{"id":25645,"date":"2013-10-16T19:16:56","date_gmt":"2013-10-16T19:16:56","guid":{"rendered":"https:\/\/wordpress.org\/plugins-wp\/http-digest-auth\/"},"modified":"2017-11-25T14:25:46","modified_gmt":"2017-11-25T14:25:46","slug":"http-digest-auth","status":"publish","type":"plugin","link":"https:\/\/twd.wordpress.org\/plugins\/http-digest-auth\/","author":8048391,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.2.1","stable_tag":"1.2.1","tested":"4.9.29","requires":"3.1.0","requires_php":"","requires_plugins":"","header_name":"HTTP Digest Authentication","header_author":"Jesin","header_description":"","assets_banners_color":"c9d5dc","last_updated":"2017-11-25 14:25:46","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/websistent.com\/wordpress-plugins\/http-digest-authentication\/","header_author_uri":"https:\/\/websistent.com","rating":4,"author_block_rating":0,"active_installs":10,"downloads":5001,"num_ratings":5,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":[],"upgrade_notice":[],"ratings":{"1":"1","2":0,"3":0,"4":"1","5":"3"},"assets_icons":[],"assets_banners":{"banner-772x250.png":{"filename":"banner-772x250.png","revision":"1057424","resolution":"772x250","location":"assets"}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0","1.1","1.2","1.2.1"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":"1057424","resolution":"1","location":"assets"},"screenshot-2.png":{"filename":"screenshot-2.png","revision":"1057424","resolution":"2","location":"assets"},"screenshot-3.png":{"filename":"screenshot-3.png","revision":"1057424","resolution":"3","location":"assets"},"screenshot-4.png":{"filename":"screenshot-4.png","revision":"1057424","resolution":"4","location":"assets"},"screenshot-5.png":{"filename":"scree
nshot-5.png","revision":"1057424","resolution":"5","location":"assets"}},"screenshots":{"1":"Logging in using HTTP digest credentials","2":"The WordPress login page with the HTTP username","3":"Setting a HTTP Digest username and password via Users &gt; Your Profile","4":"Logged out of WordPress","5":"Trying to login with someone else's WordPress username"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[8382,9227,1189,35286,602],"plugin_category":[38,54],"plugin_contributors":[82480],"plugin_business_model":[],"class_list":["post-25645","plugin","type-plugin","status-publish","hentry","plugin_tags-auth","plugin_tags-authenticate","plugin_tags-hacking","plugin_tags-http-digest","plugin_tags-login","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-jesin","plugin_committers-jesin"],"banners":{"banner":"https:\/\/ps.w.org\/http-digest-auth\/assets\/banner-772x250.png?rev=1057424","banner_2x":false,"banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/http-digest-auth_c9d5dc.svg","icon_2x":false,"generated":true},"screenshots":[{"src":"https:\/\/ps.w.org\/http-digest-auth\/assets\/screenshot-1.png?rev=1057424","caption":"Logging in using HTTP digest credentials"},{"src":"https:\/\/ps.w.org\/http-digest-auth\/assets\/screenshot-2.png?rev=1057424","caption":"The WordPress login page with the HTTP username"},{"src":"https:\/\/ps.w.org\/http-digest-auth\/assets\/screenshot-3.png?rev=1057424","caption":"Setting a HTTP Digest username and password via Users &gt; Your Profile"},{"src":"https:\/\/ps.w.org\/http-digest-auth\/assets\/screenshot-4.png?rev=1057424","caption":"Logged out of WordPress"},{"src":"https:\/\/ps.w.org\/http-digest-auth\/assets\/screenshot-5.png?rev=1057424","caption":"Trying to login with someone else's WordPress username"}],"raw_content":"<!--section=description-->\n<p>This plugin adds an additional layer of 
protection for the <strong>wp-login.php<\/strong> page using <a href=\"http:\/\/en.wikipedia.org\/wiki\/Digest_access_authentication\">HTTP Digest Authentication<\/a> with the PHP <a href=\"http:\/\/php.net\/header\">header()<\/a> function.<br \/>\nIt therefore doesn't require configuring web server files like <em>.htaccess<\/em> or <a href=\"https:\/\/websistent.com\/tools\/htdigest-generator-tool\/\"><em>.htdigest<\/em><\/a> and works on all web hosting environments.<\/p>\n\n<p><strong>Important:<\/strong> If you already have a plugin which does HTTP Authentication, please deactivate it before activating this plugin. Similarly, if you have configured your web server to do HTTP authentication on the wp-login.php file, please remove that configuration before using this plugin.<\/p>\n\n<p>If you are using FastCGI PHP, this plugin may keep prompting for the credentials even if you enter the right pair. In this case, add the following to your <strong><code>.htaccess<\/code><\/strong> file:<\/p>\n\n<pre><code>&lt;IfModule mod_setenvif.c&gt;\nSetEnvIfNoCase ^Authorization$ \"(.+)\" PHP_AUTH_DIGEST=$1\n&lt;\/IfModule&gt;\n<\/code><\/pre>\n\n<h4>Advantages of HTTP Digest Authentication<\/h4>\n\n<ul>\n<li>Digest Authentication is much safer than HTTP Basic Authentication, whose credentials can be easily decoded with a <a href=\"http:\/\/www.base64decode.org\/\">base64 decoder<\/a>.<\/li>\n<li>From Wikipedia on <a href=\"http:\/\/en.wikipedia.org\/wiki\/Basic_access_authentication\">HTTP Basic Authentication<\/a>:<\/li>\n<\/ul>\n\n<blockquote>\n  <p><em>The BA (Basic Authentication) mechanism provides no confidentiality protection for the transmitted credentials. 
They are merely encoded with BASE64 in transit, but not encrypted or hashed in any way.<\/em><\/p>\n<\/blockquote>\n\n<ul>\n<li>Digest Authentication, on the other hand, uses <a href=\"https:\/\/websistent.com\/tools\/md5-encryption-tool\/\">MD5<\/a> on the credentials, making it \"one way\"<\/li>\n<li>Uses server and client <a href=\"http:\/\/en.wikipedia.org\/wiki\/Cryptographic_nonce\">nonce<\/a>s to prevent replay attacks<\/li>\n<\/ul>\n\n<h4>Features of the HTTP Digest Auth plugin<\/h4>\n\n<ul>\n<li>Works using the PHP header() function and doesn't require modification of service config files (like .htaccess, nginx.conf, etc.)<\/li>\n<li>Supports HTTP credentials for each WordPress user<\/li>\n<li>Clears the HTTP Digest credentials when the user logs out of WordPress (more on this in the FAQ)<\/li>\n<li>Verifies that both the HTTP and WordPress credentials belong to the same user (this is the default behavior and can be changed)<\/li>\n<li>Works on all major web servers (tested on Apache, Nginx and Lighttpd)<\/li>\n<\/ul>\n\n<h4>Plugin Behavior<\/h4>\n\n<ul>\n<li>When this plugin is activated for the first time, all WordPress users will have the following Digest credentials:<br \/>\nUsername: &lt;WordPress username&gt;<br \/>\nPassword: password<br \/>\nThese can be changed from <strong>Users &gt; Your Profile<\/strong>.<\/li>\n<li>After activating this plugin for the first time, you'll be prompted for HTTP credentials when you log out<\/li>\n<li>Similarly, if you change your HTTP username or password, you'll be prompted for the new credentials when you log out<\/li>\n<\/ul>\n\n<h4>Available languages<\/h4>\n\n<ul>\n<li>English<\/li>\n<li>Serbo-Croatian by <a href=\"http:\/\/www.webhostinghub.com\/\">Borisa Djuraskovic<\/a><\/li>\n<\/ul>\n\n<p>Official homepage: <a href=\"https:\/\/websistent.com\/wordpress-plugins\/http-digest-authentication\/\">HTTP Digest Authentication Plugin<\/a>.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Unzip and upload the <code>http-digest-auth<\/code> folder to 
the <code>\/wp-content\/plugins\/<\/code> directory.<\/li>\n<li>Activate the <strong>HTTP Digest Authentication<\/strong> plugin through the 'Plugins' menu in WordPress.<\/li>\n<li>Configure an HTTP username\/password on the <code>Users &gt; Your Profile<\/code> page.<\/li>\n<li>You'll be prompted for these credentials when you log out after activating the plugin for the first time.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt>Installation Instructions<\/dt>\n<dd><ol>\n<li>Unzip and upload the <code>http-digest-auth<\/code> folder to the <code>\/wp-content\/plugins\/<\/code> directory.<\/li>\n<li>Activate the <strong>HTTP Digest Authentication<\/strong> plugin through the 'Plugins' menu in WordPress.<\/li>\n<li>Configure an HTTP username\/password on the <code>Users &gt; Your Profile<\/code> page.<\/li>\n<li>You'll be prompted for these credentials when you log out after activating the plugin for the first time.<\/li>\n<\/ol><\/dd>\n<dt>How does HTTP logout work?<\/dt>\n<dd><p>When you access the <em>wp-login.php<\/em> page, a portion of the realm is generated and stored in a session variable, so the realm looks like \"HTTP Auth Session MTM4MTc0NzU3OQ==\".<br \/>\nWhen you log out of WordPress, this session variable is deleted and a new realm is generated, hence the browser prompts you for credentials.<\/p><\/dd>\n<dt>How are the HTTP Digest credentials stored?<\/dt>\n<dd><p>The username is stored in the <code>wp_usermeta<\/code> table in plain text. The password is stored in the same table in a two-way encrypted form. It is encrypted and decrypted with the <a href=\"http:\/\/php.net\/mcrypt_encrypt\">mcrypt_encrypt()<\/a> and <a href=\"http:\/\/php.net\/mcrypt_decrypt\">mcrypt_decrypt()<\/a> functions.<\/p><\/dd>\n<dt>But I saw the plain-text password in my database<\/dt>\n<dd><p>That means your PHP installation doesn't have the mcrypt extension. 
To check if this is the case, open a page that runs <code>&lt;?php phpinfo(); ?&gt;<\/code> and check whether it has a section called mcrypt. If it doesn't and you run a VPS\/Dedicated server, install the extension:<\/p>\n\n<p>on Debian\/Ubuntu<\/p>\n\n<pre><code>apt-get install php5-mcrypt\n<\/code><\/pre>\n\n<p>on CentOS\/Fedora<\/p>\n\n<pre><code>yum install php-mcrypt\n<\/code><\/pre>\n\n<p>After installation, change the password (or enter the same password in Your Profile) to encrypt it.<\/p>\n\n<p>Shared hosting users needn't worry about this as any decent host should already have this installed.<\/p><\/dd>\n<dt>Help! I forgot my HTTP Digest credentials<\/dt>\n<dd><p>You can find your username by executing the following MySQL query.<\/p>\n\n<blockquote>\n  <p><code>SELECT meta_value FROM `wp_usermeta` WHERE meta_key = 'http-digest-auth_username' and user_id = (SELECT ID from wp_users where user_login = 'WordPress_Username');<\/code><\/p>\n<\/blockquote>\n\n<p>Remember to replace <code>wp_<\/code> with your actual database prefix and <code>WordPress_Username<\/code> with your login name.<\/p>\n\n<p>The password can be reset with the following query:<\/p>\n\n<blockquote>\n  <p><code>UPDATE `wp_usermeta` SET meta_value = 'password' WHERE meta_key = 'http-digest-auth_password' and user_id = (SELECT ID from wp_users where user_login = 'admin');<\/code><\/p>\n<\/blockquote>\n\n<p>This will set the HTTP password to <code>password<\/code>. 
Log in and change it immediately.<\/p><\/dd>\n<dt>What does the \"Anyone can use these credentials\" option do?<\/dt>\n<dd><p>By default, if you access the <strong>wp-login.php<\/strong> page using your HTTP credentials, only YOUR WordPress username can log in.\nThis security measure can be disabled by ticking this option.<\/p><\/dd>\n<dt>Are the HTTP credentials stored in the database even after this plugin is deactivated\/deleted?<\/dt>\n<dd><p>Deactivating this plugin doesn't affect the credentials, but deleting the plugin erases all HTTP user credentials, leaving no trace of them in the database.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.2.1<\/h4>\n\n<ul>\n<li>3rd September 2014<\/li>\n<li>Removed <code>line-height<\/code> styling on input boxes<\/li>\n<\/ul>\n\n<h4>1.2<\/h4>\n\n<ul>\n<li>26th May 2014<\/li>\n<li>Fixed bug that allowed logging in with empty credentials<\/li>\n<li>Added Serbo-Croatian language, props <a href=\"http:\/\/www.webhostinghub.com\/\">Borisa Djuraskovic<\/a><\/li>\n<\/ul>\n\n<h4>1.1<\/h4>\n\n<ul>\n<li>22nd March 2014<\/li>\n<li>Reduced repetitive code with inheritance<\/li>\n<li><code>.htaccess<\/code> rules for FastCGI PHP<\/li>\n<\/ul>\n\n<h4>1.0<\/h4>\n\n<ul>\n<li>16th October 2013<\/li>\n<li>Initial version<\/li>\n<\/ul>","raw_excerpt":"Protect your wp-login.php page with HTTP Digest Authentication without the need of adding web server modules or changing config 
files.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/25645","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=25645"}],"author":[{"embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/jesin"}],"wp:attachment":[{"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=25645"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=25645"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=25645"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=25645"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=25645"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=25645"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}