The REST API is a Premium-only feature.

4.5.1. Ensure the PHP hash Extension is Enabled

The hash extension is included by default in PHP 5.3 and later, but it must also be enabled. The WPf2b REST API will not load or run without the hash extension.

4.5.2. Define the Shared Secret

The Shared Secret must be defined in wp-config.php - it cannot be set via the UI - and it must be at least 64 characters long.


An easy way to get a suitable Secret is to use one of the salts generated by the WordPress API. For example:

define('AUTH_KEY',         ' )h%mo9/sa3v<kc$aLuM,R~mj/fwjtCEv2*{Kva<jmq-V<OC} A6T(O*<*B-+$ka');
define('SECURE_AUTH_KEY',  'I0-b/MK/sLnsLXBhi>*~2sEXapCoWC6T;?IhjTn38lz~LJ(S29BoiSjlf6~yM=?H');
define('LOGGED_IN_KEY',    'yr|(+vLu+PyyTvZ|r (h_IO!bOX,nU-?+Z&=hVB>ekQT~ t$BCU`$65b<DdM5cmm');
define('NONCE_KEY',        'GFkF{@sIoPp<b,<mUyu5,i)hs/4hF0Al axhi:7KWmcgl||Z{Fi]z@&qlZFv1Mq+');
define('AUTH_SALT',        '|+(C<`Qjb4<dPpbE0I-i59+PD_*Ch^<G{7EuAP_40WGi;&5 v:>gYFQ:+=S-zm`P');
define('SECURE_AUTH_SALT', '-%6q4fpO8~vlmiW`Ge|Ia!UGK{oB?p;RIX7h%IDEVCoRuv9awsujP nz5@&YrH8B');
define('LOGGED_IN_SALT',   'N&w}80wPp3[p}=>reU;+&|G.*Rn!(g.z=UG5,68^tE}03{3gRYWR^m/Mg-Fu?G<W');
define('NONCE_SALT',       'x%x3Y=}Gkc8YgEEeZsE_mAnE0>MCJFvT<=cl&W=2o=U5o1J+ BF-YTZT4Xau!X{B');


  1. The Secret must be random data.
  2. The Secret must be at least 64 characters long.
  3. The Secret must be unique.
  4. Do not use these example salts [1].

You will compromise the security of your site if you fail to follow these rules.

4.5.3. Enable the WPf2b REST API



[1]You can try, but the REST API won’t load if you do.