A standalone script could be exploited to give unlimited access to a website. A custom REST API endpoint provides access with better control.
When working on the List WooCommerce products by sizes script I noticed that it was returning a 404 (Not Found) status code. This wasn’t a problem when running the script in a browser, but it broke when the script was run using the cron-job.org service.
I asked for help with the 404 error issue on the Advanced WordPress group on Facebook. One of the suggestions was to use the REST API and add some authentication. I found a very helpful post: How to make custom endpoints for WordPress REST API. It used a class to implement the endpoint.
Adapting the code
The WPEka code required an already logged-in user. This would not work for me, so I did extensive searching and work on passing user credentials to the endpoint and authenticating them. Passing them as GET parameters was out, as they could easily be seen in the access log, so I chose to pass the info in headers.
I used the excellent Postman app to run a lot of tests on my code. I was able to easily change the headers sent to the endpoint. It helped me experiment with the user capabilities – I decided to require a very basic user to minimise abuse of the endpoint. A Subscriber user is sufficient – a dummy user can be created to work with the endpoint.
Endpoint plugin code
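The following is an added illustration of the approach described above, not the WPEka code or the author's plugin: a minimal plugin that registers a custom REST route, reads the username and password from two custom request headers (the header names `X-Example-User` and `X-Example-Password`, the namespace `example/v1` and the route `/products` are all assumptions), authenticates them with WordPress's own `wp_authenticate()`, and only requires the `read` capability that a Subscriber has.

```php
<?php
/**
 * Plugin Name: Header-Authenticated REST Endpoint (illustrative example)
 * Description: Custom endpoint whose permission callback authenticates
 *              credentials passed in request headers instead of GET parameters.
 */

// Register GET /wp-json/example/v1/products when the REST API boots up.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/products', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_products_handler',
        'permission_callback' => 'example_permission_check',
    ) );
} );

/**
 * Authenticate the caller from two custom headers. Headers are not written to
 * the access log by default, unlike query-string parameters. WordPress
 * canonicalises header names, so 'x-example-user' matches X-Example-User.
 * Any failure returns a WP_Error; the REST server turns it into a JSON error.
 */
function example_permission_check( WP_REST_Request $request ) {
    $user_login = $request->get_header( 'x-example-user' );     // assumed header
    $password   = $request->get_header( 'x-example-password' ); // assumed header

    if ( empty( $user_login ) || empty( $password ) ) {
        return new WP_Error( 'rest_unauthorized', 'Missing credentials.', array( 'status' => 401 ) );
    }

    // wp_authenticate() checks the password hash and runs the usual auth filters.
    $user = wp_authenticate( $user_login, $password );

    // A dummy Subscriber is enough: 'read' is the most basic capability.
    if ( is_wp_error( $user ) || ! user_can( $user, 'read' ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid credentials.', array( 'status' => 403 ) );
    }

    return true;
}

/** Only runs if the permission callback returned true. */
function example_products_handler( WP_REST_Request $request ) {
    $names = array();
    if ( function_exists( 'wc_get_products' ) ) { // WooCommerce active?
        foreach ( wc_get_products( array( 'limit' => 20 ) ) as $product ) {
            $names[] = $product->get_name();
        }
    }
    return rest_ensure_response( array( 'products' => $names ) );
}
```

A cron job would call the endpoint with the same two headers, for example `curl -H "X-Example-User: dummy" -H "X-Example-Password: ..." https://example.com/wp-json/example/v1/products`, so the site should be served over HTTPS to keep those headers off the wire in clear text.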
Creating the cron script
As this code is intended to be called by a cron script (I will convert the List WooCommerce products by sizes script to an endpoint), I experimented with cURL and loads of options. I wasted a lot of time trying to figure out how to include the username and password in the headers before seeing the ‘Code’ feature in Postman, which shows the automatically generated PHP cURL code.