Files
2026-07-02 15:54:39 -06:00

627 B

Authentication (summary)

  • Standard for wp-admin and theme/plugin JS.
  • Requires a REST nonce (wp_rest) sent as X-WP-Nonce header or _wpnonce param.
  • If the nonce is missing, the request is treated as unauthenticated even if cookies exist.

Application Passwords (external clients)

  • Available in WordPress 5.6+.
  • Use HTTPS + Basic Auth with the application password.
  • Recommended over the legacy Basic Auth plugin.

Auth plugins

  • OAuth 1.0a or JWT plugins are common for external apps.
  • Use only if required; follow plugin docs and security guidance.