JSON Encoding and SSL for api.wordpress.org Communication in WordPress 3.7

There are two changes to the way WordPress communicates with api.wordpress.org in 3.7: JSON encoding and SSL.

JSON Encoding

In versions prior to WordPress 3.7, data that WordPress sends to (and receives from) api.wordpress.org is serialized using PHP’s native serialization functions. PHP-serialization has two main problems:

  • Security: It has the potential to lead to security exploits via PHP object injection.
  • Portability: It’s hard to unserialize these strings in other languages besides PHP.

In WordPress 3.7, most API calls have now changed so they send and receive JSON encoded data instead. The three major ones are:

  • Core update checks
  • Plugin update checks
  • Theme update checks

The following calls have also changed, but you’re probably not so interested in these:

  • Importers list
  • Credits list
  • Browse Happy (the browser version check)

How might this affect plugin or theme developers?

In general this won’t affect developers at all. If your plugin or theme just consumes the API then you don’t have to make any changes. The API calls that send and received JSON encoded data have all had their version numbers bumped from 1.0 to 1.1 (for example, api.wordpress.org/plugins/update-check/1.1/. If you are consuming the version 1.0 endpoints you’ll continue to get PHP-serialized data. If you want JSON encoded data, you can switch to using the version 1.1 endpoints.

There is one situation that developers may need to account for. If your plugin or theme hooks into the update API requests in order to remove certain plugins or themes from the update checks, your code may need updating.

A common method for removing a plugin or theme from the update checks is to hook into http_request_args, unserialize the data being sent to the API, remove the given theme or plugin from the data, and serialize it again. This will no longer work in WordPress 3.7 and your code will need to be updated so it decodes and encodes the data as JSON instead.

An example of a plugin which has been updated to handle JSON encoding along with fallback support for PHP-serialization (depending on the version number in the API call) can be seen here: https://github.com/cftp/external-update-api/compare/f4d58e2…281a0ef

Note that there are two API calls which have not yet changed to using JSON encoding:

  • Plugin info
  • Theme info

These two calls will most likely be updated to use JSON encoding in WordPress 3.8.

SSL Communication

As part of the hardening process of this release, WordPress 3.7 will only communicate with api.wordpress.org using SSL (HTTPS) when the server supports it. This is an especially important security enhancement, given that automatic background updates are now a part of WordPress. Indeed, automatic background updates are disabled if the server cannot communicate securely with the api.wordpress.org.

How might this affect plugin or theme developers?

Again, this won’t affect developers in general. If your plugin or theme hooks into API calls you may need to update your code to it handles calls to https://api.wordpress.org/ in addition to http://api.wordpress.org/.

JSON encoding and support for SSL means the WordPress.org APIs are in a much better position going forward.