WordPress REST API

WordPress REST API — built-in JSON REST API for WordPress installations enabling programmatic post creation, page management, media uploads, user management, and custom post type access for headless CMS and agent-driven publishing workflows.

Evaluated Mar 06, 2026 (0d ago) vcurrent
Homepage ↗ Repo ↗ Developer Tools wordpress cms rest-api publishing headless-cms php open-source
⚙ Agent Friendliness
56
/ 100
Can an agent use this?
🔒 Security
74
/ 100
Is it safe for agents?
⚡ Reliability
76
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
--
Documentation
80
Error Messages
75
Auth Simplicity
72
Rate Limits
65

🔒 Security

TLS Enforcement
90
Auth Strength
72
Scope Granularity
65
Dep. Hygiene
70
Secret Handling
72

GDPR compliant. TLS required for Application Passwords. Plugin ecosystem introduces security variability — WordPress core is secure but plugins vary widely. Application passwords preferred over basic auth. No SOC2 for self-hosted.

⚡ Reliability

Uptime/SLA
75
Version Stability
80
Breaking Changes
78
Error Recovery
72
AF Security Reliability

Best When

You need to automate content publishing on an existing WordPress site — WordPress powers 43% of the web, so if the site already exists, the REST API is the right integration point.

Avoid When

You're building a new publishing platform — modern alternatives (Ghost, Hashnode) offer better APIs and less operational overhead than WordPress.

Use Cases

  • Agents publishing AI-generated articles to existing WordPress sites used by millions of businesses and publishers
  • Headless WordPress — agents using WP REST API as content backend while serving custom frontend applications
  • Content migration — agents bulk-importing posts, pages, and media from other platforms into WordPress
  • Media management — agents uploading images and attachments then associating them with published posts
  • Plugin data access — agents reading custom post types and ACF field data from WordPress-powered applications

Not For

  • Green-field publishing for developer audiences — DEV.to, Hashnode provide built-in developer communities
  • Serverless publishing — WordPress requires PHP hosting; use Ghost or Hashnode for simpler managed options
  • High-performance headless CMS — use Contentful or Sanity for purpose-built headless CMS with better APIs

Interface

REST API
Yes
GraphQL
Yes
gRPC
No
MCP Server
No
SDK
No
Webhooks
Yes
OpenAPI Spec ↗

Authentication

Methods: basic_auth api_key oauth
OAuth: Yes Scopes: No

Application passwords (WordPress 5.6+) for API key auth — preferred for agents. Basic auth requires plugin for security. OAuth via WP OAuth Server plugin. JWT auth via plugin. Application passwords scoped to user permissions.

Pricing

Model: free
Free tier: Yes
Requires CC: No

WordPress self-hosted is free. WordPress.com (hosted) restricts REST API access on lower plans. VIP platform is enterprise-grade. Hosting costs separate from WordPress licensing.

Agent Metadata

Pagination
page
Idempotent
Partial
Retry Guidance
Not documented

Known Gotchas

  • Plugin conflicts can break REST API endpoints — test in clean WordPress installation before deploying
  • Application passwords require HTTPS — REST API auth fails over plain HTTP on many configurations
  • Media must be uploaded separately and attachment ID linked to post — no inline image handling in post body
  • Custom post types and fields require plugins (ACF, CPT UI) — vanilla WordPress only exposes core post types
  • WordPress.com vs self-hosted WordPress have different API capabilities — endpoint availability varies by environment

Alternatives

ghost-content-api hashnode-api contentful-api strapi-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for WordPress REST API.

$99
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.

5208
Packages Evaluated
26151
Need Evaluation
173
Need Re-evaluation
Community Powered