
WordPress – Enhance Rest API security with Nonce

The WordPress REST API opens up a world of possibilities for developers by allowing programmatic interaction with site data. It also answers anonymous requests on its core /wp/v2/ routes (posts, pages, users, media) out of the box, so anyone who knows the URL can read them without ever loading a page on the site. The following PHP snippet gates those anonymous requests behind a nonce, a short-lived token issued by the site that lets it verify that the request came from a client the site itself served.

The Code

First, a nonce is created with wp_create_nonce('wp_rest'). This is the same action name WordPress core uses for its own REST nonce, so a value issued this way is also accepted by the core cookie check for logged-in users. The call only returns a string: the nonce has to be handed to the client (for example by passing it to front-end JavaScript with wp_localize_script()), otherwise no request can carry it.

<?php

// Create a nonce for the 'wp_rest' action. The return value must be delivered
// to the client; on its own the call has no effect.
$nonce = wp_create_nonce('wp_rest');

Then, REST API access is gated with the rest_authentication_errors filter hook, which runs before any route handler and verifies the nonce. Note that str_contains() needs PHP 8.0 or the polyfill that ships with WordPress 5.9 and later.

<?php

add_filter('rest_authentication_errors', function ($errors) {
    // Respect a decision an earlier callback has already made (WP_Error or true).
    if ($errors !== null) {
        return $errors;
    }

    // The route WordPress resolved for this request, e.g. '/wp/v2/posts'.
    $route = $GLOBALS['wp']->query_vars['rest_route'] ?? '';

    // Only gate the core /wp/v2/ namespace
    if (str_contains($route, '/wp/v2/')) {
        // Only anonymous requests: logged-in callers are already nonce-checked by core
        if (!is_user_logged_in()) {
            // Ensure the nonce parameter is present
            if (!isset($_REQUEST['nonce'])) {
                return new WP_Error(
                    'rest_not_logged_in',
                    __('Nonce parameter missing in the request'),
                    ['status' => 401]
                );
            }

            // Verify the nonce against the 'wp_rest' action.
            // wp_verify_nonce() returns false for a stale, forged or wrong-action value.
            $nonce = sanitize_text_field(wp_unslash($_REQUEST['nonce']));
            if (!wp_verify_nonce($nonce, 'wp_rest')) {
                return new WP_Error(
                    'rest_not_logged_in',
                    __('Incorrect nonce parameter in the request'),
                    ['status' => 401]
                );
            }
        }
    }

    return $errors;
});

How It Works

  • The filter rest_authentication_errors is applied by WP_REST_Server before a request is dispatched, which lets you intercept it and perform additional authentication checks.
  • The snippet checks whether the request targets a core /wp/v2/ route and whether the caller is logged out. Logged-in callers are left alone: WordPress already verifies a 'wp_rest' nonce for them (sent as the _wpnonce parameter or the X-WP-Nonce header) in its own rest_cookie_check_errors callback.
  • It then looks for a nonce parameter in the request. If the nonce is missing or fails verification, a WP_Error with a 401 status is returned; the server turns it into an HTTP 401 JSON error response and the route handler never runs.
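The page shows the verification side only. The following is an added, complete example (not the page's snippet, and not WordPress core code) that also shows the delivery side and lines the check up with how core handles nonces: the nonce is passed to front-end JavaScript with wp_localize_script(), the client sends it as the X-WP-Nonce header, and the filter accepts it the same two ways core does (_wpnonce parameter or X-WP-Nonce header). The plugin header, the 'site-rest' script handle, the siteRest JavaScript object and the error codes are assumptions chosen for this example; str_starts_with() assumes PHP 8 or WordPress 5.9+.

```php
<?php
/**
 * Plugin Name: Nonce-gated REST (added example)
 *
 * Example code, not from the original page or from WordPress core.
 * Assumed names: script handle 'site-rest', JS object 'siteRest'.
 */

// 1. Delivery: hand a 'wp_rest' nonce to front-end JavaScript on every page load.
add_action('wp_enqueue_scripts', function () {
    // A handle with no src so the client code can be inlined below (assumed handle).
    wp_register_script('site-rest', false, [], null, true);
    wp_enqueue_script('site-rest');

    wp_localize_script('site-rest', 'siteRest', [
        'root'  => esc_url_raw(rest_url()),
        'nonce' => wp_create_nonce('wp_rest'),
    ]);

    // Client side: send the nonce as X-WP-Nonce, the header core's own cookie
    // check expects, so logged-in and logged-out callers use one code path.
    wp_add_inline_script('site-rest', <<<'JS'
fetch(siteRest.root + 'wp/v2/posts?per_page=5', {
    headers: { 'X-WP-Nonce': siteRest.nonce },
    credentials: 'same-origin'
}).then(r => r.ok ? r.json() : Promise.reject(r.status))
  .then(posts => console.log(posts.map(p => p.title.rendered)))
  .catch(status => console.warn('REST request rejected:', status));
JS
    );
});

// 2. Verification: refuse anonymous /wp/v2/ requests that carry no valid nonce.
add_filter('rest_authentication_errors', function ($errors) {
    // An earlier callback already decided (WP_Error or true): do not override it.
    if ($errors !== null) {
        return $errors;
    }

    // Logged-in users are already nonce-checked by core (rest_cookie_check_errors).
    if (is_user_logged_in()) {
        return $errors;
    }

    $route = $GLOBALS['wp']->query_vars['rest_route'] ?? '';
    // Anchor the match at the start of the route so '/wp/v2/' appearing inside
    // some other namespace's path does not trigger the gate.
    if (!str_starts_with($route, '/wp/v2/')) {
        return $errors;
    }

    // Accept the nonce the same two ways core does.
    $nonce = null;
    if (isset($_REQUEST['_wpnonce'])) {
        $nonce = sanitize_text_field(wp_unslash($_REQUEST['_wpnonce']));
    } elseif (isset($_SERVER['HTTP_X_WP_NONCE'])) {
        $nonce = sanitize_text_field(wp_unslash($_SERVER['HTTP_X_WP_NONCE']));
    }

    // This branch is what the snippet actually adds: core treats a request with
    // no nonce as plain anonymous and lets it through; here it is rejected.
    if ($nonce === null) {
        return new WP_Error(
            'rest_nonce_missing',                       // assumed error code
            __('A nonce is required for anonymous requests to this route.'),
            ['status' => 401]
        );
    }

    // wp_verify_nonce() returns 1 or 2 for a live nonce (first or second
    // 12-hour half of its life) and false for a stale, forged or wrong-action value.
    if (!wp_verify_nonce($nonce, 'wp_rest')) {
        // Match core: a bad nonce is a 403, and the response must not be cached.
        add_filter('rest_send_nocache_headers', '__return_true', 20);
        return new WP_Error(
            'rest_nonce_invalid',                       // assumed error code
            __('Nonce check failed.'),
            ['status' => 403]
        );
    }

    return $errors;
});
```

Two things to keep in mind when deploying this. For a logged-out visitor wp_create_nonce() hashes user ID 0 and an empty session token, so every anonymous visitor receives the same nonce for a given 12-hour tick, and it is readable in the page source; the gate keeps out clients that never loaded a page from the site, it does not identify anybody. And because a nonce is valid for at most 24 hours, a full-page cache that serves HTML for longer than that will hand out expired nonces and break the site's own front-end requests; either exclude the nonce from cached output or have the client refresh it (when the check passes, core returns a fresh value in the X-WP-Nonce response header).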

Implementation

To employ this security measure, add the code snippet to your theme's functions.php file or, better, to a custom functionality plugin or mu-plugin so the check survives a theme switch. Once it is in place every anonymous request to a /wp/v2/ route is checked for a valid nonce before being executed, so every anonymous client you rely on (front-end scripts, a headless front end, third-party integrations) must be sending one or it will start receiving 401 responses. Test those callers before enabling the filter on a production site.

Benefits

  • Security: For logged-in users WordPress already checks a 'wp_rest' nonce itself, and that core check is what defeats CSRF through the REST API. This snippet extends a nonce requirement to anonymous requests on the core /wp/v2/ routes, so clients that never loaded a page from the site (scrapers, user enumeration via /wp/v2/users) are turned away.
  • Control: This method allows finer control over who can reach the REST API, particularly the public read endpoints (posts, pages, users, media) that otherwise answer any anonymous request. Anonymous callers cannot write through /wp/v2/ anyway; the write endpoints remain governed by each route's permission callback.

Conclusion

Requiring a nonce for anonymous REST API requests is a cheap way to cut down on casual scraping and enumeration of your site's data. Keep its limits in view: the nonce handed to logged-out visitors is shared by all of them and visible in page source, and it expires after 12 to 24 hours, so it raises the bar rather than authenticating anyone. Where a route must genuinely be restricted, enforce it in that route's permission callback or behind real authentication such as application passwords, and use the nonce check as a supplement.
