
Login and register by API

Q1. How can we do this login event? Can we login via API or do we need something different? I’m asking because I’ve seen ways to log in with a cookie.

The WP REST API provides no session management functionality. There is no way to login, register, or logout via the REST API.

If it did, the registration endpoint in your question would be unnecessary.

Plugins might exist that provide session management, but doing this will require 100% custom code.

If it helps, this is the automatic API discovery process for the REST API that reveals the authentication methods it exposes:

https://developer.wordpress.org/rest-api/using-the-rest-api/discovery/#authentication-discovery

You may find with 3rd party authentication plugins that the ability to login via the API and create new authentication sessions purely via the API might be possible.

Q2. When it gets Ok result from API, it will return to WordPress site and log in. How can we make this turn?

You would need to create an entirely new endpoint to do this. Software such as Softaculous has an advantage the REST API does not because it can reach behind the scenes and do things directly to the database, run PHP scripts directly with privileged access, or WP CLI commands such as wp user create etc and do things that can’t normally be done.

A common method on enterprise hosting is to do this via a WP CLI command using internal mechanisms that aren’t reachable via a browser or the open web, such as queued tasks or internal proprietary cron jobs. Others use custom REST API endpoints that create temporary users and then set up credentials and custom filters to bypass what the site normally does (you would not want to do this as it has major security implications and is not scalable, these systems are built with a lone hosting support/maintenance agent in mind, not for regular use).

These usually create temporary back doors that self-close, with mechanisms that rely on temporary tokens etc.


Note that if we ignore all of this, the code in the question is insecure:

  • there is no rate limiting
  • it does not check if a user already exists
    • but it does return the error object, allowing an attacker to fire off repeated requests for usernames to see which ones generate user already exists errors
    • this also works for emails!!
  • although emails are sanitised, there is nothing checking that they are emails, and the endpoint will happily accept "I'm not an email" and pass it to $email
  • the endpoint bypasses the validation/verification step to confirm the user does indeed own that email. Anybody can sign up with anybody’s email, I could sign up with your email! And there’s nothing anybody could do about it. This has major legal and regulatory consequences, you should consult a lawyer with expertise in this area before continuing.
  • There are no protections for password strength and integrity in the API, this endpoint bypasses those entirely. "." would be a valid password.
    • it may even be possible to use a blank password which would make it impossible for the user to login

I suspect you’ve used this answer on Stack Overflow to create the endpoint, which has its own issues, but then removed half of the protections it uses such as username_exists etc:

https://stackoverflow.com/a/50105811/57482
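
One way to close the gaps listed in the answer above, as an added example that is not the code from the question or from the answer's author. The `example/v1` route, the `example_register_user()` name, the limit of 5 attempts per hour and the reliance on `REMOTE_ADDR` are assumptions.

```php
<?php
// Added example, not the code from the question; route and function names are assumptions.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/register', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // public on purpose; abuse is limited below
        'callback'            => 'example_register_user',
        'args'                => array(
            'username' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && validate_username( $value );
                },
            ),
            'email'    => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && false !== is_email( $value );
                },
            ),
            // No password argument: the caller never chooses one.
        ),
    ) );
} );

function example_register_user( WP_REST_Request $request ) {
    // Rate limit per client IP with a transient (sliding one-hour window).
    // Assumes REMOTE_ADDR is the real client address, not a shared proxy.
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $key  = 'example_reg_' . md5( $ip );
    $hits = (int) get_transient( $key );
    if ( $hits >= 5 ) {
        return new WP_Error( 'example_rate_limited', 'Too many attempts, try again later.', array( 'status' => 429 ) );
    }
    set_transient( $key, $hits + 1, HOUR_IN_SECONDS );

    // register_new_user() rejects existing usernames and emails, generates a
    // random password and mails a set-password link, so only the owner of the
    // mailbox can finish the sign-up, through WordPress's own password screen.
    $result = register_new_user( $request['username'], $request['email'] );
    if ( is_wp_error( $result ) ) {
        error_log( 'example registration rejected: ' . $result->get_error_code() );
    }

    // Same status and body whether or not an account was created, so the
    // response does not reveal which usernames or emails already exist.
    return new WP_REST_Response( array( 'message' => 'If the details are valid, check your inbox.' ), 200 );
}
```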
