Title: HTTP Digest Authentication
Author: Jesin A
Published: October 16, 2013
Last modified: November 25, 2017

---


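This plugin **has not been tested with the latest 3 major releases of WordPress**. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.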


# HTTP Digest Authentication

By [Jesin A](https://profiles.wordpress.org/jesin/)

[Download](https://downloads.wordpress.org/plugin/http-digest-auth.1.2.1.zip)


## Description

This plugin adds an additional layer of protection for the **wp-login.php** page
using [HTTP Digest Authentication](http://en.wikipedia.org/wiki/Digest_access_authentication)
with the PHP [header()](http://php.net/header) function.
So it doesn’t require configuring web server files like _.htaccess_ or [_.htdigest_](https://websistent.com/tools/htdigest-generator-tool/)
and works on all web hosting environments.

**Important:** If you already have a plugin which does HTTP Authentication please
deactivate it before activating this plugin. Similarly if you have configured your
web server to do HTTP authentication on the wp-login.php file please remove it before
using this plugin.

If you are using FastCGI PHP, this plugin may keep prompting for the credentials
even if you enter the right pair. In this case, add the following to your **`.htaccess`**
file:

```
<IfModule mod_setenvif.c>
SetEnvIfNoCase ^Authorization$ "(.+)" PHP_AUTH_DIGEST=$1
</IfModule>
```

#### Advantages of HTTP Digest Authentication

 * Digest Authentication is very much safer than HTTP Basic Authentication, whose
   credentials can be easily decoded with a [base64 decoder](http://www.base64decode.org/).
 * From Wikipedia on [HTTP Basic Authentication](http://en.wikipedia.org/wiki/Basic_access_authentication):

   > _The BA (Basic Authentication) mechanism provides no confidentiality protection
   > for the transmitted credentials. They are merely encoded with BASE64 in transit,
   > but not encrypted or hashed in any way._

 * Digest Authentication, on the other hand, uses [MD5](https://websistent.com/tools/md5-encryption-tool/)
   on the credentials, making it “one way”.
 * Uses server and client [nonces](http://en.wikipedia.org/wiki/Cryptographic_nonce)
   to prevent replay attacks.

#### Features of the HTTP Digest Auth plugin

 * Works using PHP header() function and doesn’t require modification of service
   config files (like .htaccess, nginx.conf etc)
 * Supports HTTP credentials for each WordPress user
 * Clears the HTTP Digest credentials when the user logs out of WordPress (more 
   on this in the FAQ)
 * Verifies if both the HTTP and WordPress credentials are of the same user (this
   is the default behavior and can be changed)
 * Works on all major Web Servers (Tested on Apache, Nginx and Lighttpd)

#### Plugin Behavior

 * When this plugin is activated for the first time, all WordPress users will have
   the following Digest credentials:
    Username: `<WordPress username>`, Password: `password`
   This can be changed from **Users > Your Profile**.
 * After activating this plugin for the first time, you’ll be prompted for HTTP credentials
   when you log out.
 * Similarly, if you change your HTTP username or password, you’ll be prompted for
   this when you log out.

#### Available languages

 * English
 * Serbo-Croatian by [Borisa Djuraskovic](http://www.webhostinghub.com/)

The [HTTP Digest Authentication Plugin](https://websistent.com/wordpress-plugins/http-digest-authentication/)
official homepage.

## Screenshots

 * Logging in using HTTP digest credentials
 * The WordPress login page with the HTTP username
 * Setting a HTTP Digest username and password via Users > Your Profile
 * Logged out of WordPress
 * Trying to login with someone else’s WordPress username

## Installation

 1. Unzip and upload the `http-digest-auth` folder to the `/wp-content/plugins/` directory.
 2. Activate the **HTTP Digest Authentication** plugin through the ‘Plugins’ menu in
    WordPress.
 3. Configure an HTTP username/password by going to the `Users > Your Profile` page.
 4. You’ll be prompted for these credentials when you log out after activating the plugin
    for the first time.

## FAQ

#### How does HTTP logout work?

When you access the _wp-login.php_ page, a portion of the realm is generated and
stored in a session variable, so the realm looks like “HTTP Auth Session MTM4MTc0NzU3OQ==”.
When you log out of WordPress, this session variable is deleted and a new realm
is generated, hence the browser prompts you for credentials.
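Both the nonce-based replay protection listed under the advantages and the realm-based logout described here follow from how the digest response is computed. The following is an added example, not the plugin's code, of the RFC 2617 `qop=auth` calculation with a server-side check; the user table, nonce and second realm value are constructed, and `verify` and `client_header` are hypothetical helper names.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # binds user, realm and password
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify(fields, method, current_realm, issued_nonce, lookup_password):
    """Check the parsed fields of an 'Authorization: Digest' header."""
    user = fields.get("username", "")
    password = lookup_password(user)
    # Refuse empty or unknown credentials before doing any hashing.
    if not user or not password:
        return False
    # A response for another nonce (replay) or another realm (issued before
    # logout rotated it) is refused, so the browser has to prompt again.
    if fields.get("nonce") != issued_nonce or fields.get("realm") != current_realm:
        return False
    expected = digest_response(user, current_realm, password, method,
                               fields.get("uri", ""), issued_nonce,
                               fields.get("nc", ""), fields.get("cnonce", ""))
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), fields.get("response", "").encode())


# Constructed sample data; only OLD_REALM is the value quoted on this page.
USERS = {"alice": "correct horse"}
OLD_REALM = "HTTP Auth Session MTM4MTc0NzU3OQ=="
NEW_REALM = "HTTP Auth Session MTM4MTc0NzY0MA=="
NONCE = "5f2a9c0e7b"


def client_header(realm, password="correct horse"):
    """What a browser would send for user alice in the given realm."""
    f = {"username": "alice", "realm": realm, "uri": "/wp-login.php",
         "nonce": NONCE, "nc": "00000001", "cnonce": "0a4f113b"}
    f["response"] = digest_response("alice", realm, password, "GET",
                                    f["uri"], NONCE, f["nc"], f["cnonce"])
    return f
```

Because the realm is an input to the first hash, a response the browser cached for the old realm cannot validate once the server advertises a new one.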

#### How are the HTTP Digest credentials stored?

The username is stored in the `wp_usermeta` table in plain-text. The password is
stored in a two-way encryption format in the same table. It is encrypted and decrypted
with the [mcrypt_encrypt()](http://php.net/mcrypt_encrypt) and [mcrypt_decrypt()](http://php.net/mcrypt_decrypt)
functions.

#### But I saw the plain-text password in my database

That means your PHP installation doesn’t have the mcrypt extension. To check if
this is the case, open a page that runs `<?php phpinfo(); ?>` and check if there is a section
called mcrypt. If there isn’t one, install it on your VPS/dedicated server.

On Debian/Ubuntu:

```
apt-get install php5-mcrypt
```

On CentOS/Fedora:

```
# RPM-based distributions name the package php-mcrypt
yum install php-mcrypt
```

After installation, change the password (or enter the same password in Your Profile)
to encrypt it.

Shared hosting users needn’t worry about this as any decent host should already
have this installed.

#### Help! I forgot my HTTP Digest credentials

You can find your username by executing the following MySQL query.

```
SELECT meta_value FROM `wp_usermeta`
WHERE meta_key = 'http-digest-auth_username'
  AND user_id = (SELECT ID FROM wp_users WHERE user_login = 'WordPress_Username');
```

Remember to replace `wp_` with your actual database prefix and `WordPress_Username`
with your login name.

The password can be reset with the following query:

```
-- Replace 'admin' with your WordPress login name.
UPDATE `wp_usermeta` SET meta_value = 'password'
WHERE meta_key = 'http-digest-auth_password'
  AND user_id = (SELECT ID FROM wp_users WHERE user_login = 'admin');
```

This will set the HTTP password to `password`. Log in and change it immediately.

#### What does the “Anyone can use these credentials” option do?

By default, if you access the **wp-login.php** page using your HTTP credentials,
only YOUR WordPress username can login.
This security measure can be disabled by ticking this option.

#### Are the HTTP credentials stored in the database even after this plugin is deactivated/deleted?

Deactivating this plugin doesn’t affect the credentials but deleting the plugin 
erases all HTTP user credentials leaving no trace of it in the database.

## Reviews


### [Don't Work](https://wordpress.org/support/topic/dont-work-191/)

[CA Plugins](https://profiles.wordpress.org/ca-plugins/), September 3, 2016, 2 replies

I installed this plugin and changed password and tried to log but it’s not working
for correct username/password.

[Read all 5 reviews](https://wordpress.org/support/plugin/http-digest-auth/reviews/)

## Contributors & Developers

“HTTP Digest Authentication” is open source software. The following people have contributed to its development.

Contributors

 * [Jesin A](https://profiles.wordpress.org/jesin/)

[Localize “HTTP Digest Authentication” into Traditional Chinese (Taiwan)](https://translate.wordpress.org/projects/wp-plugins/http-digest-auth)

### Interested in development?

Anyone can [browse the code](https://plugins.trac.wordpress.org/browser/http-digest-auth/),
check out the [SVN repository](https://plugins.svn.wordpress.org/http-digest-auth/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/http-digest-auth/)
by [RSS](https://plugins.trac.wordpress.org/log/http-digest-auth/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.2.1

 * 3rd September 2014
 * Removed `line-height` styling on input boxes

#### 1.2

 * 26th May 2014
 * Fixed bug that allowed logging in with empty credentials
 * Added Serbo-Croatian language, props [Borisa Djuraskovic](http://www.webhostinghub.com/)

#### 1.1

 * 22nd March 2014
 * Reduced repetitive code with inheritance
 * `.htaccess` rules for FastCGI PHP

#### 1.0

 * 16th October 2013
 * Initial version

## Meta

 * Version: **1.2.1**
 * Last updated: **9 years ago**
 * Active installations: **10+**
 * WordPress version required: **3.1.0 or higher**
 * Tested up to WordPress version: **4.9.29**
 * Language: [English (US)](https://wordpress.org/plugins/http-digest-auth/)
 * Tags: [auth](https://tw.wordpress.org/plugins/tags/auth/), [authenticate](https://tw.wordpress.org/plugins/tags/authenticate/),
   [hacking](https://tw.wordpress.org/plugins/tags/hacking/), [login](https://tw.wordpress.org/plugins/tags/login/)
 * [Advanced View](https://tw.wordpress.org/plugins/http-digest-auth/advanced/)

## Ratings

4 out of 5 stars

 * [3 five-star reviews](https://wordpress.org/support/plugin/http-digest-auth/reviews/?filter=5)
 * [1 four-star review](https://wordpress.org/support/plugin/http-digest-auth/reviews/?filter=4)
 * [0 three-star reviews](https://wordpress.org/support/plugin/http-digest-auth/reviews/?filter=3)
 * [0 two-star reviews](https://wordpress.org/support/plugin/http-digest-auth/reviews/?filter=2)
 * [1 one-star review](https://wordpress.org/support/plugin/http-digest-auth/reviews/?filter=1)


## Support

Users can give feedback or ask questions in the support forum.

[View support forum](https://wordpress.org/support/plugin/http-digest-auth/)