WordPress REST API application password authentication in JavaScript – risk?

I'm utilizing the WordPress REST API to create posts within my application. Currently, the username and password are stored in a regular JavaScript file. My intention is to restrict this user to only have permissions for post creation. However, I'm concerned about the potential security risks of having these credentials exposed in this manner. Is it considered a significant risk to create posts using this method, given the open visibility of this data? Additionally, are there any recommended best practices or alternative approaches to handle authentication securely in such scenarios?

```javascript
const username = 'creator';
const password = '30LI lgKe S3k2 mLGG yYXt FOiL';

fetch("/wp-json/wp/v2/posts", {
  method: "POST",
  headers: {
    "Authorization": "Basic " + btoa(username + ':' + password),
    "Content-Type": "application/json"
  },
  body: JSON.stringify({ title: "Title", content: "My Content", status: "draft" })
});
```
Hard-coding credentials in this manner is clearly not secure. Everyone can steal them. Is your front end application located inside WordPress? If yes, I suggest you switch to nonces. You create the nonce with PHP:

```php
$args = array();
if ( is_user_logged_in() ) {
    $args['wp_rest_nonce'] = wp_create_nonce( 'wp_rest' );
}
wp_localize_script( 'your-script-name', 'WPURLS', $args );
```

And send it in the ajax request using the header X-WP-Nonce:

```javascript
if (typeof WPURLS.wp_rest_nonce !== 'undefined') {
  fetch("/wp-json/wp/v2/posts", {
    method: "POST",
    headers: {
      'X-WP-Nonce': WPURLS.wp_rest_nonce,
      "Content-Type": "application/json"
    },
    body: JSON.stringify({ title: "Title", content: "My Content", status: "draft" })
  });
}
```

The endpoint will check the user's authentication and capabilities to perform the requested action. Note that nonces are extremely secure because:

- they have a predefined duration, beyond which they expire;
- they are local to the user and his session.

This means that to breach your application, someone would have to get the nonce and steal both your user's credentials (which you don't have to expose) and his session.

February 17, 2024
