Custom RPC end-point security best pratice?

I think your paradigm is not optimal. You are starting on premise of “WordPress Ajax endpoint is slow” and your solution is to “build alternate authentication scheme”. This completely spells trouble.

Anything security should be reused as much as possible and coded by people specializing in security. Trade-off of reimplementing security for the sake of performance is major red flag.

So back to square one. If your issue is “WordPress Ajax endpoint is slow” then build a faster WordPress Ajax endpoint. You can do so with SHORTINIT (there are answers about it around on site) to have very customized core load. It’s a nightmare to ship in public code and pain on upgrades, but for private high–performance Ajax it’s the way to go.

PS I am not sure how your Ajax needs relate to RPC (XML RPC?) needs, since you mention both.

Related Posts:

  1. WordPress Ajax Data Security
  2. Nonces and Cache
  3. Is it safe to assume that a nonce may be validated more than once?
  4. Multiple ajax nonce requests
  5. Nonces, AJAX, script variables & security in WordPress
  6. How do I check if AJAX nonces are implemented correctly?
  7. Is it safe to manually sign a user in using AJAX?
  8. WP Admin AJAX Security – using POST to include a relative URL
  9. ajax nonce verification failing
  10. Should I check for privileges before hooking into `wp_ajax_$handle` or after?
  11. Is it secure to use admin-ajax.php in front?
  12. Why does check_ajax_referer give a 403 error on https websites?
  13. Using nonce when loading posts with AJAX
  14. 200 return code on ‘POST /wp-admin/admin-ajax.php’ while NOT logged in
  15. Should wordpress nonce be placed in html form or in javascript file
  16. How to prevent my external API call from being called by anyone but me (my site)
  17. check_ajax_reffer not working when logged
  18. How to safely pass post_id and user_id via AJAX to the backend (prevent user from changing it via JS)?
  19. Ajax Security regarding user priviliges and nonces
  20. Can I make an ajax response cross-domain?
  21. How to cache json with wp-super cache
  22. Why might a plugin’s ‘do_shortcode’ not work in an AJAX request?
  23. Get Previous & Next posts by Post ID
  24. REST API endpoint for elasticpress autosuggest
  25. ajax – why multiple calls to wp_create_nonce() return same value?
  26. AJAX request on the frontend always returns 0 if user is not admin
  27. Admin Notification after save_post, when ajax saving in gutenberg
  28. Using ajax on categories and wordpress loops
  29. Cannot load admin-ajax.php. No access-control allow origin*
  30. Initialize JS with an ajax loaded ACF form
  31. WordPress Nonce Issue for Ajax Login and Logout
  32. Nonces and Ajax request to REST API and verification
  33. Vue.js + AJAX Shortcode
  34. Can’t seem to get wp_localize_script to work
  35. wp_ajax action is not running
  36. Ajax – gettext without a plugin
  37. WordPress AJAX calls not detecting language properly?
  38. AJAX issue – Uncaught SyntaxError when processing Zip File
  39. wp_verify_nonce doesn’t return true on server when it matches the nonce
  40. update_user_meta doesn’t work with AJAX
  41. How do I set the url to make an ajax request for a html document?
  42. wp-admin AJAX with Fetch API is done without user
  43. Using wp_handle_upload and media_handle_sideload with ajax
  44. Populating content dynamically via AJAX and Advanced Custom Fields [closed]
  45. Load ajax if is_home()
  46. How to know what page is calling admin-ajax.php?
  47. Populate a Map at The Same Time as showing Posts via AJAX
  48. wp_localize_script not working on ajax response
  49. Why Does WordPress not output admin-ajax.php path by default?
  50. Jetpack Infinite Scroll – Add more than 7 posts each time?
  51. SSO autologin WordPress + Ajax
  52. Test WordPress api with postman
  53. How to handle 400 status in Ajax [duplicate]
  54. How to process wordpress ajax call without action parameter?
  55. Update attachment metadata fails
  56. Nonce fails on ajax save
  57. WordPress P2 live problem
  58. All AJAX requests return a 400 error
  59. Unable to successfully verify nonce
  60. Create custom POST Method URL
  61. Getting a variable using $post ajax back from php to js response in WP
  62. AJAX Call – Failed to load resource: the server responded with a status of 500 (Internal Server Error)
  63. WordPress is Not Setting PHP $_POST on Custom Ajax
  64. bulk update meta value with ajax
  65. Ajax for subscibers not working
  66. javascript ajax and nonce
  67. Is it possible to determine whether a page is a page template by page_id in ajax call?
  68. Chained ajax call, second call returns 0
  69. How to create a form button that executes a function?
  70. How to stop being directed to admin.php after sending request to admin-ajax.php
  71. How to make image in TinyMCE clickable
  72. How to use Jeditable plugin with admin-ajax.php?
  73. WordPress Ajax Not Firing
  74. Get uploaded attachment width & height and attachment ID after upload them
  75. Uncaught TypeError: Cannot read properties of undefined (reading ‘message’) [closed]
  76. Disabling ajax code that does a POST request that ends in a 400 error code
  77. Refresh checkout fields on add to cart with order bump
  78. Is it good practice to use REST API in wp-admin plugin page? [closed]
  79. get a bad request 400 on my ajax-admin.php file
  80. Registration form AJAX check for existing username (simple version)
  81. How to check Ajax request only when i opened the Notifications list?
  82. Trigger action via button
  83. Syntax error on query_vars while handling with Jquery
  84. Want to send ajax request in wordpress to a custom file in plugin
  85. How to send the checkbox value to email
  86. Sending email with wp_email and AJAX
  87. AJAX Call in Plugin Returns More than JSON
  88. Ajax take too long to return code
  89. problem when adding wp_editor with ajax [duplicate]
  90. Get wp-load.php PATH with wp_localize_script and JavaScript for plugin
  91. Ajax Form seems to post, but does not return
  92. Ajax request to admin-ajax.php and window.location.href
  93. Why can wordpress not find the actions I add in my constructor?
  94. delete attachment for one post without deleting actual attachment post
  95. Memberpress isn’t cooperating with WooCommerce
  96. where does my function output from load-* go?
  97. WordPress ajax requst returns zero
  98. WordPress blocking polling request when signed into Admin
  99. Send button using own contact form [closed]
  100. wordpress ajax bad request 400
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)