Basic User Password Authentication
Starting from version 5.6, Basic authentication has been added to the core, but for authorization, you should use Application Password instead of the user password.
If for some reason you need to use the user password for authorization, you will need to install a plugin (read below). However, I do not recommend doing this; it's better to use application passwords!
To enable the possibility of basic authentication through user passwords, you need to install the WordPress plugin Basic Authentication.
With basic authentication, the client sends its login and password to the server along with the request. This data is sent in the request header Authorization
as a base64 encoded string.
Authorization: Basic base64_encode(login:password)
For example, if the login and password are admin
, you need to add the following header:
Authorization: Basic YWRtaW46YWRtaW4=
Since base64 is very easy to decode, this method is completely insecure, so you must use an HTTPS (SSL) connection.
Basic Authorization in Postman
- Go to the Authorization tab;
- Select the authentication method Basic Auth;
- Enter your login and password;
- That's it! Send your authorized requests.
Basic Authorization through WP HTTP API
$response = wp_remote_request( 'http://example.com/wp-json/wp/v2/posts/113', [ 'method' => 'DELETE', 'headers' => [ 'Authorization' => 'Basic ' . base64_encode( 'username:password' ) ] ] ); if( 200 == wp_remote_retrieve_response_code( $response ) ) echo 'Post deleted!'; else echo 'Error: Could not delete post';
See also: WP HTTP API
Basic Authorization through JavaScript
This type of authorization is only needed if an AJAX request is sent from one site to another. If the AJAX request occurs within the site and the user is already authorized, then the authentication cookies will be sent along with the request, meaning that authorization is already present; you just need to specify the nonce code (see above).
$.ajax({ url: 'http://example.com/wp-json/wp/v2/posts/113', method: 'DELETE', crossDomain: true, beforeSend: function ( xhr ) { xhr.setRequestHeader( 'Authorization', 'Basic ' + Base64.encode( 'username:password' ) ); }, success: function( data, txtStatus, xhr ) { console.log( data ); console.log( xhr.status ); } });
Basic Authorization through Command Line
curl -X DELETE http://example.com/wp-json/wp/v2/posts/113 -H 'Authorization: Basic a2FtYTprYW1h'
Why might authorization not work?
If you are sending authentication headers (Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
), but the request is not accepted, it may be that you are using Apache in a CGI environment. This means that Apache strips the headers. Try adding the following code to your Apache configuration file or to the .htaccess file:
<IfModule mod_setenvif> SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 </IfModule>
Starting from WP 5.6, similar code is added automatically (line 3):
<IfModule mod_rewrite.c> RewriteEngine On RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule>