HTTP BASIC authentication (Wikipedia) is a form of client/server authentication where the username and password are Base64-encoded in the request header. However, because these credentials can be easily decoded, BASIC authentication requires SSL for the request to be secured.

HTTP DIGEST authentication (Wikipedia) permits more secure communication between the client and server over insecure HTTP. It’s also a fair bit more challenging to implement, for a couple of reasons:

  1. Every API call actually requires two HTTP requests. Although the first request will fail with 401 Unauthorized, it returns a www-authenticate response header with values critical for signing the second request.
  2. Sending the second request requires creating a signature with several variables where the order matters. Because of the number of variables (pun intended), debugging authentication failures can be very frustrating.

To make HTTP DIGEST authentication requests easier in WordPress, here’s a function you can use:
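As an added example (not the author's function and not WordPress core code), the signing step from item 2 can be written in plain PHP as follows. The function names are hypothetical, only MD5 with qop=auth is handled, and the sample challenge and credentials are the RFC 2617 example values.

```php
<?php
// Added example (hypothetical function names): RFC 2617 Digest, MD5 + qop=auth.

/** Parse a `Digest key="value", key=value` challenge into an array. */
function parse_digest_challenge( string $header ): array {
    $params = [];
    $header = preg_replace( '/^Digest\s+/i', '', trim( $header ) );
    preg_match_all( '/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $matches, PREG_SET_ORDER );
    foreach ( $matches as $m ) {
        // Group 3 is only present for unquoted values.
        $params[ strtolower( $m[1] ) ] = $m[3] ?? $m[2];
    }
    return $params;
}

/** Build the Authorization header value for the second request. */
function build_digest_authorization( array $c, string $user, string $pass,
        string $method, string $uri, string $cnonce, int $nc = 1 ): string {
    $qops = array_map( 'trim', explode( ',', $c['qop'] ?? '' ) );
    if ( empty( $c['realm'] ) || empty( $c['nonce'] )
        || 'MD5' !== strtoupper( $c['algorithm'] ?? 'MD5' )
        || ! in_array( 'auth', $qops, true ) ) {
        throw new InvalidArgumentException( 'Expected an MD5, qop=auth challenge.' );
    }
    $nc_hex = sprintf( '%08x', $nc );
    // Field order inside each hash input is fixed; a swapped field changes
    // the hash and the server rejects the request.
    $ha1      = md5( "$user:{$c['realm']}:$pass" );
    $ha2      = md5( "$method:$uri" );
    $response = md5( "$ha1:{$c['nonce']}:$nc_hex:$cnonce:auth:$ha2" );

    $header = sprintf(
        'Digest username="%s", realm="%s", nonce="%s", uri="%s", algorithm=MD5, '
        . 'qop=auth, nc=%s, cnonce="%s", response="%s"',
        $user, $c['realm'], $c['nonce'], $uri, $nc_hex, $cnonce, $response
    );
    if ( isset( $c['opaque'] ) ) {
        $header .= sprintf( ', opaque="%s"', $c['opaque'] ); // echoed back unchanged
    }
    return $header;
}

// Constructed input: the challenge and credentials from the RFC 2617 example.
$challenge = 'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    . 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"';
// In real use, generate the client nonce with bin2hex( random_bytes( 8 ) ).
echo build_digest_authorization( parse_digest_challenge( $challenge ),
    'Mufasa', 'Circle Of Life', 'GET', '/dir/index.html', '0a4f113b' ), "\n";
```

In WordPress, the challenge string would come from `wp_remote_retrieve_header()` on the first (401) response, and the returned value would be sent as the `Authorization` entry in the `headers` argument of the second `wp_remote_request()` call.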

Hand Built is Daniel Bachhuber, an effective developer with technology leadership you can trust.
