Wednesday, 30 January 2008

HTTP Authentication for Wordpress MU

I've been experimenting recently with deploying Wordpress MU as a blogging solution. As we use cosign for all of our web authentication, we wanted Wordpress MU to be able to accept the contents of the REMOTE_USER variable to authenticate users, rather than relying upon Wordpress's internal authentication solution.

Much web searching found a number of people asking similar questions, and the HTTP Authentication plugin for a single user Wordpress install. Unfortunately, this plugin didn't work "out-of-the-box" with Wordpress MU, so I ended up patching it. The modified plugin is available from

It's still tailored to my needs. There's no support for automatic blog creation, for example, although that would be trivial to add. I haven't looked at its integration with Wordpress in much detail yet, either.

To use it, you need to protect your wp-login.php and wp-signup.php files with something like:

<Files wp-login.php>
CosignProtected On
AuthType Cosign
Require valid-user
</Files>

<Files wp-signup.php>
CosignProtected On
AuthType Cosign
Require group web/blog/create
</Files>

And your wp-admin directory with:

CosignProtected On
AuthType Cosign
require valid-user

This also checks group membership before permitting blog creation.

To install the plugin, copy the file into your wp-content/mu-plugins directory, and configure using the HTTP Authentication tab in your Site Admin menu.

If you install this, please let me know how you get on!

We've also got an additional patch for Wordpress MU which makes it use an HTTPS site for blogs, rather than HTTP - I'm happy to share that on request.


Flavien said...

Hi, I'm trying to patch the latest version of the HTTP Authentication 2.0 plugin for WordPress MU 1.5.1, but I'm struggling.

Would you have, by any chance, patched it for WordPress MU 1.5.1?

Thank you!

sxw said...

Not yet, but I'm going to need to at some point soon. I'll let you know when I get round to it - please tell me if you get to it first!


Flavien said...

Simon, I've posted a patched version that apparently works:

WordPress MU: plugin d’authentification HTTP

Since I cannot pretend to be a PHP coder I'm open to any criticism regarding the code.

BTW, I've changed the user creation code to automatically fetch the first name and last name from the Apache headers.

Stephen said...

Does anybody have this working with IE7? HTTP authentication works fine with IE6 but Microsoft in their infinite wisdom decided to change their RSS platform for IE7. :(

Liam said...

Flavien - not all HTTP Authentication solutions set the user name in HTTP headers, so using PHP_AUTH_USER isn't a great solution. Things should probably fall back to seeing if $_SERVER['REMOTE_USER'] is set if PHP_AUTH_USER is empty.
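
The fallback described in the comment above, as an added example that is not part of the original thread or of either version of the plugin. The function name, the extra REDIRECT_REMOTE_USER source and the login-name pattern are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Names and policy here are assumptions.

/**
 * Return the login name the web server authenticated, or null if none is usable.
 * Pass $_SERVER in production; an array parameter keeps it easy to exercise.
 */
function resolve_authenticated_user(array $server): ?string
{
    // PHP_AUTH_USER first, then REMOTE_USER, as suggested in the comment above.
    // REDIRECT_REMOTE_USER is what Apache exposes after an internal redirect.
    // HTTP_* keys are deliberately not consulted: they are built from request
    // headers, so the client controls them.
    $candidates = ['PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER'];

    foreach ($candidates as $key) {
        if (!isset($server[$key]) || !is_string($server[$key])) {
            continue;
        }
        $user = trim($server[$key]);
        if ($user === '') {
            continue; // set but empty: fall through to the next source
        }
        // Assumed policy: refuse anything that is not a plain login name
        // instead of trying to clean it up.
        if (!preg_match('/\A[A-Za-z0-9._@-]{1,60}\z/', $user)) {
            return null;
        }
        return $user;
    }
    return null; // nothing authenticated: the caller must deny, not guess
}

// Constructed sample inputs covering each path through the function.
$samples = [
    'basic auth'          => ['PHP_AUTH_USER' => 'alice'],
    'cosign (fallback)'   => ['PHP_AUTH_USER' => '', 'REMOTE_USER' => 'bob'],
    'after redirect'      => ['REDIRECT_REMOTE_USER' => 'carol'],
    'client header only'  => ['HTTP_REMOTE_USER' => 'admin'],
    'malformed name'      => ['REMOTE_USER' => "bob\nadmin"],
    'no authentication'   => [],
];
foreach ($samples as $label => $server) {
    $user = resolve_authenticated_user($server);
    printf("%-20s => %s\n", $label, $user ?? '(none: deny)');
}
```

A resolver like this is only as trustworthy as the server configuration in front of it: the variables mean something only on paths the web server actually protects, such as the wp-login.php, wp-signup.php and wp-admin rules in the post.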