The question:
I have a custom application with thousands of users who already have a password stored. I would like to set up a self hosted wordpress site to accompany that application and to use the usernames and encrypted passwords that already exist in that database.
Is there a way to configure WordPress to not use the normal list of users, but instead to validate usernames and passwords against another database on another server?
We have a team of developers so if there was a way to write code to hook into the login process this would be acceptable. Does anyone have experience with this, or have any suggestions of where to look?
The Solutions:
Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.
Method 1
Investigating the filter authenticate, we can find that it is called inside the function wp_authenticate, which is a pluggable function.
That means that it can be replaced by one of our own making.
This is the original function, plus a marked entry point:
function wp_authenticate($username, $password) {
$username = sanitize_user($username);
$password = trim($password);
$user = apply_filters('authenticate', null, $username, $password);
/* ENTRY POINT */
if ( $user == null ) {
// TODO what should the error message be? (Or would these even happen?)
// Only needed if all authentication handlers fail to return anything.
$user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.'));
}
$ignore_codes = array('empty_username', 'empty_password');
if (is_wp_error($user) && !in_array($user->get_error_code(), $ignore_codes) ) {
do_action('wp_login_failed', $username);
}
return $user;
}
The test was done creating a wp_authenticate function inside a Must Use plugin. On that entry point, I put the following:
global $wpdb;
$table = $wpdb->prefix . 'my_users';
$parent = $wpdb->get_row(
$wpdb->prepare(
"SELECT * FROM $table WHERE name='$username'"
)
);
if( $username == $parent->name && $password == $parent->password )
$user = get_user_by( 'id', $parent->id );
The table wp_my_users is a simple test table, password is even plain text.
The matter is how build the $user object completely based on a custom table. Or if it is feasible or advisable…
Because in this test the ID of the users is the same, so we are giving back (get_user_by) to WordPress a user from its own table wp_users, but with credentials checked in a custom table wp_my_users.
Notes:
This answer doesn’t goes beyond the analysis and hacking of the function wp_authenticate. No consideration is done about security, password management nor the wp_usermeta table.
For reference, this is the content of $user:
user | WP_User Object
(
[data] => stdClass Object
(
[ID] => 1
[user_login] => rod
[user_pass] => $P$BQ8qnb3iYPRzisxYHUKq5X/GCQqhoz1
[user_nicename] => rod
[user_email] => [email protected]
[user_url] =>
[user_registered] => 2012-09-21 14:39:01
[user_activation_key] =>
[user_status] => 0
[display_name] => rod
)
[ID] => 1
[caps] => Array
(
[administrator] => 1
)
[cap_key] => wp_capabilities
[roles] => Array
(
[0] => administrator
)
[allcaps] => Array
(
[switch_themes] => 1
[edit_themes] => 1
[activate_plugins] => 1
[edit_plugins] => 1
[edit_users] => 1
[edit_files] => 1
[manage_options] => 1
[moderate_comments] => 1
[manage_categories] => 1
[manage_links] => 1
[upload_files] => 1
[import] => 1
[unfiltered_html] => 1
[edit_posts] => 1
[edit_others_posts] => 1
[edit_published_posts] => 1
[publish_posts] => 1
[edit_pages] => 1
[read] => 1
[level_10] => 1
[level_9] => 1
[level_8] => 1
[level_7] => 1
[level_6] => 1
[level_5] => 1
[level_4] => 1
[level_3] => 1
[level_2] => 1
[level_1] => 1
[level_0] => 1
[edit_others_pages] => 1
[edit_published_pages] => 1
[publish_pages] => 1
[delete_pages] => 1
[delete_others_pages] => 1
[delete_published_pages] => 1
[delete_posts] => 1
[delete_others_posts] => 1
[delete_published_posts] => 1
[delete_private_posts] => 1
[edit_private_posts] => 1
[read_private_posts] => 1
[delete_private_pages] => 1
[edit_private_pages] => 1
[read_private_pages] => 1
[delete_users] => 1
[create_users] => 1
[unfiltered_upload] => 1
[edit_dashboard] => 1
[update_plugins] => 1
[delete_plugins] => 1
[install_plugins] => 1
[update_themes] => 1
[install_themes] => 1
[update_core] => 1
[list_users] => 1
[remove_users] => 1
[add_users] => 1
[promote_users] => 1
[edit_theme_options] => 1
[delete_themes] => 1
[export] => 1
[administrator] => 1
)
[filter] =>
)
Method 2
Actually you can bypass login mechanism of wordpress by login user automatically (after they succesfuly passed with credentials from another website for example) with this function: wp_set_auth_cookie($user_id);
for example with this you do login admin (user with id = 1)
wp_set_auth_cookie(1); //after this admin is logged in
so you can create user in wordpress with specified user privileges and then as user log with another credentials you can log him as this “placeholder” user.
Method 3
Simplest method
add_filter( 'authenticate', 'my_auth', 10, 3 );
function my_auth( $user, $username, $password ){
// your validation here.
return $user;
}
Method 4
I think this plugin External Database Authentication fits your needs. From there you might enable already logged-in users setting the cookie when they login just using wp_set_auth_cookie as @Roman says.
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0