The hashing mechanism for generating authentication headers has changed slightly. Please refer to the FAWs for an example of how things work with a double-hash in the newest version.<\/p>","0.1.0":"
First Release<\/p>"},"ratings":{"1":"1","2":0,"3":0,"4":0,"5":"2"},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":"975920","resolution":"128x128","location":"assets","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":"975920","resolution":"256x256","location":"assets","width":256,"height":256}},"assets_banners":{"banner-772x250.png":{"filename":"banner-772x250.png","revision":"975920","resolution":"772x250","location":"assets","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["0.1.0","1.0.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":"831036","resolution":"1","location":"assets","width":2192,"height":1122}},"screenshots":{"1":"The new Remote Publishing Permissions area of the user profile."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[710,2061,600,14731],"plugin_category":[38,54],"plugin_contributors":[79892],"plugin_business_model":[],"class_list":["post-27019","plugin","type-plugin","status-publish","hentry","plugin_tags-authentication","plugin_tags-oauth","plugin_tags-security","plugin_tags-xmlrpc","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-ericmann","plugin_committers-ericmann"],"banners":{"banner":"https:\/\/ps.w.org\/secure-xml-rpc\/assets\/banner-772x250.png?rev=975920","banner_2x":false,"banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/secure-xml-rpc\/assets\/icon-128x128.png?rev=975920","icon_2x":"https:\/\/ps.w.org\/secure-xml-rpc\/assets\/icon-256x256.png?rev=975920","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/secure-xml-rpc\/assets\/screenshot-1.png?rev=831036","caption":"The new Remote Publishing Permissions area of the user profile."}],"raw_content":"\n
Rather than sending usernames and passwords in plain text with every request, we're going to use a set of public\/secret keys to hash data and authenticate instead.<\/p>\n\n
On your WordPress profile, you will see a new \"Remote Publishing Permissions\" section listing out the applications that have permission to publish, along with their public and secret keys.<\/p>\n\n
New applications can be added whenever you want. You can also change the names of applications, or revoke publishing permission by deleting them.<\/p>\n\n
Lock graphic designed by Scott Lewis from the thenounproject.com<\/p>\n\n\n
\/secure-xml-rpc<\/code> directory to the \/wp-content\/plugins\/<\/code> directory.<\/li>\n- Activate Secure XML-RPC through the 'Plugins' menu in WordPress.<\/li>\n<\/ol>\n\n\n
\n- How do I use the new authorization?<\/dt>\n
The old username\/password paradigm can still be used, but will result in a X-Deprecated<\/code> header being returned by the server.<\/p>\n\nFrom now on, you will send an Authorization<\/code> header. This header will be the publishing application's public key, two pipe (|<\/code>) characters, and a hash of the application's secret key concatenated with the body of the request.<\/p><\/dd>\n- How do I generate the message hash?<\/dt>\n
Say your application has the following information:\n* Public Key: b730db0864b0d4453ba6a26ad6613cd4\n* Secret Key: 7647a19f5bf3e9fd001419900ad48a54<\/p>\n\n
And you want to make the following request (whitespace\/indentation added for readability, but is removed when calculating hashes):<\/p>\n\n
<?xml version=\"1.0\"?>\n<methodCall>\n <methodName>wp.getPosts<\/methodName>\n <params>\n <param>\n <value><i4>1<\/i4><\/value>\n <\/param>\n <param>\n <value><string><\/string><\/value>\n <\/param>\n <param>\n <value><string><\/string><\/value>\n <\/param>\n <\/params>\n<\/methodCall>\n<\/code><\/pre>\n\nNote that the second and third parameters (traditionally username<\/code> and password<\/code>) are empty. Usernames and passwords can still be specified, but will result in the server returning an X-Deprecated<\/code> header.<\/p>\n\nYour Authorization header would thus become:<\/p>\n\n
b730db0864b0d4453ba6a26ad6613cd4||3fac15f99f7a178f922bcc4942e62dc9001b2a45118fc3a6f3aebd77d25f4d58\n<\/code><\/pre>\n\nThe second part of the header is generated in PHP by calculating:<\/p>\n\n
hash( 'sha256', '7647a19f5bf3e9fd001419900ad48a54' . hash( 'sha256', '7647a19f5bf3e9fd001419900ad48a54' . {request_body} ) )\n<\/code><\/pre>\n\nWordPress will read the header and log you in as usual, but you never need to send your password across the wire.<\/p>\n\n