Guide to setting up secure XenForo API user permissions

The XenForo API transports valuable data from your forum to your WordPress site, so it is worth taking the steps to secure it and make sure your data is not mishandled.

In this guide we are going to learn how to connect a XenForo forum to a WordPress website and which security best practices to follow.

It is recommended that you first read the official XenForo REST API documentation to understand how the API works and how security differs between the different levels of user keys.

Reading API user permissions

Once connected, you will be able to use the full features of the XFtoWP plugin so long as your API user permissions are set up correctly. The plugin settings will verify what actions you can take on your forum from WordPress:

[Screenshot: Site setup view permissions]

Any plugin feature that depends on an inactive permission is disabled, because it cannot function without that permission being granted.

For example, the settings above show thread:read as active and the thread:write permission disabled. This means that the Thread comments feature can still connect existing threads to posts, but cannot create new threads.

Additionally, you must ensure that the forum user you associate the API key with can also perform the required actions and view the proper content on your forum.

The most secure API user should have the least privileges on your forum and ideally does not have any moderation controls.

Super user permissions

If you connected your site with a Super user key, you will need to provide a user ID in the WP admin > XF > Setup settings. This user will also be the author of new threads and can be used for other actions.
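
The permission checks described above can be expressed as a small least-privilege audit. This is an added example, not code from the XFtoWP plugin or from XenForo: the feature names, the FEATURE_SCOPES mapping and the sample scopes are assumptions built from the thread:read / thread:write case in this guide.

```python
# Added example: audit an API key's scopes against the features you want.
# FEATURE_SCOPES is an assumed mapping; only the thread:read / thread:write
# split for Thread comments is taken from the guide.
FEATURE_SCOPES = {
    "thread_comments.link_existing": {"thread:read"},
    "thread_comments.create_thread": {"thread:write"},
}


def audit_key(granted, wanted, key_type="user", acting_user_id=None):
    """Report which wanted features work and which scopes are unnecessary."""
    granted = set(granted)
    unknown = [f for f in wanted if f not in FEATURE_SCOPES]
    if unknown:
        raise ValueError(f"no scope mapping for: {unknown}")

    # Union of every scope the wanted features need.
    needed = set().union(*(FEATURE_SCOPES[f] for f in wanted))
    report = {
        # Features whose required scopes are all granted.
        "enabled": sorted(f for f in wanted if FEATURE_SCOPES[f] <= granted),
        # Features that stay disabled, with the scopes they are missing.
        "disabled": {
            f: sorted(FEATURE_SCOPES[f] - granted)
            for f in wanted
            if not FEATURE_SCOPES[f] <= granted
        },
        # Granted scopes no wanted feature uses: candidates for removal.
        "excess": sorted(granted - needed),
        "warnings": [],
    }
    # A Super user key acts as whichever user is named, so one must be set.
    if key_type == "super" and acting_user_id is None:
        report["warnings"].append("Super user key has no user ID configured")
    return report


if __name__ == "__main__":
    # Constructed sample: read access plus one scope the plugin never needs.
    sample = audit_key(
        granted={"thread:read", "user:delete"},
        wanted=["thread_comments.link_existing", "thread_comments.create_thread"],
        key_type="super",
    )
    for section, value in sample.items():
        print(section, "->", value)
```

Anything listed under "excess" can be removed from the key without disabling a feature you use.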
