
HTTP Digest Authentication

Developer: jesin
Last updated: 25 November 2017, 22:25
Requires WordPress: 3.1.0 or later
Tested up to WordPress: 4.9
License: GPLv2 or later
License URL: license information

Tags

secure security login password hacking security plugin Auth authenticate two factor auth http digest

Downloads

1.0 1.1 1.2 1.2.1

Description:

This plugin adds an additional layer of protection for the wp-login.php page using HTTP Digest Authentication sent with the PHP header() function, so it does not require configuring web server files such as .htaccess or .htdigest and works on all web hosting environments.

Important: if you already have a plugin that does HTTP authentication, deactivate it before activating this plugin. Similarly, if you have configured your web server to do HTTP authentication on wp-login.php, remove that configuration before using this plugin.

If you are running PHP under FastCGI, this plugin may keep prompting for the credentials even when you enter the right pair, because the web server does not pass the Authorization header through to PHP in that mode. In that case add the following to your .htaccess file so the header is forwarded to PHP as PHP_AUTH_DIGEST:

SetEnvIfNoCase ^Authorization$ "(.+)" PHP_AUTH_DIGEST=$1

Advantages of HTTP Digest Authentication

The Basic Authentication (BA) mechanism provides no confidentiality protection for the transmitted credentials: they are merely Base64-encoded in transit, not encrypted or hashed in any way, so anyone who can read the request can recover the password. Digest Authentication instead sends an MD5 digest computed over the username, realm, password, a server-supplied nonce and the request method and URI, so the password itself never crosses the wire. It protects only the credential exchange, not the rest of the request, so it complements HTTPS rather than replacing it.

Features of the HTTP Digest Auth plugin
Plugin Behavior
Available languages
The HTTP Digest Authentication Plugin official homepage.

Installation:

  1. Unzip and upload the http-digest-auth folder to the /wp-content/plugins/ directory.
  2. Activate the HTTP Digest Authentication plugin through the 'Plugins' menu in WordPress.
  3. Configure an HTTP username/password by going to the Users > Your Profile page.
  4. You'll be prompted for these credentials when you log out after activating the plugin for the first time.

Screenshots:

  • Logging in using HTTP Digest credentials
  • The WordPress login page with the HTTP username
  • Setting an HTTP Digest username and password via Users > Your Profile
  • Logged out of WordPress
  • Trying to log in with someone else's WordPress username

Frequently asked questions:

How does HTTP logout work?

When you access the wp-login.php page a portion of the realm is generated and stored in a session variable, so the realm looks like "HTTP Auth Session MTM4MTc0NzU3OQ==". When you log out of WordPress this session variable is deleted and a new realm is generated. Browsers cache HTTP credentials per realm, and the Digest response itself is computed over the realm, so the cached credentials no longer match and the browser prompts you again.

How are the HTTP Digest credentials stored?

The username is stored in the wp_usermeta table in plain text. The password is stored in the same table in a two-way (reversible) encrypted form; it is encrypted and decrypted with the mcrypt_encrypt() and mcrypt_decrypt() functions. Reversible storage is a consequence of the design: the Digest response is computed over MD5(username:realm:password), and because the realm changes with every session the plugin cannot pre-store that hash and must be able to recover the password to verify a login.
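The exchange described in the description and the two answers above, as an added example that is not the plugin's code (the plugin is PHP and reads the header from $_SERVER['PHP_AUTH_DIGEST']): a Python model of the RFC 2617 Digest challenge/response with a per-session realm, showing why Basic is only Base64, how the server verifies a Digest response, why regenerating the realm acts as a logout, and why the server needs the password itself when the realm is not fixed. The function names (make_realm, verify_digest, wp_login_allowed), the credential table CREDS, the nonces and the constructed "alice" account are this example's own; the token 1381747579 is simply what the FAQ's sample realm decodes to.

```python
"""Model of the HTTP Digest exchange used by the plugin (added example, not plugin code)."""
import base64
import hashlib
import re
import secrets


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def decode_basic(header):
    """Basic credentials are only Base64: anyone who reads the request gets the password."""
    scheme, _, b64 = header.partition(" ")
    assert scheme == "Basic"
    user, _, pw = base64.b64decode(b64).decode().partition(":")
    return user, pw


def make_realm(session_token):
    """Per-session realm in the plugin's format, e.g. 'HTTP Auth Session MTM4MTc0NzU3OQ=='."""
    return "HTTP Auth Session " + base64.b64encode(session_token).decode()


def challenge(realm, nonce):
    """WWW-Authenticate value the server emits (PHP: header('WWW-Authenticate: ...'))."""
    return 'Digest realm="%s", qop="auth", nonce="%s", opaque="%s"' % (realm, nonce, md5hex(realm))


def parse_digest(header):
    """Parse 'Authorization: Digest k="v", k=v, ...' into a dict (quoted or bare values)."""
    body = header[len("Digest "):]
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)
    return {k: (q or u) for k, q, u in pairs}


def digest_response(user, pw, realm, nonce, method, uri, nc, cnonce):
    """RFC 2617 qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2). HA1 depends on the realm."""
    ha1 = md5hex("%s:%s:%s" % (user, realm, pw))
    ha2 = md5hex("%s:%s" % (method, uri))
    return md5hex("%s:%s:%s:%s:auth:%s" % (ha1, nonce, nc, cnonce, ha2))


def client_authorization(user, pw, realm, nonce, method="GET", uri="/wp-login.php",
                         nc="00000001", cnonce="0a4f113b"):
    """What the browser sends back; note the password itself never appears."""
    resp = digest_response(user, pw, realm, nonce, method, uri, nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=auth, nc=%s, cnonce="%s", response="%s"'
            % (user, realm, nonce, uri, nc, cnonce, resp))


def verify_digest(header, method, current_realm, current_nonce, lookup_password):
    """Return the authenticated username or None.

    The server must recompute HA1 = MD5(user:realm:password). With a realm that
    changes every session it cannot store HA1 ahead of time, so it needs the
    password back in clear, which is why the plugin stores it reversibly.
    """
    d = parse_digest(header)
    if d.get("realm") != current_realm or d.get("nonce") != current_nonce:
        return None  # stale realm (user logged out) or unknown/replayed nonce
    if d.get("qop") != "auth":
        return None
    pw = lookup_password(d.get("username", ""))
    if pw is None:
        return None
    expected = digest_response(d["username"], pw, current_realm, current_nonce,
                               method, d["uri"], d["nc"], d["cnonce"])
    return d["username"] if secrets.compare_digest(expected, d["response"]) else None


def wp_login_allowed(http_user, wp_user, anyone_can_use=False):
    """Plugin default: only the WordPress account that owns the HTTP credentials may
    log in with them; the "Anyone can use these credentials" option lifts that."""
    return anyone_can_use or http_user == wp_user


CREDS = {"alice": "s3cret-pass"}  # constructed demo account, not real data


def demo():
    realm1 = make_realm(b"1381747579")  # the FAQ's sample realm decodes to this token
    nonce1 = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    auth = client_authorization("alice", "s3cret-pass", realm1, nonce1)
    login = verify_digest(auth, "GET", realm1, nonce1, CREDS.get)
    # Logout: session variable deleted, realm regenerated -> the old header is rejected.
    realm2 = make_realm(b"1381747600")
    after_logout = verify_digest(auth, "GET", realm2, nonce1, CREDS.get)
    wrong_pw = verify_digest(client_authorization("alice", "wrong", realm1, nonce1),
                             "GET", realm1, nonce1, CREDS.get)
    basic = "Basic " + base64.b64encode(b"alice:s3cret-pass").decode()
    return {"login": login, "after_logout": after_logout, "wrong_pw": wrong_pw,
            "basic_leak": decode_basic(basic),
            "password_in_digest_header": "s3cret-pass" in auth}


if __name__ == "__main__":
    print(challenge(make_realm(b"1381747579"), "dcd98b7102dd2f0e8b11d0f600bfb0c093"))
    print(demo())
```

Run it directly to see the challenge header and the result dictionary: the valid header authenticates as alice, the same header fails once the realm has been regenerated, and the Basic header decodes straight back to the password while the Digest header contains no trace of it.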

But I saw the plain-text password in my database

That means your PHP installation doesn't have the mcrypt extension. To check, open a page containing <?php phpinfo(); ?> and look for a section called mcrypt. If there isn't one and you run a VPS or dedicated server, install it:

Debian/Ubuntu: apt-get install php5-mcrypt
CentOS/Fedora: yum install php-mcrypt

These are the PHP 5 package names. The mcrypt extension was deprecated in PHP 7.1 and removed from core in PHP 7.2, so on newer PHP releases it is only available from PECL, and without it the plugin stores the password in plain text as described here. After installation change the password (or re-enter the same password in Your Profile) to encrypt it. Shared hosting users needn't worry about this, as any decent host should already have this installed.

Help! I forgot my HTTP Digest credentials

You can find your username by executing the following MySQL query:

SELECT meta_value FROM wp_usermeta WHERE meta_key = 'http-digest-auth_username' AND user_id = (SELECT ID FROM wp_users WHERE user_login = 'WordPress_Username');

Remember to replace wp_ with your actual database prefix and WordPress_Username with your login name.

The password can be reset with the following query:

UPDATE wp_usermeta SET meta_value = 'password' WHERE meta_key = 'http-digest-auth_password' AND user_id = (SELECT ID FROM wp_users WHERE user_login = 'WordPress_Username');

This sets the HTTP password to password. Log in and change it immediately through Users > Your Profile so the stored value is re-encrypted.

What does the "Anyone can use these credentials" option do?

By default, if you access the wp-login.php page using your HTTP credentials, only YOUR WordPress username can log in; another WordPress user's login is rejected even with the right WordPress password. This security measure can be disabled by ticking this option.

Are the HTTP credentials stored in the database even after this plugin is deactivated/deleted?

Deactivating this plugin doesn't affect the credentials, but deleting the plugin erases all HTTP user credentials, leaving no trace of them in the database.

Changelog:

1.2.1 1.2 1.1 1.0