REST API – Create, Update or Delete posts using Basic Auth and HTTP API

About Basic Authentication

First of all, Basic Authentication won’t work until you install a special plugin; which plugin depends on the method you choose. I will show you two of them.

Using username and password

This method isn’t recommended in the WordPress Codex, because you have to send the actual username and password in each API call, but you can use this method for test purposes.

To begin using it, you have to download a special plugin from GitHub (I use the link from the official WordPress documentation page).

Basic Authentication plugin for WordPress REST API

There is no way to perform Basic Auth in the WordPress REST API without this plugin installed. Once the plugin is activated on your website (I mean the website whose API you want to interact with), we can try the examples below.

Using application passwords

OK, this method is much better. You have to install the Application Passwords plugin. It is available from the WordPress plugin repository, so you can find it in your website admin area on the Plugins > Add New page.

Application Passwords plugin for WordPress REST API

Once you have installed this plugin, make sure that your REST API is not turned off, then go to the very bottom of a user profile page and generate an app password there.

Generate application passwords for REST API

There is no need to use a user’s actual password anymore.

Create a Post

Where to insert all the code from this post? I hope you know this but just in case.

First of all I want to remind you that we have 2 websites.

You can see the wp_remote_post() function in the code. It is a WordPress function, so you have to insert it somewhere inside the WP environment. For my test purposes I just created a randomly named PHP file in the WordPress root directory and added require('wp-load.php'); at the beginning of the file. When I access this file in a browser, it does the work.

LOGIN:PASSWORD on line 3 is the username and password pair of a website user (on the first website; if you’ve installed Application Passwords, you have to use the generated token instead) who has the capabilities to create, update and delete posts.

$api_response = wp_remote_post( 'https://WEBSITE/wp-json/wp/v2/posts', array(
	'headers' => array(
		'Authorization' => 'Basic ' . base64_encode( 'LOGIN:PASSWORD' )
	),
	'body' => array(
		'title'      => 'My test',
		'status'     => 'draft', // ok, we do not want to publish it immediately
		'content'    => 'lalala',
		'categories' => 5, // category ID
		'tags'       => '1,4,23', // string, comma separated
		'date'       => '2015-05-05T10:00:00', // YYYY-MM-DDTHH:MM:SS
		'excerpt'    => 'Read this awesome post',
		'password'   => '12$45',
		'slug'       => 'new-test-post' // part of the URL usually
		// more body params are here:
		// developer.wordpress.org/rest-api/reference/posts/#create-a-post
	)
) );

// wp_remote_retrieve_body() returns an empty string if the request failed with a WP_Error
$body = json_decode( wp_remote_retrieve_body( $api_response ) );

// you can always print_r to look what is inside
// print_r( $body ); // or print_r( $api_response );

if( wp_remote_retrieve_response_message( $api_response ) === 'Created' ) {
	echo 'The post ' . $body->title->rendered . ' has been created successfully';
}

How to Update a WordPress Post with REST API

Let’s just update the title of the created post. Replace {POST_ID} with the ID of the post you would like to update. If you are still not sure where to get it, read this tutorial.

$api_response = wp_remote_post( 'https://WEBSITE/wp-json/wp/v2/posts/{POST_ID}/', array(
	'headers' => array(
		'Authorization' => 'Basic ' . base64_encode( 'LOGIN:PASSWORD' )
	),
	'body' => array(
		'title' => 'My test 1'
	)
) );

// wp_remote_retrieve_body() returns an empty string if the request failed with a WP_Error
$body = json_decode( wp_remote_retrieve_body( $api_response ) );

if( wp_remote_retrieve_response_message( $api_response ) === 'OK' ) {
	echo 'The post ' . $body->title->rendered . ' has been updated successfully';
}

Delete a Post

If you add ?force=true at the end of the request URI, the post will be removed permanently without moving to trash.

$api_response = wp_remote_request( 'https://WEBSITE/wp-json/wp/v2/posts/{POST_ID}', array(  // ?force=true to skip trash
	'method'  => 'DELETE',
	'headers' => array(
		'Authorization' => 'Basic ' . base64_encode( 'LOGIN:PASSWORD' )
	)
) );

// wp_remote_retrieve_body() returns an empty string if the request failed with a WP_Error
$body = json_decode( wp_remote_retrieve_body( $api_response ) );

if( wp_remote_retrieve_response_message( $api_response ) === 'OK' ) {
	// "deleted" is only present in the response when the post was removed permanently
	if( ! empty( $body->deleted ) ) {
		echo 'The post ' . $body->previous->title->rendered . ' has been completely deleted';
	} else {
		echo 'The post ' . $body->title->rendered . ' has been moved to trash';
	}
}
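
The three requests above hard-code LOGIN:PASSWORD in each call. The following added example (not code from the original post) wraps them in one helper that reads the credentials from constants, refuses non-HTTPS URLs and reports errors; the function name remote_rest_request() and the constants REMOTE_API_USER and REMOTE_API_APP_PASSWORD are assumptions, expected to be defined in wp-config.php of the calling site.

```php
<?php
// Added example. REMOTE_API_USER and REMOTE_API_APP_PASSWORD are hypothetical
// constants defined in wp-config.php, so no credential lives in this file.
require_once __DIR__ . '/wp-load.php';

function remote_rest_request( $method, $url, $body = array() ) {
	// Basic Auth is only base64-encoded, not encrypted: refuse plain HTTP.
	if ( 'https' !== wp_parse_url( $url, PHP_URL_SCHEME ) ) {
		return new WP_Error( 'insecure_url', 'Basic Auth requires an https:// URL.' );
	}
	if ( ! defined( 'REMOTE_API_USER' ) || ! defined( 'REMOTE_API_APP_PASSWORD' ) ) {
		return new WP_Error( 'no_credentials', 'API credentials are not configured.' );
	}

	$response = wp_remote_request( $url, array(
		'method'      => $method,
		'timeout'     => 15,
		'redirection' => 0,    // send the header only to the URL checked above
		'sslverify'   => true, // keep certificate verification on
		'headers'     => array(
			'Authorization' => 'Basic ' . base64_encode( REMOTE_API_USER . ':' . REMOTE_API_APP_PASSWORD ),
		),
		'body'        => $body,
	) );

	if ( is_wp_error( $response ) ) {
		return $response; // transport failure (DNS, TLS, timeout)
	}

	$code = wp_remote_retrieve_response_code( $response );
	$data = json_decode( wp_remote_retrieve_body( $response ) );

	if ( $code < 200 || $code >= 300 ) {
		// REST API errors carry a "message" field, e.g. on a rejected login.
		$message = isset( $data->message ) ? $data->message : 'Unexpected response';
		return new WP_Error( 'rest_http_' . $code, $message );
	}
	return $data;
}

// Create a draft, as in the first example on this page.
$post = remote_rest_request( 'POST', 'https://WEBSITE/wp-json/wp/v2/posts', array(
	'title'  => 'My test',
	'status' => 'draft',
) );

if ( is_wp_error( $post ) ) {
	echo 'Request failed: ' . esc_html( $post->get_error_message() );
} else {
	echo 'Created post ID ' . (int) $post->id;
}
```

The same helper covers the update and delete calls by passing 'POST' or 'DELETE' with the {POST_ID} URL.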

This was a small introduction to Basic Authentication in the WordPress REST API.

Misha Rudrastyh