A Beginner’s Guide to WordPress API Basics

Today, no application exists in a vacuum. Applications, especially web-based ones, constantly talk to each other, exchange information, delegate tasks, etc. As a website owner, you probably encountered a situation or two when you desperately needed to display the information from another resource or, on a contrary, send data, such as a form submission, to a different application.

APIs make all of this possible! In this article, we’ll try to explain what an API is in plain English and what you should know to take leverage of WordPress API. This material is aimed at a broad audience. Even if you are not a developer and not interested in working with your website’s API yourself, this article will give you a great overview of how it works and what’s possible.

What is an API?

Today, APIs are essential to running any kind of business. The need for something like an API arose when the number of web programs started to grow rapidly. From messengers to CRMs, any business now uses dozens of different applications, both web-based and local, to get the job done. People needed a way to exchange that data between applications and APIs solved that problem.

WordPress, just like many other big platforms, has a powerful, easy-to-use API that can be used to get the data from your website and send it somewhere else. This opens a world of possibilities, or better say integrations, that can save you hours of manual labor.

API is the acronym for Application Programming Interface. But to put it simply, it’s something that allows two applications to talk to each other. Thanks to APIs, applications can exchange information with each other. The information can flow in any direction and to make things easier, most modern APIs are structured in the same way. REST is one of the most popular ways to structure data.

Since 2016, WordPress offers a flexible REST API as a built-in feature available to any website owner. Before that, WordPress offered its API as a plugin but today, you don’t have to install or enable anything to access your website’s data. However, there are a few things unique to a WordPress platform that you should be aware of before starting.

WordPress API Overview

At first sight, WordPress API is just like any other REST API. It follows the common REST principles, making it relatively easy to work with, especially if you’ve worked with other APIs before. The easiest way to confirm that your website has a working API is to open your website in a browser and then add “/wp-json/wp/v2/” to the website URL. Hit enter.

Immediately, you’ll see a bunch of data on the screen. Congratulations, you made your first API call! However, we are not going to use a browser for our calls. There is free software we can use to make API calls easily.

Let’s get back to our browser: right now, it shows that your website has an API enabled and what endpoints, as well as HTTP verbs, you can use. If endpoints point to the types of data you can request (be it users, posts, or something else), verbs explain the actions you can do with this data (create a new record, update an existing one, or delete).

Pretty straightforward, right? Don’t worry if it’s still doesn’t make sense yet. We are just getting started! And before we can move on, let’s make another quick call right in our browser. Go back to that window and add “users” at the end so you’ll have the following address:

{yourwebsite.com}/wp-json/wp/v2/users

Ready? Let’s hit enter again and take a look at the result: now, your browser shows your users. But wait, why doesn’t it show all of them? This leads us to our next topic – API authentication.

WP API Authentication

Before we dive in, it’s worth mentioning that Authentication and Authorization are two different things:

• The goal of Authentication is to prove that you are who you say you are. This is just like showing your driving license to a police officer or your passport at the airport.
• Authorization, on the other hand, determines what you have access to. Think of it like a card key that opens only some doors but not all of them.
  

It’s a common practice to protect the API endpoints so random people can’t see personal data. This is called authentication. Imagine if anyone could see the emails of all your users on the website. Not cool, right? Here’s where the different authentication methods come into play.

There are various ways to protect an API. The most popular methods are:

• HTTP Basic authentication (should be used for testing only but not in production)
• Bearer Authentication (requires a bearer token)
• API keys
• OAuth 1.0 and 2.0

So, what type of authentication does WordPress uses to protect sensitive information? Unfortunately, none of the above. By default, WordPress supports only cookie authentication, meaning you have to be authorized in a browser in order to see the protected data. This way, you have a WordPress cookie stored in your local storage and WordPress knows what you are allowed to see.

It’s all great if we do the calls straight from the browser and we are always logged in, but what if you want to call your website from another remote application? In this case, you need to install a plugin to enable one of the methods outlined above.

In addition to installing a plugin, you’ll have to do a few updates on your server, but they are pretty straightforward. Some hosting providers even offer their help and recommend their own plugins. But if you are confident in your WP skills, here are a few plugins to consider:

• OAuth 1.0a Server
• Application Passwords
• JSON Web Tokens

Once you have the plugin installed and working, you can send your API requests from any device. The most popular way to test a call is to use a platform like Postman or Insomnia. Once you have a third-party API plugin installed, read their documentation to learn how to authenticate your call.

Whether you decide to use a JWT token or basic authentication, you should be able to make authorized calls to your website. The best resource to learn more available endpoints and verbs is, of course, the official WP documentation, also known as the REST API Handbook.

It’s worth noting that there are other ways to access WP-REST. One of them is WP-CLI – the WordPress Command Line Interface that can be accessed both from a local machine (where your website is hosted) or a remote one (you’ll need to SSH to your server first). 

Of course, this is a very broad overview but it gives you an idea about what integrations with your website are possible. And the truth is, almost all of them are! You can manage your WordPress users from another program, publish posts, add new images, and so much more.

Popular plugins like Gravity Forms or Woo Commerce offer their own API endpoints and even authorization, so you can display the form submissions somewhere else or post products from another resource. To use their API, you don’t even have to install anything; in most cases, all you need to do is to enable the API in settings.

To learn more about how to work with an API offered by a specific plugin, check out the plugin’s documentation. Soon, you’ll discover that WordPress API is an indispensable tool that can make your life so much easier!

---

Exceptional WordPress Development Services from GetDevDone

Want to leverage the power of WordPress API to the maximum? Talk to our expert WordPress developers. With 16+ years of industry experience and thousands of successfully completed WP projects, we know everything about the world’s most popular CMS.

Moreover, we specialize in harnessing the capabilities of headless WordPress development, leveraging the robustness of WordPress API and REST API. Whether you’re looking to create a seamless user experience across multiple platforms or implement cutting-edge features with modern technologies like React.js, our team has the expertise to bring your vision to life.

Contact us with any WordPress-related request, from building a custom theme or tweaking your current one to meet your specific requirements to Core Web Vitals optimization and plugin development.