HTTP Digest Authentication

plugin banner

Protect your wp-login.php page with HTTP Digest Authentication without the need of adding web server modules or changing config files.

Author:Jesin (profile at
WordPress version required:3.1.0
WordPress version tested:4.9.26
Plugin version:1.2.1
Added to WordPress repository:16-10-2013
Last updated:25-11-2017
Warning! This plugin has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
Rating, %:80
Rated by:5
Plugin URI:
Total downloads:3 960
Active installs:40+
plugin download
Click to start download

This plugin adds an additional layer of protection for the wp-login.php page using HTTP Digest Authentication with the PHP header() function.
So it doesn’t require configuring web server files like .htaccess or .htdigest and works on all web hosting environments.

Important: If you already have a plugin which does HTTP Authentication please deactivate it before activating this plugin. Similarly if you have configured your web server to do HTTP authentication on the wp-login.php file please remove it before using this plugin.

If you are using FastCGI PHP this plugin may keep prompting for the credentials even if you enter the right pair, in this case use the following in your .htaccess file

<IfModule mod_setenvif.c>
SetEnvIfNoCase ^Authorization$ "(.+)" PHP_AUTH_DIGEST=$1

Advantages of HTTP Digest Authentication

The BA (Basic Authentication) mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with BASE64 in transit, but not encrypted or hashed in any way.

  • Digest Authentication on the other hand uses MD5 on the credentials making it “one way”
  • Uses server and client nonces to prevent replay attacks

Features of the HTTP Digest Auth plugin

  • Works using PHP header() function and doesn’t require modification of service config files (like .htaccess, nginx.conf etc)
  • Supports HTTP credentials for each WordPress user
  • Clears the HTTP Digest credentials when the user logs out of WordPress (more on this in the FAQ)
  • Verifies if both the HTTP and WordPress credentials are of the same user (this is the default behavior and can be changed)
  • Works on all major Web Servers (Tested on Apache, Nginx and Lighttpd)

Plugin Behavior

  • When this plugin is activated for the first time all WordPress users will have the following Digest credentials
    Username: <WordPress username>
    Password: password
    This can be changed from Users > Your Profile.
  • After activating this plugin for the first time you’ll be prompted for HTTP credentials when you logout
  • Similarly if you change your HTTP username or password you’ll be prompted for this when you logout

Available languages

The HTTP Digest Authentication Plugin official homepage.