If you want to take complete control over validating a user’s login credentials against a WordPress database (or an external database that uses WordPress’ password hashing, as was the case for me), the following code should provide a good starting point.
In this particular example we’re using HTTP Basic Authentication to present the ‘login form’, and enforce authentication on a given directory defined in an Apache .htaccess file. The private function _authenticate_wp() along with the require() are the only bits of the code below you need if you just want to validate a WordPress user’s username/password combination.
    # import the wp environment, aka load all this overhead just to check a password
    # set BASE_PATH to the top of your WordPress install
    define("BASE_PATH", "/path/to/top/of/your/wp/install");
    require(BASE_PATH . '/wp-blog-header.php');

    class TMRSAuthentication
    {
        public function do_basic_authentication()
        {
            if (!isset($_SERVER['PHP_AUTH_USER'])) {
                # no credentials sent yet: ask the browser to prompt for them
                header('WWW-Authenticate: Basic realm="Login with your WordPress Username and Password"');
                header('HTTP/1.0 401 Unauthorized');
                # this message is displayed if the user cancels login
                $this->show_failed_login();
                exit;
            } else {
                $username = $_SERVER['PHP_AUTH_USER'];
                $password = $_SERVER['PHP_AUTH_PW'];
                if( $this->_authenticate_wp($username, $password) ) {
                    return true;
                } else {
                    return false;
                }
            }
        }

        private function _authenticate_wp($username, $password)
        {
            global $wp_error;
            if ( empty($wp_error) ) {
                $wp_error = new WP_Error();
            }
            # wp_authenticate() returns a WP_User on success, a WP_Error on failure
            $user = wp_authenticate($username, $password);
            if(is_wp_error($user)) {
                return false;
            } else {
                return true;
            }
        }

        public function show_failed_login()
        {
            echo "Login failed";
        }
    }
Here’s how you’d use the class above:
    $auth = new TMRSAuthentication();
    if( $auth->do_basic_authentication() ) {
        echo "login successful";
    } else {
        $auth->show_failed_login();
    }
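
A variant of the class above, as an added example that is not the post's own code: it returns the WP_User object so the caller can read the login name and email, challenges again when the credentials are wrong rather than only when they are missing, and refuses plain HTTP. The class name BasicAuthUserGate is hypothetical, wp-load.php is swapped in for wp-blog-header.php, and BASE_PATH is assumed to be defined as in the post.

```php
<?php
// Added example. Assumes BASE_PATH is defined as in the post.
// wp-load.php boots WordPress without running the main page query.
require_once BASE_PATH . '/wp-load.php';

class BasicAuthUserGate // hypothetical class name
{
    const REALM = 'Login with your WordPress Username and Password';

    // Returns the authenticated WP_User, or sends a response and exits.
    public function require_user()
    {
        // Basic Authentication resends the password with every request,
        // so refuse plain HTTP. Assumes TLS terminates on this server.
        if (!is_ssl()) {
            status_header(403);
            exit('HTTPS required');
        }

        $username = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
        $password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
        if ($username === '' || $password === '') {
            $this->challenge();
        }

        $user = wp_authenticate($username, $password);
        if (is_wp_error($user)) {
            $this->challenge(); // wrong credentials: ask again
        }
        return $user;
    }

    private function challenge()
    {
        header('WWW-Authenticate: Basic realm="' . self::REALM . '"');
        status_header(401);
        echo 'Login failed';
        exit;
    }
}

$user = (new BasicAuthUserGate())->require_user();
// Escape user-controlled profile fields before echoing them.
echo 'Logged in as ' . esc_html($user->user_login) . ' (' . esc_html($user->user_email) . ')';
```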

hello,
how can I retrieve the name or email of the person who was connected?
thank you for your help.
@franckm
Modify _authenticate_wp()
after this call:
$user = wp_authenticate($username, $password);
$user will have all the WP user information; var_dump($user) to take a look at how it’s arranged.
Then you can modify the return values and return $user if authentication is successful, or false (or something similar).
With the returned $user you can continue on with your custom implementation.
Note: this example is only for very custom integration scenarios; for most use cases, there are more WP-specific ways that are more appropriate.
This has been ever so useful. Now I can finally authenticate utilizing the WordPress users to my web app from within the desktop client.
I was hoping a simple SQL query could do it, but your site helped me figure everything out and piece it together. Thanks a lot for this code!