Full stack web developer, interested in all the things, but especially the web, code, design, Linux, OS X, PHP, WordPress, JavaScript & robots.

Abusing the WordPress REST API

Earlier, I was playing around with the WordPress REST API and I was struggling to figure out why the WordPress function is_user_logged_in() was not working with my custom endpoint. The function returns false regardless of whether the user is logged in or not. Turns out, this is by design and I needed to send a nonce within my endpoint request. Doh.

Anyhow, before I figured this out (RTFM, Philip), I came up with a rather fugly workaround. The hack was to add an action to the rest_api_init hook, call the is_user_logged_in() function and set a global variable, which could then be accessed from within the endpoint. Now, I’m not sure I would recommend using this hack, but it did occur to me that there could be a scenario where it’s not possible to send a nonce with the request, in which case the only way to test if the user is logged in would be within the endpoint’s code.
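For comparison, here is the "send the nonce" approach the post arrives at, written out as an added example rather than code from the post itself. The namespace corenominal-demo/v1, the route /whoami and the JavaScript variable demoRest are placeholders; the hooks and functions used are the standard WordPress ones. The reason is_user_logged_in() comes back false inside a custom endpoint is that WordPress's cookie authentication (rest_cookie_check_errors, hooked on rest_authentication_errors) resets the current user to 0 unless the request carries a valid nonce for the action wp_rest, either in the X-WP-Nonce header or as the _wpnonce parameter. Any workaround that skips that step, whether the rest_api_init global above or a filter that short-circuits rest_authentication_errors, also removes the CSRF protection the nonce provides: the browser attaches the login cookie to requests started from other sites, but it will only add a custom header for script running on this site.

```php
<?php
/**
 * Added example, not code from the original post: the "send the nonce" fix.
 * Placeholders: the namespace 'corenominal-demo/v1', the route '/whoami' and
 * the JS variable 'demoRest'. Save as a plugin file and activate it.
 */

// 1. Register a custom endpoint that requires a logged-in user.
add_action( 'rest_api_init', function () {
    register_rest_route( 'corenominal-demo/v1', '/whoami', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'corenominal_demo_whoami',
        // Cookie authentication only keeps the current user when a valid
        // 'wp_rest' nonce arrives with the request (X-WP-Nonce header or
        // _wpnonce parameter). Without it WordPress deliberately sets the
        // current user to 0, so is_user_logged_in() returns false both here
        // and in the callback. That is the behaviour the post ran into.
        'permission_callback' => 'is_user_logged_in',
    ) );
} );

function corenominal_demo_whoami( WP_REST_Request $request ) {
    $user = wp_get_current_user();
    return rest_ensure_response( array(
        'id'    => $user->ID,
        'login' => $user->user_login,
    ) );
}

// 2. Hand the browser a fresh nonce and have it send the nonce back in the
//    X-WP-Nonce header. The login cookie is attached by the browser to any
//    request, including one triggered from another site; a custom header is
//    only attached by script on this site, which is what the nonce check
//    actually verifies.
add_action( 'wp_footer', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $config = wp_json_encode(
        array(
            'url'   => rest_url( 'corenominal-demo/v1/whoami' ),
            'nonce' => wp_create_nonce( 'wp_rest' ),
        ),
        // Escape characters that could break out of the <script> context.
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    ?>
    <script>
    var demoRest = <?php echo $config; ?>;
    fetch( demoRest.url, {
        credentials: 'same-origin',               // send the login cookie
        headers: { 'X-WP-Nonce': demoRest.nonce } // prove the call came from this page
    } )
        .then( function ( r ) { return r.json(); } )
        .then( function ( body ) { console.log( 'whoami', body ); } );
    </script>
    <?php
} );
```

With this in place the endpoint's permission_callback sees the cookie user, so there is no need for a global set in rest_api_init. A request that omits the header (for example, one issued from another origin, or a plain curl with only the cookie) gets a 401 from the permission check, which is the intended outcome.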

How bad am I?


  1. Craig says:

    Here is a way to disable the nonce requirement:

    add_filter('rest_authentication_errors', 'rest_authentication_errors', 99, 1);
    function rest_authentication_errors($error) {
        // Runs before WordPress's own cookie check (priority 100). Returning
        // true short-circuits that check, so the user set from the login
        // cookie is kept even though no valid 'wp_rest' nonce was sent.
        $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
        return strcasecmp($nonce, 'disabled') == 0 ? true : $error;
    }

  2. corenominal says:

    @Craig, nifty, I’ll give that a try. Thank you.
