Use an external authentication source in WordPress.
The HTTP Authentication plugin allows you to use existing means of authenticating people to WordPress. This includes Apache’s basic HTTP authentication module, Shibboleth, and many others.
To follow updates to this plugin, visit:
https://danieltwc.com/
For help with this version, visit:
https://danieltwc.com/2011/http-authentication-4-0/
Copy the http-authentication folder to your plugins folder, usually wp-content/plugins. (Or simply install it via the built-in installer.)
Protect wp-login.php and wp-admin using your external authentication (using, for example, .htaccess files).
Any authentication mechanism which sets the REMOTE_USER (or REDIRECT_REMOTE_USER, in the case of ScriptAlias'd PHP-as-CGI) environment variable can be used in conjunction with this plugin. Examples include Apache's mod_auth and mod_auth_ldap.
This depends on your hosting environment and your means of authentication.
Many Apache installations allow configuration of authentication via .htaccess files, while some do not. Try adding the following to your blog's top-level .htaccess file:
AuthName "WordPress"
AuthType Basic
AuthUserFile /path/to/passwords
Require user dwc
(You may also want to protect your xmlrpc.php file, which uses separate authentication code.)
Then, create another .htaccess file in your wp-admin directory with the following contents:
AuthName "WordPress"
AuthType Basic
AuthUserFile /path/to/passwords
Require user dwc
In both files, be sure to set /path/to/passwords to the location of your password file. For more information on creating this file, see Apache's HOWTO: Authentication, Authorization, and Access Control.
This plugin doesn’t actually authenticate users. It simply feeds WordPress the name of a user who has successfully authenticated through Apache.
To determine the username, this plugin uses the REMOTE_USER or the REDIRECT_REMOTE_USER environment variable, which is set by many Apache authentication modules. If someone can find a way to spoof this value, this plugin is not guaranteed to be secure.
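The trust boundary described above, as an added example that is not the plugin's own code: the username must come only from the REMOTE_USER or REDIRECT_REMOTE_USER keys that the web server's authentication module sets, never from a request header. A header named Remote-User also reaches PHP, but as $_SERVER['HTTP_REMOTE_USER'], and that key is under the client's control. The function name http_auth_remote_user, the allowed-character rule, and the three request environments are constructed for this illustration.

```php
<?php
// Added example (not from the HTTP Authentication plugin): resolve the
// externally authenticated username from the server environment, or return
// null so WordPress can fall back to its own login form (the mixed-mode
// setup described later on this page).

/**
 * @param array<string,string> $server  Normally $_SERVER; passed in so the
 *                                      function can be exercised with
 *                                      constructed environments.
 */
function http_auth_remote_user(array $server): ?string {
    // REMOTE_USER is set by mod_auth and friends; REDIRECT_REMOTE_USER is the
    // name it carries when PHP runs as CGI behind a ScriptAlias. Nothing else
    // in $_SERVER is consulted: HTTP_* keys mirror request headers and are
    // chosen by the client, so they carry no authentication meaning.
    foreach (['REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            $user = $server[$key];
            // Constructed rule for this example: WordPress logins are plain
            // names, so reject anything outside a conservative character set
            // rather than guessing how to normalise "DOMAIN\user" or
            // "user@REALM" forms some modules produce.
            if (preg_match('/\A[A-Za-z0-9._-]{1,60}\z/', $user) !== 1) {
                return null;
            }
            return $user;
        }
    }
    return null; // not authenticated by the web server
}

// Constructed request environments.
$throughModAuth = ['REMOTE_USER' => 'dwc', 'REQUEST_URI' => '/wp-admin/'];
$phpAsCgi       = ['REDIRECT_REMOTE_USER' => 'dwc', 'REQUEST_URI' => '/wp-admin/'];
$headerOnly     = ['HTTP_REMOTE_USER' => 'dwc', 'REQUEST_URI' => '/wp-admin/'];

// Self-checks: the two server-set forms resolve, the header-only form does not.
if (http_auth_remote_user($throughModAuth) !== 'dwc') {
    throw new RuntimeException('REMOTE_USER should be accepted');
}
if (http_auth_remote_user($phpAsCgi) !== 'dwc') {
    throw new RuntimeException('REDIRECT_REMOTE_USER should be accepted');
}
if (http_auth_remote_user($headerOnly) !== null) {
    throw new RuntimeException('a request header must never supply the username');
}
echo "ok\n";
```

Returning null for the header-only case is what lets a deployment keep the fallback path the FAQ recommends: when the web server has not authenticated the request, WordPress shows its normal login screen instead of trusting a name the client supplied.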
By default, this plugin generates a random password each time you create a user or edit an existing user’s profile. However, since this plugin requires an external authentication mechanism, this password is not requested by WordPress. Generating a random password helps protect accounts, preventing one authorized user from pretending to be another.
Because this plugin generates a random password when you create a new user or edit an existing user’s profile, you will most likely have to reset each user’s password if you disable this plugin. WordPress provides a link for requesting a new password on the login screen.
Also, you should leave the admin user as a fallback, i.e. create a new account to use with this plugin. As long as you don't edit the admin profile, WordPress will store the password set when you installed WordPress.
In the worst case scenario, you may have to use phpMyAdmin or the MySQL command line to reset a user’s password.
Yes. You can authenticate some users via an external, single sign-on system and other users via the built-in username and password combination. (Note: When mixed authentication is in use, this plugin does not scramble passwords as described above.)
When you configure your external authentication system, make sure that you allow users in even if they have not authenticated externally. Using Shibboleth as an example:
AuthName "Shibboleth"
AuthType Shibboleth
Require Shibboleth
This enables Shibboleth authentication in “passive” mode.
Then, in WordPress, set the login and logout URIs. If your site is at http://example.com/, then your login URI should be http://example.com/Shibboleth.sso/Login?target=%redirect_encoded% and your logout URI should be http://example.com/Shibboleth.sso/Logout?return=%redirect_encoded%.
After saving the options, authentication will work as follows:
Other authentication systems (particularly those without a login or logout URI) will need to be configured differently.
Yes, you can enable this plugin across a network or on individual sites. However, options will need to be set on individual sites.
If you have suggestions on how to improve network support, please submit a comment.
If you have a WordPress site with multiple environments (e.g. dev.example.com, test.example.com, and example.com) you can use additional variables in the login and logout URIs:
%host% – The current value of $_SERVER['HTTP_HOST']
%base% – The base domain URL (everything before the path)
%site% – The WordPress home URI
%redirect% – The return URI provided by WordPress
You can also use %host_encoded%, %site_encoded%, and %redirect_encoded% for URL-encoded values.
For example, your login URI could be:
https://%host%/Shibboleth.sso/Login?target=%redirect_encoded%
This would be modified for each environment as appropriate.
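One way to perform the placeholder expansion described above, as an added example rather than the plugin's own implementation (the page does not show how the plugin substitutes these values). The function name http_auth_expand_uri is an assumption, %base% is derived here from the site URI, and the template, hostnames and redirect values are constructed.

```php
<?php
// Added example (not from the HTTP Authentication plugin): expand %host%,
// %base%, %site%, %redirect% and their *_encoded forms in a login or logout
// URI template.

/**
 * @param string $template  Login or logout URI containing placeholders.
 * @param string $host      Value of $_SERVER['HTTP_HOST'] for this request.
 * @param string $site      The WordPress home URI.
 * @param string $redirect  The return URI provided by WordPress.
 */
function http_auth_expand_uri(string $template, string $host, string $site, string $redirect): string {
    // %base% is everything before the path of the site URI, e.g. "https://example.com".
    $parts = parse_url($site);
    $base  = $parts['scheme'] . '://' . $parts['host']
           . (isset($parts['port']) ? ':' . $parts['port'] : '');

    $values = [
        '%host%'             => $host,
        '%base%'             => $base,
        '%site%'             => $site,
        '%redirect%'         => $redirect,
        // Encoded variants belong inside query parameters such as target= or return=.
        '%host_encoded%'     => rawurlencode($host),
        '%site_encoded%'     => rawurlencode($site),
        '%redirect_encoded%' => rawurlencode($redirect),
    ];

    // strtr() with an array replaces every key in a single pass and never
    // rescans replaced text, so a redirect URI that itself contains "%site%"
    // is not expanded a second time.
    return strtr($template, $values);
}

// Constructed inputs for two of the environments named above.
$template = 'https://%host%/Shibboleth.sso/Login?target=%redirect_encoded%';

$dev = http_auth_expand_uri(
    $template,
    'dev.example.com',
    'https://dev.example.com/',
    'https://dev.example.com/wp-admin/?page=settings'
);
$prod = http_auth_expand_uri(
    $template,
    'example.com',
    'https://example.com/',
    'https://example.com/wp-admin/'
);

// Self-checks on the expansion.
if ($dev !== 'https://dev.example.com/Shibboleth.sso/Login?target='
             . 'https%3A%2F%2Fdev.example.com%2Fwp-admin%2F%3Fpage%3Dsettings') {
    throw new RuntimeException('dev expansion differs from expected');
}
if ($prod !== 'https://example.com/Shibboleth.sso/Login?target='
              . 'https%3A%2F%2Fexample.com%2Fwp-admin%2F') {
    throw new RuntimeException('prod expansion differs from expected');
}
echo $dev, "\n", $prod, "\n";
```

One caveat when choosing between %host% and %site%: %host% is taken from $_SERVER['HTTP_HOST'], which is the request's Host header and therefore supplied by the client, whereas %site% is the home URI configured in WordPress. Where the single sign-on service validates its return target, building the URI from %site% or %base% gives it a value the administrator controls.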
get_userdatabylogin (#1513)
wp-login.php so we can check the external authentication (thanks to Josh Larios)