Authentication Plugins

Update: This patch has been added to WordPress as of 1.5.1. The most recent version of the plugin is available from the plugin repository.

Prior to WordPress 1.5, no hooks existed for authentication plugins. Thus, to authenticate users through GatorLink or another external authentication scheme, changes to WordPress core were needed. Fairly significant changes to wp-login.php, for example, made upgrading to a new version of WordPress more difficult.

With WordPress 1.5, some hooks into the authentication process have been added. This opens the doors for authentication plugins.

Using External Authentication

As part of UF‘s efforts to use WordPress, Web Administration has developed an HTTP authentication plugin. This plugin can be used in any situation where your Web server sets the REMOTE_USER environment variable. With .htaccess files, you can use any of the authentication mechanisms available in Apache, such as basic authentication.

To properly lock down WordPress and use the HTTP authentication plugin, you need two .htaccess files: one protecting wp-login.php and one protecting the wp-admin directory.

For wp-login.php, add something like the following to your .htaccess file at the root of your WordPress installation (create the file if you don’t have it already):

<Files wp-login.php>
  AuthName "GatorLink"
  AuthType GatorLink
  GatorLinkTimeout 60
  GatorLinkVerbose Off
  Require user dwc
</Files>

For the wp-admin directory, create an .htaccess with something like the following:

AuthName "GatorLink"
AuthType GatorLink
GatorLinkTimeout 60
GatorLinkVerbose Off
Require user dwc

For basic authentication, you’ll need to change the AuthType, remove the GatorLink options, and specify the location of your AuthUserFile.

The HTTP authentication plugin uses the REMOTE_USER environment variable as the WordPress username and password. You still create users in WordPress (so that you can assign them a level), but authentication is handled externally.

API Extensions

Some minor changes were made to WordPress to extend the authentication API:

  • wp-login.php
    • Add lost_password hook to allow plugins to disable this action.
    • Move retrieve_password hook to allow plugins to disable this action before an email is sent.
    • Move reset_password hook to allow plugins to disable this action before an email is sent.
    • Add wp_authenticate hook to allow plugins to handle authentication. The username and password variables are passed by reference so plugins can pass the information back to wp-login.php.
  • wp-admin/profile.php
    • Add check_passwords hook to allow plugins to update a user’s password.
    • Add show_password_fields filter to allow plugins to hide the password fields.
  • wp-admin/user-edit.php
    • Add check_passwords hook to allow plugins to update a user’s password.
    • Add show_password_fields filter to allow plugins to hide the password fields.
  • wp-admin/users.php
    • Add check_passwords hook to allow plugins to update a user’s password.
    • Add show_password_fields filter to allow plugins to hide the password fields.

See Also

Comments