugin code, which ends up in version control and backups. A reasonable place is a constant defined in wp-config.php, next to the authentication keys and salts that already live there, or an environment variable that wp-config.php reads with getenv(). Generate the value with a cryptographic random source (for example openssl rand -base64 32) rather than choosing it by hand. Here is how to do that:

  1. Open your wp-config.php file, which is located in the root directory of your WordPress installation.
  2. Add a line defining the constant with your generated app password: define( 'MY_APP_PASSWORD', 'your_generated_app_password' ); (or define( 'MY_APP_PASSWORD', getenv( 'MY_APP_PASSWORD' ) ); if the secret is supplied through the environment).
  3. Save and close the wp-config.php file.
  4. Check that the restrict_json_api_access function in your theme's functions.php file or custom plugin reads MY_APP_PASSWORD and contains no hardcoded password left over from testing.

Conclusion

By adding app password authentication to the API, storing the secret outside your code, and sending it only over HTTPS, you limit access to the JSON API to the applications you have issued a password to. Rotate the secret if a client is decommissioned or compromised, and move to the built-in Application Passwords feature when you need per-user credentials that can be revoked individually.