Authentication Plugins
Update: This patch has been added to WordPress as of 1.5.1. The most recent version of the plugin is available from the plugin repository.
Prior to WordPress 1.5, no hooks existed for authentication plugins. Thus, to authenticate users through GatorLink or another external authentication scheme, changes to WordPress core were needed. Fairly significant changes to wp-login.php
, for example, made upgrading to a new version of WordPress more difficult.
With WordPress 1.5, some hooks into the authentication process have been added. This opens the doors for authentication plugins.
Using External Authentication
As part of UF‘s efforts to use WordPress, Web Administration has developed an HTTP authentication plugin. This plugin can be used in any situation where your Web server sets the REMOTE_USER
environment variable. With .htaccess
files, you can use any of the authentication mechanisms available in Apache, such as basic authentication.
To properly lock down WordPress and use the HTTP authentication plugin, you need two .htaccess
files: one protecting wp-login.php
and one protecting the wp-admin
directory.
For wp-login.php
, add something like the following to your .htaccess
file at the root of your WordPress installation (create the file if you don’t have it already):
<Files wp-login.php>
AuthName "GatorLink"
AuthType GatorLink
GatorLinkTimeout 60
GatorLinkVerbose Off
Require user dwc
</Files>
For the wp-admin
directory, create an .htaccess
with something like the following:
AuthName "GatorLink"
AuthType GatorLink
GatorLinkTimeout 60
GatorLinkVerbose Off
Require user dwc
For basic authentication, you’ll need to change the AuthType
, remove the GatorLink options, and specify the location of your AuthUserFile
.
The HTTP authentication plugin uses the REMOTE_USER
environment variable as the WordPress username and password. You still create users in WordPress (so that you can assign them a level), but authentication is handled externally.
API Extensions
Some minor changes were made to WordPress to extend the authentication API:
wp-login.php
- Add
lost_password
hook to allow plugins to disable this action. - Move
retrieve_password
hook to allow plugins to disable this action before an email is sent. - Move
reset_password
hook to allow plugins to disable this action before an email is sent. - Add
wp_authenticate
hook to allow plugins to handle authentication. The username and password variables are passed by reference so plugins can pass the information back towp-login.php
.
- Add
wp-admin/profile.php
- Add
check_passwords
hook to allow plugins to update a user’s password. - Add
show_password_fields
filter to allow plugins to hide the password fields.
- Add
wp-admin/user-edit.php
- Add
check_passwords
hook to allow plugins to update a user’s password. - Add
show_password_fields
filter to allow plugins to hide the password fields.
- Add
wp-admin/users.php
- Add
check_passwords
hook to allow plugins to update a user’s password. - Add
show_password_fields
filter to allow plugins to hide the password fields.
- Add
See Also
Comments
Comment from Matt on
I just checked this in, let me know how it looks.
Comment from Matt on
Also you should add your plugin to wp-plugins.org.
Comment from Martin Cleaver on
Hi, does this mean that WordPress can use a htpasswd file as its master list of users?
I want to use WordPress to help http://twiki.org/cgi-bin/view/Codev/BlogginInTWiki
Comment from dwc on
Martin,
I’m not familiar with TWiki’s user system, but WordPress would most likely work in this situation. For example, if TWiki can use Apache’s mod_auth_digest, then you could use the http-authentication WordPress plugin to use the same user database.
Try downloading version 1.1 and looking at the readme.txt. At the very least, you’ll need to install the plugin, add your users to WordPress, and then set up your .htaccess file.
Let me know if you have any questions.
Comment from Martin Cleaver on
Thanks…
Does this http-authentication WordPress plugin provide a mechanism for a user to register or change the password or is that done elsewhere?
Thanks. M.
Comment from dwc on
Martin,
The plugin assumes you have an existing mechanism for managing users. For example, you could use mod_auth_ldap against an existing LDAP directory.
The plugin is actually very simple – it just looks for a username provided by Apache and passes it into the WordPress authentication code.
Comment from Steve on
I’m a first time wp; have the plugin in working but for some reason it seems to block the css file from loading so my site is looking very retro at the moment – any ideas?
Comment from dwc on
Steve,
Could you check your server logs for hits to the CSS file? The status code might be helpful in debugging the problem.
Comment from Senpai on
I successfully used your plugin to integrate a WordPress 2.2 installation with Active Directory, thanks!
Comment from Stephen on
Awesome work, thanks a lot. This was a huge help with something I was trying to get done.
Comment from Andrisi on
Does it support auto login. So the users don’t have to click login at all. I don’t see how to implement this in WP. Any suggestions? Thanks!
Comment from dwc on
Andrisi,
Off the top of my head, I don’t think that’s supported. For my sites the users are almost always logging into the WordPress administration section first.
However, I’d be happy to take a patch to add support for that. You could probably use an early plugin hook to support auto-login. The patch should make this behavior optional, as with the auto-create option added previously.
Comment from Bilinen on
I’m a first time wp; have the plugin in working but for some reason it seems to block the css file from loading so my site is looking very retro at the moment – any ideas
Comment from dwc on
It sounds like your authentication configuration might be incorrect. Can you check the Apache logs for more information?