I’m trying to post to a WordPress server on an AWS Lightsail instance using node-wpapi.
However, the server returns a 401 error.
I already have a .htaccess file with RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}] to my .htaccess file and I already use ‘application passwords’ plugin.
How can I use node-wpapi to access the server?
My node-wpapi setting is here.
const wp = new WPAPI({
endpoint: 'http://localhost/wp-json',
username: 'user', //This is a default admin user.
password: '*************************', //This is a password for application passwords plugin
auth: true,
});
My .htaccess file is here.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
The error message is here.
code: 'rest_cannot_create',
message: 'Sorry, you are not allowed to create new posts.',
data: { status: 401 }
My user profile page keeps displaying the following message.
> Due to a potential server misconfiguration, it seems that HTTP Basic Authorization may not work for the REST API on this site: `Authorization` headers are not being sent to WordPress by the webserver. You can learn more about this problem, and a possible solution, on our GitHub Wiki.
2 Answers
I’ve found a solution.
The WordPress made from AWS Lightsail instance image is bitnami WordPress.
And the bitnami WordPress is disabled Basic Authentication as default. So it needs some modification on /opt/bitnami/apps/WordPress/conf/httpd-app.conf to enable Basic Authentication. This modification is adding 3 lines below.
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
The httpd-app.conf ended up below.
RewriteEngine On
RewriteRule /<none> / [L,R]
<IfDefine USE_PHP_FPM>
<Proxy "unix:/opt/bitnami/php/var/run/wordpress.sock|fcgi://wordpress-fpm" timeout=300>
</Proxy>
</IfDefine>
<Directory "/opt/bitnami/apps/wordpress/htdocs">
Options +MultiViews +FollowSymLinks
AllowOverride None
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfDefine USE_PHP_FPM>
<FilesMatch \.php$>
SetHandler "proxy:fcgi://wordpress-fpm"
</FilesMatch>
</IfDefine>
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
RewriteEngine On
#RewriteBase /wordpress/
RewriteRule ^index\.php$ - [S=1]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
Include "/opt/bitnami/apps/wordpress/conf/banner.conf"
</Directory>
Include "/opt/bitnami/apps/wordpress/conf/htaccess.conf"
Then restart apache or the instance itself.
Then I installed the Application Passwords plugin and I use it as a normal procedure.
The following message of the plugin displayed on the profile page has gone.
Due to a potential server misconfiguration, it seems that HTTP Basic Authorization may not work for the REST API on this site: `Authorization` headers are not being sent to WordPress by the webserver. You can learn more about this problem, and a possible solution, on our GitHub Wiki.
The HTTP_AUTHORIZATION environment variable in the .htaccess file doesn’t need to be replaced REMOTE_USER.
Just in case, I show my .htaccess file below.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
This solution is from this page.
The difference of solution between this solution page and my solution above is I use the Application Passwords plugin but they use the JSON Basic authentication plugin.
