Php, Curl Post to Login to Wordpress

PHP, cURL post to login to WordPress

Kalium got this right -- paths in the WordPress interface are relative, causing the administration interface to not work properly when accessed in this manner.

Your approach is concerning in a few ways, so I'd like to make a few quick recommendations.

Firstly, I would try to find a way to remove the $username and $password variables from being hard-coded. Think about how easy this is to break -- if the password is updated via the administration interface, for instance, the hard-coded value in your code will no longer be correct, and your "auto-login" will now fail. Furthermore, if someone somehow comprises the site and gains access to handshake.php -- well, now they've got the username and password for your blog.

It looks like your WordPress installation rests on the same server as the handshake script you've written, given the path to /blog is relative (in your sample code). Accordingly, I'd suggest trying to mimic the session they validate against in your parent applications login. I've done this several times in the past -- just can't recall the specifics. So, for instance, your login script would not only set your login credentials, but also set the session keys required for WordPress authentication.

This process will involve digging through a lot of WordPress's code, but thats the beauty of open source! Instead of using cURL and hard-coding values, try to simply integrate WordPress's authentication mechanism into your application's login mechanism. I'd start by looking at the source for wp-login.php and going from there.

If all else fails and you're determined to not try to mesh your session authentication mechanism with that of WordPress, then you could immediately fix your problem (without fixing the more concerning aspects of your approach) with these changes to your code:

First, add the following curl_opt:

curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie);  // Enables session support

Then, add this after closing the cURL handler:

curl_close($ch);
// Instead of echoing the result, redirect to the administration interface, now that the valid, authenticated session has been established
header('location: blog/wordpress/wp-admin/');
die();

So, in this less than ideal solution you'd use cURL to authenticate the user, and then rather than attempt to hijack the administration interface into that current page, redirect them to the regular administration interface.

I hope this helps! Let me know if you need more help / the solution isn't clear.

Log into WordPress remotely using Curl

Unfortunately this isn't completely straightforward with cURL. Your problem is that cURL doesn't set cookies on your local browser, it just keeps track of them server side, where it's using them. So when you redirect to Wordpress, you don't actually have the cookies set on your client.

If the blog is on the same domain as the page running the cURL requests, you can parse the cURL result to retrieve the cookies and set them in the browser. If it's on a separate domain, then you're out of luck, since browsers won't let you set cookies for another domain.

returning login status in php [CURL]

Writing the output to a file is not necessary for this and will waste I/O. The second request to the index of the admincp can also saved for checking the login only because wordpress will print the loginform again when the login failed. So I modified your example like the following: 

$username = 'admin';
$password = 'admin';
$loginUrl = 'http://localhost/wordpress/wp-login.php';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $loginUrl);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . $username . '&pwd=' . $password);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$store = curl_exec($ch);
curl_close($ch);

if(strpos($store, 'loginform') !== false) {
    echo 'Login not correct';
}else {
    echo 'Login ok';
}

But for me this seems not to be a good way of doing this. Depending on where you want to integrate this checks it will be a better solution to write a small plugin for the check or maybe integratin wordpress: http://codex.wordpress.org/Integrating_WordPress_with_Your_Website Then you can use the wordpress-functions to check the credentials like https://codex.wordpress.org/Function_Reference/wp_check_password


Related Topics

How to Echo the Whole Content of a .HTML File in PHP

PHP Generated Xml Shows Invalid Char Value 27 Message

Malformed Utf-8 Characters, Possibly Incorrectly Encoded' in Laravel

How to Use In_Array If the Needle Is an Array

How to Add Extra Whitespace in PHP

Count the Number of Pages in a PDF in Only PHP

How to Pass Objects by Reference in PHP 5

How to Select All Column Name from a Table in Laravel

Check If Value Isset and Null

What Is the Syntax for Sorting an Eloquent Collection by Multiple Columns

What Are the Valid Characters in PHP Variable, Method, Class, etc Names

Algorithm to Get All Possible String Combinations from Array Up to Certain Length

Remotely Destroy a Session in PHP (User Logs in Somewhere Else)

Is Multiple Inheritance Allowed at Class Level in PHP

File Not Uploading PHP

How Is Testing the Registry Pattern or Singleton Hard in PHP

How to Solve Error 404 When Deploying Laravel Project to Cpanel

Codeigniter: Try Catch Is Not Working in Model Class


Leave a reply



Submit