Menu
I need to have password protection on some web pages outside of the main Wordpress site. The users would prefer to use the usernames and passwords they already have in the Wordpress.
The obvious solution would seem to be to use the Apace module for Mysql based authentication: mod-auth-mysql.
This however does not seem to be possible, because Wordpress uses Phpass password encryption, which is not supported by mod-auth-mysql.
Is there any way to get around this limitation?
694
You can use a patched version of mod-auth-mysql to accept Phpass encrypted passwords. I'll include instructions on how to do this in ubuntu and debian.
The raw patch file is available here
These instructions have been tested in Ubuntu 10.4, 12.04 and 14.04.5, but should work on many other Debian based platforms with minimal changes.
Create a working directory for building the patched .deb package
mkdir mod-auth-mysql-phpass
cd mod-auth-mysql-phpass
Get dependencies needed for building the package and the package source.
sudo apt-get build-dep mod-auth-mysql fakeroot
apt-get source mod-auth-mysql
Go to the newly created source folder.
cd mod-auth-mysql-4.3.9
Use Debian tool to create a properly debian formatted patch (.dpatch). First check the current list of patches.
cat debian/patches/00list
The last official patch will be at the end of the list. Use the name of the last patch as the last argument of dpatch-edit-patch command below. Also pick a number one greater for the name of the new phpass patch. In my case the last patch in the list was 017-doc_persistent_conn.dpatch and the name of phpass patch is then 018-phpass.
dpatch-edit-patch patch 018-phpass 017-doc_persistent_conn.dpatch
dpatch-edit-patch will start a new shell inside a special folder that it will use to build the custom debian formatted patch.
download the raw patch
wget https://pelam.fi/published_sources/mod-auth-mysql-phpass/patch.diff
Apply the raw patch and delete it.
patch < patch.diff
rm patch.diff
Tell dpatch-edit-patch that our custom patch can be generated.
exit
Wonder at your new properly Debian formatted patch. You should also review the changes made by this unofficial patch if you care about security :)
cat debian/patches/018-phpass.dpatch
Add the new patch to the list of patches to be applied when .deb package is built.
echo 018-phpass.dpatch >> debian/patches/00list
Build the patched package
dpkg-buildpackage -b -uc
Now you can install your custom built .deb package (the built package name may vary depending on your system).
sudo dpkg --install ../libapache2-mod-auth-mysql_4.3.9-13.1ubuntu3_amd64.deb
Enable mod-auth-mysql:
sudo a2enmod auth_mysql
Restart apache for the new module to take effect:
sudo service apache2 restart
The documentation (Now including Phpass) can be viewed with eg. less command
zless /usr/share/doc/libapache2-mod-auth-mysql/DIRECTIVES.gz
Here is a sample .htaccess file that allows access only for Wordpress administrators:
AuthType Basic
AuthName "Give Wordpress Administrator username and password"
Auth_MySQL_User YOUR_MYSQL_USER_HERE
Auth_MySQL_Password YOUR_MYSQL_PASSWORD_HERE
Auth_MySQL_Host YOUR_MYSQL_SERVER_HERE
AuthBasicAuthoritative Off
# I don't know a better way to disable the default password file authentication
AuthUserFile /dev/null
Auth_MySQL on
Auth_MySQL_DB YOUR_WORDPRESS_MYSQL_SCHEMA_NAME_HERE
Auth_MySQL_Password_Table wp_users
Auth_MySQL_Username_Field wp_users.user_login
Auth_MySQL_Password_Field wp_users.user_pass
Auth_MySQL_Encryption_Types PHPass PHP_MD5
Auth_MySQL_Group_Table "wp_users, wp_usermeta"
Auth_MySQL_Group_Clause "AND wp_users.ID = wp_usermeta.user_id AND wp_usermeta.meta_key='wp-capabilities' and m.meta_value like '%s:13:\"administrator\"%'"
Auth_MySQL_Persistent On
Auth_MySQL_Authoritative Off
Auth_MySQL_CharacterSet utf8
Require valid-user
Order allow,deny
Allow from all
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With