http-authentication 2.0

I’ve finished updating the http-authentication plugin for WordPress 2.5.

This version of the plugin will work with WordPress 2.5.1 and above, due to a change in the wp_authenticate plugin hook.

This plugin will not work on WordPress 2.5, but if you want to test it you can download a nightly build or use Subversion WordPress 2.5.1.

You can download the plugin from the WordPress Plugin Directory.

Finally, for this release, I’m starting a new post for the plugin. Refer to the previous post for support issues, and if you don’t find an answer there, please ask here. Questions asked on the old post about this version will not be answered.

Update (2008-04-25): WordPress 2.5.1 is out.


Comment from Ben Chun on

Sweet! Thanks for getting that wp_authenticate fix into 2.5.1. And thanks again for this plugin.

Comment from Mork the Delayer on

Good job. Works for me on 2.6-bleeding. Now all I have to do is wait for a 2.5.1 WordPress release to recommend http auth 2.0 and WP 2.5 via documentation at work.

Comment from dwc on

@Mork: Thanks for the confirmation!

Comment from rh on

If you put the file directive on “wp-login.php” is it necessary to have a separate .htaccess file in the wp-admin directory? It seems to properly protect without the latter, but I’m not an auth expert.

The reason I ask is because when I add the prescribed htaccess file to wp-admin I lose all my css on the admin pages.

Comment from dwc on

@rh: Doing so would leave wp-admin open to attack. It is safer to protect wp-admin as well because any attacker would first have to crack your Apache authentication to exploit a hole in WordPress.

I haven’t seen the problem you describe. Have a look through your Web server logs (especially the error log) to see if there might be a problem with your setup.

Comment from Daniel on

Image upload is broken here on 2.5.1 when using HTTP Authentication together with Admin SSL. For everything it is an awesome combination. Thanks for the hard work.

All I see is a red “HTTP error. An error occured in the upload. Please try again later.” message on the upload page. File permissions are all good.

Comment from dwc on

@Daniel: I’ll try to investigate the combination this week. Let me know if you find any additional details.

Comment from dwc on

@Daniel: The problem appears not to be in the combination of the two plugins, but in that the WordPress uploading tool is not sending the authentication information. There is an existing ticket open about this issue:

There are some helpful pointers in the forum post linked in the ticket as well, but I have not been able to verify if they work. Please let me know if you find a solution!

Comment from rh on

@rh: In the unlikely scenario that someone else experiences the same problem I did, here’s the solve … Our auth system is pubcookie. Declaring a “PubcookieAppID” in my .htaccess file solved the problem.

Comment from Jonathan on


I adapted your plugin for Active Directory. I don’t see your email listed, so I’m leaving a note here.

I really have no idea what the proper etiquette is when one modifies software as such, but in any case, thank you very much for this plugin. It was enormously helpful. WordPress’s documentation was not particularly helpful, and the references to non-existent code within WordPress (e.g. wp-signon) seemed daunting. Using HTTP Authentication as a base, it was very easy to extend for AD authentication. (I’ve sent a submission to so others can use this.)

Thanks again.

Comment from Rod on

Hi — I’ve installed http-authentication 2.0 with the latest version of WordPressMU and it _mostly_ works well. The only aspect that is not working is setting the options:

Logout URL
Automatically create accounts
Email address domain

Making a change to these fields gives me the message:

Are you sure you want to do this?
Please try again.

The changed options never get stored. Needless to say, trying again does not work. Anyone else see this issue?

Thanks for producing a great plugin!

Comment from dwc on

@Rod: I haven’t used MU, to be honest. I assume that MU has different functions for getting and setting options, since they could be site specified.

Someone previously updated the plugin to work with MU:

But I have not had a chance to talk with him and try to incorporate the changes into the main plugin. Let me know if you find out anything more!

Comment from Flavien on

@Rod: Same issue here.

I’m trying to merge the code together, but I’m not fluent in PHP. Has anyone done the grunt work and have something that I could test? I’ll happily beta-test it.

Thanks for your work!

Comment from rbroemeling on

I’m using the HTTP authentication plugin on a combined blog/mail server. It works great, and it lets me pull the user management into a single place. Thanks for the tool!

The one thing that I needed to change was the $email_domain. On my server, the user name is a full e-mail address (i.e. login is ‘’), so appending ‘@$email_domain’ to it actually corrupts the e-mail address.

What I ended up doing is leaving $email_domain blank, and then changing the wp_create_user call in http-authentication.php (line 139) to be:

wp_create_user($username, $password, $username . ($email_domain ? '@' . $email_domain : ''));

This little one-line fix made the HTTP authentication plugin do exactly what I wanted it to… I think it is probably non-intrusive enough to be folded into the main distribution as well?

Anyway, thanks for a great plugin.

Comment from Bret McMillan on

I’ve been doing some wordpress-mu work lately, prepping it for inclusion in Fedora and internal usage. I’ve hacked up a version that works for our purposes, and would like to discuss whether we can make your code natively support either wp or wpmu.


Comment from dwc on


By all means, send me an email (my username at this site (dwc) followed by the second-level domain ( I’d definitely like to work on making the plugin support WordPress MU natively.

Comment from Daniel Eggert on

This is an awesome plugin. Have been using it for a year or so now.

Will this work on WordPress 2.6.1? I’m holding off upgrading to 2.6.1 until I’m sure this plugin will work.

Comment from dwc on


Yes, I’ve been running it here with no problems. I’ve updated the readme and pushed a new release to note this. Thanks!

Comment from bigbaaadbob on

I’m very interested in the MU stuff. I may try out Flavien’s patches, but if McMillan has better I’d be glad to start there.

Comment from Robb on

This looks really great — I’m creating a plugin for Ruby on Rails, and this does nearly everything I need:

…I’m not sure if I should “branch” the code into a separate project or not … I might have to: there’ll be a bunch of changes necessary.

Comment from dwc on


A branch seems sensible to me. Let me know if you have any questions about how the plugin works.

Comment from Scott Plumlee on

Got a weird issue with your plugin (or my install) and was hoping you might be able to point me to a starting point for figuring it out. Users can authenticate, but the moment they try to edit a post and click the save button, it’s not saved. They can create a new post, but editing/publishing fails. The users who have the problem are on a different domain, but are able to get into the wp-admin area, so I know the actual authentication is working. Any ideas where to start looking? This is on wp 2.6.2, and I’ll happily share anything I can find.

Comment from dwc on


Do you have access to the server logs? If there are any 401 or 403 errors, those lines would help debug.

I know that the Flash uploading tool fails (see WordPress ticket #6473), but otherwise I haven’t had any problems with the plugin on 2.6.

Comment from Scott Plumlee on

Seeing a lot of errors like this:
SERVER.IP-ADDRESS.GOES.HERE - - [19/Nov/2008:14:35:58 -0500] "GET /WP-DIRECTORY/wp-cron.php?check=e6e54a42282d5fd5c51d2c4a274b1217 HTTP/1.0" 401 401

I usually replicate the problem like this: I log in, and the other user logs in. I create a new test post and add content. Then the other user tries to edit that post. They put content in, click save, and the new content doesn’t show.

Thanks for your help. I really appreciate it, and the plugin as well.

Comment from Scott Plumlee on

Did some digging into the support codex, and looks like it might be a case of wp-cron.php not being able to be accessed by this server because the request comes from the server’s external IP address. I’m disabling cron to check it out, and if that’s it, I apologize to your plugin for unfairly blaming it. Thanks for your help.
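
Added example, not part of the original thread or the plugin: one way to do the log check suggested above, summarising 401/403 responses in an Apache access log by path and marking requests that come from the server's own address (as the wp-cron.php requests did). The function names, the sample log and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Usage: auth_failures SERVER_IP < access.log
# SERVER_IP is the web server's own external address (assumption: requests
# from it are WordPress calling itself, e.g. for wp-cron.php).
auth_failures() {
    awk -v self="$1" '
        # Common/combined log format: $1 client, $7 request path, $9 status.
        $9 == 401 || $9 == 403 {
            path = $7
            sub(/\?.*/, "", path)          # drop the query string
            origin = ($1 == self) ? "self" : "remote"
            count[$9 " " origin " " path]++
        }
        END {
            for (k in count) print count[k], k
        }
    ' | sort -k1,1nr -k2
}

# Constructed sample log (addresses from the documentation ranges).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [19/Nov/2008:14:35:58 -0500] "GET /blog/wp-cron.php?check=abc HTTP/1.0" 401 401
192.0.2.10 - - [19/Nov/2008:14:36:40 -0500] "GET /blog/wp-cron.php?check=def HTTP/1.0" 401 401
198.51.100.7 - alice [19/Nov/2008:14:36:02 -0500] "POST /blog/wp-admin/post.php HTTP/1.1" 302 0
198.51.100.7 - - [19/Nov/2008:14:37:11 -0500] "POST /blog/wp-admin/async-upload.php HTTP/1.1" 401 401
203.0.113.5 - - [19/Nov/2008:14:38:00 -0500] "GET /blog/wp-admin/ HTTP/1.1" 403 210
EOF
}

# Output columns: count, status, origin (self/remote), path.
sample_log | auth_failures 192.0.2.10
```

Lines marked "self" are requests the server made to itself without credentials; lines marked "remote" are clients that were refused by the Apache authentication layer.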

Comment from Greg Hill on

This plugin seems to have stopped working under WordPress 3.0 for me. Have you tested it?
Thanks, Greg.

Comment from Greg Hill on

Sorry, should have supplied more details: the error I get is “ERROR: Invalid username”. I have “Automatically create accounts” set, but it is not creating the user if it does not already exist.
Cheers, Greg.

Comment from dwc on


I’m working on updating the plugin to work with WordPress 3.0. Stay tuned for updates.

Comment from Greg Hill on

Sorry, false alarm. I’ve just done a fresh WP3.0 install with only your plugin and it works fine. The main difference between the one that works and the one that doesn’t is the theme. If I can narrow it down some more I’ll let you know.
Cheers, Greg.

Comment from Greg Hill on

More info: to recreate this problem I install a new wordpress 3.0 blog. Then I import the data from my production blog. Immediately after the import I get “ERROR: Invalid username” when attempting to sign in with a non-existent user name. No problems before the import.
Cheers, Greg.
