What is authorization?
Authorization is the process through which an authenticated user or process is given permission to access resources and execute actions. In WordPress, these permissions are known as capabilities. While the authorization process is dependent on the authentication process, the two are very different and should not be confused.
Why is authorization important on a WordPress website?
Authorization plays an important part in how authenticated users access and interact with WordPress. Without it, we wouldn’t be able to do much, since access to pages and the right to execute actions such as uploading new content, changing prices on the e-commerce store, or updating settings are all granted through authorization. In fact, every right a user holds on a WordPress website is granted through authorization.
WordPress uses users and roles to make the assignment of rights easier. Any given user inherits the rights assigned to the role they are a member of, and the authorization process enforces those rights once the user logs in.
How authorization works on WordPress
To understand how authorization works on WordPress, we first need to understand how WordPress handles sessions.
WordPress is a stateless application. This means that it does not store any information about the state of users. Instead, it uses cookies to keep track of who is logged in. As such, whenever a logged-in user tries to access a resource or a function, they must present their cookie, which includes authentication information.
At this point, WordPress performs an authorization check, confirming whether or not the user has access to the resource or section. This is done by checking which role the user belongs to and then checking which capabilities are assigned to that role.
How to manage the WordPress authorization process
WordPress authorization is an internal process, and it is not something that we have direct control over. However, this doesn’t mean that there is nothing we can do to ensure a safer WordPress environment.
Employ the principle of least privilege
The principle of least privilege tells us that users should only be authorized to do the tasks they need to do their job. This approach promotes caution, ensuring better risk management throughout your WordPress website.
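The capability check described under “How authorization works” and the least-privilege advice above, as a worked example added here (not code from the original article): a minimal plugin that creates a narrowly scoped role for the “change prices” task and guards the corresponding REST endpoint with a capability check. The role name `price_editor`, the capability `edit_product_prices`, the `product` post type and the `_price` meta key are assumptions.

```php
<?php
/*
 * Added example, not part of the original article. Role name, capability
 * name, post type and meta key are assumptions for illustration.
 */

// Register a narrowly scoped role once, on plugin activation (least privilege).
register_activation_hook( __FILE__, function () {
    add_role( 'price_editor', 'Price Editor', [
        'read'                => true,  // can log in and view the dashboard
        'edit_product_prices' => true,  // custom capability for this one task
        // deliberately no edit_posts, upload_files, manage_options, etc.
    ] );
    // Administrators keep the ability to perform the task as well.
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        $admin->add_cap( 'edit_product_prices' );
    }
} );

// Expose the price update through the REST API, behind an authorization check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'shop/v1', '/price/(?P<id>\d+)', [
        'methods'             => 'POST',
        // Authorization: runs after WordPress has authenticated the request
        // (login cookie plus X-WP-Nonce header for cookie-based clients).
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_product_prices' );
        },
        'args' => [
            'price' => [
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && $value >= 0;
                },
            ],
        ],
        'callback' => function ( WP_REST_Request $request ) {
            $post_id = (int) $request['id'];
            if ( get_post_type( $post_id ) !== 'product' ) {
                return new WP_Error( 'not_found', 'No such product', [ 'status' => 404 ] );
            }
            $price = (float) $request['price'];
            update_post_meta( $post_id, '_price', $price );
            return rest_ensure_response( [ 'id' => $post_id, 'price' => $price ] );
        },
    ] );
} );
```

A user holding only the `price_editor` role can change prices but receives a 403 from every other privileged endpoint, because the role carries no other capabilities.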
Use an SSL/TLS certificate
By using an SSL/TLS certificate, you ensure that all communication between WordPress and its users is encrypted, thus reducing the risk of attacks such as man-in-the-middle (MITM) attacks. Such attacks are designed to intercept communications and can easily steal WordPress cookies if no encryption is in place. Certificates can also boost users’ trust in your website and may even help your SEO efforts.