Apache HTTP authentication against WordPress password database

0.00 avg. rating (0% score) - 0 votes

The stock mod_auth_mysql package in Ubuntu is not able to authenticate against the phpass password hashes stored in the WordPress database.

There seems to be a patch lying around to enable phpass authentication in mod_auth_mysql. Its inclusion in mod_auth_mysql has been requested a long time ago, and again more recently, but for one reason or another it has been declined. Inclusion of the patch into the Debian package has also been requested.

Thanks to Peter Lamberg, there are good instructions around on how to apply the patch and enable it. I’ve made available a pre-compiled 64-bit package here:

Below are the instructions to compile one from scratch, and after it follows an example configuration.

Please remember, it is always a good practice to use SSL/TLS protection when sending user authentication information over the Internet.

Compiling a Patched Package in Ubuntu 12.04

Make a working directory:

Get the dependencies and source code for mod_auth_mysql:

Also install fakeroot for the patching to be successful:

Go to the source code:

Check patch list:

Add a new patch with the last patch in the list as the base (for me it was number 17):

It should print something like this:

Download the patch:

Apply patch, then delete it:

Exit dpatch-edit-patch:

It should print something like this:

Add the new patch to the end of the patch list:

Build the patched version:

The package should appear one level up in the directory tree:

Installing the Patched .deb

Just install:

And make sure it is not upgraded automatically:

Configuring the Patched mod_auth_mysql

Enable the module:

Read the documentation:

Create a directory for protected files:

Configure either using .htaccess file /var/www/protected/.htaccess (you must have “AllowOverride AuthConfig Limit” enabled for this to work), or directly to Apache configuration:

Replace the DB_* values with values of your own (you can use the same values you have in wp-config.php).

Add a test file:

Restart Apache:

Now you should be prompted for username and password when you try to fetch the test file. Also, you should be able to log in with your WordPress username and password but with nothing else.

Protecting WordPress with http Authentication

At first it may sound silly, but you may wish to protect the WordPress installation itself using http authentication. This configuration is useful, if you want each user to only log in once anywhere on your site (inside or outside of WordPress) using http authentication.

To make WordPress recognize http-authenticated users, install the HTTP Authentication plugin to WordPress. Then, enable the plugin. The plugin needs no further configuration. Just protect what you want with Apache directives. You can protect the whole site, or just the wp-login.php file and wp-admin directory to protect logins and administration with http auth.


One thought on “Apache HTTP authentication against WordPress password database”

Leave a Reply