dptj13337 2017-11-06 20:10
浏览 754
已采纳

Wordpress插件和访问wp-json API

Wondering if someone can provide some direction.

I'm creating a Wordpress plugin that will be publicly available (free). The plugin is meant to allow bloggers to include a definition widget using bootstrap's data-toggle.

Since I don't want people stealing the content without attribution, the hyperlink will be pulled out from a private API.

Here's how I think this should flow, but I know that there are things that are inefficient:

  • Create a private API that houses all of the data. It might be as 3 branches of data:

    id -- name -- definition

  • Have the plugin authenticate somehow with the server

  • Plugin creates a shortcode in Wordpress ie. [define="term"]anchor[/define]

  • When the shortcode is called, it pings the server and stores something locally in their sql db.

Additional Notes/Concerns

I understand that there is nothing such as being hack-free or altered free. But I want to get as close as possible.

A couple exploits I can see happening is if people change the cached info in the SQL DB. Is there a way to potentially kill the data-toggle content if this happens?

Also, I don't want people to be able to create their own calls to our API creating their own programs. That's not the intended use of this.

I apologize if my thoughts seem cluttered, but I can't seem to figure out a solid workflow in where I should get started with this.

If anyone can help bring clarity, I would greatly appreciate it.

  • 写回答

1条回答 默认 最新

  • douzhuiqiu4923 2017-11-06 20:39
    关注

    I would be inclined to do the following:

    • Give every user a unique API token or other credentials
    • Link every token to a single IP address and reject any requests where the token doesn't match the IP address.

    That way if you become aware of someone misusing the content you need only delete their token to prevent access, and can be reasonably sure that it's not being used on another server. Users can enter the API credentials in the plugin admin.

    I think OAuth2 will probably be the way to go to authenticate clients - it's made for granting access to client applications and there are plenty of implementations available. You'd need to add the ability to verify that the user matches the IP, but that shouldn't be difficult.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 请把下列每一行代码完整地读懂并注释出来
  • ¥15 pycharm运行main文件,显示没有conda环境
  • ¥15 易优eyoucms关于二级栏目调用的问题
  • ¥15 寻找公式识别开发,自动识别整页文档、图像公式的软件
  • ¥15 为什么eclipse不能再下载了?
  • ¥15 编辑cmake lists 明明写了project项目名,但是还是报错怎么回事
  • ¥15 关于#计算机视觉#的问题:求一份高质量桥梁多病害数据集
  • ¥15 特定网页无法访问,已排除网页问题
  • ¥50 如何将脑的图像投影到颅骨上
  • ¥15 提问一个关于vscode相关的环境配置问题,就是输入中文但是显示不出来,代码在idea可以显示中文,但在vscode不行,不知道怎么配置环境