Key Concepts of REST API in WordPress
WordPress provides a built-in REST API that allows developers to interact with WordPress data using JSON-based requests. This API makes it easier to integrate WordPress with external applications, mobile apps, and other web services.
1. RESTful Architecture in WordPress
WordPress REST API follows RESTful principles, meaning:
- Stateless: Each request is independent; WordPress does not store client session data.
- Client-Server: The API acts as a bridge between the front end (client) and the WordPress database (server).
- Uniform Interface: Uses standard HTTP methods like `GET`, `POST`, `PUT`, and `DELETE`.
- JSON Format: All responses are in JSON (JavaScript Object Notation).
2. WordPress REST API Endpoints
Default WordPress Endpoints
WordPress provides built-in API endpoints that allow access to various data.
| Endpoint | Method | Description |
|---|---|---|
| /wp-json/wp/v2/posts | GET | Fetch all posts |
| /wp-json/wp/v2/posts/12 | GET | Fetch post with ID 12 |
| /wp-json/wp/v2/pages | GET | Fetch all pages |
| /wp-json/wp/v2/comments | GET | Fetch all comments |
| /wp-json/wp/v2/users | GET | Fetch all users (requires authentication) |
Example API request:

```sh
GET https://example.com/wp-json/wp/v2/posts
```

Response (JSON format):

```json
[
  {
    "id": 12,
    "title": {
      "rendered": "Hello World"
    },
    "content": {
      "rendered": "<p>This is my first post!</p>"
    }
  }
]
```
3. HTTP Methods in WordPress REST API
| HTTP Method | Usage in WordPress API |
|---|---|
| GET | Fetch data (e.g., posts, pages, users) |
| POST | Create new content (requires authentication) |
| PUT/PATCH | Update existing content (requires authentication) |
| DELETE | Remove content (requires authentication) |
Example: Create a new post (with authentication)

```sh
POST https://example.com/wp-json/wp/v2/posts

Headers:
Authorization: Bearer YOUR_ACCESS_TOKEN

Body (JSON):
{
  "title": "My New Post",
  "content": "This is a test post.",
  "status": "publish"
}
```
4. Customizing WordPress REST API
You can extend the WordPress REST API to add custom endpoints using PHP.
Creating a Custom API Endpoint
Add this code to functions.php or a custom plugin:

```php
// Callback for the custom route: returns a JSON body with a message and status.
function my_custom_endpoint() {
    return new WP_REST_Response(array(
        'message' => 'Hello, this is a custom API endpoint!',
        'status'  => 200
    ));
}

add_action('rest_api_init', function () {
    register_rest_route('myplugin/v1', '/message', array(
        'methods'             => 'GET',
        'callback'            => 'my_custom_endpoint',
        // Required since WordPress 5.5 (a notice is raised without it);
        // __return_true makes this route public to unauthenticated callers.
        'permission_callback' => '__return_true',
    ));
});
```
Now, access the custom API at:

```bash
GET https://example.com/wp-json/myplugin/v1/message
```

Response:

```json
{
  "message": "Hello, this is a custom API endpoint!",
  "status": 200
}
```
5. Authentication in WordPress REST API
Methods for Securing API Requests
- Basic Authentication – Simple but not secure for production.
- OAuth 2.0 – Secure and widely used.
- JWT (JSON Web Token) – Common for mobile and external applications.
- Application Passwords – A built-in method in WordPress.
Using JWT Authentication

Install the JWT library via Composer:

```sh
composer require firebase/php-jwt
```

Then, send requests with a JWT token in the Authorization header:

```sh
Authorization: Bearer YOUR_JWT_TOKEN
```
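As an added example (not code from the page or from WordPress itself), here is a hardened version of the custom-endpoint pattern from section 4 that also applies the authentication points of section 5: the route requires the `edit_posts` capability through `permission_callback`, declares an argument schema with sanitize and validate callbacks, and returns the HTTP status through the response object instead of the body. The route name `myplugin/v1/note`, the callback name and the 500-character limit are assumptions for illustration.

```php
<?php
// Added example, not from the page: a write endpoint that restricts access
// and validates input. Route, callback name and length limit are assumed.
add_action('rest_api_init', function () {
    register_rest_route('myplugin/v1', '/note', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'myplugin_create_note',
        // Authorization: only logged-in users who can edit posts may call
        // this route. Returning true here would open it to anyone.
        'permission_callback' => function () {
            return current_user_can('edit_posts');
        },
        // Argument schema: WordPress rejects the request with a 400
        // before the callback runs if validation fails.
        'args' => array(
            'text' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ($value) {
                    return is_string($value) && strlen($value) <= 500;
                },
            ),
        ),
    ));
});

function myplugin_create_note(WP_REST_Request $request) {
    // Already sanitized by the args schema above.
    $text = $request->get_param('text');

    $post_id = wp_insert_post(array(
        'post_type'    => 'post',
        'post_status'  => 'draft',   // never auto-publish caller input
        'post_title'   => wp_trim_words($text, 8, ''),
        'post_content' => $text,
        'post_author'  => get_current_user_id(),
    ), true); // true: return WP_Error instead of 0 on failure

    if (is_wp_error($post_id)) {
        return new WP_Error(
            'myplugin_insert_failed',
            $post_id->get_error_message(),
            array('status' => 500)
        );
    }

    // HTTP status goes in the response object, not the JSON body.
    return new WP_REST_Response(array('id' => $post_id), 201);
}
```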
6. Filtering and Querying Data
You can filter results by adding query parameters.

Get posts from a specific category:

```sh
GET https://example.com/wp-json/wp/v2/posts?categories=5
```

Get posts from a particular author:

```sh
GET https://example.com/wp-json/wp/v2/posts?author=2
```

Get posts sorted by date:

```sh
GET https://example.com/wp-json/wp/v2/posts?orderby=date&order=desc
```
7. Disabling or Restricting the WordPress REST API
To disable the REST API for unauthenticated users, add this to functions.php:

```php
function disable_wp_rest_api_for_guests($access) {
    // Another authentication handler has already produced an error
    // (or a result); pass it through unchanged.
    if (!empty($access)) {
        return $access;
    }
    // No authenticated user: reject the request with a 403.
    if (!is_user_logged_in()) {
        return new WP_Error(
            'rest_cannot_access',
            'REST API restricted to authenticated users',
            array('status' => 403)
        );
    }
    return $access;
}
add_filter('rest_authentication_errors', 'disable_wp_rest_api_for_guests');
```