0

I'm trying to delete media from the WordPress Library using the rest-api with cookie authentication. I can create a file (POST) and retrieve (GET) the file contents, but DELETE do not work. I'm using IIS Version 10.0.

Note: this code is ran on the website domain, not from another domain.

Things I've tried:

  • Enabling WebDAV on the server
  • Used Basic WordPress authentication plugin

Here is the XMLHttpRequest that I'm using:

var apiCall = new XMLHttpRequest();

apiCall.onreadystatechange = function() {
...
};

apiCall.open("DELETE", wpApiSettings.root + "wp/v2/media/");
apiCall.setRequestHeader("X-WP-Nonce", wpApiSettings.nonce);
apiCall.send("2000");

The error I get back:

HTTP Error 401.0 - Unauthorized. You do not have permission to view this directory or page.

This error is never present with GET or POST, only when doing the delete, which makes me think about the authentication within IIS. Maybe it's not even reaching the WordPress engine and IIS is intercepting the request and denying it. Which I thought enabling WebDAV would fix, but sadly, it did not.

Programmer
  • 1

1 Answers1

0

First, 401 error typically indicates the request is not authenticated. We have to set up the credential based on the authentication mode in IIS. If it requires basic credential, we need to set up the HTTP header like below,

xhr.setRequestHeader('Authorization', 'Basic ZWx1c3VhcmlvOnlsYWNsYXZl');

How to send a correct authorization header for basic authentication
In addition, for supporting Delete HTTP verb, please add the below code to your the webconfig file.

<system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules runAllManagedModulesForAllRequests="true">
        <remove name="WebDAVModule"/> <!-- ADD THIS -->
    </modules>

Here is a related discussion.
WebAPI Delete not working - 405 Method Not Allowed

Abraham Qian
  • 6,097
  • 1
  • 3
  • 20
  • I've setup basic authentication within IIS but if I disable Anonymous Authentication then the website brings up a username and password box on the normal home page. Is there any way to setup Anonymous Authentication for normal users just accessing the website (which requires no login) and then have the Basic Authentication available to call through the REST API. When I tried to add that line in the web.config. There was no modules section in the file and when I added it in anyway the website wouldn't load and gave me a config error. I can disable it through IIS manually though? – Programmer Aug 17 '20 at 14:44
  • Also, when I disable WebDAV through IIS, the error changes to a 405 saying the method is not allowed, when I keep it enabled it's a 401. So maybe it's better to keep it enabled and just configure the Authentication? – Programmer Aug 17 '20 at 14:48
  • To make the authentication method effective only for a certain folder, we only need to expand the website directory, click on the specific folder and then set the authentication mode. This will add authentication settings specific to a certain folder in the applicationhost.config file. – Abraham Qian Aug 18 '20 at 09:42
  • – Abraham Qian Aug 18 '20 at 09:42