Micro.blog

colinwalker
Zsolt brought up the question of security around using WordPress for private journaling considering the WP REST API relies on username & password. You could look at JSON web tokens (JWT) but would still need to initially send your username and password to get the token. Or maybe OAuth 2... colinwalker.blog
In reply to
zsbenke

@colinwalker

Private posts can only be retrieved by a properly authenticated user via the REST API so, I’d argue, things are safe when using https.

That’s what concerns me. No additional security other than a username/password can be used with the REST API to retrieve private posts, and I had a blog hacked once using a security error in WordPress. There should be a stronger authentication (maybe two factor) for the REST API too. Sure, I could disable it altogether, but that’s also annoying.

I’m just not comfortable storing private stuff on WordPress I think.

zsbenke

@colinwalker I also open-sourced the import script for Day One to WordPress I mentioned yesterday. Maybe somebody else will need it. decoding.io/2018/05/4...

colinwalker

@zsbenke I’m going to do a full write-up of what I’ve been doing, but one option is to register a custom post type and not include support for the REST API.
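One way to do what is described above, as an added example that is not code from the thread or from either participant's blog: register the journal post type with REST support switched off, and additionally reject unauthenticated REST requests so the remaining endpoints cannot be probed anonymously. The post type name "journal" is an assumption; the two hooks are standard WordPress APIs.

```php
<?php
// Added example (not from the thread). Assumed post type name: "journal".
// Drop this into a small must-use plugin on the private journal site.

// 1. Register the journal post type without REST support, so no
//    /wp-json/wp/v2/journal routes exist for a password-only client to hit.
add_action( 'init', function () {
    register_post_type( 'journal', array(
        'label'           => 'Journal',
        'public'          => false,   // no front-end queries or permalinks
        'show_ui'         => true,    // still editable in wp-admin
        'show_in_rest'    => false,   // the key setting: no REST routes at all
        'supports'        => array( 'title', 'editor' ),
        'capability_type' => 'post',
    ) );
} );

// 2. Belt and braces: refuse any REST request that is not from a
//    logged-in user. Core returns null here when no authentication has
//    happened yet, and a WP_Error when cookie/nonce auth already failed.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // another handler already accepted or rejected
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'REST API requests require authentication.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```

Note that the block editor itself talks to the REST API, so a post type with `show_in_rest` set to false is edited with the classic editor; the second filter also blocks anonymous access to public endpoints such as `/wp/v2/users`, which is usually what you want on a private site.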

vishae

@zsbenke ooh, this would be very helpful, thank you!

colinwalker
@zsbenke definitely have thought about it many times. Thanks for the link and the work on the script! (Ugh. Ruby!)