In WordPress I have created a custom post type for Events, for which the company is listing all of their concerts. To streamline event creation I’ve also built a script that will publish the exact Event to the company’s Facebook Page. This is done simply by hitting a button in the Event edit post page…
What happens is when the button is pressed a jQuery Ajax call uses the values of the Event fields and sends them to the PHP script that posts the Facebook event via GET variables. That’s it. The problem with this is that if someone were to find the URL of the script they could essentially post Facebook events no problem.
Is this a bad approach? What can I do to prevent outsiders from accessing the Facebook Event script and only allow posting from the WordPress site? Should I implement a nonce for this?
Update:
I started storing the Facebook auth token in the WordPress database and passing it to the script when the Ajax call is made. Is this secure enough? Should I do something more?
I would set a unique value (maybe a hash of the timestamp) and set it as a session var on the form page. Then pass that hash in the ajax call and the receiving PHP page will compare it to the hash in the session var.
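As an added example (not code from the question or the answer above), the same server-held-token-compared-on-receipt idea in WordPress's own terms: the edit screen gets a nonce tied to the logged-in user and this post, the button's Ajax call sends it to `admin-ajax.php`, and the handler checks the nonce and the user's capability before touching Facebook. The `event` post type name, the `myplugin_` prefix and the `publish_facebook_event()` helper are assumptions.

```php
<?php
// Added example: gate the Facebook-posting code behind admin-ajax.php, a
// post-bound nonce and a capability check. Assumes a helper
// publish_facebook_event( $post_id ) that makes the Graph API call using a
// token it reads server-side (e.g. from wp_options), never one sent by the browser.

// 1. On the Event edit screen, hand the nonce and an inline click handler to jQuery.
add_action( 'admin_enqueue_scripts', function () {
    $screen = get_current_screen();
    if ( ! $screen || 'post' !== $screen->base || 'event' !== $screen->post_type ) {
        return;
    }
    $post_id = (int) get_the_ID();
    wp_register_script( 'myplugin-fb', false, array( 'jquery' ), '1.0', true );
    wp_enqueue_script( 'myplugin-fb' );
    wp_localize_script( 'myplugin-fb', 'mypluginFb', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'postId'  => $post_id,
        'nonce'   => wp_create_nonce( 'myplugin_fb_post_' . $post_id ), // user- and post-specific
    ) );
    wp_add_inline_script( 'myplugin-fb', "
        jQuery('#myplugin-fb-button').on('click', function () {
            jQuery.post(mypluginFb.ajaxUrl, {
                action: 'myplugin_fb_post', post_id: mypluginFb.postId, nonce: mypluginFb.nonce
            }, function (r) { alert(r.success ? 'Posted to Facebook' : 'Refused: ' + r.data); });
        });
    " );
} );

// 2. Handler: registered for logged-in users only (wp_ajax_, deliberately no wp_ajax_nopriv_).
add_action( 'wp_ajax_myplugin_fb_post', function () {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;

    // Nonce must match this user, this post and this action; otherwise WordPress replies 403 and exits.
    check_ajax_referer( 'myplugin_fb_post_' . $post_id, 'nonce' );

    // A valid nonce proves the request came from our edit screen, not that the user may publish.
    if ( ! $post_id || 'event' !== get_post_type( $post_id ) || ! current_user_can( 'publish_post', $post_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    // Event fields are read from the stored post, not from the request, so a caller
    // cannot push arbitrary text to the company's Page even with a valid nonce.
    $result = publish_facebook_event( $post_id ); // assumed helper
    $result ? wp_send_json_success( $result ) : wp_send_json_error( 'facebook call failed', 502 );
} );
```

Because the handler lives behind `admin-ajax.php` with no `nopriv` hook, an outsider who learns the URL gets a `0`/403 response rather than a posted event, and the Facebook token never leaves the server.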