Last active
May 21, 2019 09:41
-
-
Save jamesmorrison/73a913d729ad09d4f7f1c8e99ce4d28b to your computer and use it in GitHub Desktop.
Adding HTTP Authentication to a WordPress site
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /** | |
| * Plugin Name: WP Basic HTTP Authentication | |
| * Plugin URI: | |
| * Description: Adds HTTP Authentication to a WordPress site | |
| * Author: James Morrison | |
| * Version: 1.0.2 | |
| * Author URI: https://www.jamesmorrison.me | |
| **/ | |
| // Namespace | |
| namespace WP_Basic_Auth; | |
| // Security check | |
| defined( 'ABSPATH' ) || die( 'Direct file access is forbidden' ); | |
| // Define valid usernames / passwords | |
| function valid_credentials() { | |
| return apply_filters( 'wp_basic_auth_credentials', [ | |
| 'example_user' => 'example_password', | |
| ] ); | |
| } | |
| // Define restricted environments | |
| function restricted_environments() { | |
| return apply_filters( 'wp_basic_auth_environments', [ | |
| 'staging', | |
| ] ); | |
| } | |
| // Is the user authenticated? | |
| function authenticated() { | |
| // Username and Password defaults | |
| $user = false; | |
| $password = false; | |
| // Sanitize username if set | |
| if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) { | |
| $user = sanitize_text_field( $_SERVER['PHP_AUTH_USER'] ); | |
| } | |
| // Sanitize password if set | |
| if ( isset( $_SERVER['PHP_AUTH_PW'] ) ) { | |
| $password = sanitize_text_field( $_SERVER['PHP_AUTH_PW'] ); | |
| } | |
| // Retrieve the valid credentials | |
| $valid_credentials = valid_credentials(); | |
| // Loop through the valid credentials to authenticate user | |
| foreach ( $valid_credentials as $valid_username => $valid_password ) { | |
| // If the username doesn't match, skip to the next record | |
| if ( $user !== $valid_username ) { | |
| continue; | |
| } | |
| // Validate the password; we already know we have a valid username | |
| if ( $password === $valid_password ) { | |
| return true; | |
| } | |
| } | |
| return false; | |
| } | |
| // Failed authentication.. return 401 | |
| function failed_authentication() { | |
| header( 'WWW-Authenticate: Basic realm="Private Site"' ); | |
| header( 'HTTP/1.0 401 Unauthorized' ); | |
| echo 'FAILED LOGIN'; | |
| die(); | |
| } | |
| // Function to authenicate the use | |
| add_action( 'plugins_loaded', | |
| function() { | |
| // Default to no environment | |
| $environment = false; | |
| // Work out if there is a defined environment | |
| if ( isset( $_SERVER['environment'] ) ) { | |
| $environment = sanitize_text_field( $_SERVER['environment'] ); | |
| } | |
| // Bail early if there's no environment set | |
| if ( ! $environment ) { | |
| return; | |
| } | |
| // Retrieve the restricted environments | |
| $restricted_environments = restricted_environments(); | |
| // Check the current environment is not one of the restricted ones; bail if it's not | |
| if ( ! in_array( $environment, $restricted_environments ) ) { | |
| return; | |
| } | |
| // We have to authenticate this user | |
| if ( ! authenticated() ) { | |
| failed_authentication(); | |
| } | |
| }, 1, 0 | |
| ); | |
| // Logout | |
| add_action( 'plugins_loaded', | |
| function() { | |
| if ( isset( $_GET['logout'] ) ) { | |
| $_SERVER['PHP_AUTH_USER'] = ''; | |
| $_SERVER['PHP_AUTH_PW'] = ''; | |
| } | |
| }, 1, 0 | |
| ); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment