Basic Authorization Header Missing

George Stephanis edited this page Feb 25, 2017 · 1 revision

Howdy!

You're probably here because you were presented with an error message that looks something like this:

Due to a potential server misconfiguration, it seems that HTTP Basic Authorization may not work for the REST API on this site: Authorization headers are not being sent to WordPress by the web server.

Not to worry! This is often easily solvable by a minor .htaccess modification.

By default, WordPress creates a block that looks something like this in your .htaccess file:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

What we need to do is add this line:

RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]

directly after the RewriteEngine On line -- so your final block will look like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Once that's done, Application Passwords and HTTP Basic Auth should work as expected.

Why does this happen?

This happens because your server is likely running PHP in CGI or FastCGI mode. In these modes, by default, your web server thinks it's meant to handle HTTP Auth itself and then just pass the request on to PHP if it meets the requirements, without the Authorization header. But we need PHP to get the raw Auth header! So the added rule stashes it in the REMOTE_USER environment variable, which is passed through to PHP.
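
To check where the header ends up after the change, here is an added example (not the plugin's own code) that recovers Basic credentials from whichever `$_SERVER` key the server populated. The function name `example_basic_credentials` and the sample values are hypothetical; the `REDIRECT_` variants are included because Apache prefixes environment variables that way after an internal rewrite such as the one to `/index.php`.

```php
<?php
/**
 * Added example, not the plugin's code: recover HTTP Basic credentials
 * from whichever $_SERVER key the web server populated.
 */
function example_basic_credentials(array $server): ?array
{
    // mod_php decodes the header itself and fills these in directly.
    if (isset($server['PHP_AUTH_USER'])) {
        return [
            'source'   => 'PHP_AUTH_USER',
            'username' => $server['PHP_AUTH_USER'],
            'password' => $server['PHP_AUTH_PW'] ?? '',
        ];
    }

    // Under CGI/FastCGI the raw header only arrives if something forwards it.
    // REMOTE_USER is where the rewrite rule on this page stashes it.
    $keys = ['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION',
             'REMOTE_USER', 'REDIRECT_REMOTE_USER'];
    foreach ($keys as $key) {
        $header = $server[$key] ?? '';
        if (!is_string($header)
            || !preg_match('/^Basic\s+(\S+)$/i', trim($header), $m)) {
            continue; // empty, or not a Basic scheme value
        }
        $decoded = base64_decode($m[1], true); // strict: reject bad base64
        if ($decoded === false || strpos($decoded, ':') === false) {
            continue;
        }
        // Split on the first colon only: passwords may contain colons.
        [$user, $pass] = explode(':', $decoded, 2);
        return ['source' => $key, 'username' => $user, 'password' => $pass];
    }
    return null; // the header never reached PHP
}

// Constructed sample: $_SERVER as it might look under FastCGI after the fix.
$sample = ['REDIRECT_REMOTE_USER' => 'Basic ' . base64_encode('alice:abcd EFGH:1234')];
$creds  = example_basic_credentials($sample);
echo $creds === null
    ? "Authorization header did not reach PHP\n"
    : "Credentials for {$creds['username']} found in {$creds['source']}\n";
```

A `null` result for a request that did send an `Authorization` header means the server is still dropping it before PHP runs.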
