Comments on: Detecting WordPress login via htaccess

By: Steve Taylor

Steve Taylor — Fri, 06 May 2011 15:43:26 +0000

OK… well I guess you could just hard-code that. But then it would be pretty easy to get past. OK, a bit harder than the above, but it’s still not really doing authentication or authorisation. I guess you could come up with something that actually modifies .htaccess dynamically with even more detailed login data every time someone logs in, but that could get hairy. Keep me posted if you come up with anything more elegant!

By: Nathan Rice

Nathan Rice — Fri, 06 May 2011 15:30:07 +0000

No, it doesn’t, as far as I can tell.

However, a plugin for WP could be written to add this bit to .htaccess. If you did that, then passing PHP values to .htaccess would be no problem.

I’m sure there’s a hook that fires after the rewrite rules get flushed, triggering WP to create/edit the .htaccess file. That would be the best point to insert the extra stuff.

The insert_with_markers() function would be very helpful.

By: Steve Taylor

Steve Taylor — Fri, 06 May 2011 15:23:08 +0000

Thanks for the info Nathan – but I’m presuming there’s no way to access these values in .htaccess? That’s the nub of the above technique. Even if you can hardcode the site URL, does Apache provide an MD5 function in its directives?

By: Nathan Rice

Nathan Rice — Fri, 06 May 2011 15:20:16 +0000

The random characters at the end of the cookie key are the md5 hash of whatever your site URL is. You can access that by doing this, in PHP:

md5( get_site_option( ‘siteurl’ ) );

Or access what WP calculates (a bit safer) by the constant, COOKIEHASH.

And the whole string can be accessed via the constant, LOGGED_IN_COOKIE, which WP also defines.