Where is the query and form in wp-login.php?
22-02-2021
Question
I have no HTTPS, and I would not like to use it yet on my blog. However, I need a way to secure my login page, so I want to encrypt the password with RSA before it gets sent. As I was not able to find a recent plugin, I need to do it myself. Where is the form so I can add JavaScript to encrypt, and where is the query so I can decrypt it?
Solution
The hook you will probably be most interested in is wp_authenticate.
Codex: This action is located inside of wp_signon. In contrast to the wp_login action, it is executed before the WordPress authentication process.
That hook and wp_signon are defined in wp-includes/user.php line 10.
But wp-includes/pluggable.php has wp_authenticate() and it can be overridden. It also provides a hook, authenticate.
The Form
The log in form (the form itself) is defined in wp-includes/general-template.php line 402.
You can hook the default $args with the login_form_defaults filter hook defined on line 431.
The default $args for the form:
$defaults = array(
    'echo'           => true,
    // Default 'redirect' value takes the user back to the request URI.
    'redirect'       => ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'],
    'form_id'        => 'loginform',
    'label_username' => __( 'Username or Email Address' ),
    'label_password' => __( 'Password' ),
    'label_remember' => __( 'Remember Me' ),
    'label_log_in'   => __( 'Log In' ),
    'id_username'    => 'user_login',
    'id_password'    => 'user_pass',
    'id_remember'    => 'rememberme',
    'id_submit'      => 'wp-submit',
    'remember'       => true,
    'value_username' => '',
    // Set 'value_remember' to true to default the "Remember me" checkbox to checked.
    'value_remember' => false,
);
With root/wp-login.php
You can enqueue scripts into the head via the action hook do_action( 'login_enqueue_scripts' ); on line 90.
Considerations
There are other internal functions, like wp_authenticate_username_password($user, $username, $password) that follows wp_signon in user.php, that may be expecting or passing a text password.
A note on the $password param in the Codex for the wp_authenticate_user filter found in wp_authenticate_username_password:
$password (string) (optional) The user's password (plain text).
Hopefully wp_signon mentioned off the top can satisfy what you're after.
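How the two hooks named in the answer fit together, as an added example that is not part of the original answer or of WordPress core. The key file path, the client script encrypt-login.js (expected to replace the password field with "rsa:" plus base64 RSA-OAEP ciphertext) and the "rsa:" prefix are assumptions.

```php
<?php
/**
 * Plugin Name: RSA login field (added example, not WordPress core code)
 * Hook names are the ones cited in the answer. The key path, encrypt-login.js
 * and the "rsa:" prefix are assumptions made for this sketch.
 */
const RSA_LOGIN_KEY_FILE = '/etc/wp-secrets/login-private.pem'; // assumed path, outside the web root

// Load the PEM private key, or return false when it is missing or unparsable.
function rsa_login_private_key() {
    $pem = is_readable( RSA_LOGIN_KEY_FILE ) ? file_get_contents( RSA_LOGIN_KEY_FILE ) : '';
    return $pem ? openssl_pkey_get_private( $pem ) : false;
}

// wp-login.php fires login_enqueue_scripts in its <head>: load the (hypothetical)
// client script and hand it the public half of the key pair.
add_action( 'login_enqueue_scripts', function () {
    $private = rsa_login_private_key();
    if ( false === $private ) {
        return; // No key: leave the stock form untouched.
    }
    $details = openssl_pkey_get_details( $private );
    wp_enqueue_script( 'rsa-login', plugins_url( 'encrypt-login.js', __FILE__ ), array(), '1.0' );
    wp_localize_script( 'rsa-login', 'rsaLogin', array( 'publicKey' => $details['key'] ) );
} );

// wp_signon() fires wp_authenticate with both credentials passed by reference,
// so assigning to $password here is what the rest of core authenticates against.
add_action( 'wp_authenticate', function ( &$username, &$password ) {
    if ( ! is_string( $password ) || 0 !== strpos( $password, 'rsa:' ) ) {
        return; // Not produced by the client script (e.g. JavaScript disabled).
    }
    $cipher  = base64_decode( substr( $password, 4 ), true );
    $private = rsa_login_private_key();
    $plain   = '';
    if ( false === $cipher || false === $private
        || ! openssl_private_decrypt( $cipher, $plain, $private, OPENSSL_PKCS1_OAEP_PADDING ) ) {
        $password = ''; // Fail closed: core rejects an empty password.
        return;
    }
    $password = $plain; // Plain text again, as wp_authenticate_username_password() expects.
}, 1, 2 );
```

The server accepts any ciphertext that decrypts to the right password, so a recorded "rsa:" value can be resubmitted unchanged, and the script and public key are themselves delivered over plain HTTP. Binding each submission to a one-time server value closes the replay; only TLS protects the script delivery.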