Instructions on how to install and use the WordPress REST API


How to install and use the WordPress REST API

In previous articles of this series, I introduced the WordPress REST API and covered fetching posts with the WordPress REST API.

In this part of the series on the WordPress REST API, I will discuss how to install the Basic Authentication plugin on the server so that the REST API can authenticate the various clients that talk to it and keep that communication secure.

However, I will start this tutorial with some theoretical discussion on the definition of authentication.

What is authentication?

In the context of Information and Communications Technology (ICT), authentication is the idea and process of verifying the login information of a person or organization requesting access to a specific system.

It is important to distinguish authentication from authorization. When a person is authenticated on a specific WordPress web server, they are granted general access to the system. In contrast, when a person is authorized, they can access and use part or all of the system's resources. In other words, authentication verifies identity, while authorization determines and grants access to system resources.

In the specific context of the WordPress REST API, authenticated users are allowed to perform CRUD operations. However, users must prove their identity with every request.

Authentication with WordPress REST API

The WordPress REST API provides several options for authentication, including:

  • Basic authentication

  • OAuth authentication

  • Cookie authentication

Currently, the native way WordPress authenticates users and their actions is cookie authentication.

To use OAuth authentication or Basic authentication with the WordPress REST API, you need to install the corresponding plugins published on the WordPress REST API team's GitHub. I hope these two methods will get native support in future releases of the WordPress REST API.

Basic authentication

Basic authentication refers to HTTP Basic authentication, in which the login credentials are sent along with the request headers.

  • How does basic authentication work?

In Basic Authentication, the client first requests a protected URL. The server, in turn, requires the client to identify itself by responding with a 401 Unauthorized status code. In response, the client sends the same request again with the login credentials added as a base64-encoded string. This string is sent in the Authorization header field as follows:

Authorization: Basic b3dhaXMuYWxhbUBjbG91ZHdheXMuY29tOmVKNWtuU24zNVc=

Because base64 is an encoding rather than encryption, the string can be decoded without any effort, so this authentication method is not secure on its own: anyone who can read the request can read the credentials. Therefore, it should only be used where there is absolute trust between the server and the client, and over an encrypted (SSL/TLS) connection. Another common use of this method is troubleshooting against a trusted test system.
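The exchange described above, modelled offline as an added example (this is not code from the original tutorial or from the WordPress plugin): the client builds the header, the server challenges with 401 when it is missing or wrong, and a decoder shows that the header is trivially reversible. The in-memory user store and the credentials are constructed sample values.

```javascript
// Added example, not from the original tutorial: a minimal offline model of
// the HTTP Basic exchange, with both the client and the server side.

// Client side: build the Authorization header value. base64 is an encoding,
// not encryption, so the value is only as private as the transport (use HTTPS).
function basicAuthHeader(username, password) {
  return 'Basic ' + Buffer.from(username + ':' + password, 'utf8').toString('base64');
}

// Anyone who captures the header can recover the credentials with one decode;
// this is why the scheme must never be used over plain HTTP.
function decodeBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(headerValue || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');          // the password itself may contain ':'
  if (sep < 0) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Constant-time comparison so the check does not leak how many characters matched.
function safeEqual(a, b) {
  const ba = Buffer.from(a, 'utf8'), bb = Buffer.from(b, 'utf8');
  if (ba.length !== bb.length) return false;
  let diff = 0;
  for (let i = 0; i < ba.length; i++) diff |= ba[i] ^ bb[i];
  return diff === 0;
}

// Server side: challenge with 401 when credentials are missing or wrong.
// `users` is a constructed in-memory store; a real site verifies password hashes.
function handleRequest(req, users) {
  const challenge = { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="WordPress"' } };
  const creds = decodeBasicAuth(req.headers.authorization);
  if (!creds) return challenge;
  if (!Object.prototype.hasOwnProperty.call(users, creds.username) ||
      !safeEqual(users[creds.username], creds.password)) return challenge;
  return { status: 200, user: creds.username };
}

// The two-step exchange: the first request is challenged, the retry carries
// the header and is accepted (or rejected again if the password is wrong).
function basicExchange(users, username, password) {
  const first = handleRequest({ method: 'DELETE', headers: {} }, users);
  const retry = handleRequest(
    { method: 'DELETE', headers: { authorization: basicAuthHeader(username, password) } }, users);
  return { first: first.status, retry: retry.status };
}
```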

  • Install the Basic Authentication plugin for the WordPress REST API

The Basic Authentication plugin published by the WordPress REST API team lets you add Basic Authentication to your WordPress website.

Note: “This plugin requires a username and password for all requests, and should only be used over secure SSL connections or for development and testing. Without SSL, we strongly recommend using the OAuth 1.0a authentication handler on the websites being tested.”

The plugin is available from the WordPress REST API team's GitHub. To use it, simply copy it into the WordPress plugins folder and activate it from the WordPress admin.

  • Submit an authenticated request with Postman

To start sending authenticated requests, install the Postman extension for Chrome. It makes API development easier, faster and smarter. Firefox users can install the REST Easy add-on, which provides a fully featured REST client in the browser.

Like most HTTP applications, Postman for Chrome supports sending requests with basic authentication.

To submit an authenticated request, go to the Authorization tab below the address bar:


Now select Basic Auth from the dropdown menu. You will be asked to enter your username and password. Next, click the Update request button.


After updating the authentication option, you will see a change in the Headers tab. The tab now includes an Authorization header field carrying the base64-encoded username:password string:


The Basic Authentication setup in Postman is complete. Now send a test request that requires authentication (try deleting a post):

For example: DELETE

where the URL is replaced with the path of your own server.

If all goes well, the server returns a status of 200 OK, indicating that the post with id 50 has been deleted:


  • Submit an authenticated request using JavaScript

JavaScript is a high-level programming language that, today, is found almost everywhere, so it is common to see JavaScript frameworks interacting with WordPress. A frequent case is jQuery talking to the WordPress REST API. In such cases, the Authorization header can be sent along with the AJAX request.

Consider the following DELETE request sent via the jQuery.ajax() method:

jQuery.ajax({
    url: '', // the REST API URL of the post to delete
    method: 'DELETE',
    crossDomain: true,
    beforeSend: function (xhr) {
        // send the base64-encoded "username:password" pair in the Authorization header
        xhr.setRequestHeader('Authorization', 'Basic ' + Base64.encode('username:password'));
    },
    success: function (data, txtStatus, xhr) {
        console.log(data);
        console.log(xhr.status);
    }
});
Here Base64 is a helper object used to encode and decode base64 strings. It is defined as follows, just above the call to the jQuery.ajax() method:


In the above request, I set the Authorization header with setRequestHeader() on the xhr object passed as an argument to the beforeSend() callback.

In addition, the server's Access-Control-Allow-Headers header must allow the Authorization field. This can be enabled by adding the following line to the WordPress .htaccess file:

Header always set Access-Control-Allow-Headers Authorization

When the above request completes, it echoes the response in the browser console.

The 200 status code returned by the server indicates that the post with id 52 was successfully deleted.



  • Submit an authenticated request using the WordPress HTTP API

If you are connecting remotely to another WordPress website, the best approach is to send HTTP requests through WordPress's own HTTP API.

Consider the following code, which sends a DELETE request to another WordPress installation that has the WordPress REST API and Basic Authentication enabled:


Here, I used wp_remote_request(), which accepts two arguments: $url (the request URL) and $args (an array of additional arguments passed with the request).

The $method defined in the $args array is DELETE. The $headers array contains all header fields to be sent with the request; I passed the Authorization key with the base64-encoded username:password string.

The response is stored in the $wp_delete_post_response variable, which can be passed to the wp_remote_retrieve_response_code() and wp_remote_retrieve_response_message() functions. These two helper functions from WordPress's HTTP API extract the status code and status message from the response.

If the post was successfully deleted by the above request, the following text is echoed:

200 OK

Cookie authentication

Cookie authentication is the standard authentication method built into WordPress. When you log in to the WordPress dashboard, the appropriate cookies are set, so a developer only has to log in to be authenticated.

However, the REST API adds a mechanism called nonces to handle the CSRF problem. This ensures that a request cannot be forged from another site using the logged-in user's cookies. It also means the API must be handled with care.

This is the recommended approach for plugins and themes that use the API. Custom data models can extend wp.api.models.Base to ensure the nonce is sent correctly with any custom requests.

Developers making AJAX calls manually must pass the nonce with every request. The API uses nonces with the action set to wp_rest.

Note: Until recently, much software had poor support for DELETE requests. For example, PHP does not parse the body of a DELETE request into a superglobal. As such, passing the nonce as a header is the most reliable approach in this scenario.

It is important to remember that this authentication method depends on WordPress cookies. Therefore, it is only suitable when the REST API is used from within WordPress and the current user is logged in. In addition, the current user must have the appropriate authorization for the action being performed.

For example, here's how the built-in JavaScript client is given its nonce:

wp_localize_script('wp-api', 'wpApiSettings', array('root' => esc_url_raw(rest_url()), 'nonce' => wp_create_nonce('wp_rest')));

Here is an example of editing the post's title using jQuery AJAX:
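As an added, offline example (this is not the original tutorial's jQuery code, nor WordPress's own nonce check): the client builds the title-update request with the nonce in the X-WP-Nonce header, and a simplified server model shows why the login cookie alone is not enough. The wpApiSettings object, the session values and the post id are constructed sample data.

```javascript
// Added example, not from the original tutorial: cookie authentication with the
// wp_rest nonce, modelled with a client request and a simplified server check.

// Constructed stand-in for the object wp_localize_script() exposes as wpApiSettings.
const wpApiSettings = { root: 'https://example.com/wp-json/', nonce: 'c0ffee1234' };

// Client side: the request that changes a post's title. The nonce travels in
// the X-WP-Nonce header, the most reliable place for it (see the note above).
function buildTitleUpdate(settings, postId, newTitle) {
  return {
    method: 'POST',
    url: settings.root + 'wp/v2/posts/' + encodeURIComponent(postId),
    headers: { 'Content-Type': 'application/json', 'X-WP-Nonce': settings.nonce },
    body: JSON.stringify({ title: newTitle }),
  };
}

// Server side (simplified model, not WordPress's code): the login cookie names
// the user, but browsers attach it to cross-site requests too. The nonce proves
// the request came from a page WordPress rendered for this user, which is what
// stops CSRF. It is checked before any change is made.
function serverHandle(req, session) {
  if (!req.cookies || req.cookies.wordpress_logged_in !== session.cookie) {
    return { status: 401, error: 'not logged in' };
  }
  const nonce = req.headers['X-WP-Nonce'];
  if (typeof nonce !== 'string' || nonce !== session.nonce) {
    return { status: 403, error: 'cookie nonce is invalid' };
  }
  if (!session.canEdit) return { status: 403, error: 'cannot edit post' };
  return { status: 200, title: JSON.parse(req.body).title };
}

// The browser attaches the login cookie to any request for the site's origin,
// whether the sending page is ours or a third-party page.
function sendFromBrowser(req, session) {
  return serverHandle({ ...req, cookies: { wordpress_logged_in: session.cookie } }, session);
}

// Legitimate request: built from our own page, nonce included.
function legitimateUpdate(session, postId, newTitle) {
  return sendFromBrowser(buildTitleUpdate(wpApiSettings, postId, newTitle), session);
}

// Cross-site request: the cookie is still attached by the browser, but a form
// on another site cannot set the X-WP-Nonce header, so the server refuses it.
function crossSiteUpdate(session, postId, newTitle) {
  const req = buildTitleUpdate(wpApiSettings, postId, newTitle);
  delete req.headers['X-WP-Nonce'];
  return sendFromBrowser(req, session);
}
```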


The WordPress REST API is the most popular and widely used REST API in the world. It is available to all WordPress users for online stores and web applications.

I hope you have understood everything I wrote in this tutorial. If you still have questions or would like to contribute to what we write, please leave a comment below.
