WordPress Custom Login with Basic Authentication

If you want to take complete control over validating a user’s login credentials against a WordPress database (or an external database that uses WordPress’ password hashing, as was the case for me), the following code should provide a good starting point.

In this particular example we’re using HTTP Basic Authentication to present the ‘login form’ and enforce authentication on a given directory defined in an Apache .htaccess file. The private function _authenticate_wp(), along with the require(), are the only bits of the code below you need if you just want to validate a WordPress user’s username/password combination.


<?php
# import the WP environment, aka load all this overhead just to check a password
# BASE_PATH must point at the top of your WP install (placeholder path shown)
define("BASE_PATH", "/path/to/top/of/your/wp/install");
require(BASE_PATH . '/wp-blog-header.php');

class TMRSAuthentication
{
    public function do_basic_authentication()
    {
        if (!isset($_SERVER['PHP_AUTH_USER'])) {
            header('WWW-Authenticate: Basic realm="Login with your WordPress Username and Password"');
            header('HTTP/1.0 401 Unauthorized');
            # this message is displayed if the user cancels login
            $this->show_failed_login();
            exit;
        } else {
            $username = $_SERVER['PHP_AUTH_USER'];
            $password = $_SERVER['PHP_AUTH_PW'];
            if( $this->_authenticate_wp($username, $password) ) {
                return true;
            } else {
                return false;
            }
        }
    }

    private function _authenticate_wp($username, $password)
    {
        global $wp_error;
        if ( empty($wp_error) ) {
            $wp_error = new WP_Error();
        }
        $user = wp_authenticate($username, $password);
        if(is_wp_error($user)) {
            return false;
        } else {
            return true;
        }
    }

    public function show_failed_login()
    {
        echo "Login failed";
    }

}

Here’s how you’d use the class above:


$auth = new TMRSAuthentication();
if( $auth->do_basic_authentication() ) {
    echo "login successful";
} else {
    $auth->show_failed_login();
}
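
The class above reads only `$_SERVER['PHP_AUTH_USER']` and does not re-send the 401 challenge when the credentials are wrong. The sketch below is an added example, not code from the original post: it also parses the raw `Authorization` header (which is all some CGI/FastCGI setups expose) and challenges again on failure. The `tmrs_*` function names and the `$verify` callback, assumed to wrap `wp_authenticate()`, are hypothetical.

```php
<?php
// Added example; tmrs_* names are hypothetical, not from the post or WordPress.

/** Return [username, password] from a $_SERVER-style array, or null. */
function tmrs_basic_credentials(array $server): ?array
{
    // Present when PHP itself decoded the header (e.g. as an Apache module).
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // CGI/FastCGI setups may only expose the raw header, if at all.
    $raw = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})$/i', trim($raw), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict: reject non-base64 input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // first colon only; passwords may contain ':'
}

/** $verify is any callable(user, pass): bool, assumed to wrap wp_authenticate(). */
function tmrs_require_login(array $server, callable $verify): bool
{
    $creds = tmrs_basic_credentials($server);
    if ($creds !== null && $verify($creds[0], $creds[1])) {
        return true;
    }
    // Challenge again for missing AND wrong credentials so the browser re-prompts.
    header('WWW-Authenticate: Basic realm="Login with your WordPress Username and Password"');
    http_response_code(401);
    return false;
}

// Constructed sample input: what a FastCGI server might pass for "alice:s3cr:et".
$sample = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:s3cr:et')];
$stub = fn($u, $p) => $u === 'alice' && $p === 's3cr:et'; // stand-in verifier
$results = [
    tmrs_basic_credentials($sample),
    tmrs_basic_credentials(['HTTP_AUTHORIZATION' => 'Bearer abc']),
    tmrs_require_login($sample, $stub),
    tmrs_require_login([], $stub),
];
var_dump($results);
```

In real use, pass `$_SERVER` and a closure that returns `!is_wp_error(wp_authenticate($u, $p))`. Basic Authentication sends the password base64-encoded rather than encrypted on every request, so serve the protected directory over HTTPS only.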

3 thoughts on “WordPress Custom Login with Basic Authentication”

  1. @franckm

    Modify _authenticate_wp()

    after this call:

    $user = wp_authenticate($username, $password);

    $user will have all the WP user information, var_dump($user) to take a look at how it’s arranged.

    Then you can modify the return values and return $user if authentication is successful, or false (or something similar).

    With the returned $user you can continue on with your custom implementation.

    Note: this example is only for very custom integration scenarios, for most use cases, there are more WP-specific ways that are more appropriate.

  2. This has been ever so useful. Now I can finally authenticate utilizing the WordPress users to my web app from within the desktop client.

    I was hoping a simple SQL query could do it, but your site helped me figure everything out and piece it together. Thanks a lot for this code!
