WordPress Authentication (over) Concerns: A Quick Case Study

One thought on “WordPress Authentication (over) Concerns: A Quick Case Study”

  1. About “What About admin-ajax?”… I don’t think anyone has done a good job explaining what the advantages are of using the REST API in cases where you might have used ajax and I don’t think you’ve put a strong case for it here either, which is strange!

    Someone who writes insecure ajax logic is just as easily going to write poor REST logic. You mention not having to worry about authentication, authorization or cross-site forgery, but that’s not a good thing. Case in point, you can run into scenarios where you think a request is properly authenticated when it’s not. The fact that the REST classes handle so much is both a good thing and a bad thing, because unless you know what’s going on internally, you don’t actually know if you have the luxury of not worrying about the things you mentioned.

    AJAX is not hard to write either, in fact I think there are more gotchas with the REST API. Using the REST API over ajax does give you perks: more structure, handy methods, better performance in most cases, discoverability, and the benefit of having a common standard for other application code to work with. But I’m still finding cases where ajax logic is quicker and simpler to implement. I just don’t agree particularly with the ‘you don’t have to think about x, y, z’ when x, y, z should be front of mind when writing any bit of code.
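The comment above contrasts admin-ajax with the REST API on authentication, authorization and cross-site request forgery. The following is an added example (not code from the post or from the commenter) showing the same privileged action exposed on both paths with the checks each one needs. The plugin hooks, option name, capability, nonce action and route names are assumptions made for the illustration; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `register_rest_route`, `rest_sanitize_boolean`) are core APIs.

```php
<?php
/**
 * Added example, not part of the original page. Exposes one privileged action
 * (toggling a site option) through admin-ajax and through the REST API, with the
 * CSRF and authorization checks each path requires. Names prefixed "example_"
 * are assumptions for this illustration.
 */

const EXAMPLE_CAP    = 'manage_options';          // assumed required capability
const EXAMPLE_OPTION = 'example_feature_enabled'; // assumed option name

/* ----- admin-ajax path --------------------------------------------------- */

// Registering only wp_ajax_ (and not wp_ajax_nopriv_) keeps logged-out users
// out, but that is authentication, not authorization: the handler must still
// check the capability itself.
add_action( 'wp_ajax_example_toggle', 'example_ajax_toggle' );

function example_ajax_toggle() {
    // CSRF check. The client must POST a 'nonce' field produced by
    // wp_create_nonce( 'example_toggle' ); on failure this dies with -1/400.
    check_ajax_referer( 'example_toggle', 'nonce' );

    // Authorization. A valid nonce only proves the request originated from a
    // page this user loaded; it says nothing about what the user may do.
    if ( ! current_user_can( EXAMPLE_CAP ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $enabled = isset( $_POST['enabled'] )
        ? rest_sanitize_boolean( wp_unslash( $_POST['enabled'] ) )
        : false;

    update_option( EXAMPLE_OPTION, $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}

/* ----- REST API path ----------------------------------------------------- */

add_action( 'rest_api_init', 'example_register_routes' );

function example_register_routes() {
    register_rest_route(
        'example/v1',
        '/feature',
        array(
            'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
            'callback'            => 'example_rest_toggle',

            // The REST layer handles *authentication* (cookie + X-WP-Nonce,
            // application passwords, etc.) but not *authorization*. Under
            // cookie auth a request with no nonce is processed as a logged-out
            // user, so current_user_can() returns false and the route is
            // refused instead of silently trusted. Setting this to
            // '__return_true' would make the route public to everyone.
            'permission_callback' => function () {
                return current_user_can( EXAMPLE_CAP );
            },

            // Input validation and sanitisation run before the callback.
            'args'                => array(
                'enabled' => array(
                    'required'          => true,
                    'type'              => 'boolean',
                    'sanitize_callback' => 'rest_sanitize_boolean',
                ),
            ),
        )
    );
}

function example_rest_toggle( WP_REST_Request $request ) {
    // By this point permission_callback has passed and 'enabled' is validated.
    $enabled = (bool) $request->get_param( 'enabled' );
    update_option( EXAMPLE_OPTION, $enabled );
    return rest_ensure_response( array( 'enabled' => $enabled ) );
}
```

For the REST path a browser client must send the header `X-WP-Nonce` carrying `wp_create_nonce( 'wp_rest' )`; core's `wp.apiFetch` adds it automatically when the `wp-api-fetch` script is enqueued. Without that header a logged-in user's cookies are ignored and the call above fails the capability check, which is the situation the commenter describes: the request looks authenticated from the client's side but is not treated as such on the server.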
