Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Authenticate via HTTP against WordPress user database
//Force SSL so that passwords aren't sent in the clear.
if($_SERVER["HTTPS"] != "on") {
header("HTTP/1.1 301 Moved Permanently");
header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
//Here's where the Wordpress magic happens.
define('WP_USE_THEMES', false);
//Check to see if the user has an active auth session
if (!isset($_SERVER['PHP_AUTH_USER'])) {
//Show the auth dialog box
} else {
//Get the input data.
$user = stripslashes($_SERVER['PHP_AUTH_USER']);
$pass = stripslashes($_SERVER['PHP_AUTH_PW']);
//Check WordPress for correct credentials.
$auth = wp_user_pass_ok($user, $pass);
if($auth !== true) {
//Whoops! Try again!
//Otherwiuse, let em through!
// TODO: Add cookie for longer than 1 session authentication.
function http_basic_auth() {
$realm = 'Restricted-use your Wordpress credentials.';
header('WWW-Authenticate: Basic realm="' . $realm . '"');
header('HTTP/1.0 401 Unauthorized');
echo 'Whoops! You hit the cancel button. Use your WordPress credentials to gain access. Hit reload to try again.';
function wp_user_pass_ok($user_login, $user_pass) {
$user = wp_authenticate($user_login, $user_pass);
//Make sure the user authenticates and can edit posts
//(contributor level or higher - we don't want to give subscribers access)
if ( is_wp_error($user) || !user_can($user, 'edit_posts'))
return false;
return true;

This comment has been minimized.

Copy link

cookieguru commented Sep 14, 2013

I solved the same problem with fewer lines of code and it even uses cookies


if(!is_user_logged_in()) {
if(!current_user_can('update_core')) {
    exit('You can\'t do that');
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.