Authentication Plugins
Update: This patch has been added to WordPress as of 1.5.1. The most recent version of the plugin is available from the plugin repository.
Prior to WordPress 1.5, no hooks existed for authentication plugins. Thus, to authenticate users through GatorLink or another external authentication scheme, changes to WordPress core were needed. Fairly significant changes to wp-login.php, for example, made upgrading to a new version of WordPress more difficult.
With WordPress 1.5, some hooks into the authentication process have been added. This opens the doors for authentication plugins.
Using External Authentication
As part of UF's efforts to use WordPress, Web Administration has developed an HTTP authentication plugin. This plugin can be used in any situation where your Web server sets the REMOTE_USER environment variable. With .htaccess files, you can use any of the authentication mechanisms available in Apache, such as basic authentication.
To properly lock down WordPress and use the HTTP authentication plugin, you need two .htaccess files: one protecting wp-login.php and one protecting the wp-admin directory.
For wp-login.php, add something like the following to your .htaccess file at the root of your WordPress installation (create the file if you don't have it already):
<Files wp-login.php>
AuthName "GatorLink"
AuthType GatorLink
GatorLinkTimeout 60
GatorLinkVerbose Off
Require user dwc
</Files>
For the wp-admin directory, create an .htaccess file with something like the following:
AuthName "GatorLink"
AuthType GatorLink
GatorLinkTimeout 60
GatorLinkVerbose Off
Require user dwc
For basic authentication, you'll need to change the AuthType, remove the GatorLink options, and specify the location of your AuthUserFile.
The HTTP authentication plugin uses the REMOTE_USER environment variable as the WordPress username and password. You still create users in WordPress (so that you can assign them a level), but authentication is handled externally.
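Because the plugin accepts whatever REMOTE_USER the server sets, both .htaccess files have to be in place before it is enabled. The following Python check is an added example, not part of the plugin or of WordPress; its function names are hypothetical, and it assumes only top-level directives and simple <Files name> blocks matter (Satisfy, <Limit> and nested sections are not modelled).

```python
import re

FILES_RE = re.compile(r'<Files\s+"?([^">]+?)"?\s*>$', re.I)

def parse_htaccess(text):
    """Map scope -> {directive: value}; scope "" is the top level of the file."""
    scopes, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            current = ""
        elif line.startswith("<"):
            m = FILES_RE.match(line)
            # Sections other than <Files name> are kept apart and never counted.
            current = m.group(1) if m else line
            scopes.setdefault(current, {})
        else:
            name, *rest = line.split(None, 1)
            scopes[current][name.lower()] = rest[0] if rest else ""
    return scopes

def gaps(directives):
    """Directives still needed before Apache will demand a login."""
    missing = []
    if directives.get("authtype", "none").lower() == "none":
        missing.append("AuthType")
    if directives.get("require", "all granted").lower() == "all granted":
        missing.append("Require")
    return missing

def audit(root_text, admin_text):
    """Return findings; an empty list means both entry points require auth."""
    root, admin = parse_htaccess(root_text), parse_htaccess(admin_text)
    # Top-level directives in the root file are inherited by everything below it.
    login = {**root[""], **root.get("wp-login.php", {})}
    wp_admin = {**root[""], **admin[""]}
    return ([f"wp-login.php: missing {d}" for d in gaps(login)]
            + [f"wp-admin/: missing {d}" for d in gaps(wp_admin)])

# The two files as given on this page.
ADMIN = ('AuthName "GatorLink"\nAuthType GatorLink\n'
         'GatorLinkTimeout 60\nGatorLinkVerbose Off\nRequire user dwc')
ROOT = "<Files wp-login.php>\n" + ADMIN + "\n</Files>"

if __name__ == "__main__":
    print(audit(ROOT, ADMIN))
    print(audit(ROOT, ""))  # constructed failure case: wp-admin/.htaccess is empty
```

An empty list from audit() means Apache will demand a login at both entry points; any finding names the path that would reach WordPress without REMOTE_USER having been set by an authentication module.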
API Extensions
Some minor changes were made to WordPress to extend the authentication API:
- wp-login.php
  - Add lost_password hook to allow plugins to disable this action.
  - Move retrieve_password hook to allow plugins to disable this action before an email is sent.
  - Move reset_password hook to allow plugins to disable this action before an email is sent.
  - Add wp_authenticate hook to allow plugins to handle authentication. The username and password variables are passed by reference so plugins can pass the information back to wp-login.php.
- wp-admin/profile.php
  - Add check_passwords hook to allow plugins to update a user's password.
  - Add show_password_fields filter to allow plugins to hide the password fields.
- wp-admin/user-edit.php
  - Add check_passwords hook to allow plugins to update a user's password.
  - Add show_password_fields filter to allow plugins to hide the password fields.
- wp-admin/users.php
  - Add check_passwords hook to allow plugins to update a user's password.
  - Add show_password_fields filter to allow plugins to hide the password fields.