Some WordPress security plugins offer a setting to Restrict Access to most REST API data. With this setting, most requests will require a logged-in user or a user with specific privileges, blocking public requests to potentially-private data.
For example, with such settings enabled in iThemes Security, you will see this error when you use the WordPress Posts web part.
access to rest api requests is restricted by ithemes security settings
To enable the WordPress Posts web part to access your site’s posts, you can use Application Passwords. An application password is a securely generated key that can be used to authenticate REST API requests only. You cannot use an application password to log in to a WordPress site.
To generate an application username and password, follow the steps below.
- Log in to your WordPress site with an admin user account (a user with the administrator role).
- Navigate to Users.
- Click the Edit link to edit the details for a user.
- To list posts, iThemes Security requires the user to have at least the Contributor role before access is granted.
- To list categories in addition to posts, iThemes Security requires the user to have at least the Editor role before access is granted.
- We recommend creating a new user specifically for this.
- Scroll down to the “Application Passwords” heading.
- Enter a descriptive name for your application password in the “New Application Password Name” field. This field is for internal use only and helps you identify what your application password is connected to.
- Click the “Add New Application Password” button to create your password.
- Be sure to immediately copy and paste your password in a secure location. Application passwords cannot be retrieved after you exit this screen.
- Your user account can generate an unlimited number of application passwords.
- We recommend generating one password per third-party app you connect with. This way you can easily disable and delete a single password if you decide not to use that third-party application or find that your password has become compromised.
- You can now use this password to authenticate with the WordPress Posts web part to connect to your site via the REST API.
CORS Issue
Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain.
Make sure the CORS policy on your WordPress site sets the ‘Access-Control-Allow-Origin’ header to * or to your SharePoint tenant URL to enable access.
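The check below is an added example, not code from the web part, WordPress or iThemes Security. It evaluates a CORS preflight response the way a browser does for a request that carries an Authorization header, and shows why a tenant URL with a trailing slash or a wildcard header list is rejected. It assumes the web part calls the REST API from the browser; the `contoso` tenant, the header sets and the function names are constructed for illustration.

```javascript
// Added example. Origins and header sets are constructed sample values.
// Assumption: the web part calls the REST API from the browser and sends the
// application password in an Authorization header, which triggers a preflight.

function lowerCaseKeys(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

function checkPreflight(pageOrigin, preflightResponseHeaders) {
  const h = lowerCaseKeys(preflightResponseHeaders);
  const problems = [];

  // The browser compares the header value to the page origin exactly:
  // scheme + host (+ port), with no path and no trailing slash.
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    problems.push("Access-Control-Allow-Origin is missing");
  } else if (allowOrigin !== "*" && allowOrigin !== pageOrigin) {
    problems.push(`Access-Control-Allow-Origin "${allowOrigin}" is not ${pageOrigin}`);
  }

  // Authorization must be listed by name; a "*" here does not cover it.
  const allowHeaders = (h["access-control-allow-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase());
  if (!allowHeaders.includes("authorization")) {
    problems.push("Access-Control-Allow-Headers does not list Authorization");
  }

  return { allowed: problems.length === 0, problems };
}

// Constructed sample: one SharePoint page origin, three server configurations.
const tenant = "https://contoso.sharepoint.com";
const samples = {
  tenantOnly: { "Access-Control-Allow-Origin": tenant,
                "Access-Control-Allow-Headers": "Authorization, Content-Type" },
  trailingSlash: { "Access-Control-Allow-Origin": tenant + "/",
                   "Access-Control-Allow-Headers": "Authorization" },
  wildcards: { "Access-Control-Allow-Origin": "*",
               "Access-Control-Allow-Headers": "*" },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, JSON.stringify(checkPreflight(tenant, headers)));
}
```

Restricting the header to the tenant origin limits which sites can read REST API responses from a browser, while * lets a page on any origin do so.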