WordPress.org

한국어

  • 테마
  • 플러그인
  • 소식
    • 문서
    • 포럼
  • About
    • 워드프레스와 40% 웹을 위한 여정
  • 워드프레스 번역 핸드북
  • 워드프레스 받기
워드프레스 받기
WordPress.org

Plugin Directory

HTTP Digest Authentication

  • 플러그인 제출하기
  • 내 즐겨찾기
  • 로그인
  • 플러그인 제출하기
  • 내 즐겨찾기
  • 로그인

이 플러그인은 최근 3개의 주요 워드프레스 출시와 시험 되지 않았습니다. 워드프레스의 좀 더 최근 버전으로 이용할 때 더 이상 관리되지 않고 지원되지 않고 호환성 문제가 있을 수 있습니다.

HTTP Digest Authentication

작성자: Jesin A
다운로드
  • 세부사항
  • 평가
  • 설치
  • 개발
지원

설명

This plugin adds an additional layer of protection for the wp-login.php page using HTTP Digest Authentication with the PHP header() function.
So it doesn’t require configuring web server files like .htaccess or .htdigest and works on all web hosting environments.

Important: If you already have a plugin which does HTTP Authentication please deactivate it before activating this plugin. Similarly if you have configured your web server to do HTTP authentication on the wp-login.php file please remove it before using this plugin.

If you are using FastCGI PHP this plugin may keep prompting for the credentials even if you enter the right pair, in this case use the following in your .htaccess file

<IfModule mod_setenvif.c>
SetEnvIfNoCase ^Authorization$ "(.+)" PHP_AUTH_DIGEST=$1
</IfModule>

Advantages of HTTP Digest Authentication

  • Digest Authentication is very much safer than HTTP Basic Authentication whose credentials can be easily decoded with a base64 decoder.
  • From Wikipedia on HTTP Basic Authentication:

The BA (Basic Authentication) mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with BASE64 in transit, but not encrypted or hashed in any way.

  • Digest Authentication on the other hand uses MD5 on the credentials making it “one way”
  • Uses server and client nonces to prevent replay attacks

Features of the HTTP Digest Auth plugin

  • Works using PHP header() function and doesn’t require modification of service config files (like .htaccess, nginx.conf etc)
  • Supports HTTP credentials for each WordPress user
  • Clears the HTTP Digest credentials when the user logs out of WordPress (more on this in the FAQ)
  • Verifies if both the HTTP and WordPress credentials are of the same user (this is the default behavior and can be changed)
  • Works on all major Web Servers (Tested on Apache, Nginx and Lighttpd)

Plugin Behavior

  • When this plugin is activated for the first time all WordPress users will have the following Digest credentials
    Username: <WordPress username>
    Password: password
    This can be changed from Users > Your Profile.
  • After activating this plugin for the first time you’ll be prompted for HTTP credentials when you logout
  • Similarly if you change your HTTP username or password you’ll be prompted for this when you logout

Available languages

  • 영어
  • Serbo-Croatian by Borisa Djuraskovic

The HTTP Digest Authentication Plugin official homepage.

스크린샷

  • Logging in using HTTP digest credentials
  • The WordPress login page with the HTTP username
  • Setting a HTTP Digest username and password via Users > Your Profile
  • Logged out of WordPress
  • Trying to login with someone else’s WordPress username

설치

  1. Unzip and upload the http-digest-auth folder to the /wp-content/plugins/ directory.
  2. Activate the HTTP Digest Authentication plugin through the ‘Plugins’ menu in WordPress.
  3. Configure a HTTP username/password by going to Users > Your Profile page.
  4. You’ll be prompted for these credentials when you logout after activating the plugin for the first time.

FAQ

Installation Instructions
  1. Unzip and upload the http-digest-auth folder to the /wp-content/plugins/ directory.
  2. Activate the HTTP Digest Authentication plugin through the ‘Plugins’ menu in WordPress.
  3. Configure a HTTP username/password by going to Users > Your Profile page.
  4. You’ll be prompted for these credentials when you logout after activating the plugin for the first time.
How does HTTP logout work?

When you access the wp-login.php page a portion of the realm is generated and stored in a session variable so the realm looks like “HTTP Auth Session MTM4MTc0NzU3OQ==”
When you logout of WordPress this session variable is deleted and a new realm is generated, hence the browser prompts you for credentials.

How are the HTTP Digest credentials stored?

The username is stored in the wp_usermeta table in plain-text. The password is stored in a two-way encryption format in the same table. It is encrypted and decrypted with the mcrypt_encrypt() and mcrypt_decrypt() functions.

But I saw the plain-text password in my database

That means your PHP installation doesn’t have the mcrypt extension. To check if this is the case go to your <?php phpinfo(); ?> and check if there is a section called mcrypt. If there isn’t one in your VPS/Dedicated server install it

on Debian/Ubuntu

apt-get install php5-mcrypt

on Centos/Fedora

yum install php5-mcrypt

After installation change the password (or enter the same password in Your Profile) to encrypt it.

Shared hosting users needn’t worry about this as any decent host should already have this installed.

Help! I forgot my HTTP Digest credentials

You can find your username by executing the following MySQL query.

SELECT meta_value FROM `wp_usermeta` WHERE meta_key = 'http-digest-auth_username' and user_id = (SELECT ID from wp_users where user_login = 'WordPress_Username');

Remember to replace wp_ with your actual database prefix and WordPress_Username with your login name.

The password can be reset with the following query

UPDATE `wp_usermeta` SET meta_value = 'password' WHERE meta_key = 'http-digest-auth_password' and user_id = (SELECT ID from wp_users where user_login = 'admin');

This will set the HTTP password to password. Login and change it immediately.

What does the “Anyone can use these credentials” option do?

By default if you access the wp-login.php page using your HTTP credentials, only YOUR WordPress username can login.
This security measure can be disabled by ticking this option.

Are the HTTP credentials stored in the database even after this plugin is deactivated/deleted?

Deactivating this plugin doesn’t affect the credentials but deleting the plugin erases all HTTP user credentials leaving no trace of it in the database.

후기

Don't Work

CA Plugins 2016년 9월 3일 답글 2개
I installed this plugin and changed password and tried to log but it’s not working for correct username/password.
모든 5 평가 읽기

기여자 & 개발자

“HTTP Digest Authentication”(은)는 오픈 소스 소프트웨어입니다. 다음의 사람들이 이 플러그인에 기여하였습니다.

기여자
  • Jesin A

자국어로 “HTTP Digest Authentication”(을)를 번역하세요.

개발에 관심이 있으십니까?

코드 탐색하기는, SVN 저장소를 확인하시거나, 개발 기록을 RSS로 구독하세요.

변경이력

1.2.1

  • 3rd September 2014
  • Removed line-height styling on input boxes

1.2

  • 26th May 2014
  • Fixed bug that allowed logging in with empty credentials
  • Added Serbo-Croatian language, props Borisa Djuraskovic

1.1

  • 22nd March 2014
  • Reduced repetitive code with inheritance
  • .htaccess rules for FastCGI PHP

1.0

  • 16th October 2013
  • Initial version

기초

  • 버전 1.2.1
  • 최근 업데이트: 8년 전
  • 활성화된 설치 10+
  • 워드프레스 버전 3.1.0 또는 그 이상
  • 다음까지 시험됨: 4.9.26
  • 언어
    English (US)
  • 태그:
    authauthenticatehackinglogin
  • 고급 보기

평점

별 5점 만점에 4점.
  • 3 5-별점 후기 별 5개 3
  • 1 4-별점 후기 별 4개 1
  • 0 3-별점 후기 별 3개 0
  • 0 2-별점 후기 별 2개 0
  • 1 1-별점 후기 별 1개 1

리뷰 추가하기

모든 리뷰 보기

기여자

  • Jesin A

지원

할 말 있으신가요? 도움이 필요하신가요?

지원 포럼 보기

  • 소개
  • 뉴스
  • 호스팅
  • 프라이버시
  • 쇼케이스
  • 테마
  • 플러그인
  • 패턴
  • 알아보기
  • 지원
  • 개발자 도구
  • WordPress.tv ↗
  • 참여하기
  • 이벤트
  • 기부하기 ↗
  • 미래를 위한 5가지
  • WordPress.com ↗
  • Matt ↗
  • bbPress ↗
  • BuddyPress ↗
WordPress.org
WordPress.org

한국어

  • X(이전 트위터) 계정 방문하기
  • 블루스카이 계정 방문하기
  • 마스토돈 계정 방문하기
  • 스레드 계정 방문하기
  • 페이스북 페이지 방문하기
  • 인스타그램 계정 방문하기
  • LinkedIn 계정 방문하기
  • 틱톡 계정 방문하기
  • 유튜브 채널 방문하기
  • 텀블러 계정 방문하기
코드는 詩다