I set up an OAuth client for WP-API following the instructions for WP-API/OAuth1 on GitHub.
I was disappointed to realise afterwards that all of the site’s content remains available over the API, including all sorts of not-really-public metadata like user registration dates. I don’t want this.
How do I restrict the JSON API to allow OAuth clients only?
2 Answers
This is how I did it, but I feel it could be better. For one thing, this results in HTTP 500… 403 would be preferable.
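    add_filter( 'json_authentication_errors', function( $authenticated ) {
        // Nothing authenticated this request: reject it.
        if ( ! $authenticated ) {
            return new WP_Error( 'Access Denied' );
        }
        // A filter must return a value: pass the earlier result through.
        return $authenticated;
    }, 99 );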
(I understand this’ll work for Basic Auth too)
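A variant of the filter above that answers with 403 instead of 500, as an added example (not the answerer's code). It assumes the API server takes the HTTP status from the status entry of the WP_Error data, as the WordPress REST API does; the error code json_not_authenticated and the message text are made up for illustration.

```php
<?php
// Added example: same hook and priority as the answer, but the rejection
// carries an explicit HTTP status and earlier results are passed through.
add_filter( 'json_authentication_errors', function ( $result ) {
    // An earlier handler (OAuth, Basic Auth) already rejected the request:
    // keep its error so the client sees the real reason.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // No handler authenticated the request: refuse it with 403.
    if ( ! $result ) {
        return new WP_Error(
            'json_not_authenticated',                  // hypothetical error code
            'Authentication is required for this API.', // hypothetical message
            array( 'status' => 403 )                    // assumed to set the HTTP status
        );
    }

    // Authenticated: hand the value on unchanged for any later filters.
    return $result;
}, 99 );
```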