Instantly share code, notes, and snippets.

Embed
What would you like to do?
Adding HTTP Authentication to a WordPress site
<?php
/**
* Plugin Name: WP Basic HTTP Authentication
* Plugin URI:
* Description: Adds HTTP Authentication to a WordPress site
* Author: James Morrison
* Version: 1.0.2
* Author URI: https://www.jamesmorrison.me
**/
// Namespace
namespace WP_Basic_Auth;
// Security check
defined( 'ABSPATH' ) || die( 'Direct file access is forbidden' );
// Define valid usernames / passwords
function valid_credentials() {
return apply_filters( 'wp_basic_auth_credentials', [
'example_user' => 'example_password',
] );
}
// Define restricted environments
function restricted_environments() {
return apply_filters( 'wp_basic_auth_environments', [
'staging',
] );
}
// Is the user authenticated?
function authenticated() {
// Username and Password defaults
$user = false;
$password = false;
// Sanitize username if set
if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) {
$user = sanitize_text_field( $_SERVER['PHP_AUTH_USER'] );
}
// Sanitize password if set
if ( isset( $_SERVER['PHP_AUTH_PW'] ) ) {
$password = sanitize_text_field( $_SERVER['PHP_AUTH_PW'] );
}
// Retrieve the valid credentials
$valid_credentials = valid_credentials();
// Loop through the valid credentials to authenticate user
foreach ( $valid_credentials as $valid_username => $valid_password ) {
// If the username doesn't match, skip to the next record
if ( $user !== $valid_username ) {
continue;
}
// Validate the password; we already know we have a valid username
if ( $password === $valid_password ) {
return true;
}
}
return false;
}
// Failed authentication.. return 401
function failed_authentication() {
header( 'WWW-Authenticate: Basic realm="Private Site"' );
header( 'HTTP/1.0 401 Unauthorized' );
echo 'FAILED LOGIN';
die();
}
// Function to authenicate the use
add_action( 'plugins_loaded',
function() {
// Default to no environment
$environment = false;
// Work out if there is a defined environment
if ( isset( $_SERVER['environment'] ) ) {
$environment = sanitize_text_field( $_SERVER['environment'] );
}
// Bail early if there's no environment set
if ( ! $environment ) {
return;
}
// Retrieve the restricted environments
$restricted_environments = restricted_environments();
// Check the current environment is not one of the restricted ones; bail if it's not
if ( ! in_array( $environment, $restricted_environments ) ) {
return;
}
// We have to authenticate this user
if ( ! authenticated() ) {
failed_authentication();
}
}, 1, 0
);
// Logout
add_action( 'plugins_loaded',
function() {
if ( isset( $_GET['logout'] ) ) {
$_SERVER['PHP_AUTH_USER'] = '';
$_SERVER['PHP_AUTH_PW'] = '';
}
}, 1, 0
);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment