Theo is going to talk about the REST API, basically a secret weapon, so here you go.

Yeah, welcome to my talk about the WordPress REST API, the secret weapon. As you can see here in the first slide, it's already been there seven years in WordPress, and most people I met didn't even know what it is. So you can be very curious what's happening now. So I fill the first slide with the points for today. It's about me. It's what's the WordPress REST API. Why is it there? Why is it important? Why is it the most secret weapon in web development? And we have some example use cases, very shortly. It's more like a joke or something, but you will see what happens. By the way, if you're checking out Twitter, you will find every minute one tweet right in the moment with some AI picture of the VT of the WCCH. So whatever you see there, it's all generated by the WordPress REST API.

So about me: I'm a WordPress developer, in WordPress development since 2009; it was a long journey. Exactly ten years ago today I submitted my first plugin to WordPress.org. I've got a master in business informatics in Berlin and worked five years as a WordPress developer in Winterthur. It was a little bit stressful; as you all know, as a WordPress developer you sometimes have too much stress, and so I decided to go into education, and since three years exactly from today I'm doing education in IT on application development, as it's called. That's all about me. The company is called Twofold Academy. They're working with autism, young people with autism. It's a little bit complicated to explain, but you can ask me later if you want.

So we're going further to the next thing. What is the WordPress REST API? Who of you is using the WordPress REST API for something? Okay, it's less than half, of course. So who of you is also aware of what REST is? Okay, this is more than half. Okay, interesting. Who doesn't know anything about REST? Okay. Good. So what is REST?
REST is representational state transfer and is the main communication between computers, and the WordPress REST... You don't see them. They're all working somewhere on the servers and you don't ever see them. By the way, Google is getting so rich because of a lot of REST things, and Amazon as well. Amazon was one of the first adopters of RESTful architectures, and so they got so incredibly rich just because of REST APIs. The REST API of WordPress is a collection of routes and endpoints. What is a route? A route is something like an address, a specific URI, where you can reach some resources, and the endpoint is merely the same way: you can ask questions on this route. So if you want to get something from WordPress, you can get it through the endpoint. It's in the core of WordPress. It's already there. You don't have to install it anymore. In former times, you needed a plugin which had this kind of logo, but this plugin is gone because it's in the core right now. Yeah, and it's running all the time and it's open by default. You have to be very careful because it exposes all the data you have in your WordPress through the REST API. I think every one of you has got a WordPress blog. So you really have to check this out. This is my last point here. Check it on your WordPress: /wp-json, and look what you can see there if you enter it on your WordPress inside the REST API in any web browser. It doesn't matter which one you take. You will see a JSON where all your data is shown, and so you really have to be careful what is inside this, because you can imagine, if your whole WordPress is open, what could possibly go wrong.
So the route is a pattern for how to find a way in the web, so you can find everything through the route on the WordPress, about the WordPress itself, what's in there, and you have to be aware that every plugin you have also takes advantage of the REST API, so you can find all plugins through the REST API in most cases, unless they are protected somehow. As I said, you can really check this on your own blog with /wp-json so that you can see this. It's there since WordPress 4.7, which is now seven years, 2016, and the web, the whole WordPress web, 43% of the world right now, is completely open data. So you really have to think about this: if your WordPress is not meant to be open data, you really have to be careful what is exposed there.

So then I often get asked, why is it there? And I have some assumptions, but I'm not sure if some of them are facts as well. The first assumption is they want to try to modernize WordPress. Everybody of us knows that WordPress is a big PHP monster which has thousands of functions, and you can do whatever, and some functions are not documented well, and so on. So they want to modernize it in a way that they only have a JSON API for the content. There was also in mind... I think I have this here somewhere. No, it's not here. Okay. So when it is the JSON API of WordPress, there is some other way to show your WordPress website than just the old PHP theme you can see, and you maybe heard about Jamstack pages. Jamstack pages are just HTML and JavaScript, which is no PHP at all, and they have the ability with some frameworks in Jamstack, for example, to parse WordPress JSON files to install the content of a WordPress into the Jamstack. So you can see there is one point. So I heard from some guys five years ago on WordCamp Zurich. He spoke about the New York Times. The New York Times was making this for all the journalists. They have the backend in WordPress. But the first page of the New York Times has to be so incredibly fast.
They can't use WordPress there. They just use the REST API in this case to push the contents there and just recompile the Jamstack page every time with the WordPress backend. It's much faster because we don't have to render any PHP. PHP is by now a little bit faster than a few years ago. I know some of you really had a problem, I think, because PHP 5.6 was very slow. Facebook, for example, was a social network on PHP, which was very slow as well. They created some React component for the overview, for the front-end, to make it faster. But then PHP got faster. So, and now the very interesting part is that WordPress also has now the same Facebook component in it. All of you know that maybe; it's this React, and WordPress forced Facebook to make it fully MIT licensed. They were able to do this. So they forced Facebook to make it full MIT license. It was not that way before. Also, the REST API is used for the first WordPress app. If you are blogging on WordPress.com, you can see that you can download in the app store some app which is called WordPress, and you can blog with it. It's all about the REST API, because this app only communicates with WordPress over this API, not any other thing. So the app doesn't need any PHP in this case. Another assumption for why the REST API is there: they already had this Gutenberg React editor in mind since 2016, I believe so. This editor came out in 2018, so it took two years to have the REST API ready to get this React editor up and running, and they had it inside before to power the development of this. The next thing is just an assumption. They want to push the boundaries of open data. So we heard before that they want to democratize publishing. So open data is really a democratizing of publishing, because if everybody can access every data everywhere, it's open data, and open data is very cool stuff in some cases for researchers and so on.
So be aware: every WordPress, if you don't do anything, is open data now. So you have to see that. It's a little bit scary, because when I first was aware of this, I thought, what the heck? I don't need WordPress anymore. I can do everything with this data. So this is a little bit funny and also scary, because it's all there in another representation than your design. So design doesn't matter anymore in this case, because it's all there as normal data.

So why is this so important? It helps WordPress content to be rendered everywhere. So apps, web, whatever else you can think of. So if it is just a small display in a train, you can render WordPress content there. Why not? So this is important in this case because you can access it from everywhere, from every small machine. So a REST API is, if you think in terms of Internet of Things, there are very small machines and they can access REST APIs and they literally need no data at all. So, in another way, you can connect WordPress to every other service which is also based on REST, which means that whatever other system you have there, you can connect it with your WordPress. For example, I worked in a company where we had a very, very old system where you have events in there, and the websites had to be WordPress because it has to be easy for the customers to fill in content and something like this. But we needed a REST API for the old system so that WordPress could consume that. And this is the thing: so the old system is still in presence, but WordPress can show the data from there. So WordPress is now able to interact with every API worldwide. So whatever you can imagine, if there is an API, you can include it in your WordPress; whatever you can imagine, if there is an API, it can take data from your WordPress, and so on. So you have to keep this in mind, that this is the really big thing about this.

So we are coming to the part why it's the most secret weapon.
I've already said something, but REST APIs are the most significant driver of the economy. You don't believe it, but everything you see that is working somewhere on the Internet has got a REST API behind it. If it is the delivery of a package, if it is the delivery of your food at lunch or something like this, there are thousands of REST APIs. If you take Uber or something like this, there are REST APIs with Google Maps, and here is the Uber right now and it's going there and it's going there. So everything in the economy today is a REST API, and the crazy part about this: nobody is aware of this and nobody is seeing this. So if you just type "API" somewhere, you will find a thousand services, just for free use, also paid use, whatever, which have an API today. So just Google that, then you can find a lot of this. This is the problem: the REST API in this case is still completely underestimated, because everybody is taking design, and we have a Gutenberg editor and we make better designs with it, and we start optimizing it with the React of the Gutenberg and everything else, and so you never think about that you have this REST API there in place. So why can't we use it for better? So you can integrate everything into WordPress, as I said, and you can provide everything with WordPress. You can take your WordPress also as the API provider. So your WordPress can be the application programming interface for the REST, for something else. So you can think whatever: if the customers need to know some special thing which they have to consume over an API, you can create this API and they can consume it from your website directly.

So we're coming to the next slide. So the important functions to know inside WordPress: there are three, I have three functions right now in this slide. There's wp_remote_get. It's a WordPress function used to send HTTP GET requests to remote servers.
It's like, some of you PHP developers know file_get_contents, but this WordPress function is much faster than this. It's even faster than this cool one. In earlier days, we always needed to use cURL to consume some data from some APIs, but WordPress now has exactly this inside. So the next one is wp_remote_post. Everybody of you who knows a POST request: we have to send some data with the POST request also, and we can put it in WordPress directly with wp_remote_post. So we can send something, and you really have much less code in this case, because if you use the WordPress functions, everything comes pre-built for the things you need to know. And you don't have to find out how I can send this thing to the server and what I should do to get some data from the server, and something like this. This was really so in earlier days. Now it's one command in WordPress. And then the third point is register_rest_route. I was really wondering: WordPress is using route and endpoint as the same word. So it's a function used to create custom routes and endpoints for the REST API in WordPress. So with register_rest_route, you can create whatever you want for the REST, from the WordPress wp-json, to be consumed by different people. And this is a really interesting point, because you can have there whatever you want. With register_rest_route, you can do whatever you want. You can register whatever you can imagine. You can write one for baby names or something like this. So you can have a REST route for creating baby names in your WordPress. Nobody is seeing this as well, but you can have it there. Why not?

So now I have one special example use case. I just need to take a photo of you here, just so that you can see what REST APIs are doing exactly. As you can see, I didn't do anything with the photo right now. So we're coming back, we're going to the next slide.
This photo is now sent to an API, and it's tweeting that automatically and creating a meme of it, now with these people. So I hope it's already there. It's not very fast. I have to admit that it's not the fastest one. I can click the link. Is that crazy? I have to leave this. So this is an old one. You don't see it? Oh, yeah, crazy stuff. There was a session before. So it was the session before. Now here we have it. It's exactly the photo from a few things. And all the things like this one and this one are all done by APIs at the moment. So I didn't put the text somewhere, and it's tweeting that as well from there. So if I go here to Twitter, there it is. So it just was one photo, and it's doing that instantly, spreading it over the internet. So that's very crazy stuff about this. I need to find my... Here it is. I hope it works. Ah, where's the mouse? Here's the mouse. So, yes, it was all spread by APIs from... I sent it to a Telegram server. You all know Telegram somehow. WordPress told me once they use it for their internal messaging as well, because it's very fast with the bot API of Telegram, so they can get all the server errors directly over Telegram. And what it's doing now: I take the photo, send it to Telegram, Telegram is sending it to WordPress, to the REST API, and the WordPress is sending it to another WordPress to make the text on the image. Then it goes back to my WordPress, tweets it, and the tweet is sent back to my API so that I can show it on a specific page. So I got this address of the page inside the slide, and the image was not there before. It just spread there from the... So the tweet is sending back its ID to the WordPress, and another WordPress is taking it from the API of this WordPress where the tweet came from and using the image.
So it's very complicated in a case, but you can imagine, if you have interconnected systems like this and you are a journalist or something like this, you can work really fast, and imagine what it means for live events or something like this. In a live event you always have some problems, with maybe you are not fast enough, and some stations or something like this need to have a buffer for censoring content, so in this case censoring content is not possible because it's going live directly in seconds. So this is... I think that was it. So we are at the end of the slides. I'm not sure what the time is. Any questions right now? Okay, yeah.

Do you have any experience, or any practical experience, with frameworks or themes that focus on the WordPress API? Because in theory the idea is to use WordPress as a decoupled CMS, like a headless CMS, and the technology seems cool, but the reality is that it is so complicated to create a website with only APIs, and especially if you use e-commerce, that you have problems with plugins, that something breaks. At the end I always go back to the old ways of doing websites, because how can I convince my boss to use headless WordPress if it's going to make it more complicated than before?

Yeah, this is a very good question, thank you. One thing I can tell you is that WordPress is in some cases way too slow, and this is the reason why we have to consume the API, and there is one framework from Google exactly, it's called Hugo. It's the Hugo CMS, and Hugo can consume with one little command, can consume some JSON, but you need to compile it every time before you load it on the server, and you can put all the content into WordPress, but Hugo can compile the content again and put it on the web server.
You can have an automated workflow for this, which means HTML at the end, if it's on the web server, which makes this thing so incredibly fast that you never, never want to switch back to the old WordPress, because today you have a little problem, because Google is very sensitive if the site speed is too slow. So you need to find a way to get around the site speed problem which is caused by PHP and a lot of plugins. And so Hugo is one of the things. There is one page from these Netlify guys; Netlify is a Jamstack page, he also created the term Jamstack, and it's jamstack.org, so you can find a lot of frameworks which can just consume WordPress with the JSON API. There's also another way on jamstack.org where you render the whole WordPress page as HTML again, and then it's also very fast, but it's not recommended because it takes long. Yeah, there's a second question. Did you just answer your question? Okay. You can ask it again then.

So could you characterize, describe again, what is open by default in the API in WordPress, and also the sub-question would be, what kind of mechanisms are in place to decide what I want to leave open on the wp-json API or what I will hide? How can I, let's say, manage exactly what I want to be public or not?

Okay, it's a good question as well. It's open by default. I want to show this. I need to find the mouse. It's always running somewhere there. Open by default means that we have... it's the website I want to show. If you type behind your website here /wp-json. Yeah, I didn't write json. Everybody's seeing my history right now. Oh my God, it's double-edged. What happened? You selected the whole JSON word. So in this case Firefox has got a very special function to show JSON somehow rendered, and this is what you see if you go to /wp-json inside Firefox, and if you go now with command, you can see it's a one-line JSON file with a lot of information about your blog.
The blog itself has not much information, but there are some REST APIs you can find there, and now we can see this right here. Here it is written that this is the wp-json, and there are some things inside like the IP Hippo, the Bushit, the screenshot, what is the memes, the WP Dark Mode; some of them are plugins, some are anonymous, and what you can see, when you go deep enough here, you also have these standard WordPress functions like the oEmbed, or here are a lot of APIs which are not meant to be public but they are public. I hope they have API keys; if not, you can use them. Here we have the wp/v2/posts, and in this case it is also written what you have to put in there to see where you can get this post, and you can access all your websites and all your posts from this one. Only the ones which are published.

Actually, I didn't really work a lot with the REST API of WordPress so far, but what I figured out is that only the posts that are published are publicly accessible, and I think also for the users, I tried to do a users list, and it's only the users that published something like a post that are publicly available, but I'm not completely sure about that.

Yes, it's true partially, because some plugins which are restricting content to only users are not doing it really right. What happens is that sometimes in the WordPress API you find some data you don't want to be there, so you have to be sometimes very careful. There on the top is also a question; it was before you, but it doesn't matter. Give it to him. Try it.

My name is Alexandro Filippescu, and I will soon finish my master's in computer science at the University of Bern, and now my question is: so you mentioned that Hugo is a CMS that in the WordPress web app manages to create routes to offer static pages, for which we don't need to use any plugins, so that gets it in the right direction, so it makes our web app run faster by just serving static content, right? Yes, this question is also very interesting.
Now my question would be: instead of using this method, would it be a better idea to use a load balancer and have two servers that run WordPress with the same data? Wouldn't that be a better solution? Because then you can have multiple instances, so that if a server is stressed you can go to the other one. Wouldn't that be more reliable? That's my question.

According to your use case: if you have to be really fast, it would be a better idea to serve all over the REST API, because in this case you can do whatever you want there and send it to whatever system you want, and so if you consume the REST API you are very, very, very fast. But if you are not aware of how to use it, or you just need a small website for your small business, there is a very, very expensive solution of course, because you have to put in a lot of brain power to get it right for your use case. That's the reason why WordPress developers are sometimes paid very well, as they know that. So if you need a job change and you want to boost your career, try to learn this, and I can guarantee you, you are paid one number more in your yearly wage. I hope it answered your question. Sorry.

Somehow, imagine having a car and making your gas tank larger so you can drive faster, and instead you can just make the engine consume less fuel. Wouldn't it be a better idea to make a better engine than a larger tank? This is the way: at some point you will end up with 5 million servers just to handle the same traffic which you would handle basically by creating a better application. So that's the idea.

I will actually... this is a request more than a question, but I will turn it into a question. What are your tips? Because you've been talking about functions which are used to communicate with the API. What I think is very important is the security of the API. It's like you cannot talk about the REST API without talking about security, and the most important thing people ask about is what's open by default.
Funny thing: you cannot check it only once. Imagine if you install, I don't want to use the word trivial, but just install WooCommerce on your site, and basically you are able to break some country's law by basically exposing data through the WordPress API by installing the plugin. That's all you do, and you already broke the law, because at some point, I'm not sure about now, but at some point you were able to see all the customer details of who made a purchase on your website through WooCommerce; you were able to see the details of your customers just like that. So keep that in mind: registering new endpoints, seeing the API through the URL, it's cool, but instead of focusing on creating new ones, think about removing the ones which you don't want to show. So to turn it into a question: what are your tips to make the WordPress API more secure?

Thank you very much. So it's according to your use case again, but the best case would be, if you don't need it, to close it at all, because if you don't want to have it there on this particular website, then you have to close it, because then you can be 100% sure it's not exposed somehow. But if you're using WooCommerce, it's a good example, and you close the REST API, then good luck with all of this. You are not able to receive the products.
So it's somehow like a circular problem: closing maybe breaks something inside WordPress; leaving it open maybe breaks the law because you're exposing data you don't want to expose. And there is a good example from the government. You're on a noted page... okay, it's too complicated, it takes too long to type it in. So if you go to a web page from the government, like brg-coronavirus.ch, and type in /wp-json, it's closed completely, because if it is there, everybody else could use the contents from there. So yes, you have a problem if you close it completely, and also if you leave it open. In the best case you can hide the endpoint, which means nobody can find out anything about the endpoint. So that's very easy to do; there's one part of code that hides the endpoint, so you can leave WordPress open to work properly, but the endpoints are hidden and nobody else can see what happens there. There's one approach to get there, to hide them, just to hide them, to not break anything. Okay, there's another question. We have time for two more questions.

Not really a question; I would like to add on to that statement from before. Mostly what you can do is just close the API and only leave it open for logged-in users, which mostly doesn't break the website and still makes everything work normally for logged-in users, like the Gutenberg editor and all of that stuff will still work, but other users who aren't logged in will not be able to access your endpoints.

It's very interesting, because you have to show me how you want REST to be stateless. That means to be logged in is somehow some creepy thing sometimes. There are some plugins which allow it, because at the end of the day it still sends your login cookie when you do a request with WordPress, so you can just do it like any other web page. It's technically not really per standard, but it works. Yeah, it's possible. You have an application password inside WordPress for users, which can also work for some users, but if you are logged in and you have
this JSON... I exposed a lot of social networks as a logged-in WordPress user with the application password; I can do everything over the REST API. So that's also sometimes a little bit dangerous. So, last question.

Hi, it's not really a question. I use the WordPress REST API to manage LearnDash. LearnDash is a learning plugin in WordPress, and a CRM, and I use an application password. Then when I send a request, this request is authenticated, then I can get the user login email, and that's the security: this endpoint is only open with authentication, with the application password. You can use it in WordPress: you go to the user admin and you add the application password.

Yeah, it works, it's okay, but sometimes it does not work for every plugin out there, so you have to see what your plugin is doing. If you are aware of WPScan, it's very much scanning the REST API also to find out a lot of things. So then we are finished, I think. Thank you for having me here. I hope you found it interesting.
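The three mitigations that come up in the Q&A (a permission check on a route you register yourself with register_rest_route, leaving the REST API open only to logged-in users so the block editor and application-password clients keep working, and hiding individual endpoints such as the users listing instead of closing the whole API) put together as one added PHP example. This is not code from the talk or from WordPress itself; the hooks, filters and functions used are WordPress core ones, while the namespace talk-example/v1 and the route /status are invented for the illustration.

```php
<?php
/**
 * Plugin Name: REST API Hardening Example
 *
 * Added example, not code from the talk. Drop it into wp-content/mu-plugins/
 * on a test site. The namespace "talk-example/v1" and route "/status" are
 * made up for this illustration; everything else is WordPress core API.
 */

// 1. Register your own route with an explicit permission_callback.
//    Without one, anybody who finds the route in /wp-json can call it
//    (WordPress 5.5+ logs a notice when the callback is missing).
add_action( 'rest_api_init', function () {
    register_rest_route( 'talk-example/v1', '/status', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array(
                'ok'   => true,
                'user' => get_current_user_id(),
            ) );
        },
        // Only users who may edit posts get an answer; everyone else gets 401/403.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

// 2. Require authentication for the whole REST API.
//    Cookie + nonce (the block editor) and application passwords still work,
//    because those users are already authenticated when this filter runs;
//    anonymous visitors receive a 401 instead of the site's data.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another handler already allowed (true) or rejected (WP_Error) the request.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// 3. Hide specific endpoints instead of closing the API.
//    Here the public users listing is removed from the route table, so it
//    neither appears in the /wp-json index nor answers requests, while
//    /wp/v2/posts and plugin routes keep working.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );
```

Part 2 is the blunt instrument the audience member describes ("close it, only for logged-in users"): it also blocks anonymous front-end features that ride on the REST API, such as oEmbed discovery or contact-form plugins that submit through their own routes, so test the site logged out after enabling it. Part 3 is the finer-grained approach the speaker prefers: remove or restrict only the routes that expose data you do not want public, and check the result the same way the talk does, by loading /wp-json and the affected route in a browser while logged out.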