Title: Ryan McCue – Make WordPress Core

---

#  Author Archives: 󠀁[Ryan McCue](https://profiles.wordpress.org/rmccue/)󠁿

 [  ](https://profiles.wordpress.org/rmccue/) [Ryan McCue](https://profiles.wordpress.org/rmccue/)
3:15 am _on_ August 23, 2017     
Tags: [rest-api ( 107 )](https://make.wordpress.org/core/tag/rest-api/),
[roadmap ( 9 )](https://make.wordpress.org/core/tag/roadmap/)   

# 󠀁[REST API Roadmap](https://make.wordpress.org/core/2017/08/23/rest-api-roadmap/)󠁿

If you’ve been following WordPress development this year, you may be wondering “
what’s been happening with the REST APIREST API The REST API is an acronym for the
RESTful Application Program Interface (API) that uses HTTP requests to GET, PUT,
POST and DELETE data. It is how the front end of an application (think “phone app”
or “website”) can communicate with the data store (think “database” or “file system”)
[https://developer.wordpress.org/rest-api/](https://developer.wordpress.org/rest-api/)
focus?” We’ve been a little under-the-radar for most of the year so far, so we thought
publishing an update and roadmap might be a good idea.

For new contributors looking to get involved with the REST API focus or WordPress
generally, there’s never been a better time, and we’d love to have your help on 
our projects. Read on to see what we’ve been doing, where we’re going, and how you
can get involved.

## Since 4.7

Since the REST API was merged into coreCore Core is the set of software required
to run WordPress. The Core Development Team builds WordPress. in WordPress 4.7, 
development activity has unfortunately been light. The merge into core was a huge
effort, and after shipping in 4.7 we saw a drop-off in contribution and overall 
momentum as many APIAPI An API or Application Programming Interface is a software
intermediary that allows programs to interact with each other and share data in 
limited, clearly defined ways. contributors took a break to recover from the stress
of the merge. These contributions have not returned to previous levels, and there’s
a few factors behind this: the move to TracTrac An open source project by Edgewall
Software that serves as a bug tracker and project management tool for WordPress.,
lack of a forward roadmap, and overall fatigue have hampered our ability to move
forward quickly.

The core REST API focus goal is to utilise the REST API within the WordPress adminadmin(
and super admin). Defining the scope of this project has involved [auditing all admin-ajax calls](https://docs.google.com/spreadsheets/d/1gCK33SM_c2eGQr3oRe7ybkvCW6xYNz190sZGR4J8f9Q/edit?usp=sharing),
as well as the filters used inside these calls, and where they are used. In addition,
we’ve been working on the low-level JavaScriptJavaScript JavaScript or JS is an 
object-oriented computer programming language commonly used to create interactive
effects within web browsers. WordPress makes extensive use of JS for a better user
experience. While PHP is executed on the server, JS executes within a user’s browser.
[https://www.javascript.com](https://www.javascript.com/) utilities we need to offer
conceptual compatibility: while we can deprecate and remove old PHPPHP The web scripting
language in which WordPress is primarily architected. WordPress requires PHP 7.4
or higher filters, we need to offer new JSJS JavaScript, a web scripting language
typically executed in the browser. Often used for advanced user interfaces and behaviors.-
based filters to replace them.

The admin-ajax audit revealed that the majority of ajax requests can be grouped 
into four categories: Media, Themes, the Editor, and List Tables. The code for both
Media and the Editor will gradually switch to the REST API moving forward with development
around GutenbergGutenberg The Gutenberg project is the new Editor Interface for 
WordPress. The editor improves the process and experience of creating new content,
making writing rich content much simpler. It uses ‘blocks’ to add richness rather
than shortcodes, custom HTML etc. [https://wordpress.org/gutenberg/](https://wordpress.org/gutenberg/),
and likewise endpoints for better managing Themes are expected to be incorporated
into CustomizerCustomizer Tool built into WordPress core that hooks into most modern
themes. You can use it to preview and modify many of your site’s appearance settings.
work.

Rather than simply refactor the existing code for the other actions in a piecemeal
fashion, we’ve been working on prototyping bigger groups of related changes and 
features, starting with the [New List Tables](https://github.com/WP-API/new-list-tables)
and [Live Settings](https://github.com/WP-API/live-settings).

A significant portion of existing admin-ajax code is for handling list table actions.
The existing JS code for these actions is particularly difficult to work with, and
the existing list table actions user experience is frustratingly inconsistent (for
example, deleting a comment happens inline, whereas deleting a post causes a page
refresh). A reworking of the code has the potential to improve UXUX User experience
significantly. [New List Tables](https://github.com/WP-API/new-list-tables) allows
us to explore ideas around how we can improve the content organisation and management
experience in the admin. This is a prototyping pluginPlugin A plugin is a piece 
of software containing a group of functions that can be added to a WordPress website.
They can extend functionality or add new features to your WordPress websites. WordPress
plugins are written in the PHP programming language and integrate seamlessly with
WordPress. These can be free in the WordPress.org Plugin Directory [https://wordpress.org/plugins/](https://wordpress.org/plugins/)
or can be cost-based plugin from a third-party. where we’ve been exploring backwards
compatibility techniques, and thinking about how a theoretical new management interface
would look.

The [Live Settings](https://github.com/WP-API/live-settings) prototype uses the 
REST API settings endpoints to add live saving to the Settings screens. This dovetails
with [the work underway by the Accessibility team to switch to the Settings API](https://github.com/wpaccessibility/settings-api-enhanced),
and the two projects will be able to work together in the future.

In addition to these API team projects, work has continued on REST API-related pieces
on other teams, notably the Customizer and Multisitemultisite Used to describe a
WordPress installation with a network of multiple blogs, grouped by sites. This 
installation type has shared users tables, and creates separate database tables 
for each blog (wp_posts becomes wp_0_posts). See also **network**, **blog**, **site**
teams, who are working on API endpoints in their respective components.

## Renewing our focus

Moving forward with the REST API, there’s a few key items we’re going to be focussing
on. These items will have their own dedicated subteams and development cycles, and
will work in parallel. The two broad goals are to use the API in the admin, and 
to solve authentication for external applications.

### API in the Admin

Getting the API used in the WordPress admin is our primary focus. While it is technically
possible to directly switch from admin-ajax calls to REST API calls, this is essentially
refactoring with no real user benefit. Instead, we want to focus on changes that
can improve the user experience.

For the feature prototypes ([New List Tables](https://github.com/WP-API/new-list-tables),
and [Live Settings](https://github.com/WP-API/live-settings)), we’re engaging members
of the Design team to lead these features from a UX perspective. So far, these prototypes
have been primarily about proving out the features and ensuring it’s actually technically
possible to migrate these features to use the REST API; with the initial success
on the technical side, we need to switch focus to delivering compelling user experiences.

New List Tables will be working with the goal of **prototyping improved content 
management**, using the REST API. This includes unifying and standardising existing
interactions, and improving the perceived performance. This is a ReactReact React
is a JavaScript library that makes it easy to reason about, construct, and maintain
stateless and stateful user interfaces. [https://reactjs.org](https://reactjs.org/)-
based prototype, and uses the existing REST API endpoints.

Live Settings will be working with the goal of **making settings changes seamless**.
We’ve seen huge strides forward with the Customizer for updating your site, and 
the backend settings deserve a better experience to match. Live Settings touches
on similar areas as the Settings API Enhanced project spearheaded by the AccessibilityAccessibility
Accessibility (commonly shortened to a11y) refers to the design of products, devices,
services, or environments for people with disabilities. The concept of accessible
design ensures both “direct access” (i.e. unassisted) and “indirect access” meaning
compatibility with a person’s assistive technology (for example, computer screen
readers). (https://en.wikipedia.org/wiki/Accessibility) team; we plan to continue
working independently to avoid blocking each other, while keeping in touch about
the respective projects.

Work on converting existing admin-ajax code to use the REST API will continue, however
this won’t be a priority, as it generally doesn’t provide a strong benefit to end
users. Most admin-ajax actions will naturally be deprecated as part of progress 
by other focuses, including Gutenberg and plans around the Media Library. We’ll 
continue working with other teams and focuses on their efforts here.

### Authentication

External authentication is an unsolved problem, and one that’s crucial to API use
outside of WordPress core itself, including the official WordPress apps.

There are two key problems to solve here: how do apps act on behalf of a user (authentication),
and how do sites recognise valid apps (initial connection). We have existing solutions
to both these problems (OAuth 1.0a and the Broker system respectively), however 
these are not the easiest solutions, and aren’t adequate for all use cases.

To date the most complete authentication solution maintained by the REST API team
has been a plugin providing OAuth 1.0a authentication. Moving forward, **we are 
switching authentication focus to **[**OAuth 2**](https://github.com/WP-API/OAuth2).
As [Matt announced last year](https://wordpress.org/news/2016/12/moving-toward-ssl/),
we are going to begin shipping HTTPSHTTPS HTTPS is an acronym for Hyper Text Transfer
Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data
is sent between your browser and the website that you are connected to. The 'S' 
at the end of HTTPS stands for 'Secure'. It means all communications between your
browser and the website are encrypted. This is especially helpful for protecting
sensitive data like banking information.-only features in WordPress: this allows
us to switch to OAuth 2. Work started during the WordCampWordCamp WordCamps are 
casual, locally-organized conferences covering everything related to WordPress. 
They're one of the places where the WordPress community comes together to teach 
one another what they’ve learned throughout the year and share the joy. [Learn more](https://central.wordcamp.org/about/).
Europe contributor dayContributor Day Contributor Days are standalone days, frequently
held before or after WordCamps but they can also happen at any time. They are events
where people get together to work on various areas of [https://make.wordpress.org/](https://make.wordpress.org/)
There are many teams that people can participate in, each with a different focus.
[https://2017.us.wordcamp.org/contributor-day/](https://2017.us.wordcamp.org/contributor-day/)
[https://make.wordpress.org/support/handbook/getting-started/getting-started-at-a-contributor-day/](https://make.wordpress.org/support/handbook/getting-started/getting-started-at-a-contributor-day/)
on a new official OAuth 2 provider plugin which is now under ongoing development.

Simplifying the initial connection is a much harder piece, and this is a long-term
project. Eventually, this should be as simple as a “Connect to WordPress” button,
requiring minimal effort for app developers and no effort for users. This is a complex
problem to solve, and no similar software has to work on the same scale we have.
In the meantime however, we’re going to investigate pre-configuring Core to recognize
and permit authentication from certain default apps, including the official WordPress
mobile applications. Whitelisting applications in core is a practical expedient 
but this solution is not sustainable in the long-term, and should be replaced with
a better system as soon as feasible. Work on solving this issue will be in the mid-
term, however, as we need to ensure we have solid basics first.

## Help Us!

The toughest challenge facing the REST API team right now is resourcing. There are
only a few people working on the API regularly, and we need help to build out our
projects—which is hopefully where you come in. We need people of all skillsets to
help on New List Tables, Live Settings, and OAuth 2. This includes regular contributors,
JS developers, and designers. And all of this will need documentation, too: following
a productive contributor day at WordCamp Europe we are making progress expanding
and reorganizing the REST API developer handbook, and would gladly welcome any interested
docs contributors.

Our plan is to release the first public betaBeta A pre-release of software that 
is given out to a large group of users to trial under real conditions. Beta versions
have gone through alpha testing in-house and are generally fairly close in look,
feel and function to the final product; however, design changes often occur as part
of the process. of each of these projects within the next month, with regular releases
from each project following that. New List Tables and Live Settings could be part
of either a 4.9 or 5.0 release, while OAuth 2 will remain as a plugin until fully
proven out, and would likely target a core release next year. This also requires
coordination with the Mobile team, and finalising the approach to usage inside the
apps.

If you’re interested in getting involved, we’d love to get your help. The API holds
weekly meetings every Wednesday at 13:00 UTC (next meeting at [Wednesday at 13:00 UTC](https://www.timeanddate.com/worldclock/fixedtime.html?iso=20260422T1300)),
and we’re always happy to spend time helping people get started contributing.

[#rest-api](https://make.wordpress.org/core/tag/rest-api/), [#roadmap](https://make.wordpress.org/core/tag/roadmap/)

 [  ](https://profiles.wordpress.org/rmccue/) [Ryan McCue](https://profiles.wordpress.org/rmccue/)
4:03 am _on_ January 10, 2017      

# 󠀁[API Chat Summary: January 9th (4.8 kickoff)](https://make.wordpress.org/core/2017/01/10/api-chat-summary-january-9th-4-8-kickoff/)󠁿

We’ve had an early kickoff meeting for the REST APIREST API The REST API is an acronym
for the RESTful Application Program Interface (API) that uses HTTP requests to GET,
PUT, POST and DELETE data. It is how the front end of an application (think “phone
app” or “website”) can communicate with the data store (think “database” or “file
system”) [https://developer.wordpress.org/rest-api/](https://developer.wordpress.org/rest-api/)
for 4.8 ([Slack archive](https://wordpress.slack.com/archives/core-restapi/p1483970401002191))
to establish some of the new workflows and structure for the team heading into 4.8.

## Development Process for 4.8

 * There are three big areas for the APIAPI An API or Application Programming Interface
   is a software intermediary that allows programs to interact with each other and
   share data in limited, clearly defined ways. moving forward: usage in coreCore
   Core is the set of software required to run WordPress. The Core Development Team
   builds WordPress., usage in apps, and general expansion
 * Focus for 4.8 core development will be on usage in core
 * Other areas will continue development in Feature Projects where they need to,
   but won’t be the focus of the core API team
 * Feature Projects for the API:
    - Two additional requirements:
       1. Project must have a reviewer, who needs to be a core committercommitter A
          developer with commit access. WordPress has five lead developers and four
          permanent core developers with commit access. Additionally, the project usually
          has a few guest or component committers - a developer receiving commit access,
          generally for a single release cycle (sometimes renewed) and/or for a specific
          component.
       2. Project must have a design doc with a few specifics
    - Exactly what is required in the design doc will be laid out in the future,
      will include detailed merging plan
    - These changes based on our own experiences being a feature project
 * Project Organisation (including feature projects and core projects)
    - Overview and tracking of features [will use Trello](https://trello.com/b/GGuA76vx/wordpress-rest-api-planning)(
      mainly for our own internal usage)
    - Projects will have their own teams with a point-person to organise
    - Projects can have their own meetings, and will report their progress in the
      main API meeting
    - Our first core project is the [Multisite API](https://make.wordpress.org/core/2017/01/09/improving-the-rest-api-users-endpoint-in-multisite/),
      [@jnylen0](https://profiles.wordpress.org/jnylen0/) [has been volunteered](https://make.wordpress.org/core/2017/01/09/improving-the-rest-api-users-endpoint-in-multisite/#comment-31937)
      for point-person 😉

## 4.8 Focus: Adminadmin (and super admin)

 * Attacking the problem from multiple fronts: lots of JSJS JavaScript, a web scripting
   language typically executed in the browser. Often used for advanced user interfaces
   and behaviors. work, backend/new endpoints also required
 * New endpoints
    - “Appearance” menu is largest area lacking API support
    - Will work with the Customiser team closely here, including work on Widgets
      and Menus
 * Frontend work
    - Press This is great candidate, and work is already underway in [#38343](https://core.trac.wordpress.org/ticket/38343)
    - Large amount of work around List Tables required
    - Work here can start with Quick Edit and Quick Delete
    - These will act as smaller areas to help establish process, including dealing
      with backwards compatibility

## Documentation and Support

 * Meeting this week at [ 23:00 UTC, Wednesday](https://www.timeanddate.com/worldclock/fixedtime.html?iso=20170111T0000)
 * Support has been migrated to the [rest-api tag on the forums](https://wordpress.org/support/topic-tag/rest-api/)

As noted, we’re trying out some new things with API development for this cycle. 
Those may stick, or they may not, and we’ll be continuing to improve and refine 
the process as we go.

 [  ](https://profiles.wordpress.org/rmccue/) [Ryan McCue](https://profiles.wordpress.org/rmccue/)
4:05 am _on_ October 8, 2016     
Tags: [feature plugins ( 122 )](https://make.wordpress.org/core/tag/feature-plugins/),
[json-api ( 39 )](https://make.wordpress.org/core/tag/json-api/), [merge-proposals ( 6 )](https://make.wordpress.org/core/tag/merge-proposals/),
[rest-api ( 107 )](https://make.wordpress.org/core/tag/rest-api/)   

# 󠀁[REST API Merge Proposal, Part 2: Content API](https://make.wordpress.org/core/2016/10/08/rest-api-merge-proposal-part-2-content-api/)󠁿

Hi everyone, it’s your friendly REST APIREST API The REST API is an acronym for 
the RESTful Application Program Interface (API) that uses HTTP requests to GET, 
PUT, POST and DELETE data. It is how the front end of an application (think “phone
app” or “website”) can communicate with the data store (think “database” or “file
system”) [https://developer.wordpress.org/rest-api/](https://developer.wordpress.org/rest-api/)
team here with our second merge proposal for WordPress coreCore Core is the set 
of software required to run WordPress. The Core Development Team builds WordPress..(
WordPress 4.4 included the [REST API Infrastructure](https://make.wordpress.org/core/2015/09/21/wp-rest-api-merge-proposal/),
if you’d like to check out our previous merge proposal.) Even if you’re familiar
with the REST API right now, we’ve made some changes to how the project is organised,
so it’s worth reading everything here.

(If you haven’t done so already, now would be a great time to install the [REST API](https://wordpress.org/plugins/rest-api/)
and [OAuth](https://wordpress.org/plugins/rest-api-oauth1/) plugins from WordPress.
orgWordPress.org The community site where WordPress code is created and shared by
the users. This is where you can download the source code for WordPress core, plugins
and themes as well as the central location for community conversations and organization.
[https://wordpress.org/](https://wordpress.org/).)

## A brief history of the REST API

The REST API was created as a proof-of-concept by Ryan McCue (hey, that’s me!) at
the WordPress Contributor Summit in 2012, but the project kicked off during the 
2013 Google Summer of Code. The end result was Version 1.0, which grew into a community
supported initiative that saw adoption and provided for a solid learning platform.
The team used Version 1 to test out the fundamental ideas behind the APIAPI An API
or Application Programming Interface is a software intermediary that allows programs
to interact with each other and share data in limited, clearly defined ways., and
then iterated with Version 2, which made some major breaking changes, including 
explicit versioning, the introduction of namespacing for forwards compatibility,
and a restructure of the internals. Version 2 also led to the [infrastructure of the REST API being committed to WordPress core in 4.4](https://make.wordpress.org/core/2015/10/28/rest-api-welcome-the-infrastructure-to-core/).

This infrastructure is the core of the REST API, and provides the external interface
to send and receive RESTful HTTPHTTP HTTP is an acronym for Hyper Text Transfer 
Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol
defines how messages are formatted and transmitted, and what actions Web servers
and browsers should take in response to various commands. requests. Since shipping
in 4.4, the infrastructure is now used by WordPress Core for oEmbed responses, and
by plugins like [WooCommerce](https://woocommerce.wordpress.com/2016/04/22/new-rest-api-based-on-the-wp-rest-api-in-2-6/)
and [Jetpack](https://jetpack.com/2016/08/31/the-all-new-jetpack-lets-see-how-you-react/),
enabling anyone to create their own REST API endpoints.

The team has also been hard at work on the API endpoints. This has included core
changes to WordPress to support the API, including deeper changes to both [settings](https://core.trac.wordpress.org/ticket/37885)
and [meta](https://core.trac.wordpress.org/ticket/35658).

Today the REST API team is proposing the inclusion of a collection of endpoints 
that we term the “Content API” into WordPress Core.

## Proposals for Merge

### Content Endpoints

For WordPress 4.7 the API team proposes to merge API endpoints for WordPress content
types. These endpoints provide machine-readable external access to your WordPress
site with a clear, standards-driven interface, allowing new and innovative apps 
for interacting with your site. These endpoints support all of the following:

 * Content:
    - **Posts:** Read and write access to all post data, for all types of post-based
      data, including pages and media.
    - **Comments:** Read and write access to all comment data. This includes pingbacks
      and trackbacks.
    - **Terms:** Read and write access to all term data.
    - **Users:** Read and write access to all user data. This includes public access
      to some data for post authors.
    - **MetaMeta Meta is a term that refers to the inside workings of a group. For
      us, this is the team that works on internal WordPress sites like WordCamp 
      Central and Make WordPress.:** Read and write access to metadata for posts,
      comments, terms, and users, on an opt-in basis from plugins.
 * Management:
    - **Settings:** Read and write access to settings, on an opt-in basis from plugins
      and core. This enables API management of key site content values that are 
      technically stored in options, such as site title and byline.

This merge proposal represents a complete and functional Content API, providing 
the necessary endpoints for mobile apps and frontends, and lays the groundwork for
future releases focused on providing a Management API interface for full site administration.

Content API endpoints support both public and authenticated access. Authenticated
access allows both read and write access to anything your user has access to, including
post meta and settings. Public access is available for any already-public data, 
such as posts, terms, and limited user data for published post authors. To avoid
potential privacy issues we’ve taken pains to ensure that everything we’re exposing
is already public, and the API uses WordPress’ capabilitycapability A **capability**
is permission to perform one or more types of task. Checking if a user has a capability
is performed by the `current_user_can` function. Each user of a WordPress site might
have some permissions but not others, depending on their role. For example, users
who have the Author role usually have permission to edit their own posts (the “edit_posts”
capability), but not permission to edit other users’ posts (the “edit_others_posts”
capability). system extensively to ensure that all data is properly secured.

Just like the rest of WordPress, the Content API is fully extensibleExtensible This
is the ability to add additional functionality to the code. Plugins extend the WordPress
core software., supporting custom post meta, as well as allowing more complex data
to be added via register_rest_field. The API is built around standard parts of WordPress,
including the capability system and filters, so extending the API in plugins should
feel as familiar to developers as extending any other part of WordPress.

This Content API is targeted at a few primary use cases, including enhancing themes
with interactivity, creating powerful pluginPlugin A plugin is a piece of software
containing a group of functions that can be added to a WordPress website. They can
extend functionality or add new features to your WordPress websites. WordPress plugins
are written in the PHP programming language and integrate seamlessly with WordPress.
These can be free in the WordPress.org Plugin Directory [https://wordpress.org/plugins/](https://wordpress.org/plugins/)
or can be cost-based plugin from a third-party. interfaces, building mobile and 
desktop applications, and providing alternative authoring experiences. We’ve been
working on first-party examples of these, including [a mobile app using React Native](https://github.com/joehoyle/vienna)
and [a liveblogging web app](https://github.com/humanmade/liveblog), as well as 
getting feedback from others, including [WIRED](http://www.slideshare.net/kvignos/wired-and-the-wp-rest-api),
the [New York Times](http://scotty-t.com/2014/09/29/first-draft-at-the-new-york-times-wordpress/),
and [The Times of London](https://medium.com/digital-times/how-the-wordpress-rest-api-is-changing-the-way-we-tell-stories-770b767c4cac).
Based on experience building on the API, we’ve polished the endpoints and expanded
to support settings endpoints, which are included as the first part of the Management
API.

### Authentication

The API Infrastructure already in WordPress core includes support for regular cookie-
based authentication. This is useful for plugins and themes that want to use the
API, but requires access to cookies and nonces, and is hence only useful for internal
usage.

To complement the Content Endpoints, for WordPress 4.7 the API team also proposes
merging the [REST API OAuth 1 server plugin](https://wordpress.org/plugins/rest-api-oauth1/)
into WordPress Core. This plugin provides remote authentication via the OAuth 1 
protocol, allowing remote servers and applications to interact securely with the
WordPress API.

OAuth is a standardised system for delegated authorisation. With OAuth, rather than
providing your password to a third-party app, you can authorise it to operate on
your behalf. Apps are also required to be registered with the site beforehand, which
gives site administrators control over third-party access. Access to these apps 
can be revoked by the user if they are no longer using the app, or by a site administrator.
This also allows apps with known vulnerabilities to have compromised credentials
revoked to protect users.

We’ve chosen OAuth 1 over the newer OAuth 2 protocol because OAuth 1 includes a 
complex system for request signing to ensure credentials remain secure even over
unsecured HTTP, while OAuth 2 requires HTTPSHTTPS HTTPS is an acronym for Hyper 
Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol
over which data is sent between your browser and the website that you are connected
to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications
between your browser and the website are encrypted. This is especially helpful for
protecting sensitive data like banking information. with a modern version of TLS.
While it is strongly encouraged for sites to use HTTPS whenever possible (Let’s 
Encrypt makes it easier than ever to do so), WordPress itself does not require HTTPS
and we do not believe WordPress should make HTTPS a requirement for using the API.
The additional complexity that OAuth 1 adds can be easily supported by a library,
and many such libraries already exist [in most programming languages](https://oauth.net/1/).
OAuth 1 remains supported around the web, including for the [Twitter API](https://dev.twitter.com/oauth/overview/introduction),
and we also provide [extensive documentation](https://oauth1.wp-api.org/) on using
it.

#### Authentication Beyond 4.7

One issue with OAuth over direct username and password authentication is that it
requires applications to be registered on the site. For centralized OAuth servers
this wouldn’t be a problem, but the distributed nature of WordPress installations
makes this tough to handle: your application must be independently registered with
every WordPress site it connects to. If you’ve ever had to create a Twitter or Facebook
app just to use an existing plugin on your site, you’ll know this can be a less-
than-optimal experience for users.

To solve this distribution problem, we’ve created a solution called [brokered authentication](https://make.wordpress.org/core/2016/05/16/rest-api-authentication-broker/).
This allows a centralised server (called the “broker”) to handle app registration
and to vouch for these apps to individual sites. It simplifies app registration 
by allowing app developers to register once for all sites, and improves security
by allowing the broker to vet applications and revoke them across the entire networknetwork(
versus site, blog). The system is designed to allow multiple brokers; while the 
main broker is run at [apps.wp-api.org](https://apps.wp-api.org/), organisations
can run their own broker for internal usage, and developers can run a broker locally
for testing.

While the broker system has been running live at [apps.wp-api.org](https://apps.wp-api.org/)
for months, we want to stay conservative in our approach to the API, especially 
where security is concerned. We are therefore proposing brokered authentication 
for WordPress 4.8 to ensure we have further time to continue testing and refining
the broker system. In addition, this will require an installation of the broker 
on a centralised server to act as the canonical broker for out-of-the-box WordPress.
While [apps.wp-api.org](https://apps.wp-api.org/) is currently acting in this role,
this is currently hosted by a third-party (Human Made) on behalf of the API team.
For long-term usage the broker should instead be hosted on WordPress.org, alongside
the existing plugin and theme repositories. This migrationMigration Moving the code,
database and media files for a website site from one server to another. Most typically
done when changing hosting companies. will take time but we remain committed to 
continuing to develop and support the broker.

## After Merge

After merging the REST API, the team plans to continue developing the API as before.
We expect that integrating the REST API into WordPress core will bring additional
feedback, and we plan on incorporating this feedback through the rest of the 4.7
cycle.

During the remaining parts of this release cycle and through into the 4.8 cycle,
additional work will go into other parts of the API. This includes further work 
and refinement on the broker authentication system, including work on WordPress.
org infrastructure. Additionally, we plan to continue working on the Management 
API endpoints, including theme and appearance endpoints to support the Customiser
team. Both of these components will be maintained as separate feature projects on
GitHubGitHub GitHub is a website that offers online implementation of git repositories
that can easily be shared, copied and modified by other developers. Public repositories
are free to host, private repositories require a paid subscription. GitHub introduced
the concept of the ‘pull request’ where code changes done in branches by contributors
can be reviewed and discussed before being merged by the repository owner. [https://github.com/](https://github.com/)
until they’re ready for merge into core.

The team remains committed to supporting the API in core, and the Content API will
switch from GitHub to TracTrac An open source project by Edgewall Software that 
serves as a bug tracker and project management tool for WordPress. for project management
and contributions. This same process occurred for the [API Infrastructure in WordPress 4.4](https://make.wordpress.org/core/2015/09/21/wp-rest-api-merge-proposal/).

## Reviews and Feedback

With this merge proposal, we’re looking for feedback and review of the project. 
In particular, we’re focussing on feedback on the security of the API and OAuth 
projects, and are also reaching out to specific people for reviews. (We take the
security of the API seriously, and bugbug A bug is an error or unexpected result.
Performance improvements, code optimization, and are considered enhancements, not
defects. After feature freeze, only bugs are dealt with, with regressions (adverse
changes from the previous version) being the highest priority. reports are welcomed
on [HackerOne](https://hackerone.com/wp-api) at any time.) Design and accessibilityAccessibility
Accessibility (commonly shortened to a11y) refers to the design of products, devices,
services, or environments for people with disabilities. The concept of accessible
design ensures both “direct access” (i.e. unassisted) and “indirect access” meaning
compatibility with a person’s assistive technology (for example, computer screen
readers). (https://en.wikipedia.org/wiki/Accessibility) reviews for the [OAuth](https://wordpress.org/plugins/rest-api-oauth1/)
authorisation UIUI User interface are also welcomed to ensure we maintain the high
standards of WordPress core.

Both the [REST API plugin](https://wordpress.org/plugins/rest-api/) and the [OAuth plugin](https://wordpress.org/plugins/rest-api-oauth1/)
are available on WordPress.org, and issues can be reported to the GitHub tracker
for the [API](https://github.com/WP-API/WP-API) and the [OAuth](https://github.com/WP-API/OAuth1)
plugin respectively. We have released a final betaBeta A pre-release of software
that is given out to a large group of users to trial under real conditions. Beta
versions have gone through alpha testing in-house and are generally fairly close
in look, feel and function to the final product; however, design changes often occur
as part of the process. ([Beta 15 “International Drainage Commission”](https://github.com/WP-API/WP-API/releases/tag/2.0-beta15))
which includes the meta and settings endpoints.

## With Love from Us

As always, this is a merge _proposal_, and is not final until 4.7 is released. We’re
eager to hear your thoughts and feedback; the comments below are a perfect place
for that, or you can pop along to one of our [regular meetings](https://make.wordpress.org/meetings/).
We’re also always available in the [#core-restapi](https://make.wordpress.org/core/tag/core-restapi/)
room on SlackSlack Slack is a Collaborative Group Chat Platform [https://slack.com/](https://slack.com/).
The WordPress community has its own Slack Channel at [https://make.wordpress.org/chat/](https://make.wordpress.org/chat/).

We’d like to thank every single one of our contributors, including [88 contributors to the main repository](https://github.com/WP-API/WP-API/graphs/contributors)
and [23 contributors to the OAuth repository](https://github.com/WP-API/OAuth1/graphs/contributors).
Particular thanks goes to my ([@rmccue](https://profiles.wordpress.org/rmccue/))
wonderful co-lead Rachel Baker ([@rachelbaker](https://profiles.wordpress.org/rachelbaker/)),
our 2.0 release leads Daniel Bachhuber ([@danielbachuber](https://profiles.wordpress.org/danielbachuber/))
and Joe Hoyle ([@joehoyle](https://profiles.wordpress.org/joehoyle/)), and our key
contributors for the 4.7 cycle: Adam Silverstein ([@adamsilverstein](https://profiles.wordpress.org/adamsilverstein/)),
Brian Krogsgard ([@krogsgard](https://profiles.wordpress.org/krogsgard/)), David
Remer ([@websupporter](https://profiles.wordpress.org/websupporter/)), Edwin Cromley(
[@chopinbach](https://profiles.wordpress.org/chopinbach/)), and K. Adam White ([@kadamwhite](https://profiles.wordpress.org/kadamwhite/)).
Thanks also to the core committers helping us out through the 4.7 cycle, including
Aaron D. Campbell ([@aaroncampbell](https://profiles.wordpress.org/aaroncampbell/))
and Aaron Jorbin ([@aaronjorbin](https://profiles.wordpress.org/aaronjorbin/)), 
and to the fantastic release leadRelease Lead The community member ultimately responsible
for the Release., Helen Hou-Sandí ([@helen](https://profiles.wordpress.org/helen/)).

Thanks also to everyone who has used the REST API, and to you for reading this. 
We built the REST API for you, and we hope you like it.

With love, The REST API Team

[#feature-plugins](https://make.wordpress.org/core/tag/feature-plugins/), [#json-api](https://make.wordpress.org/core/tag/json-api/),
[#merge-proposals](https://make.wordpress.org/core/tag/merge-proposals/), [#rest-api](https://make.wordpress.org/core/tag/rest-api/)

 [  ](https://profiles.wordpress.org/rmccue/) [Ryan McCue](https://profiles.wordpress.org/rmccue/)
10:34 am _on_ July 27, 2016     
Tags: [4.6 ( 140 )](https://make.wordpress.org/core/tag/4-6/),
[dev-notes ( 616 )](https://make.wordpress.org/core/tag/dev-notes/), http-api   

# 󠀁[HTTP API in 4.6](https://make.wordpress.org/core/2016/07/27/http-api-in-4-6/)󠁿

For WordPress 4.6, the HTTPHTTP HTTP is an acronym for Hyper Text Transfer Protocol.
HTTP is the underlying protocol used by the World Wide Web and this protocol defines
how messages are formatted and transmitted, and what actions Web servers and browsers
should take in response to various commands. APIAPI An API or Application Programming
Interface is a software intermediary that allows programs to interact with each 
other and share data in limited, clearly defined ways. (`wp_remote_request()` and
family) have undergone a large internal change. Rather than using a WordPress-specific
HTTP library, WordPress now uses the open-source independent [Requests library](http://requests.ryanmccue.info/),
developed by yours truly.

### Why Requests?

The WP_HTTP library in previous releases has been primarily maintained by myself
and [@dd32](https://profiles.wordpress.org/dd32/), with my support time split between
the two libraries. Both libraries are very similar, and code has been shared between
them (when licensing permitted) in the past. Requests follows the same development
philosophies as WordPress: developing for the masses with broad PHPPHP The web scripting
language in which WordPress is primarily architected. WordPress requires PHP 7.4
or higher support, and maintaining backwards compatibility.

By switching to Requests, a library without any WordPress-specific dependencies,
WordPress benefits from input from the wider PHP ecosystem and community

Requests also has a huge number of unit tests, with [test coverage at 92%](https://codecov.io/github/rmccue/Requests?branch=master)
of the codebase and increasing. It’s also [used by other projects via the Composer ecosystem](https://packagist.org/packages/rmccue/requests/dependents),
including wp-cliWP-CLI WP-CLI is the Command Line Interface for WordPress, used 
to do administrative and development tasks in a programmatic way. The project page
is [http://wp-cli.org/](http://wp-cli.org/) [https://make.wordpress.org/cli/](https://make.wordpress.org/cli/)’
s HTTP functionality.

### What has changed?

From your perspective as a developer, nothing should have changed visibly. You can
and should continue to use WP’s HTTP functions the way you always have.

(Note: For the 4.6 development cycle and betaBeta A pre-release of software that
is given out to a large group of users to trial under real conditions. Beta versions
have gone through alpha testing in-house and are generally fairly close in look,
feel and function to the final product; however, design changes often occur as part
of the process. 1, the HTTP functions returned an array-like object. Many plugins
and themes in the real world are using direct `is_array()` checks, so it was decided
to pull this functionality back a bit to be safe, see [#37097](https://core.trac.wordpress.org/ticket/37097).)

Some new functionality has been introduced. In particular, the array returned from`
wp_remote_request()` now includes a new `http_response` value, which contains a `
WP_HTTP_Response` object (technically, `WP_HTTP_Requests_Response`). This shares
functionality with `WP_REST_Response` objects introduced in WordPress 4.4, allowing
common functionality to be developed for both APIs. In future releases, WordPress
may introduce new `WP_HTTP_Request` objects as well, allowing common middleware 
to be used across both APIs.

In addition, all of Requests’ features are now available in WordPress. This includes
things like better HTTP standard support, case-insensitive headers, parallel HTTP
requests, support for Internationalized Domain Names (like `böcean901.ch`), and 
many other internal improvements.

Some new features are only available when using `Requests::request()` directly (
such as parallel requests), however, these will be introduced into new WordPress-
specific APIs in future releases ([#37459](https://core.trac.wordpress.org/ticket/37459)).
This release is focussing on switching internal implementation and remaining stable.

For more background on the change, see [#33055](https://core.trac.wordpress.org/ticket/33055).

[#4-6](https://make.wordpress.org/core/tag/4-6/), [#dev-notes](https://make.wordpress.org/core/tag/dev-notes/),
[#http-api](https://make.wordpress.org/core/tag/http-api/)

 [  ](https://profiles.wordpress.org/rmccue/) [Ryan McCue](https://profiles.wordpress.org/rmccue/)
7:10 am _on_ May 16, 2016     
Tags: [rewrite-rules ( 2 )](https://make.wordpress.org/core/tag/rewrite-rules/)

# 󠀁[Rewrites Next Generation: Next Meeting](https://make.wordpress.org/core/2016/05/16/rewrites-next-generation-next-meeting/)󠁿

There was a bit of confusion with the last Rewrites meeting, so we never really 
got to kick off the conversation. Let’s give it another shot this week. The revised
kick-off meeting for the Rewrites Next Generation project will hence be on [May 18th 23:00 UTC](https://www.timeanddate.com/worldclock/fixedtime.html?iso=20160518T2300).

The agenda for this meeting is to discuss problems you see with the rewrites system,
any particular use-cases you think should be considered, as well as agreeing on 
a broad approach for how we want to tackle the problems.

(In case you missed it, you may want to [read the introductory post](https://make.wordpress.org/core/2016/05/03/proposal-next-generation-rewrites/)
for the project.)

Hope to see you all there!

[#rewrite-rules](https://make.wordpress.org/core/tag/rewrite-rules/)

 [  ](https://profiles.wordpress.org/rmccue/) [Ryan McCue](https://profiles.wordpress.org/rmccue/)
8:46 am _on_ May 3, 2016     
Tags: [rewrite-rules ( 2 )](https://make.wordpress.org/core/tag/rewrite-rules/)

# 󠀁[Proposal: Next Generation Rewrites](https://make.wordpress.org/core/2016/05/03/proposal-next-generation-rewrites/)󠁿

Hi everyone! Today I’d like to propose a new feature project for WordPress: **Next
Generation Rewrites**. After [proposing this](https://wordpress.slack.com/archives/core/p1461118938000819)
at the last feature projects meeting, it’s time to flesh out the details of what
this project would be.

The aim of the project is to modernise the rewriting and routing system for the 
modern CMS and platform era of WordPress.

(This project was previously proposed in [a ticket on Trac](https://core.trac.wordpress.org/ticket/36292),
however the project is larger than a single TracTrac An open source project by Edgewall
Software that serves as a bug tracker and project management tool for WordPress.
ticketticket Created for both bug reports and feature development on the bug tracker.
and needs a larger discussion.)

## Overview

If you’ve worked with custom development on WordPress, you’ve probably registered
at least one rewrite rule. Rewrites are the key to what WordPress calls “pretty 
permalinks”, which are URLs designed for humans rather than the server. They look
like `/2016/04/19/`, or /about/requirements/, rather than `index.php?p=42`.

As a developer, you can register your own rewrite rules as well. For example, bbPressbbPress
Free, open source software built on top of WordPress for easily creating forums 
on sites. [https://bbpress.org](https://bbpress.org) registers URLs like `/forums/
topic/jjj-is-awesome/` and WooCommerce has URLs like `/product/gs3/`. WordPress 
then “re-writes” these to the internal query variables (“query vars”), which are
eventually passed into the main WP Query.

The rewrite system was initially designed to implement pretty permalinks, but has
been used and abused for so much more since then. With modern plugins and web apps
built on top of WordPress, it’s not uncommon to have pages that don’t need a main
query, or need a specialised system of querying. As an example of this, the REST
APIREST API The REST API is an acronym for the RESTful Application Program Interface(
API) that uses HTTP requests to GET, PUT, POST and DELETE data. It is how the front
end of an application (think “phone app” or “website”) can communicate with the 
data store (think “database” or “file system”) [https://developer.wordpress.org/rest-api/](https://developer.wordpress.org/rest-api/)
infrastructure added in WordPress 4.4 doesn’t use the main query, as many of the
endpoints don’t require querying posts at all.

While the usage of rewrites has developed, the internals of how URLs are handled
internally hasn’t changed. The system is fundamentally still designed for the blogblog(
versus network, site) era of WordPress. It also predates a lot of the pieces of 
WordPress we take for granted, such as transients and object caching.

## Project Proposal

It’s time to change the rewrite system. Rewrite rules should be changed from a layer
on top of WP Query to a fully-fledged system all of their own. To do this, I’m proposing
three initial steps:

 * Decouple rewrites from the query system
 * Refactor and rework the internals to make them testable
 * Rethink rewrite storage and remove flushing

These steps would take place under the umbrella of a new feature project, Next Generation
Rewrites. This feature project would coordinate the project and people working on
it across the various parts of coreCore Core is the set of software required to 
run WordPress. The Core Development Team builds WordPress. it touches (primarily
the Rewrite Rules component, but also potentially involving UIUI User interface 
and UXUX User experience discussion and changes; fixing the “visit the Permalinks
page and save to fix your site” issue, for example). This would also coordinate 
the team across multiple release cycles as we slowly but surely make progress. It’s
important to make progress while keeping rewrites stable, as they’re a critical 
part of WordPress that we _cannot_ break.

### Decoupling Rewrites from Querying

The first step I’m proposing is to decouple rewrites from querying. Right now, rewrites
for anything except querying posts involves jumping through a few hoops. This includes
registering temporary query vars, or using global state to track route matching.
Separating these two components will make it easier to add non-query-based rewrites,
as well as allowing more powerful query rewrites.

Currently, rewrites are registered using code like the following:

    ```
    add_rewrite_rule( '/regex/', 'index.php?var=value' );
    ```

These rewrite rules map a regular expression to a query string, which is later parsed
into an array internally. You can achieve more complex routing via regular expressions
by using a special syntax in the rewrite string:

    ```
    add_rewrite_rule( '/topic/(.+)', 'index.php?topic=$matches[1]' );
    ```

Note that while this looks like a PHPPHP The web scripting language in which WordPress
is primarily architected. WordPress requires PHP 7.4 or higher variable, it’s actually
a static string that gets replaced after the regular expression. This can lead to
confusion with developers who are new to the syntax, and it also can make doing 
more complex rewrites hard. These typically involve temporary query vars, as well
as quite a bit of processing.

Instead, I want to introduce a new `WP_Rewrite_Rule` object to replace the current
rewrite string. This object would contain a method called `get_query_vars` that 
receives the `$matches` variable and returns the query vars to set. This would look
something like this:

    ```
    class MyRule extends WP_Rewrite_Rule {
        public function get_query_vars( $matches ) {
            return array(
                'post_type' => 'topic',
                'meta_query' => array(
                    array(
                        'key' => '_topic_name',
                        'value' => $matches[1],
                    ),
                ),
            );
        }
    }
    add_rewrite_rule( '/topic/(.+)', new MyRule() );
    ```

(The exact format of the object is yet to be decided; we’ve also started discussing
the possibility of passing a request object into this callback as well.)

Using an object for this allows us to have multiple callbacks for different stages
of the routing process, and starts to simplify some of the internal code in `WP_Rewrite`.
For example, the routing code around pages that allows URLs like `/parent/child/
sub-child/` for child pages can be simplified and moved out of the main routing 
code. This also helps make the code more testable, which dovetails nicely with the
third goal.

### Refactor rewrite internals

Step 2 of changing rewrites is to make the rewrite system fully testable. Currently,
a bunch of global state is mixed into the internals of rewrite matching, and the
rewrite methods tend to be monolithic. [@ericlewis](https://profiles.wordpress.org/ericlewis/)
has previously begun work on this in [#18877](https://core.trac.wordpress.org/ticket/18877),
and this can be continued and rolled into the Next Generation Rewrites project.

Ideally, this should happen at the same time or before the first step to allow easy
checking of regressions. This is relatively boring work that won’t affect many developers,
but it’s important we do it. The rewrite system is a critical part of WordPress,
and it’s crucially important that it’s testable and verifiable.

### Rethink rewrite storage

Once the first two steps are in place, we should begin reconsidering how rewrites
are stored. Currently, rewrites are stored in the database in the `rewrite_rules`
option. The option is less of an option (it’s not really configuration), and more
of a caching technique. This is somewhat of a relic, as rewrites predate object 
caching and transients in WordPress, both of which are better techniques to handle
caching in modern WordPress.

Removing this option and changing it to use a proper caching subsystem in WordPress
should fix multiple problems, including the need to flush rewrites. This should 
improve the UX for end users, as we should be able to remove the “links on your 
site don’t work, so go to the Permalinks page and save” trick (which only really
requires visiting the page, not saving).

The need to cache rewrites at all can also be reconsidered; many of the rewrite 
rules are simply entries in an array, and are not expensive to generate on-the-fly,
while removing the caching so can make for an easier to use and more dynamic system.
More expensive rules can be cached by the code generating the rule, rather than 
via the monolithic rewrite cache.

This has the potential to improve the user experience and fix a class of issues,
but it also has the potential to ruin performance, depending on how other code is
using it. It’s important to tread carefully as we attempt to improve this, and ensure
we remain compatible and performant. Introducing a two-tiered system is one approach
we can consider, with the ability for plugins to opt-in to a newer, dynamic system
to avoid problems with flushing.

## Why a Feature Project?

I’m proposing Rewrites Next Generation as a feature project for several reasons.
The concept and implementation are both large and complex, moreso than simply operating
in an informal matter on Trac tickets. The impact of this project is also large,
affecting many pluginPlugin A plugin is a piece of software containing a group of
functions that can be added to a WordPress website. They can extend functionality
or add new features to your WordPress websites. WordPress plugins are written in
the PHP programming language and integrate seamlessly with WordPress. These can 
be free in the WordPress.org Plugin Directory [https://wordpress.org/plugins/](https://wordpress.org/plugins/)
or can be cost-based plugin from a third-party. and theme developers, as well as
potential improvements to UX. Gaining feedback from all interested stakeholders 
is important, as this is a crucial part of WordPress.

## Getting Started

The steps I’ve listed here are only a selection of the issues with rewrites. The
rewrite system hasn’t been massively changed since its inception, so there are plenty
of parts that could be changed to better suit the modern era of WordPress development.
The issues here are simply the three most important that I’ve found, but I want 
to hear your feedback too.

Let’s talk rewrites. I’m proposing a **weekly meeting** for Rewrites Next Generation,
at [Wednesday, 23:00 UTC](https://www.timeanddate.com/worldclock/fixedtime.html?iso=20160504T2300)
with the first meeting at [May 4th 23:00 UTC](https://www.timeanddate.com/worldclock/fixedtime.html?iso=20160504T2300).
If you’re interested in rewrites, or have had problems with them in the past, let’s
talk and work out what we need to do to improve rewrites. (This is a non-permanent
meeting to set the scope of the project; we’ll refine meeting frequency and timing
at a later date.)

After this initial discussion, we can settle on concrete goals and a timeline for
the initial stages of the project. A proof-of-concept patchpatch A special text 
file that describes changes to code, by identifying the files and lines which are
added, removed, and altered. It may also be referred to as a **diff**. A patch can
be _applied_ to a codebase for testing. and ticket are available on Trac, however
alternative approaches should be considered after this discussion. The short-term
goal is to begin landing these improvements in trunktrunk A directory in Subversion
containing the latest development code in preparation for the next major release
cycle. If you are running "trunk", then you are on the latest revision., with the
goal of having our first changes in WordPress 4.6, which is a quick but achievable
timeline.

This project has the potential to make a large impact on developers and users, and
it’s important that everyone has their say. I hope you’ll join me for the first 
meeting, and join in the fun of contributing to a key part of WordPress!

Thanks for reading. <3

[#rewrite-rules](https://make.wordpress.org/core/tag/rewrite-rules/)

 [  ](https://profiles.wordpress.org/rmccue/) [Ryan McCue](https://profiles.wordpress.org/rmccue/)
9:23 pm _on_ April 6, 2016     
Tags: [4.4 ( 46 )](https://make.wordpress.org/core/tag/4-4/),
[4.5 ( 60 )](https://make.wordpress.org/core/tag/4-5/), [rest-api ( 107 )](https://make.wordpress.org/core/tag/rest-api/)

# 󠀁[REST API: Slashed Data in WordPress 4.4 and 4.5](https://make.wordpress.org/core/2016/04/06/rest-api-slashed-data-in-wordpress-4-4-and-4-5/)󠁿

Hi everyone. The REST APIREST API The REST API is an acronym for the RESTful Application
Program Interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data.
It is how the front end of an application (think “phone app” or “website”) can communicate
with the data store (think “database” or “file system”) [https://developer.wordpress.org/rest-api/](https://developer.wordpress.org/rest-api/)
team recently discovered a bugbug A bug is an error or unexpected result. Performance
improvements, code optimization, and are considered enhancements, not defects. After
feature freeze, only bugs are dealt with, with regressions (adverse changes from
the previous version) being the highest priority. with parameter parsing in the 
APIAPI An API or Application Programming Interface is a software intermediary that
allows programs to interact with each other and share data in limited, clearly defined
ways. infrastructure, part of WordPress 4.4. For those of you using the API infrastructure,
you need to be aware of a bug fix we’re making with the API.

## The Problem

The REST API has several types of parameters that it mixes together. These come 
from several sources including the request body as either JSONJSON JSON, or JavaScript
Object Notation, is a minimal, readable format for structuring data. It is used 
primarily to transmit data between a server and web application, as an alternative
to XML. or URLURL A specific web address of a website or web page on the Internet,
such as a website’s URL www.wordpress.org-encoded form data (`$_POST`), query parameters(`
$_GET`), the API route, and internally-set defaults. Unfortunately, due to an oversight
on our behalf, these parameters can be inconsistently formatted.

In WordPress, the superglobal request variables (`$_POST` and `$_GET`) are “slashed”;
effectively, [turning magic quotes on](https://core.trac.wordpress.org/ticket/18322)
for everyone. This was originally built into PHPPHP The web scripting language in
which WordPress is primarily architected. WordPress requires PHP 7.4 or higher as
a feature to help guard against SQL injection, but was later removed. Due to compatibility
concerns, WP cannot change this behaviour for the superglobals. This only applies
to the PHP superglobals, not to other sources of input like a JSON body or parameters
in the URL. It additionally does not apply to form data on PUT or DELETE requests.

Internally, some low-level WordPress functions [expect slashed data](https://core.trac.wordpress.org/ticket/21767).
These functions internally call `wp_unslash()` on the data you pass in. This means
input data from the superglobals can be passed in directly, but other data needs
to be wrapped with a call to `wp_slash()`.

When the REST API gathers the data sources, it accidentally mixes slashed and unslashed
sources. This results in inconsistent behaviour of parameters based on their source.
For example, data passed as a JSON body is unslashed, whereas data passed via form
data in the body is slashed (for POST requests).

For example, the following two pieces of data are equivalent in the REST API:

    ```
    // JSON body:
    {"title": "Foo"}

    // Form-data ($_POST)
    title=Foo

    // Both result in:
    $request->get_param('title') === 'Foo';
    ```

However, if the data contains slashes itself, this will be inconsistently passed
to the callback:

    ```
    // JSON body:
    {"title": "Foo\Bar"}

    // Results in:
    $request->get_param('title') === 'Foo\Bar';

    // Form-data ($_POST) (%3D = "\")
    title=Foo%3DBar

    // Results in:
    $request->get_param('title') === 'Foo\\Bar';
    ```

This means that callbacks need to understand where parameters come from in order
to consistently handle them internally. Specifically:

 * Data passed in the query string (`$_GET`, `$request->get_query_params()`) is 
   slashed
 * Data passed in the body as form-encoded (`$_POST`, `$request->get_body_params()`)
   is slashed for `POST` requests, and unslashed for `PUT` and `DELETE` requests.
 * Data passed in the body as JSON-encoded (`$request->get_json_params()`) is unslashed.
 * Data passed in the URL (`$request->get_url_params()`) is unslashed.
 * Data passed as a default (`$request->get_default_params()`) is unslashed.

In addition, parameters set internally via `$request->set_param()` are unslashed.
Unit and integration tests for API endpoints typically use these directly, so the
majority of tested code (such as the WP REST API pluginPlugin A plugin is a piece
of software containing a group of functions that can be added to a WordPress website.
They can extend functionality or add new features to your WordPress websites. WordPress
plugins are written in the PHP programming language and integrate seamlessly with
WordPress. These can be free in the WordPress.org Plugin Directory [https://wordpress.org/plugins/](https://wordpress.org/plugins/)
or can be cost-based plugin from a third-party.) assumes parameters are unslashed.

See the related TracTrac An open source project by Edgewall Software that serves
as a bug tracker and project management tool for WordPress. Ticketticket Created
for both bug reports and feature development on the bug tracker. [#36419](https://core.trac.wordpress.org/ticket/36419)
for more information.

## The Solution for WordPress 4.4 and 4.5

We are regarding inconsistently-slashed data as a major bug, and **are changing 
the API infrastructure to ensure unslashed data**. This will ensure that data is
consistent regardless of the source. Callbacks will now receive unslashed data only,
and can rely on this regardless of the original data source or request method.

If you are using functions that expect slashed data in your callback, you will need
to slash your data before passing into these functions. Commonly used functions 
that expect slashed data are `wp_insert_post`, `wp_update_post`, `update_post_meta`,`
wp_insert_term`, `wp_insert_user`, along with others. Before passing data into these
functions, you must call `wp_slash()` on your data.

The fix for this issue, will be included in the WordPress 4.5 release candidates
and final release. Due to the severityseverity The seriousness of the ticket in 
the eyes of the reporter. Generally, severity is a judgment of how bad a bug is,
while **priority** is its relationship to other bugs. of the bug, we are also backporting
the fix to the next minor WordPress 4.4 update. This also ensures you can update
your plugins can act consistently across all versions of the REST API.

We understand that this may inadvertently break some plugins that are expecting 
slashed data. Right now, it’s not possible to consistently ensure that callbacks
receive slashed data, so it is likely that these plugins will already break in some
conditions.

**tl;dr:** if you’re using `wp_insert_*` or `*_post_meta` in your REST API callback,
you need to ensure you are calling `wp_slash()` on data you are passing in, regardless
of source.

We apologize for this bug existing in the first place. Slashed data is a problem
that has plagued WordPress for a long time, and we’re not immune to getting caught
by the issue ourselves.

[#4-4](https://make.wordpress.org/core/tag/4-4/), [#4-5](https://make.wordpress.org/core/tag/4-5/),
[#rest-api](https://make.wordpress.org/core/tag/rest-api/)

 [  ](https://profiles.wordpress.org/rmccue/) [Ryan McCue](https://profiles.wordpress.org/rmccue/)
4:39 am _on_ April 4, 2016     
Tags: [json-api ( 39 )](https://make.wordpress.org/core/tag/json-api/),
[rest-api ( 107 )](https://make.wordpress.org/core/tag/rest-api/)   

# 󠀁[WP REST API: 2.0 Beta 13 & Roadmap](https://make.wordpress.org/core/2016/04/04/wp-rest-api-2-0-beta-13-roadmap/)󠁿

Hi folks! I’m here with another exciting update from the APIAPI An API or Application
Programming Interface is a software intermediary that allows programs to interact
with each other and share data in limited, clearly defined ways. team.

### BetaBeta A pre-release of software that is given out to a large group of users to trial under real conditions. Beta versions have gone through alpha testing in-house and are generally fairly close in look, feel and function to the final product; however, design changes often occur as part of the process. 13

First off, we’re excited to announce 2.0 Beta 13 _“yoink.adios\losers”_ is now available.
[Grab it from the plugins repo](https://wordpress.org/plugins/rest-api/) or [GitHub](https://github.com/WP-API/WP-API/releases/tag/2.0-beta13)
while it’s hot. Here’s some of the key updates:

 * **BREAKING CHANGE:** Fix Content-Disposition headerHeader The header of your 
   site is typically the first thing people will experience. The masthead or header
   art located across the top of your page is part of the look and feel of your 
   website. It can influence a visitor’s opinion about your content and you/ your
   organization’s brand. It may also look different on different screen sizes. parsing.
   This technically breaks backwards compatibility to correctly match the header
   specification. ([#2239](https://github.com/WP-API/WP-API/pull/2239))
 * **BREAKING CHANGE:** Use compact links for embedded responses if they are available.
   We now use CURIEs for sites on 4.5+, which look like `wp:term` (but canonicalise
   to the full URI relation). ([#2412](https://github.com/WP-API/WP-API/pull/2412))
 * Updated JSJS JavaScript, a web scripting language typically executed in the browser.
   Often used for advanced user interfaces and behaviors. client to the latest version.(
   [#2403](https://github.com/WP-API/WP-API/pull/2403))

There’s lots more changes in this release; check out [the release notes](https://github.com/WP-API/WP-API/releases/tag/2.0-beta13)
or [the commits for this release](https://github.com/WP-API/WP-API/compare/2.0-beta12...2.0-beta13).

### Roadmap

We’ve been thinking about how to tackle the API in the coming future. We want to
do the most we can to ensure you can build sites with confidence.

Along these lines, we’re going to release a 2.0 final version in the coming months.
This will be a completely stable release with guaranteed backwards compatibility
for the foreseeable future. This backwards compatibility ensures that your sites
can remain up-to-date with minimal maintenance or issues with upgrading.

We originally held the software in beta for a long period to ensure that breaking
changes could be rolled in if deemed necessary to move the project forward. However,
the majority of these breaks occurred at the start of the 2.0 lifecycle, and the
API is mostly stable at this point. Keeping the ability to break compatibility benefits
only us, whereas moving to a stable release benefits everyone.

Moving forward, version 2.0 of the WP REST APIREST API The REST API is an acronym
for the RESTful Application Program Interface (API) that uses HTTP requests to GET,
PUT, POST and DELETE data. It is how the front end of an application (think “phone
app” or “website”) can communicate with the data store (think “database” or “file
system”) [https://developer.wordpress.org/rest-api/](https://developer.wordpress.org/rest-api/)
will follow a normal project release cycle. We will have minor releases in the 2.
x series as new features are added, and bugfix releases in the 2.0.x series.

As for the coreCore Core is the set of software required to run WordPress. The Core
Development Team builds WordPress. merge itself, we are not submitting a merge proposal
of the core endpoints for WordPress 4.6. We believe endpoints for the main WordPress
objects (posts, users, comments, terms, and taxonomies) are not enough to garner
the support needed for the proposal to be accepted. Our hope is that with a stable
version 2.0 release, we will attract our community members that have been waiting
for the endpoints to be available in core, and submit a merge proposal for the WordPress
4.7 release cycle.

In addition to attracting more developers within our community, we are also looking
to get more contributors involved with the project. As noted in previous discussions,
the four of us on the API team can’t keep pace with WordPress itself without help.
We’re looking to get WordPress core component maintainers involved in their relevant
components, as well as new developers from outside the project. Moving forward, 
the API team sees our role as advisory over the API itself, with the API treated
as an integral part of the component rather than maintained by a separate team. 
We’re also going to continue to work on our feature plugins (metadata, site/multisitemultisite
Used to describe a WordPress installation with a network of multiple blogs, grouped
by sites. This installation type has shared users tables, and creates separate database
tables for each blog (wp_posts becomes wp_0_posts). See also **network**, **blog**,**
site**, menus/widgets, and authentication) in parallel, and are looking for help
on these as well. (There’s also more news regarding authentication coming very soon.)

If you’d like to get involved with the API, please let us know. You can comment 
here, pingPing The act of sending a very small amount of data to an end point. Ping
is used in computer science to illicit a response from a target server to test it’s
connection. Ping is also a term used by Slack users to @ someone or send them a 
direct message (DM). Users might say something along the lines of “Ping me when 
the meeting starts.” us on SlackSlack Slack is a Collaborative Group Chat Platform
[https://slack.com/](https://slack.com/). The WordPress community has its own Slack
Channel at [https://make.wordpress.org/chat/](https://make.wordpress.org/chat/) 
in the [#core-restapi](https://make.wordpress.org/core/tag/core-restapi/) room, 
or via GitHubGitHub GitHub is a website that offers online implementation of git
repositories that can easily be shared, copied and modified by other developers.
Public repositories are free to host, private repositories require a paid subscription.
GitHub introduced the concept of the ‘pull request’ where code changes done in branches
by contributors can be reviewed and discussed before being merged by the repository
owner. [https://github.com/](https://github.com/) issues. We’re looking at spending
significant time onboarding new users, so if you’d like to get involved, now’s the
time! Our weekly meeting is at [Monday 23:00 UTC](https://www.timeanddate.com/worldclock/fixedtime.html?iso=20160404T2300)

Thanks for catching up with us, and have a wonderful day.

With love,

Ryan, Rachel, Daniel, and Joe

[#json-api](https://make.wordpress.org/core/tag/json-api/), [#rest-api](https://make.wordpress.org/core/tag/rest-api/)

 [  ](https://profiles.wordpress.org/rmccue/) [Ryan McCue](https://profiles.wordpress.org/rmccue/)
12:35 am _on_ December 15, 2015      

# 󠀁[WP REST API: OAuth Plugin Security Update](https://make.wordpress.org/core/2015/12/15/wp-rest-api-oauth-plugin-security-update/)󠁿

Hi everyone. This is a quick update on the OAuth 1.0a Server pluginPlugin A plugin
is a piece of software containing a group of functions that can be added to a WordPress
website. They can extend functionality or add new features to your WordPress websites.
WordPress plugins are written in the PHP programming language and integrate seamlessly
with WordPress. These can be free in the WordPress.org Plugin Directory [https://wordpress.org/plugins/](https://wordpress.org/plugins/)
or can be cost-based plugin from a third-party., available on [GitHub](https://github.com/WP-API/OAuth1).

Versions of the OAuth plugin prior to [this commit](https://github.com/WP-API/OAuth1/commit/be6b51f8e2ea8ecc5c2d7362d5617044abb8a888)
contain a security issuesecurity issue A security issue is a type of bug that can
affect the security of WordPress installations. Specifically, it is a report of 
a bug that you have found in the WordPress core code, and that you have determined
can be used to gain some level of access to a site running WordPress that you should
not have. during the authorization flow, regarding signature and nonce checks. Due
to the OAuth architecture, it is highly unlikely this can be used to compromise 
a site or client application; however due to an abundance of caution, we recommend
all users **update to 0.2.1 immediately**. (Pull the latest changes from master.)

Thanks to [@bradyvercher](https://profiles.wordpress.org/bradyvercher/) for responsible
disclosure of this issue via [HackerOne](https://hackerone.com/wp-api).

 [  ](https://profiles.wordpress.org/rmccue/) [Ryan McCue](https://profiles.wordpress.org/rmccue/)
9:52 am _on_ December 7, 2015     
Tags: [feature plugins ( 122 )](https://make.wordpress.org/core/tag/feature-plugins/),
[json-api ( 39 )](https://make.wordpress.org/core/tag/json-api/), [rest-api ( 107 )](https://make.wordpress.org/core/tag/rest-api/)

# 󠀁[WP REST API: New Tools & OAuth Updates](https://make.wordpress.org/core/2015/12/07/rest-api-tools-and-oauth/)󠁿

Hi everyone! I’m here today with some special news for everyone, rather than a standard
release announcement. I have three things to announce instead. 🙂

## Discovery Library for PHPPHP The web scripting language in which WordPress is primarily architected. WordPress requires PHP 7.4 or higher

A super cool thing that you might not know about with the APIAPI An API or Application
Programming Interface is a software intermediary that allows programs to interact
with each other and share data in limited, clearly defined ways. is that it’s entirely
discoverable. We use a [relatively simple process](http://v2.wp-api.org/guide/discovery/)
modelled after Atom/RSS feedRSS Feed RSS is an acronym for Real Simple Syndication
which is a type of web feed which allows users to access updates to online content
in a standardized, computer-readable format. This is the feed. discovery. All you
need to do is check a site’s headers for a Link headerHeader The header of your 
site is typically the first thing people will experience. The masthead or header
art located across the top of your page is part of the look and feel of your website.
It can influence a visitor’s opinion about your content and you/ your organization’s
brand. It may also look different on different screen sizes.:

    ```
    Link: <http://example.com/wp-json/>; rel="https://api.w.org/"
    ```

This allows a tonne of possibilities, including renaming the API base, or even delegating
API access to someone else. (For example, WordPress.comWordPress.com An online implementation
of WordPress code that lets you immediately access a new WordPress environment to
publish your content. WordPress.com is a private company owned by Automattic that
hosts the largest multisite in the world. This is arguably the best place to start
blogging if you have never touched WordPress before. [https://wordpress.com/](https://wordpress.com/)
could use `https://api.wordpress.com/{site_id}/` instead of per-site APIs.)

However, this isn’t always the easiest process to use (even if you have an advanced
degree in hypothetical topology). To simplify this, we now have [a discovery library](https://github.com/WP-API/discovery-php)
for PHP 5.3+.

To use it, add `wp-api/discovery` to your Composer requirements manually or run `
composer require wp-api/discovery` in your project directory. You can then use the`
WordPress\Discovery\discover()` function to discover the API for a given URLURL 
A specific web address of a website or web page on the Internet, such as a website’s
URL www.wordpress.org. (Oh hey, namespaces!)

The library also includes a demo that you can run using PHP’s built-in server, and
we’re working on getting a public version of this up on wp-api.org so you don’t 
even need to install it.

This should simplify the discovery process for everyone, and I’m hoping some wonderful
folks in the community will help port this to other languages as well. (Hint hint.)

## New OAuth Server

One of the weakest points of developing with the API right now is getting authentication
working. For a long time, our OAuth server pluginPlugin A plugin is a piece of software
containing a group of functions that can be added to a WordPress website. They can
extend functionality or add new features to your WordPress websites. WordPress plugins
are written in the PHP programming language and integrate seamlessly with WordPress.
These can be free in the WordPress.org Plugin Directory [https://wordpress.org/plugins/](https://wordpress.org/plugins/)
or can be cost-based plugin from a third-party. has languished and fallen behind
as we push forward with the API. No longer is this the case!

Simply update to the latest master. This will also be available on WordPress.orgWordPress.
org The community site where WordPress code is created and shared by the users. 
This is where you can download the source code for WordPress core, plugins and themes
as well as the central location for community conversations and organization. [https://wordpress.org/](https://wordpress.org/)
very soon.

This new version of the OAuth server has a bunch of changes, including:

 * Full adminadmin (and super admin) UIUI User interface, including application 
   management and the ability to revoke tokens
 * Ability to delete applications or regenerate their secrets
 * Callback validation process overhaul, now supporting custom protocols
 * Overhauled internals

In addition to this, I wanted to address one of the biggest problems with the OAuth
process: documentation. The documentation for the OAuth server and process has been
terrible in the past. Previously, I’d indicated to people that they should just 
go read the generic OAuth 1.0a documentation on the web and try with that, but as
it turns out, there’s no good documentation on this. (Apologies to those of you 
who’ve struggled in the past.)

Thankfully, this is now fixed, with a guide included and [available on Gitbook](http://oauth1.wp-api.org/).
This is an initial version of the guide, and I imagine it’ll grow and improve further
in the future.

If there’s anything missing you’d like added or improved, [file an issue](https://github.com/WP-API/OAuth1/issues)
on the plugin repo. (The guide’s source is also [included with the plugin](https://github.com/WP-API/OAuth1/tree/master/docs).)

## Demo API Client

_(pause for breath)_

Combining all these pieces, there’s now [a demo API client](https://github.com/WP-API/example-client)
in PHP that you can download and run to try all of this out. The demo client uses
the discovery library to find your site, then connects with OAuth to display your
user details. Again, you can run this locally using PHP’s built-in server, and we’re
working on getting a version set up on wp-api.org too.

![](https://i.imgur.com/COQZrDW.png)

Internally, this uses the wonderful [OAuth 1 client library](https://github.com/thephpleague/oauth1-client)
by [The League of Extraordinary Packages](https://thephpleague.com/). This repo 
also acts as a provider for that library, allowing you to use the library in your
own code to handle OAuth.

(Both the discovery library and the demo client are open sourceOpen Source Open 
Source denotes software for which the original source code is made freely available
and may be redistributed and modified. Open Source **must be** delivered via a licensing
model, see GPL. and MIT licensed, allowing you to use them in commercial projects
should you so desire.)

Hopefully you find these pieces useful. As always, your feedback on all of this 
is much appreciated; we’d also love to see discovery libraries and demo clients 
in other languages, if anyone wants to port them across. Thanks for being great.

[#feature-plugins](https://make.wordpress.org/core/tag/feature-plugins/), [#json-api](https://make.wordpress.org/core/tag/json-api/),
[#rest-api](https://make.wordpress.org/core/tag/rest-api/)

# Post navigation

[← Older posts](https://make.wordpress.org/core/author/rmccue/page/2/?output_format=md)