Zsolt raised the question of security when using WordPress for private journaling, given that the WP REST API relies on a username and password.

You could look at JSON Web Tokens (JWT), but you would still need to send your username and password once to obtain the token.

Or maybe OAuth 2, but that could be tricky depending on how you're connecting (Drafts doesn't have support for authentication via OAuth. Yet. Fingers crossed.)

I presume he asks because his blog is http rather than https.

This is why I said that my Drafts 5 action and basic authentication should never be used over http.

The way I connect passes an encoded (not encrypted) version of my username and password as part of the query. Over plain http it would be easy for anyone on the network path to grab and decode those details; because I use https, the request is encrypted in transit and cannot be read by a "man in the middle" style attack.

Private posts can only be retrieved by a properly authenticated user via the REST API, so, I'd argue, things are safe when using https.

  1. zsbenke says:
    @colinwalker

    Private posts can only be retrieved by a properly authenticated user via the REST API so, I’d argue, things are safe when using https.

    That’s what concerns me. No additional security other than a username/password can be used with the REST API to retrieve private posts, and I had a blog hacked once using a security error in WordPress. There should be a stronger authentication (maybe two factor) for the REST API too. Sure, I could disable it altogether, but that’s also annoying.

    I’m just not comfortable storing private stuff on WordPress I think.

    1. Nitin says:
      Definitely have thought about it many times. Thanks for the link and the work on the script! (Ugh. Ruby!)
  2. colinwalker says:
    @zsbenke I’m going to do a full write-up of what I’ve been doing but one option is to register a custom post type and not include support for the Rest API.
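As an added example of Colin's suggestion (a post type kept out of the REST API) combined with the post's rule that basic authentication should never be used over http, here is a small WordPress mu-plugin. It is not code from the post, from Colin or from Drafts; the post type name `journal` and the error code `rest_insecure_transport` are assumptions.

```php
<?php
/**
 * Plugin Name: Private Journal Hardening (added example, hypothetical)
 *
 * Two mitigations for private journaling via WordPress:
 *  1. a journal post type that the REST API never exposes, so no
 *     authentication scheme, weak or strong, can fetch its entries there;
 *  2. refusing to honour HTTP Basic credentials that arrive over plain http.
 */

// 1. Custom post type with no /wp-json route (assumed name: 'journal').
add_action( 'init', function () {
    register_post_type( 'journal', array(
        'labels'          => array( 'name' => 'Journal', 'singular_name' => 'Entry' ),
        'public'          => false,  // no front-end archive or permalinks
        'show_ui'         => true,   // still editable in wp-admin
        'show_in_rest'    => false,  // the point: not exposed via the REST API
        'capability_type' => 'post',
        'supports'        => array( 'title', 'editor', 'revisions' ),
    ) );
} );

// 2. Reject REST requests that carry Basic credentials over plain http.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // another handler already accepted or rejected
    }

    // Apache exposes Basic credentials as PHP_AUTH_USER; some hosts only
    // pass the raw Authorization header through.
    $has_basic_auth = isset( $_SERVER['PHP_AUTH_USER'] )
        || ( isset( $_SERVER['HTTP_AUTHORIZATION'] )
             && stripos( $_SERVER['HTTP_AUTHORIZATION'], 'Basic ' ) === 0 );

    if ( $has_basic_auth && ! is_ssl() ) {
        return new WP_Error(
            'rest_insecure_transport', // assumed error code
            'Basic authentication is only accepted over https.',
            array( 'status' => 403 )
        );
    }
    return $result;
} );
```

The filter cannot un-send credentials that were already transmitted in the clear; its value is that a misconfigured http client fails loudly on the first request instead of silently working.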