The JSON API is an excellent addition to WordPress.  We found that the Basic Auth plugin does not work correctly on hosts that run PHP with FastCGI.  Caution: Incorrect changes to your site's .htaccess could cause your Website to stop functioning.  Be sure to implement these instructions with the help of your Webmaster.

The fix involves two steps:

Step 1

Update your .htaccess file's mod_rewrite section to include these directives:

<IfModule mod_rewrite.c>
#METALOCATOR: This line added to allow basic authentication under FastCGI
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

#METALOCATOR: Turn on the re-write engine.  This should only be included once.  
RewriteEngine on

#METALOCATOR: This line added to allow basic authentication under FastCGI
#METALOCATOR: Establishes an environment variable used by the plugin only for URLs beginning with wp-json/
RewriteRule ^wp-json/.* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

Those lines should be placed within any existing <IfModule mod_rewrite.c> block, instead of adding a new one.  Common WordPress installations already include such a <IfModule mod_rewrite.c> block, so a complete example integrated with the WordPress-provided .htaccess might look like this:

 #BEGIN WordPress
 <IfModule mod_rewrite.c>
 #METALOCATOR: This line added to allow basic authentication under FastCGI
 SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

 RewriteEngine On
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]

 #METALOCATOR: This line added to allow basic authentication under FastCGI
 #METALOCATOR: Establishes an environment variable used by the plugin only for URLs beginning with wp-json/
 RewriteRule ^wp-json/.* – [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
 </IfModule>
 #END WordPress

Once the above changes to the .htaccess are made, the plugin we provide should allow for Basic Authentication.

Step 2

Install the plugin.  You must install the plugin by placing the basic-auth.php file directly within the wp-content/plugins/ folder. It should not be installed using the WordPress plugin installer, it should be added via FTP or otherwise uploaded.  The plugin must then be activated in the usual way.

Download, unzip and upload: basic-auth.zip

You can test successful authentication by running this command from a Linux command line:

curl --user yourusername:yourpassword https://www.yourwebsite.com/wp-json/users/me

The output should contain a JSON formatted dump of your user's permissions.

Did this answer your question?