Micro.blog

colinwalker
Zsolt brought up the question of security around using WordPress for private journaling considering the WP REST API relies on username & password. You could look at JSON web tokens (JWT) but would still need to initially send your username and password to get the token. Or maybe OAuth 2... colinwalker.blog
zsbenke

@colinwalker

Private posts can only be retrieved by a properly authenticated user via the REST API so, I’d argue, things are safe when using https.

That’s what concerns me. No additional security other than a username/password can be used with the REST API to retrieve private posts, and I had a blog hacked once using a security error in WordPress. There should be a stronger authentication (maybe two factor) for the REST API too. Sure, I could disable it altogether, but that’s also annoying.

I’m just not comfortable storing private stuff on WordPress I think.

zsbenke

@colinwalker I also open sourced the import script for Day One to WordPress I mentioned yesterday. Maybe somebody else will need it. decoding.io/2018/05/4...

colinwalker

@zsbenke I’m going to do a full write-up of what I’ve been doing, but one option is to register a custom post type and not include support for the REST API.
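As an added example (not code from anyone in this thread), this is how the custom post type option above could look in a small WordPress plugin: the `journal` type name, labels and the plugin header are assumptions. The second hook covers the "disable it altogether" option mentioned earlier, but only for anonymous callers, so logged-in editing still works.

```php
<?php
/**
 * Plugin Name: Private Journal Post Type (example)
 * Description: Registers a 'journal' post type that is kept out of the REST API
 *              and out of public queries. Type name and labels are assumed.
 */

add_action( 'init', function () {
    register_post_type( 'journal', array(
        'labels'              => array(
            'name'          => 'Journal',
            'singular_name' => 'Journal entry',
        ),
        // Not public: no front-end permalinks, archives, or search results.
        'public'              => false,
        'publicly_queryable'  => false,
        'exclude_from_search' => true,
        'has_archive'         => false,
        'rewrite'             => false,
        // Still editable in wp-admin for logged-in users with 'post' capabilities.
        'show_ui'             => true,
        'capability_type'     => 'post',
        'map_meta_cap'        => true,
        // The key setting: WordPress registers no /wp-json/wp/v2/... route for this type,
        // so a username/password (or app password) alone cannot read entries over REST.
        'show_in_rest'        => false,
        'supports'            => array( 'title', 'editor', 'revisions' ),
    ) );
} );

/**
 * Defence in depth for a single-user journal site: reject every REST request that
 * does not arrive with an authenticated WordPress session or credentials. Core routes
 * such as /wp/v2/users then return 401 to anonymous callers instead of data.
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler already succeeded (true) or failed (WP_Error).
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication is required to use the REST API on this site.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```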

vishae

@zsbenke ooh, this would be very helpful, thank you!

colinwalker
@zsbenke definitely have thought about it many times. Thanks for the link and the work on the script! (Ugh. Ruby!)