Custom RPC end-point security best pratice?

I think your paradigm is not optimal. You are starting on premise of “WordPress Ajax endpoint is slow” and your solution is to “build alternate authentication scheme”. This completely spells trouble.

Anything security should be reused as much as possible and coded by people specializing in security. Trade-off of reimplementing security for the sake of performance is major red flag.

So back to square one. If your issue is “WordPress Ajax endpoint is slow” then build a faster WordPress Ajax endpoint. You can do so with SHORTINIT (there are answers about it around on site) to have very customized core load. It’s a nightmare to ship in public code and pain on upgrades, but for private high–performance Ajax it’s the way to go.

PS I am not sure how your Ajax needs relate to RPC (XML RPC?) needs, since you mention both.

Related Posts:

  1. WordPress Ajax Data Security
  2. Nonces and Cache
  3. Is it safe to assume that a nonce may be validated more than once?
  4. Multiple ajax nonce requests
  5. Nonces, AJAX, script variables & security in WordPress
  6. How do I check if AJAX nonces are implemented correctly?
  7. Is it safe to manually sign a user in using AJAX?
  8. WP Admin AJAX Security – using POST to include a relative URL
  9. ajax nonce verification failing
  10. Should I check for privileges before hooking into `wp_ajax_$handle` or after?
  11. Is it secure to use admin-ajax.php in front?
  12. Why does check_ajax_referer give a 403 error on https websites?
  13. Using nonce when loading posts with AJAX
  14. 200 return code on ‘POST /wp-admin/admin-ajax.php’ while NOT logged in
  15. Should wordpress nonce be placed in html form or in javascript file
  16. How to prevent my external API call from being called by anyone but me (my site)
  17. check_ajax_reffer not working when logged
  18. How to safely pass post_id and user_id via AJAX to the backend (prevent user from changing it via JS)?
  19. Ajax Security regarding user priviliges and nonces
  20. Can I make an ajax response cross-domain?
  21. How to stop a nonce from being cached in an inline script, or alternatives to regenerate it if expired?
  22. How does the security of admin_ajax.php work?
  23. nonce_user_logged_out to assign guests unique nonces breaks ajax calls
  24. PHP “php://input” vs $_POST
  25. Google Maps API throws “Uncaught ReferenceError: google is not defined” only when using AJAX
  26. Access-Control-Allow-Origin error sending a jQuery Post to Google API’s
  27. Access-Control-Allow-Origin error sending a jQuery Post to Google API’s
  28. How to solve the error “SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.” in IE
  29. Show spinner GIF during an $http request in AngularJS?
  30. Refresh HTML Page in Browser Automatically on Timer – Every 15 Min
  31. JavaScript implementation of Gzip
  32. jQuery: Performing synchronous AJAX requests
  33. ASP.NET MVC controller actions that return JSON or partial html
  34. jQuery’s .on() method combined with the submit event
  35. Ajax takes 10x as long as it should/could
  36. How to check if I am in admin-ajax.php?
  37. Best way to end WordPress ajax request and why?
  38. How to load wp_editor() through AJAX/jQuery
  39. How does admin-ajax.php work?
  40. How to cache json with wp-super cache
  41. Load minimum WordPress environment
  42. Why use wp_send_json() over echo json_encode()?
  43. Why use admin-ajax.php and how does it work?
  44. How to get a unique nonce for each Ajax request?
  45. Open a Thickbox with content trough AJAX
  46. Initialize TinyMCE editor / visual editor after AJAX insert
  47. Why not register shortcodes if is_admin dashboard?
  48. WordPress AJAX with Axios
  49. Why is die() used at the end of function that handles an Ajax request?
  50. Why might a plugin’s ‘do_shortcode’ not work in an AJAX request?
  51. Making my AJAX powered WordPress Crawlable
  52. Is there a JavaScript API? How to access public and private data in JS?
  53. Get Previous & Next posts by Post ID
  54. failed to load wp-admin/admin-ajax.php
  55. Using Backbone with the WordPress AJAX API
  56. Using Ajax with a Class file
  57. Ajax in a settings page (update_option is undefined)
  58. How to pass data parameter to ajax action function handler
  59. Nonces can be reused multiple times? Bug / Security issue?
  60. Displaying PHP Errors from admin-ajax.php
  61. wp_set_auth_cookie() doesn’t work in Ajax call
  62. gettext does not translate when called in ajax
  63. Execute one AJAX request after another AJAX request finished
  64. WP-AJAX vs WP REST API: What to use for requests to the website from outside?
  65. Ajax and autocomplete
  66. How to add to cart via AJAX Woocommerce [closed]
  67. SSL breaks customizer: page isn’t returned from ajax
  68. Why is a 500 error generated by admin-ajax.php not going into the Apache error log?
  69. Are ‘wp_ajax’ and ‘wp_ajax_nopriv’ exclusive to authenticated and non-authenticated users?
  70. How to HTML5 FormData Ajax
  71. admin-ajax.php vs Custom Page Template for Ajax Requests
  72. How to override WP_DEBUG for Ajax responses?
  73. Stop admin-ajax?
  74. redirect out of wp-admin, without losing admin-ajax.php
  75. Call to undefined function add_action()
  76. Including WordPress in RESTful API
  77. Get posts with ajax
  78. admin-ajax.php doesn’t work when using POST data and Axios
  79. How to call a PHP function with Ajax when the user clicks a button
  80. REST API endpoint for elasticpress autosuggest
  81. Ajax for non-logged-in users
  82. Contact Form 7 Custom Post Action
  83. Custom Form with Ajax
  84. How to process ajax requests correctly using ajax plugins
  85. ajax – why multiple calls to wp_create_nonce() return same value?
  86. Update user meta using with ajax
  87. Registering AJAX callback function that is part of a class without instantiating the class in function.php
  88. WordPress function that makes HTML safe to be sent via AJAX request
  89. How do I hook an Ajax request into a PHP callback?
  90. AJAX request on the frontend always returns 0 if user is not admin
  91. admin-ajax.php returns 0. How do I debug it and fix it?
  92. Ajax requests without JQuery
  93. Admin Notification after save_post, when ajax saving in gutenberg
  94. How to properly use wp.ajax.post?
  95. Load tinyMCE / wp_editor() via AJAX [duplicate]
  96. How to tie built in AJAX to an add_action?
  97. Using Nonces for AJAX that only retrieves data
  98. WordPress AJAX Login Screen
  99. AJAX vs Fragment Caching for W3 Total Cache [closed]
  100. Saving (Updating) Post / Page Edits With AJAX
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)