http-authentication 3.0

I’ve released version 3.0 of the http-authentication plugin, which is compatible with (and requires) WordPress 3.0.

Changes in this version include:

  • Use of pluggable functions for authentication instead of plugin hooks
  • Revamped multi-user support, now that WordPress 3.0 includes it
  • New options page, using the settings API

I’ve tested the plugin extensively, but please let me know if you run into problems with your setup.

Nothing should need to change in terms of your configuration. If you’re running WordPress 3.0, please upgrade using your WordPress plugin interface or download a zip file and install the files on your server.

Update: I’ve released version 3.0.1 with an improvement in how the plugin interacts with WordPress authentication cookies. Download a zip file.

Update: I’ve released version 3.1. This version contains no changes from 3.0.1, just a new version number to make it the latest version on the plugin page. Download a zip file.

Update: I’ve released version 3.2, with a minor fix for creating users. Download a zip file.


Comment from Bryn on

I’ve got plugin 3.1 on one particular server, and that version of (freshly upgraded) wordpress will not allow me to create a new user.

It says:
ERROR: Please enter your password.

but there’s no field for password like there normally would be. Is this you or is this WP?

Comment from dwc on

Ah, you’re right. I mistakenly removed the password generation while updating the plugin because I didn’t think it was needed any longer.

I’ve committed a fix. Could you give the development version a try again? Thanks!

Comment from Adam on


First off, thanks for updating your plugin!

Now on to my error.

I’ve been trying to get http-authentication working with a completely fresh wordpress 3 install for a couple days now, it was working at one point, but it stopped as of some time yesterday.
I setup a fresh install this morning to do some more testing and get a “No REMOTE_USER or REDIRECT_REMOTE_USER found.” error message whenever a user tries to login with http authentication on the /wp-login.php page (

I threw some var_dumps into the top of the wp-login.php page and confirmed that, at that point, both of those variables are null.

The user I am trying to login with is admin, which has an entry in the wordpress user database as well as an entry in the .htaccess and .htpassword file in the /wp-admin directory.

Any thoughts?

Comment from dwc on


It doesn’t sound like Apache is protecting the wp-login.php file. Did you also add a section to your top-level .htaccess file?

Comment from Adam on

Thanks for the quick response!

The intent of the configuration I am trying to setup is to have http-authentication pass http auth credentials to wordpress *only* for the wp-admin directory.

Since the purpose of the site is a few bloggers serving a large anonymous audience it would be fairly cumbersome for readers to have the root directory protected with .htaccess.

Thinking back now I may have originally misconfigured the .htaccess file in the root of the site and not noticed it while I was doing my initial testing, which I think would explain why the plugin worked, and then did not when I tested it on a clean install.

So, if I understand correctly, wp-login.php needs the server variables from the http auth to do the auth’ing, and since it doesn’t live in the wp-admin directory it wouldn’t get those passed to it, since they’re only passed to scripts that live in a protected directory.

Then to make the http-authentication plugin work I need .htaccess (and .htpasswd) files living at the root of the wordpress site?

Comment from dwc on

That’s correct. WordPress does its authentication work in wp-login.php, so you have to protect it in addition to wp-admin.

Comment from Adam on

Thanks a bunch for clearing that up!

Comment from Jim on

Thanks for the great plugin. I placed a custom login screen in front of WordPress that queries an LDAP, AD, and a text file. That part is working great. Unfortunately, when I have the plugin activated I can’t add or remove widgets using the widget panel. When I deactivate the plugin I can add/delete widgets with no problem. It appears that there is some type of problem with the ajax calls the widget panel uses. I would appreciate any advice you may have. Thanks again.

Comment from dwc on


The ajax code for the widgets is probably not sending the external authentication information. This should show up in your server logs as e.g. 403 errors.

I’m not sure if the plugin can workaround the issue, unfortunately. I’ll try to look into it further, but please let me know if you discover anything.

Comment from Dave Tasker on

1st of all, ty Daniel for an excellent plugin!

Being a bit of a newb and all, I am scratching my head a little trying to figure out a little problem I am experiencing using plugin, and WP 3 configured with subsites. We are using a central University authentication system “xyz” to authenticate users via an Apache module.

I have an .htaccess file in the root folder, including this block:

AuthType xyz
Require valid-user

Login works fine for all of the sites – main and subsites, but unfortunately the logout seems to get stuck on this url:

Where is the main WP site, and undergraduate is the subsite.

Am I doing anything stupid here?


Comment from dwc on


Could you elaborate on what you mean by “stuck”?

Comment from Dave Tasker on

I am using the block heading Location "/wp-login.php" in the above

Comment from Dave Tasker on

Hi Daniel.
Before activating multisite in WP3, clicking logout from the admin pages would return me to the login page with the message “you are now logged out”.

With multisite enabled, clicking the logout link results in a white screen “stuck” at the URL above.

Closing the browser appears to clear the authentication cookie, as the University authentication screen is displayed once again. However, authenticating results in a “bad request message”.

I should perhaps do a little more investigation to make sure I have everything correctly set-up.


Comment from dwc on


Please try the development version and let me know your results. The current version may not be saving options correctly for multi-site configurations.

Comment from Björn Ekelöf on

I also had some problems when logging out on a multisite WP3 setup. I tried the dev version and now everything works ok.

Comment from Tim on


Great plugin. We use it all over our site, where we’re using WP 🙂

Just wondering if you or anyone else has experienced trouble with the auto-creation of users when skipping between MU subsites. We were able to successfully create a user on one subsite (with the “Automatically create accounts” option checked), but when that same user tries logging in to a different subsite, the user is not created on that subsite, but rather on the top-level parent site with the following bit attached to the end of the WordPress site URL, after it redirects them: /wp-admin/?c=1 . We are using the development version. Quite possible it’s an .htaccess issue, too, and the rewrite rules aren’t playing nice. We used the default ones provided by the MU installation. Thanks in advance for any insight you or someone else has.

Comment from dwc on


To be honest, that part of the code has not been extensively tested on MU setups. All it does is call wp_create_user.

My guess is that when switching sites, a request occurs during which the plugin is running in the context of the top-level site. The _create_user function may need some MU sugar to make it work properly.

Comment from Greg Varga on

I tried to use the plugin with LiveWriter (and other offline writers) and was running into an error where the plugin wouldn’t allow xmlrpc.php to authenticate via it’s own mechanism. xmlrpc.php has it’s own way of getting the username and password and http basic authentication should not interfere with that.

I pocked around the code and came up with a solution… First thing that needs to be done is to remove http:///xmlrpc.php out of the http authentication by:

Satisfy Any

Then apply this patch; which just removes the wp_ function override and adds a wp filter instead…

--- http-authentication.php.orig 2011-01-27 22:13:18.000000000 -0800
+++ http-authentication.php 2011-01-27 22:11:14.000000000 -0800
@@ -20,6 +20,7 @@
add_filter('login_url', array(&$this, 'bypass_reauth'));
add_filter('show_password_fields', array(&$this, 'disable'));
add_filter('allow_password_reset', array(&$this, 'disable'));
+ add_filter('authenticate', array(&$this, 'authenticate'));
add_action('check_passwords', array(&$this, 'generate_password'), 10, 3);
add_action('wp_logout', array(&$this, 'logout'));
@@ -160,17 +161,11 @@

return $user;
-// Load the plugin hooks, etc.
-$http_authentication_plugin = new HTTPAuthenticationPlugin();

-// Override pluggable function to avoid ordering problem with 'authenticate' filter
-if (! function_exists('wp_authenticate')) {
- function wp_authenticate($username, $password) {
- global $http_authentication_plugin;
+ // Do the HTTP Authentication
+ function authenticate($username, $password) {

- $user = $http_authentication_plugin->check_remote_user();
+ $user = $this->check_remote_user();
if (! is_wp_error($user)) {
$user = new WP_User($user->ID);
@@ -178,4 +173,8 @@
return $user;
+// Load the plugin hooks, etc.
+$http_authentication_plugin = new HTTPAuthenticationPlugin();

And now LiveWriter works!

Comment from Greg Varga on

grrr that first code block should be something like:

%3CLocation /support_manual/xmlrpc.php>
Satisfy Any

and if that doesn’t work then… add the left brackets to this one:

Location /support_manual/xmlrpc.php>
Satisfy Any

Comment from dwc on


Thanks for very much for the information! I’ll test it out and hopefully incorporate it into the plugin.

Comment from Dave Hostetler on


So far your plugin works great, but I’m having a couple of issues that I thought I’d ask you about.

1) I can’t seem to change any of the user profile info after they have been created

2) Logging out does not remove session information.

Let me know if you have any ideas on these. Thanks.

Comment from dwc on


I haven’t run into the first issue. The plugin disables the password forms but should allow you to edit the rest of the profile information. What version of WordPress are you testing?

As for the second issue, have you configured a logout URL? You can set it to whatever is appropriate for your single sign-on system to remove any session cookies.

Comment from Scott Shambarger on

Hi Daniel,

I pulled a copy of the devel code, and then reworked it to add support for single sign-on in addition to http_auth (ie with it’s own login uri), and also added an option to fall back to wordpress authentication if SSO isn’t active (this allows for a mixed environment).

In the process I also added handling for cookie mismatches… it’s a pretty radical update, but I’ve tested it fairly thoroughly in my own environment, and it works quite well.

Let me know if you want me to send you a copy and you can see if it’s something you want to use.


Comment from dwc on


I’d love to take a look. Fallback authentication is a common request. To start, please email me a copy at

By the way, did you start from the trunk version?

Comment from Bill on


i need a help with this plugin.

I installed the plugin, configured, and when I go into the wordpress he begins to make an infinite loop between the wp-login.php and profile.php.

I am using Win2008 Server and WordPress 3.1.1 intalled at the root

I did it in a clean version of wordpress and the error is the same.


im using a WinServer 2008 + WordPress (Intranet)

the first time, the plugin works ok., and create the user SERVERuser, no “”, ok, but after logout and back to wp-login.php, a loop infinite begins.
>>> go to >>>
>>> go to >>>

help me please.

Sorry for english, google translator


Comment from Johan Jakobsson on


I´m having a problem regarding the iPhone WP app and http authentication – It has been a bit modified to work with our site but as I´m a noob, could someone please take a look at the code and tell me what´s wrong?
I get “Blog returned invalid data” from the app as soon as I activate the http authentication plugin.


Comment from dwc on


Can you login to your site via a standard browser when the http-authentication plugin is enabled?

WordPress for iOS uses WordPress’ XML-RPC interface. This plugin doesn’t interact with that interface, so it should still work. The one caveat is with your users’ passwords: if you save a user’s profile while the current version of the plugin is enabled, their password will be scrambled.

In an upcoming version, there will be a workaround for this problem.

Comment from Holger on

Thanks a lot for this plugin. I stumbled across your mixed authentication version. I am using this version (rev 390009) currently because this was just what I was looking for. I know of course that it is not yet officially released.
While playing around a bit, I discovered that in this revision, if the admin is logged in via http and changes a different users profile, then that users password will be updated with a random one, even if that user is usually using WP authentication.
Could be I am totally wrong about this. I am not an expert. I not however, I thought this feedback might be useful for you.
Keep up the good work.

Comment from dwc on


Could you try the trunk version instead? I don’t believe it has the problem you describe.