(How) does WordPress protect direct access of user data?

I guess you are not familiar with WordPress API. WordPress uses nonces to keep track of logged in users and authorized requests. Relatively new feature is also App authentication, which is under the hood basic authentication. However, while WordPress IS secure (nonces are sent in headers and have expiry time), specific plugin you are using may have this implemented correctly or incorrectly, and your security will depend on this plugin (as well as others) you are using. There are online sources to check on security of plugins, see if yours is listed.

There is another consideration – every user who has enough rights to change content may remove your “security shortcode”. So to account for that possibility, for example, only admin or specific personel should be allowed to edit these posts, which you have to develop yourself, or search plugin for that.

Related Posts:

  1. Basic auth WordPress REST API dilemma
  2. Reset Password policy
  3. How to programatically change username (user_login)?
  4. How to restrict access to uploaded files?
  5. Allowing users to edit only their page and nobody else’s
  6. Disallowing Users of a Custom Role from Deleting or Adding Administrators?
  7. Hide Admin Menu for Specific User ID who has administrator Role
  8. Allowing an email as the username?
  9. Check if specific username is logged in
  10. Post list based on the user that is logged in
  11. security+best practices: root or www-data on a wordpress content folder?
  12. Any reason to be concerned by a wave of “zombie” blog signups?
  13. How to change WordPress user ID?
  14. Setting WP Admin passwords to expire
  15. Copy a user from one WordPress site to another
  16. Front end user meta options for users
  17. What do spammers gain by signing up as a user?
  18. How can I secure a WordPress blog using OpenID from a single provider?
  19. How to customize wp_signon()
  20. Can I create users that have access to *some* other users posts instead of all other users posts?
  21. Set default page for user account in admin
  22. Share user table from WP with Drupal
  23. Log all users out of all locations after 24 hours
  24. Hide everything on site for visitors except specific page IDs
  25. Managing Users and Creating Groups [closed]
  26. show text If special user is logged
  27. Upgrade Nightmare – No Posts, Permissions Issues and Can’t Create a new post
  28. How to disable a specific page for a specific user
  29. Allow user access to Dashboard only!
  30. Restrict access of admin uploads to certain logged-in users?
  31. wordpress user roles are not working
  32. Displaying different in-page content to cliente/admin
  33. Force user to change their password on the frontend at the first login and password policy
  34. Should I encrypt the response that triggers an Ajax action? Is nonce sufficient?
  35. Are there mutiple ways to get usernames (as a hacker)
  36. Good way to block users within a multisite setup without deleting them?
  37. Problem with automatic role change through cron job
  38. How can I allow an User to publish only 5 posts per month?
  39. How do I protect user_activation_key?
  40. Where are $current_user->allcaps set?
  41. Failed login attempts
  42. Separate Out Real Users
  43. WordPress Password security related questions
  44. Preventing user enumeration: which logic is better?
  45. How do you manage your pages or functions that require logged-in users?
  46. Allow admins to login as other users
  47. Can I Create a Second Admin Level User Role?
  48. Delete a user from frontend
  49. Force users to use password with specifications
  50. Unique password to access a section site
  51. One Click Access To Users Account In WordPress?
  52. Using my own user table
  53. WordPress user role with create user capability?
  54. Update user role for expired membership
  55. Iterating users while user iteration is suppressed
  56. How to use url formatter with integer
  57. Custom User Role: Can Edit Own Page, Cannot Create New
  58. WordPress install checking permissions of user id 0
  59. throttle/limit a logged in user’s http requests to specific page on a per day basis
  60. Require confirmation of current user’s email before updating database and before send_email_change_email
  61. Allowing users to edit only their page and nobody else’s
  62. How to bulk change user role to “No role for this site”
  63. Restrict Access to the User Profile
  64. post acces for guests / unregistered users only
  65. Username has been exposed
  66. view and update form only for registered users
  67. Control Category of each user can post
  68. Securely log in a user without a password using a link?
  69. Limit user access to installing/configuring a plugin?
  70. What techniques can a user employ to achieve a password rated “strong” in the WordPress password checker
  71. WordPress – Security Question at Login from User’s Meta Data
  72. determine active user browser at the same time
  73. MySQL query to list users who never signed in
  74. Wordpres password as plain text in email
  75. WordPress password as plain text in email
  76. Getting a List of Currently Available Roles on a WordPress Site?
  77. Editor can create any new user except administrator
  78. Confirmation required on email change
  79. get_current_user_id() returns 0?
  80. Upload gravatar in WP profile?
  81. determining if the user is logged in
  82. Get users only if Gravatar is specified
  83. Authenticate with a Rails app?
  84. Are User Levels Still Currently Used?
  85. Using Cloudflare caching on wordpress with front-end user logins
  86. Redirect user after successful email change
  87. The Simple and Correct Way to Add User Meta
  88. Export Users and their Advanced Custom Fields
  89. Check if user is logged in via JS? [duplicate]
  90. Easiest way to create an user across several websites
  91. How to change default username field after login
  92. Post Taxonomy Value get from User Field Value
  93. In admin manage users page, how can I stop users with certain privileges from editing users with other privileges?
  94. user and usermeta table not found
  95. Users set passwords but cannot login
  96. Subscriber role – blank page
  97. Set user role on registration so can upload file to own media library area
  98. User “none” role
  99. show count author post today
  100. Increase by one the user counter on specific role