Custom RPC end-point security best pratice?

I think your paradigm is not optimal. You are starting on premise of “WordPress Ajax endpoint is slow” and your solution is to “build alternate authentication scheme”. This completely spells trouble.

Anything security should be reused as much as possible and coded by people specializing in security. Trade-off of reimplementing security for the sake of performance is major red flag.

So back to square one. If your issue is “WordPress Ajax endpoint is slow” then build a faster WordPress Ajax endpoint. You can do so with SHORTINIT (there are answers about it around on site) to have very customized core load. It’s a nightmare to ship in public code and pain on upgrades, but for private high–performance Ajax it’s the way to go.

PS I am not sure how your Ajax needs relate to RPC (XML RPC?) needs, since you mention both.

Related Posts:

  1. WordPress Ajax Data Security
  2. Nonces and Cache
  3. Is it safe to assume that a nonce may be validated more than once?
  4. Multiple ajax nonce requests
  5. Nonces, AJAX, script variables & security in WordPress
  6. How do I check if AJAX nonces are implemented correctly?
  7. Is it safe to manually sign a user in using AJAX?
  8. WP Admin AJAX Security – using POST to include a relative URL
  9. ajax nonce verification failing
  10. Should I check for privileges before hooking into `wp_ajax_$handle` or after?
  11. Is it secure to use admin-ajax.php in front?
  12. Why does check_ajax_referer give a 403 error on https websites?
  13. Using nonce when loading posts with AJAX
  14. 200 return code on ‘POST /wp-admin/admin-ajax.php’ while NOT logged in
  15. Should wordpress nonce be placed in html form or in javascript file
  16. How to prevent my external API call from being called by anyone but me (my site)
  17. check_ajax_reffer not working when logged
  18. How to safely pass post_id and user_id via AJAX to the backend (prevent user from changing it via JS)?
  19. Ajax Security regarding user priviliges and nonces
  20. Can I make an ajax response cross-domain?
  21. How to stop a nonce from being cached in an inline script, or alternatives to regenerate it if expired?
  22. How does the security of admin_ajax.php work?
  23. Ajax takes 10x as long as it should/could
  24. Load minimum WordPress environment
  25. How to call a PHP function with Ajax when the user clicks a button
  26. WordPress embeds in AJAX inserted content
  27. How do I send an ajax request and get a response back from a function?
  28. Automatically pull newer posts and append to current page.
  29. Load page content with AJAX using Fancybox?
  30. Dynamically changing navigation links (next and previous) via AJAX
  31. Why is my AJAX call not working?
  32. How to Access custom database content with AJAX onClick refresh of div inside member-only WordPress page?
  33. how to use reCaptcha v3 in wordpress custom login form?
  34. admin-ajax.php HTTP400: BAD REQUEST – The request could not be processed by the server due to invalid syntax
  35. AJAX action not triggering PHP function
  36. WP_Session not acting with AJAX
  37. add_action and Ajax
  38. Help with AJAX front end comment moderation
  39. Enqueue script in header
  40. wp_ajax_nopriv_xxx is not firing on one site, works on all others. -1 for logged out users
  41. WP_User_Query ignoring ‘meta_query’ arguments
  42. Ajax Modal Flickers When Opened Multiple Times
  43. Increased CPU load due to admin-ajax.php spam
  44. Can’t get result from sql using ajax result
  45. Theme Customizer – Conditional Controls
  46. Edit a different page in WP Customizer
  47. Get the_content with ajax
  48. WordPress AJAX – how to return true or false in the callback function
  49. Admin ajax error 400 when passing select value to populate another select
  50. WordPress Ajax POST Error 403 admin-ajax.php
  51. Pass additional parameter with async upload
  52. AJAX request randomly stop working and returns error 400
  53. Sending variable from ajax on form submit
  54. WordPress search results with Ajax, get_post_type() not working
  55. Audio TAG Not using MediaElement When Page is loaded through ajax
  56. Interim-Login form on frontend
  57. WordPress ajax call returns a zero though die()
  58. Save value from Javascript object to WP user
  59. wp_update_post onclick button using ajax
  60. add Additional class to woocommerce cart-contents link
  61. Ajax insert or update data
  62. Add Ajax to rating button
  63. wp_ajax declaration confusing for Front end
  64. Delete ACF repeater field row on Front End
  65. No errors in the console but Ajax call doesn’t seem to be working
  66. Preprocess submitted data
  67. Update status, meta while inside a post using AJAX button
  68. How to disable drag-and-drop upload function in Media Library?
  69. update_option in WordPress AJAX
  70. Load more posts (Ajax) in tabbed sidebar on single.php
  71. Something strange with ajax
  72. admin-ajax.php returns 0 even when the post status code is 200 OK
  73. Why is the file not uploading to the server?
  74. Get localize of a loaded javascript
  75. REST public POST giving 403 forbidden nginx
  76. Query data after an Ajax insert
  77. How to get next and previous post into ajax formed modal windows?
  78. Content including hooks inside wp-settings.php are being called twice in WordPress
  79. Problem when sending file via ajax
  80. wp_verify_nonce not working on the mobile device
  81. Frontend AJAX Media Upload returning 404
  82. JS global variable doesn’t update
  83. 404 error custom post type rest api
  84. Change button text after ajax db update
  85. Jquery wrap permalink in a data-attribute?
  86. How do I display posts of a specific day?
  87. Load .php file into div using ajax
  88. Native WordPress Video Shortcode Not Working After Post is Loaded via Ajax
  89. Ajax Function call is always returning 0 in front end(without plugin) [closed]
  90. Ajax live search, “No products found” when the title contains apostrophes and quotations
  91. Using AJAX for dynamic settings pages
  92. Speeding up admin-ajax.php
  93. admin ajax is not working for non logged in users
  94. Change search to outpout category name instead of Post type name
  95. ‘Dehighlighting’ navigation once clicked
  96. wp_localize_script not create variable in head section
  97. AJAX admin Internal 500 error Failed to Upload
  98. Class property not visible inside ajax callback function?
  99. wordpress ajax bad request 400
  100. JQuery UI Autocomplete/Autosuggest WordPress