This plugin protects your wp-login.php login page using HTTP Digest Authentication. It works with all web servers and doesn't require modification of .htaccess or any other server configuration file.
Why use HTTP Digest Authentication?
- Basic Authentication credentials are base64 encoded and sent over the network like this –
amVzaW46c2VjcmV0. A base64 decoder is enough to find out what lies inside.
- Digest Authentication credentials are hashed with MD5 so a response looks like this –
- A nonce is generated during each authentication so for the same pair of credentials you may see very different responses like
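The difference between the two schemes, as an added Python example that is not the plugin's own code: it decodes the Basic token quoted above, then computes Digest responses for two nonces. It assumes the RFC 2617 `qop=auth` formula; the realm, nonces and cnonces are constructed values.

```python
import base64
import hashlib
import hmac
import secrets

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def decode_basic(token: str) -> tuple:
    """Recover (user, password) from a Basic token: base64 is an encoding, not a secret."""
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # identity secret, never sent as-is
    ha2 = md5_hex(f"{method}:{uri}")              # binds the response to the request
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(received, issued_nonce, user, realm, password, method, uri, nc, cnonce):
    """Server recomputes the response for the nonce it issued; constant-time compare."""
    expected = digest_response(user, realm, password, method, uri, issued_nonce, nc, cnonce)
    return hmac.compare_digest(expected, received)

def demo():
    user, password = decode_basic("amVzaW46c2VjcmV0")  # token quoted on this page
    realm, uri = "Example realm", "/wp-login.php"      # realm is a constructed value
    results = []
    for _ in range(2):
        nonce, cnonce = secrets.token_hex(16), secrets.token_hex(4)  # constructed values
        resp = digest_response(user, realm, password, "GET", uri, nonce, "00000001", cnonce)
        results.append((nonce, cnonce, resp))
    return user, password, realm, uri, results

if __name__ == "__main__":
    user, password, realm, uri, results = demo()
    print("Basic token decodes to:", user, password)
    for nonce, cnonce, resp in results:
        print("nonce", nonce, "-> response", resp)
    # A response computed for the first nonce is rejected against the second nonce.
    (n1, c1, r1), (n2, c2, r2) = results
    print("old response accepted for new nonce:",
          server_accepts(r1, n2, user, realm, password, "GET", uri, "00000001", c1))
```

Digest keeps the password out of the request, but MD5 is a weak hash and neither scheme protects the rest of the session, so the login page should still be served over HTTPS.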
Features of the HTTP Digest Authentication plugin:
- Works out of the box and doesn’t require modification of service config files like .htaccess, nginx.conf
- Supports HTTP credentials for each WordPress user
- Clears the HTTP Digest credentials when the user logs out of WordPress
- Verifies if both the HTTP and WordPress credentials are of the same user
- Works on all major Web Servers (Tested on Apache, Nginx and Lighttpd)
Install this plugin and activate it. Once activated, all existing users will have HTTP credentials as follows:
Username: <WordPress username>
Each user can change this by going to Users > Your Profile. Users who register or are added through the administration panel will also have the same default credentials.
I forgot my HTTP digest username
Use the following MySQL query to find it out.
SELECT meta_value FROM `wp_usermeta` WHERE meta_key = 'http-digest-auth_username' and user_id = (SELECT ID from wp_users where user_login = 'WordPress_Username');
Replace wp_ with your database prefix and use your actual WordPress login username.
I forgot my HTTP digest password
Use the following MySQL query to reset it to ‘secret’.
UPDATE `wp_usermeta` SET meta_value = 'password' WHERE meta_key = 'http-digest-auth_password' and user_id = (SELECT ID from wp_users where user_login = 'WordPress_Username');
Log in and change your password immediately.