Today I tested Basic Auth for the WordPress REST API and it worked perfectly. However, I heard this was a dangerous way of authentication. This is understandable, since people can look into JS files etc.
However, I have an external app in which I want the user to fill in their credentials in a form (just like on a normal WordPress site). Then the user gets logged into the app and is able to post comments under their username. I’m not planning to expose any sensitive data. Furthermore I just want to show the username and avatar of the user when they’re logged into the app. Admins may be able to update/delete posts, but the most important thing is that users/subscribers can comment under their username by being logged in through the REST API.
My question is: is Basic Auth an acceptable way of doing this? I can imagine that in some situations this could be dangerous, but no sensitive data is exposed at all and the user’s password is not displayed anywhere.
Please let me know what you think.
Thanks in advance.
1 Answer
Basic auth is a very common username/password authentication method and it’s as strong as the username-password combination and the encryption of the protocol you’re using.
The weakness of basic auth is that if you use it with plain http instead of https then the username and password is susceptible to a man-in-the-middle attack.
You can use basic auth, but make sure you are using SSL-encryption/https.