Security Update: http-authentication Plugin

August 24th, 2005

I just tagged version 1.2 of the http-authentication plugin, which includes a security fix. Users of previous versions are urged to upgrade.

Previously it was possible for one authorized user to impersonate another by forging their WordPress login cookie. A malicious user would need to be authorized via your external authentication mechanism first. Thanks to Mark Quinn for reporting this.

I apologize for the inconvenience. If you have any questions, post them here or, if they are security sensitive, email me.

Update: When you upgrade, please edit each user’s profile in WordPress to scramble his or her password in the database.

Finally.

July 7th, 2005

It was a long time coming, but we finally released the UF News site today. It’s technically in beta for now, but I’m excited to be getting feedback from a wider audience.

The site runs WordPress, of course, and a number of custom plugins. If you have any questions about how we implemented a feature, leave a comment.

Update: These are the plugins we are using from the plugin repository:

We are also using the Permalinks Redirect plugin.

iCal Events Plugin

March 10th, 2005

I also uploaded a plugin which displays events from an iCal source: iCal Events. It uses import_ical.php from the WebCalendar project. Many thanks to them for writing a parser.

Update (2006-04-17): Version 1.5 released, with support for some types of repeating events and support for event URLs. If you were previously using version 1.4 of the plugin, please note the following API change: display_events now takes a single argument, formatted as a query string. For example, if you are invoking the function as follows:

ICalEvents::display_events('http://www.ufl.edu/calendar/ufCalendar.ics', time(), NULL, 3);

you’ll need to change this to:

ICalEvents::display_events('url=http://www.ufl.edu/calendar/ufCalendar.ics&limit=3&gmt_start=' . time());

This change was made to make the plugin more flexible. You now have much more control over the output; for more information, please see the readme for version 1.5.

Update (2007-04-09): Version 1.12 is out; download it from the WordPress plugin repository.

Update (2008-04-15): Adam Wolfe Gordon has another plugin of the same name that might fit your needs if mine doesn’t.

HTTP Authentication Plugin

March 10th, 2005

Just a quick note: My authentication patch was accepted and should show up in WordPress 1.5.1, whenever that happens. I added the corresponding plugin to the WordPress plugin repository.

Update (2006-01-12): Version 1.4 released, which is updated to work with WordPress 2.0. It also provides better error messages if it can’t authenticate the user. You can download a zip from Owen Winkler’s site.

If you’re still using WordPress 2.0, please use version 1.8 of the plugin.

Update (2008-04-16): Changes in WordPress 2.5 are causing problems with this plugin. I’ve released an updated plugin that is compatible with the upcoming WordPress 2.5.1.

Authentication Plugins

March 2nd, 2005

Update: This patch has been added to WordPress as of 1.5.1. The most recent version of the plugin is available from the plugin repository.

Prior to WordPress 1.5, no hooks existed for authentication plugins. Thus, to authenticate users through GatorLink or another external authentication scheme, changes to WordPress core were needed. Fairly significant changes to wp-login.php, for example, made upgrading to a new version of WordPress more difficult.

With WordPress 1.5, some hooks into the authentication process have been added. This opens the doors for authentication plugins.

Using External Authentication

As part of UF’s efforts to use WordPress, Web Administration has developed an HTTP authentication plugin. This plugin can be used in any situation where your Web server sets the REMOTE_USER environment variable. With .htaccess files, you can use any of the authentication mechanisms available in Apache, such as basic authentication.

To properly lock down WordPress and use the HTTP authentication plugin, you need two .htaccess files: one protecting wp-login.php and one protecting the wp-admin directory.

For wp-login.php, add something like the following to your .htaccess file at the root of your WordPress installation (create the file if you don’t have it already):

<Files wp-login.php>
  AuthName "GatorLink"
  AuthType GatorLink
  GatorLinkTimeout 60
  GatorLinkVerbose Off
  Require user dwc
</Files>

For the wp-admin directory, create an .htaccess with something like the following:

AuthName "GatorLink"
AuthType GatorLink
GatorLinkTimeout 60
GatorLinkVerbose Off
Require user dwc

For basic authentication, you’ll need to change the AuthType, remove the GatorLink options, and specify the location of your AuthUserFile.
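As an added illustration (not configuration from the original post), here are the basic-authentication variants of the two .htaccess files described above; the file paths and the user name are placeholders:

```apache
# Added example: basic-auth variants of the two .htaccess files, not the
# original post's configuration. Paths and the user name are placeholders.
# The password file must live outside the document root so the Web server
# never serves it.

# /path/to/wordpress/.htaccess -- protects only the login script
<Files wp-login.php>
  AuthName "WordPress"
  AuthType Basic
  AuthUserFile /path/outside/docroot/.htpasswd
  Require user dwc
</Files>

# /path/to/wordpress/wp-admin/.htaccess -- protects the whole admin area
AuthName "WordPress"
AuthType Basic
AuthUserFile /path/outside/docroot/.htpasswd
# "Require valid-user" would admit every account in the password file;
# naming the allowed users keeps the list explicit.
Require user dwc
```

Create the password file with `htpasswd -c /path/outside/docroot/.htpasswd dwc` and add further accounts without `-c`, since `-c` overwrites the file.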

The HTTP authentication plugin uses the REMOTE_USER environment variable as the WordPress username and password. You still create users in WordPress (so that you can assign them a level), but authentication is handled externally.

API Extensions

Some minor changes were made to WordPress to extend the authentication API:

  • wp-login.php
    • Add lost_password hook to allow plugins to disable this action.
    • Move retrieve_password hook to allow plugins to disable this action before an email is sent.
    • Move reset_password hook to allow plugins to disable this action before an email is sent.
    • Add wp_authenticate hook to allow plugins to handle authentication. The username and password variables are passed by reference so plugins can pass the information back to wp-login.php.
  • wp-admin/profile.php
    • Add check_passwords hook to allow plugins to update a user’s password.
    • Add show_password_fields filter to allow plugins to hide the password fields.
  • wp-admin/user-edit.php
    • Add check_passwords hook to allow plugins to update a user’s password.
    • Add show_password_fields filter to allow plugins to hide the password fields.
  • wp-admin/users.php
    • Add check_passwords hook to allow plugins to update a user’s password.
    • Add show_password_fields filter to allow plugins to hide the password fields.