Baseline support for self-hosted Wordpress

Are you using Wordpress as your content platform of choice? With the Baseline integration for self-hosted Wordpress you can easily review who has access to your Wordpress platform.

Getting started

Self-hosted Wordpress does not, by default, offer an API that accepts token-based authentication such as JWT tokens. This means that Baseline cannot connect to Wordpress unless you install a plugin or enable API authentication in some other way. When you use the self-hosted Wordpress integration, we require you to provide two parameters:

Parameter      Description
wordpressUrl   URL to your Wordpress instance.
jwtToken       Authentication token which we pass to your Wordpress API.

We are making the following call to your Wordpress API:

curl \
-H 'Content-Type: application/json' \
-H 'Cache-Control: no-cache' \
-H 'Authentication: Bearer YOUR_TOKEN' \
-H 'Authorization: Bearer YOUR_TOKEN' \
'YOUR_WORDPRESS_URL/wp-json/wp/v2/users/?context=edit'

Using the Advanced Access Manager plugin

You can use the Advanced Access Manager plugin to easily create an expiring JWT token. To do this, follow these steps:

Step 1. Go to your Wordpress plugin section and search for Advanced Access Manager.

Step 2. Install and activate the plugin.

Step 3. Go to the plugin settings and select a user with Admin privileges. Note that you can create a custom role with scoped-down access instead. We recommend this for the Baseline integration.

Step 4. Now create a new JWT token. You need to set an expiration date. Pick one which you are comfortable with.

(Screenshot: Wordpress AAM JWT tokens.)

Step 5. Paste the JWT token and your Wordpress URL into the Baseline authentication screen.

Step 6. Profit 🎉.

Wordpress security

We have seen cases where certain managed Wordpress providers apply very aggressive caching to Wordpress instances. These providers even ignore Cache-Control headers. This can result in responses to admin API requests being cached. Users without admin access could then query the cached API endpoint without having to use an authentication token:

curl \
-H 'Content-Type: application/json' \
-H 'Cache-Control: no-cache' \
-H 'Authorization: Bearer YOUR_TOKEN' \
'YOUR_WORDPRESS_URL/wp-json/wp/v2/users/?context=edit'

This request authenticates correctly and returns your results.

curl \
-H 'Content-Type: application/json' \
-H 'Cache-Control: no-cache' \
'YOUR_WORDPRESS_URL/wp-json/wp/v2/users/?context=edit'

After calling this endpoint without credentials, you still get the authenticated response. This is very bad!

We got your back 🙌

When you provide your Wordpress credentials to Baseline, we check whether your instance shows this behaviour. If we detect that the API response gets cached, we will not allow you to store your credentials and ask you to first address this issue.
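The two-request probe described above, written out as an added example (this is not Baseline's own check and assumes nothing beyond the users endpoint shown on this page): an authenticated request first, then the same request without a token, flagging the instance if the anonymous response is identical to the authenticated one or exposes fields the users endpoint only returns in edit context.

```python
import json
import urllib.error
import urllib.request

# User fields the WP REST API only returns for an authorised context=edit request.
EDIT_ONLY_FIELDS = {"username", "email", "roles", "capabilities"}

USERS_PATH = "/wp-json/wp/v2/users/?context=edit"


def fetch_users(base_url, token=None):
    """GET the users endpoint with or without a bearer token.

    Returns (status, headers, body); HTTP error responses are returned, not raised.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + USERS_PATH,
        headers={"Content-Type": "application/json", "Cache-Control": "no-cache"},
    )
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def leaks_edit_context(anon_status, anon_body, auth_body=None):
    """True if an unauthenticated response exposes what only an admin should see."""
    if anon_status != 200:
        return False
    if auth_body is not None and anon_body == auth_body:
        return True  # served the cached admin response verbatim
    try:
        users = json.loads(anon_body)
    except ValueError:
        return False
    return isinstance(users, list) and any(
        isinstance(u, dict) and EDIT_ONLY_FIELDS & u.keys() for u in users
    )


def check_cached_admin_response(base_url, token):
    """Authenticated request first, then anonymous; report whether the latter leaked."""
    auth_status, _, auth_body = fetch_users(base_url, token)
    if auth_status != 200:
        raise RuntimeError(f"authenticated request failed with HTTP {auth_status}")
    anon_status, anon_headers, anon_body = fetch_users(base_url)
    # Age / X-Cache headers are provider specific but useful evidence when present.
    evidence = {k: v for k, v in anon_headers.items() if k.lower() in ("age", "x-cache")}
    return {"cached": leaks_edit_context(anon_status, anon_body, auth_body),
            "status": anon_status, "headers": evidence}
```

A result with "cached": True means an anonymous client received admin-only user data and the caching layer in front of the instance needs to exclude /wp-json/ before any token is stored.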

Required access to API endpoints

Baseline relies on the following APIs to audit your Wordpress instance. Use this information if you want to scope down access to just these endpoints.

METHOD   API endpoint
GET      /wp-json/wp/v2/users/?context=edit