
Wondering if someone can provide some direction.

I'm creating a WordPress plugin that will be publicly available (free). The plugin is meant to allow bloggers to include a definition widget using Bootstrap's data-toggle.

Since I don't want people stealing the content without attribution, the hyperlink will be pulled out from a private API.

Here's how I think this should flow, but I know that there are things that are inefficient:

  • Create a private API that houses all of the data. It might be as 3 branches of data:

    id -- name -- definition

  • Have the plugin authenticate somehow with the server

  • Plugin creates a shortcode in WordPress, i.e. [define="term"]anchor[/define]

  • When the shortcode is called, it pings the server and stores something locally in their SQL DB.

Additional Notes/Concerns

I understand that there is nothing such as being hack-free or altered free. But I want to get as close as possible.

A couple of exploits I can see happening are if people change the cached info in the SQL DB. Is there a way to potentially kill the data-toggle content if this happens?

Also, I don't want people to be able to create their own calls to our API creating their own programs. That's not the intended use of this.

I apologize if my thoughts seem cluttered, but I can't seem to figure out a solid workflow in where I should get started with this.

If anyone can help bring clarity, I would greatly appreciate it.


1 Answer


I would be inclined to do the following:

  • Give every user a unique API token or other credentials
  • Link every token to a single IP address and reject any requests where the token doesn't match the IP address.

That way if you become aware of someone misusing the content you need only delete their token to prevent access, and can be reasonably sure that it's not being used on another server. Users can enter the API credentials in the plugin admin.

I think OAuth2 will probably be the way to go to authenticate clients - it's made for granting access to client applications and there are plenty of implementations available. You'd need to add the ability to verify that the user matches the IP, but that shouldn't be difficult.
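The server-side half of the scheme in this answer, as an added example that is not part of the original post or of any existing plugin: each user is issued a unique API token, each token is bound to one or more IP addresses (one-to-many, as the comments discuss), and a request is refused if the token is unknown, revoked, or presented from an IP it is not bound to. The token store layout, the function names, and the sample definition records are assumptions made for the example; a real deployment would keep the records in the API's database and would put this check in front of whatever OAuth2 or token endpoint the API exposes.

```python
"""Token-plus-IP authorization for a private definitions API.

Added example, not the project's code. The store layout, the names below and
the sample records are assumptions for illustration."""
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed sample data in the shape the question describes: id -- name -- definition.
DEFINITIONS = {
    1: {"name": "phishing", "definition": "Fraudulent messages that lure a user into revealing credentials."},
    2: {"name": "csrf", "definition": "Tricking a browser into sending a request the user did not intend."},
}


@dataclass
class TokenRecord:
    user: str
    allowed_ips: Set[str]   # one-to-many: several hosts may be bound to one account
    revoked: bool = False


def _canonical_ip(ip: str) -> str:
    """Normalise the textual form ("2001:DB8::1" -> "2001:db8::1"); raises ValueError on junk."""
    return str(ipaddress.ip_address(ip))


class TokenStore:
    """Keeps only SHA-256 digests of tokens, so a leaked table does not leak usable credentials."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, allowed_ips: Iterable[str]) -> str:
        """Mint a token for a user; the plaintext is returned once, for the plugin admin form."""
        token = secrets.token_urlsafe(32)
        ips = {_canonical_ip(ip) for ip in allowed_ips}
        self._records[self._digest(token)] = TokenRecord(user=user, allowed_ips=ips)
        return token

    def revoke(self, user: str) -> int:
        """Disable every token issued to a user (the 'delete their token' step); returns the count."""
        n = 0
        for rec in self._records.values():
            if rec.user == user and not rec.revoked:
                rec.revoked = True
                n += 1
        return n

    def authorize(self, token: str, client_ip: str) -> Tuple[bool, str]:
        """Decide whether a request may proceed.

        client_ip must be the TCP peer address (or the address a *trusted* reverse
        proxy reports), never a header the client can set such as X-Forwarded-For,
        or the IP binding is trivially bypassed."""
        rec = self._records.get(self._digest(token))  # look up by digest, never by plaintext
        if rec is None:
            return False, "unknown token"
        if rec.revoked:
            return False, "token revoked"
        try:
            ip = _canonical_ip(client_ip)
        except ValueError:
            return False, "malformed client ip"
        if ip not in rec.allowed_ips:
            return False, "ip not bound to token"
        return True, "ok"


def fetch_definition(store: TokenStore, token: str, client_ip: str, term: str) -> Optional[dict]:
    """The endpoint behind the [define] shortcode: authorize first, then look up the term."""
    ok, _reason = store.authorize(token, client_ip)
    if not ok:
        return None
    for entry_id, entry in DEFINITIONS.items():
        if entry["name"] == term.lower():
            return {"id": entry_id, **entry}
    return None


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("blogger1", ["203.0.113.10"])
    print(fetch_definition(store, token, "203.0.113.10", "phishing"))
    print(store.authorize(token, "198.51.100.7"))
    store.revoke("blogger1")
    print(store.authorize(token, "203.0.113.10"))
```

The two points a practitioner would want to keep from this: the server stores digests rather than tokens, and the IP it compares against is the connection's peer address, not something the request body or headers assert. Binding to IPs also means a blogger who changes host needs the new address added to the record, which is why a one-to-many relation is the more forgiving shape.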


4 Comments

Thanks for your input. Two concerns I have about this are: 1. Changes server/host. -- 2. Overcomplicating the process. For example, Amazon's plugin to generate affiliate links is pretty easy to use. Also, would you be able to provide any documentation on setting up OAuth2 for WP plugins using their default wp-json api? Or would I need to create my own? Sorry, but I'm new to creating APIs. Lots of experience in calling them.
You could implement the functionality to associate multiple IPs with an account easily enough, as it'd just be a one-to-many relation rather than a one-to-one relation. Regarding OAuth, it would be a case of your own API implementing it - there are plenty of implementations, but the choice may depend on how you're building the API - for instance, if you used Laravel, there's an existing OAuth implementation called Passport that should be easy to integrate. Then you build the plugin to authenticate using OAuth. The admin in the plugin should be able to accept and store the API credentials.
I don't think that's too complex for end users - it's just a case of entering a handful of details into a form in the admin.
Great. Thanks so much. I'll look into Laravel. Was hoping to pull the information directly from WordPress's JSON API though without compromising all of the data and revealing users/passwords. I'm sure creating our own API using Laravel will give us more flexibility. Thanks again, Matthew.
