#21924 closed feature request (worksforme)
add action / filter to wp-login.php so we can replace WordPress login and force using 3rd party login
Reported by: | cliffpaulick | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | |
Component: | Security | Keywords: | |
Focuses: | | Cc: | |
Description
I want to turn off WordPress login because I don't have an SSL certificate. I want to replace (not just hide with CSS or something) the WordPress wp-login.php login form so that a plugin can hook into that and be called within themes that use the hook to display the WordPress login form. Then, if the plugin is disabled, the generic WordPress login will display by default/fallback.
Worst concern about this is the plugin failing, especially upon an update or theme change or something and this can be fixed by logging in and disabling the plugin via FTP or via database or something.
(Of course, applies to both "login" and "register", not just "login".)
What I tried before posting here:
http://premium.wpmudev.org/forums/topic/is-there-a-plugin-to-disable-wordpress-default-login?replies=9#post-276574
and
http://www.wpquestions.com/question/show/id/7065
Might be related to:
http://core.trac.wordpress.org/ticket/19097
Thank you very much.
Change History (6)
#3 (follow-up: ↓ 5) 11 years ago
Thank you for the information. However, the "turn off default login form" and "add new page and add custom login form to it" is not a user friendly way -- and therefore a less likely to be used way -- of sort of accomplishing this.
There should be an option in the Settings menu that makes it easy to change the login destination, including support for multisite and site-by-site override if network admin permits.
This would accomplish security through obscurity and not require a new page to be added to each site.
#4 (follow-up: ↓ 6) 11 years ago
There is also a filter in wp_login_url(). That said, we don't really have a desire to deeply support this level of security-by-obscurity at this time.
#5 (in reply to: ↑ 3) 11 years ago
Replying to cliffpaulick:
> There should be an option in the Settings menu that makes it easy to change the login destination, including support for multisite and site-by-site override if network admin permits.
> This would accomplish security through obscurity and not require a new page to be added to each site.
#6 (in reply to: ↑ 4) 11 years ago
Replying to nacin:
> There is also a filter in wp_login_url(). That said, we don't really have a desire to deeply support this level of security-by-obscurity at this time.

tyvm for your directness, @nacin. I guess resorting to multi-part hacks like http://wordpress.stackexchange.com/questions/43059/change-sign-on-urls-for-security-purposes is the result of not making this part of core. Hopefully in the eventual future. It seems more and more people are cluing in that this would be useful and important. I think it's very important and shouldn't have to be this manual (not that it's difficult) to implement.
The following actions already exist that allow you to extend the login and registration forms: login_head, login_form, register_form, register_post. Using these, you could hide the existing form with CSS and replace it with your own. You'll also want to hook into the authenticate filter to add the logic for your third-party login mechanism.
If you really want to disable the standard WordPress login that uses username and password, you can do that with
remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
(closing as 'worksforme' since I believe the existing hooks will do what you want. If not, feel free to reopen and explain further)
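The approach in the closing comment, as an added example (not code from the ticket or from WordPress core): a small plugin that removes core's password checks from the authenticate filter and accepts a signed token from the third party instead. The POST field name, the token format and the EXAMPLE_SSO_SECRET constant are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example third-party login (illustration only)
 */

// Core registers both password checks on 'authenticate' at priority 20.
remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );

add_filter( 'authenticate', 'example_sso_authenticate', 30, 3 );

/**
 * Accepts a token issued by the third party (hypothetical format):
 *   "<user_login>|<unix expiry>|<hex HMAC-SHA256 of 'user_login|expiry'>"
 * keyed with EXAMPLE_SSO_SECRET, a constant assumed to be set in wp-config.php.
 */
function example_sso_authenticate( $user, $username, $password ) {
	if ( $user instanceof WP_User ) {
		return $user; // An earlier callback already authenticated the request.
	}

	// Hypothetical POST field filled in by the replacement login form.
	$raw   = isset( $_POST['example_sso_token'] ) ? $_POST['example_sso_token'] : '';
	$token = is_string( $raw ) ? wp_unslash( $raw ) : '';
	if ( '' === $token || ! defined( 'EXAMPLE_SSO_SECRET' ) ) {
		// Nothing to verify: pass the result through. With the password
		// checks removed, no callback in this file logs the user in.
		return $user;
	}

	$parts = explode( '|', $token );
	if ( 3 !== count( $parts ) ) {
		return new WP_Error( 'example_sso_invalid', 'Third-party login failed.' );
	}
	list( $login, $expires, $mac ) = $parts;

	// Constant-time comparison of the MAC, then the expiry check.
	$expected = hash_hmac( 'sha256', $login . '|' . $expires, EXAMPLE_SSO_SECRET );
	if ( ! hash_equals( $expected, $mac ) || (int) $expires < time() ) {
		return new WP_Error( 'example_sso_invalid', 'Third-party login failed.' );
	}

	$found = get_user_by( 'login', $login );
	return $found ? $found : new WP_Error( 'example_sso_invalid', 'Third-party login failed.' );
}
```

Because the filters are removed only while this plugin is loaded, deactivating it brings back core's username and password login, which is the fallback the ticket asks for.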