1. mark k.

    George Stephanis is totally right in that in security the only thing that actually matters is your weakest link, and there is no point in trying to secure any sub system when you know in advance that other part remain less secure. Going with HTTPS as a requirement for the feature is the best way to go and than it will be possible to use the probably more simple oauth2.

    Not that there is any sane reason to have that monster in core, but if you are going to do it, better follow industry standards instead of inventing your own.


  2. Mike

    Yeah! I like how WordPress moves on to a full CMS.

    But there are some flaws too. The REST-API does not deliver all (hidden) meta-fields and the query args are completely different from those of WP. It is a neat step forward but sometimes it really bothers me how it is done.


    • Matt

      At least on Oct 7th 2016, Beta 15 of the plugin was updated to include support for Post Meta, etc. However, it’s not automatic and requires a register_meta() call.

      Third party protected meta can that was prefixed with an underscore and can be unprotected to be registered but isn’t straightforward as it could be perhaps.

      For my many of my own custom fields, I often choose not to prefix them. Instead, I use the is_protected_meta() filter as it eliminates many issues I’ve learned.


  3. Eugene Kopich

    The Web is actively moving to HTTPS so should WordPress.
    Wanna use REST API? – Install SSL-certificate. It’s not that hard nowadays…


Comments are closed.

%d bloggers like this: