Zsolt raised the question of how secure it is to use WordPress for private journaling, given that the WP REST API relies on a username and password.

You could look at JSON Web Tokens (JWT), but you would still need to send your username and password initially to obtain the token.

Or maybe OAuth 2, but that could be tricky depending on how you're connecting (Drafts doesn't support authentication via OAuth. Yet. Fingers crossed.)

I presume he asks because his blog is http rather than https.

This is why I said that my Drafts 5 action and basic authentication should never be used over http.

The way I connect passes an encoded version of my username and password as part of the query. If this were done over http it would be easy to grab and decode those details, since the encoding is reversible without any key, but because I use https the request is encrypted in transit and cannot be intercepted by a man-in-the-middle attack.

Private posts can only be retrieved via the REST API by a properly authenticated user, so, I'd argue, things are safe when using https.
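As an added illustration of the two points above (this is not the author's Drafts action, which is not shown here), the block below builds the authenticated request for private posts against the WP REST API, refuses to send credentials to anything but an https URL, and shows that the Basic auth token can be decoded by anyone who sees it. The site, username and password are constructed placeholders, and the use of the Authorization header rather than a query parameter is an assumption.

```python
import base64
from urllib.parse import urlsplit, urlencode

# Constructed example values, not the blog author's real site or credentials.
SITE = "https://example.com"
USER = "journal"
PASSWORD = "correct horse battery staple"


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic auth is just base64 of "user:password": encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header: str) -> tuple[str, str]:
    """What anyone on the network path recovers if the request went over plain http."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def private_posts_request(site: str, user: str, password: str, per_page: int = 10):
    """Build the GET request for private posts (requires an authenticated user).
    Refuses any scheme other than https so credentials never travel in the clear."""
    parts = urlsplit(site)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send credentials over {parts.scheme!r}; use https")
    url = f"{site.rstrip('/')}/wp-json/wp/v2/posts?" + urlencode(
        {"status": "private", "per_page": per_page}
    )
    headers = {
        "Authorization": basic_auth_header(user, password),
        "Accept": "application/json",
    }
    return url, headers


if __name__ == "__main__":
    url, headers = private_posts_request(SITE, USER, PASSWORD)
    print(url)
    print(headers["Authorization"])
    # The credentials come straight back out with no key involved.
    print(decode_basic_auth(headers["Authorization"]))
    try:
        private_posts_request("http://example.com", USER, PASSWORD)
    except ValueError as err:
        print("blocked:", err)
```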

1. Nitin says:
   Definitely have thought about it many times. Thanks for the link and the work on the script! (Ugh. Ruby!)
2. colinwalker says:
   I'm going to do a full write-up of what I've been doing, but one option is to register a custom post type and not include support for the REST API.