WordPress.org

Make WordPress Core

Opened 19 months ago

Closed 9 months ago

Last modified 8 months ago

#21924 closed feature request (worksforme)

add action / filter to wp-login.php so we can replace WordPress login and force using 3rd party login

Reported by: cliffpaulick Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: Cc:

Description

I want to turn off WordPress login because I don't have an SSL certificate. I want to replace (not just hide with CSS or something) the WordPress wp-login.php login form so that a plugin can hook into that and be called within themes that use the hook to display the WordPress login form. Then, if the plugin is disabled, the generic WordPress login will display by default/fallback.

Worst concern about this is the plugin failing, especially upon an update or theme change or something and this can be fixed by logging in and disabling the plugin via FTP or via database or something.

(Of course, applies to both "login" and "register", not just "login".)

What I tried before posting here:
http://premium.wpmudev.org/forums/topic/is-there-a-plugin-to-disable-wordpress-default-login?replies=9#post-276574
and
http://www.wpquestions.com/question/show/id/7065

Might be related to:
http://core.trac.wordpress.org/ticket/19097

Thank you very much.

Change History (6)

comment:1 willnorris9 months ago

  • Resolution set to worksforme
  • Status changed from new to closed

The following actions already exist that allow you to extend the login and registration forms: login_head, login_form, register_form, register_post. Using these, you could hide the existing form with CSS and replace it with your own. You'll also want to hook into the authenticate filter to add the logic for your third-party login mechanism.

If you really want to disable the standard WordPress login that uses username and password, you can do that with remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3);

(closing as 'worksforme' since I believe the existing hooks will do what you want. If not, feel free to reopen and explain further)

comment:2 helen9 months ago

  • Milestone Awaiting Review deleted

comment:3 follow-up: cliffpaulick8 months ago

Thank you for the information. However, the "turn off default login form" and "add new page and add custom login form to it" is not a user friendly way -- and therefore a less likely to be used way -- of sort of accomplishing this.
There should be an option in the Settings menu that makes it easy to change the login destination, including support for multisite and site-by-site override if network admin permits.
This would accomplish security through obscurity and not require a new page to be added to each site.

comment:4 follow-up: nacin8 months ago

There is also a filter in wp_login_url(). That said, we don't really have a desire to deeply support this level of security-by-obscurity at this time.

comment:5 in reply to: ↑ 3 SergeyBiryukov8 months ago

Replying to cliffpaulick:

There should be an option in the Settings menu that makes it easy to change the login destination, including support for multisite and site-by-site override if network admin permits.
This would accomplish security through obscurity and not require a new page to be added to each site.

Related: #24673, #13118, #7194.

comment:6 in reply to: ↑ 4 cliffpaulick8 months ago

Replying to nacin:

There is also a filter in wp_login_url(). That said, we don't really have a desire to deeply support this level of security-by-obscurity at this time.

tyvm for your directness, @nacin. I guess resorting to multi-part hacks like http://wordpress.stackexchange.com/questions/43059/change-sign-on-urls-for-security-purposes are the result of not making this part of core. Hopefully in the eventual future. It seems more and more people are cluing in that this would be useful and important. I think it's very important and shouldn't have to be this manual (not that it's difficult) to implement.

Note: See TracTickets for help on using tickets.