Writeseed - AI Content Writer

tonnic
Jan 18, 2025

Q: Are your plugins secure enough?

Are there any plans to look at the plugins and secure them more? Isn't using the following a little bit of a security issue:
'permission_callback' => '__return_true',

That doesn't check to see if a user is logged in and check permissions. Also, why is your plugin creating an administrator login vs an author?

Founder Team
Hendrik_WPAutoBlog

Edited Jan 18, 2025

A: Hi,

You can use our WordPress connection without the plugin, which works via the application password and REST API endpoint. That being said, the plugin is perfectly safe and fine to use as well. Sadly, you don't seem to fully understand the code or you wouldn't ask that. Our platform pings the plugin, which then fetches the articles from our API endpoint, which is hardcoded.

I hope this clears up your confusion.

Best regards,
Hendrik


The full code shows that a client secret is required as well as the post id, which is then verified with our server. Weird how you could overlook that:

    add_action('rest_api_init', function () {
        register_rest_route('Writeseed/v1', '/fetch-post/(?P<id>\d+)/(?P<uuid>.+)', [
            'methods' => 'GET',
            'callback' => 'Writeseed_fetch_and_create_post',
            'permission_callback' => '

Even if someone for some reason tried to call the API endpoint, nothing would happen without the client secret and a post id which is verified with our server by the callback.

"Also, why is your plugin creating an administrator login vs an author?"

That isn't what is happening at all. We do not create an "administrator login" but use the application password flow, which is the officially recommended way to handle a use case like this.

https://wordpress.com/support/security/two-step-authentication/application-specific-passwords/
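Added example, not part of the thread and not Writeseed's code: a WordPress route registered with '__return_true' next to one whose permission_callback checks a shared secret before the callback runs. The 'example/v1' namespace, the 'example_client_secret' option, the 'X-Example-Secret' header and the example_* function names are hypothetical.

```php
<?php
// Added example. All names below (namespace, option, header, functions) are hypothetical.

add_action('rest_api_init', function () {
    // Public route: '__return_true' lets any unauthenticated request reach the
    // callback, so every authorization check has to live inside the callback.
    register_rest_route('example/v1', '/open/(?P<id>\d+)', [
        'methods'             => 'GET',
        'callback'            => 'example_fetch_post',
        'permission_callback' => '__return_true',
    ]);

    // Gated route: WordPress calls example_check_secret() first and returns the
    // error to the client without ever invoking the callback if it fails.
    // The uuid pattern is narrowed to the 36-character form (a choice made here).
    register_rest_route('example/v1', '/gated/(?P<id>\d+)/(?P<uuid>[0-9a-fA-F-]{36})', [
        'methods'             => 'GET',
        'callback'            => 'example_fetch_post',
        'permission_callback' => 'example_check_secret',
        'args'                => [
            'id' => [
                'validate_callback' => function ($value) {
                    return ctype_digit((string) $value);
                },
                'sanitize_callback' => 'absint',
            ],
        ],
    ]);
});

function example_check_secret(WP_REST_Request $request) {
    $expected = (string) get_option('example_client_secret', '');
    $supplied = (string) $request->get_header('X-Example-Secret');

    // Fail closed when no secret is configured; compare in constant time.
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return new WP_Error('rest_forbidden', 'Invalid or missing secret.', ['status' => 401]);
    }
    return true;
}

function example_fetch_post(WP_REST_Request $request) {
    // Placeholder body: echoes the validated id instead of creating a post.
    return rest_ensure_response(['id' => (int) $request['id']]);
}
```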
