Question

I have no HTTPS, and I would not like to use it yet on my blog. However, I need a way to secure my login page, so I want to encrypt the password with RSA before it gets sent. As I was not able to find a recent plugin, I need to do it myself. Where is the form so I can add JavaScript to encrypt, and where is the query so I can decrypt it?


Solution

The hook you will probably be most interested in is wp_authenticate.

Codex: This action is located inside of wp_signon. In contrast to the wp_login action, it is executed before the WordPress authentication process.

That hook and wp_signon are defined in wp-includes/user.php line 10


But wp-includes/pluggable.php has wp_authenticate() and it can be overridden. It also provides a hook, authenticate.


The Form

The log in form (the form itself) is defined in wp-includes/general-template.php line 402

You can hook the default $args with login_form_defaults filter hook defined on line 431

The default $args for the form:

    $defaults = array(
        'echo' => true,
        // Default 'redirect' value takes the user back to the request URI.
        'redirect' => ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'],
        'form_id' => 'loginform',
        'label_username' => __( 'Username or Email Address' ),
        'label_password' => __( 'Password' ),
        'label_remember' => __( 'Remember Me' ),
        'label_log_in' => __( 'Log In' ),
        'id_username' => 'user_login',
        'id_password' => 'user_pass',
        'id_remember' => 'rememberme',
        'id_submit' => 'wp-submit',
        'remember' => true,
        'value_username' => '',
        // Set 'value_remember' to true to default the "Remember me" checkbox to checked.
        'value_remember' => false,
    );

With root/wp-login.php

You can enqueue scripts into the head via the action hook do_action( 'login_enqueue_scripts' ); on line 90


Considerations

There are other internal functions, like wp_authenticate_username_password($user, $username, $password), which follows wp_signon in user.php, that may be expecting or passing a plain-text password.

A note on $password param in Codex of the wp_authenticate_user filter found in wp_authenticate_username_password:

$password (string) (optional) The user's password (plain text).


Hopefully wp_signon mentioned off the top can satisfy what you're after.
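
The hooks named in the answer, wired together as an added example that is not part of the original answer or of WordPress itself: a script is enqueued on the login page and the posted password field is decrypted in the wp_authenticate action before WordPress checks it. The key path, the login-rsa.js script and the base64 RSA-OAEP field format are assumptions.

```php
<?php
// Added example, not the answer's or WordPress's own code. Assumed: the key path,
// the script name, and a pwd field carrying base64( RSA-OAEP( password ) ).
define( 'EXAMPLE_RSA_KEY_PATH', '/path/outside/webroot/login-private.pem' ); // placeholder

// Load the (hypothetical) client script that encrypts #user_pass on submit.
add_action( 'login_enqueue_scripts', function () {
    wp_enqueue_script( 'example-login-rsa', plugins_url( 'login-rsa.js', __FILE__ ), array(), '1.0', true );
} );

// Returns the plain-text password, or null if the input is not valid ciphertext.
function example_decrypt_login_password( $b64_ciphertext, $private_key_pem ) {
    $ciphertext = base64_decode( $b64_ciphertext, true ); // strict mode rejects non-base64
    if ( false === $ciphertext || '' === $ciphertext ) {
        return null;
    }
    $key = openssl_pkey_get_private( $private_key_pem );
    if ( false === $key ) {
        return null;
    }
    $plain = '';
    $ok    = openssl_private_decrypt( $ciphertext, $plain, $key, OPENSSL_PKCS1_OAEP_PADDING );
    return $ok ? $plain : null;
}

// wp_signon() fires wp_authenticate with both credentials passed by reference,
// so assigning to $password replaces what wp_authenticate() later verifies.
add_action( 'wp_authenticate', function ( &$username, &$password ) {
    if ( ! is_string( $password ) || '' === $password ) {
        return; // The action also fires when the form is only being displayed.
    }
    $pem   = file_get_contents( EXAMPLE_RSA_KEY_PATH );
    $plain = ( false === $pem ) ? null : example_decrypt_login_password( $password, $pem );
    // Fail closed: never let undecryptable input be checked as a plain-text password.
    $password = ( null === $plain ) ? '' : $plain;
}, 10, 2 );
```

Because the ciphertext itself is accepted as the credential, a captured POST can be replayed unless the encrypted payload also carries a server-issued one-time value that this hook verifies. Browsers expose window.crypto.subtle only in secure contexts, so over plain HTTP the client script has to bundle its own RSA implementation.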

Licensed under: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange