WordPress – XMLRPC – IXR client and http Basic Authentication

In the context of :

WordPress contains a rich XML library to manage exchanges via XMLRPC to send or receive datas to/from another WP website. (also named webservices)

The limits are :
– it is impossible from one WP site to send datas to a WP website protected via http Basic Authentication (.htaccess and .htpasswd used time to time during development steps).
and use of URI like http://user:paswd@www.domain.tld/xmlrpc.php don’t work.
– …

The (3 hours) trip in the online docs and sources :

In WP core source, most important files are :

include_once(ABSPATH . WPINC . '/class-IXR.php'); /* not included in wp-settings */
include_once(ABSPATH . WPINC . '/class-wp-http-ixr-client.php'); /* not included in wp-settings */

added to those called at start of WP


IXR in WP is the The Incutio XML-RPC Library.
As explained here,
this library don’t contain ways to manage authentication.

Continuing research, we found another library xml-rpc for library with features supporting authentication.


By reading the source of the xmlrpc.inc, the way to authenticate is described by adding some headers in xml datas sent by the client.

$credentials='Authorization: Basic ' . base64_encode($username . ':' . $password) . "\r\n";

Fortunately WP create his own wp-ixr-client (extend of IXR class) and uses his class-HTTP library and function wp_remote_post found in http.php

The WP_Http class contains a lot of filters.
Here, the most interesting is – http_request_args – (line 110 in WP 3.2.1)

A quick (and very basic) solution :

With the filter – http_request_args – to add the Authorization in the request.

Example of code :

function xili_add_basic_authentication ( $args, $url ) {
	if ( false !== strpos($url, 'www.target_site.tld') ) {
		//error_log ($url);
		//error_log (serialize( $args ));
		$args['headers']['Authorization'] = 'Basic '. base64_encode('http_user' . ':' . 'http_passwd');
	return $args;
add_filter ( 'http_request_args', 'xili_add_basic_authentication', 10, 2 );

Note that:

  • ‘headers’ is an array and that class WP_Http build the lines sent to remote site.
  • ‘http_user’ and ‘http_passwd’ are the user login and password written in .passwd file with path in .htaccess of the target wp website. They are not the login/pass of xmlrpc protocol (wp users).
  • Basic Authentication is very basic but can be an example for other ideas using WP_Http class filters…

Hope this small post will be helpful !

This entry was posted in Experts corner, Studies and tagged , , , , , , . Bookmark the permalink.

One Response to WordPress – XMLRPC – IXR client and http Basic Authentication

  1. Ray says:

    Thanks for this! Helped with a .htpasswd issue I was having when using wp_remote_post()!

Laisser un commentaire