[ACCEPTED]-PHP, cURL post to login to WordPress-curl

Accepted answer
Score: 14

Kalium got this right -- paths in the WordPress interface are relative, causing the administration interface to not work properly when accessed in this manner.

Your approach is concerning in a few ways, so I'd like to make a few quick recommendations.

Firstly, I would try to find a way to remove the $username and $password variables from being hard-coded. Think about how easy this is to break -- if the password is updated via the administration interface, for instance, the hard-coded value in your code will no longer be correct, and your "auto-login" will now fail. Furthermore, if someone somehow compromises the site and gains access to handshake.php -- well, now they've got the username and password for your blog.

It looks like your WordPress installation rests on the same server as the handshake script you've written, given the path to /blog is relative (in your sample code). Accordingly, I'd suggest trying to mimic the session they validate against in your parent application's login. I've done this several times in the past -- just can't recall the specifics. So, for instance, your login script would not only set your login credentials, but also set the session keys required for WordPress authentication.

This process will involve digging through a lot of WordPress's code, but that's the beauty of open source! Instead of using cURL and hard-coding values, try to simply integrate WordPress's authentication mechanism into your application's login mechanism. I'd start by looking at the source for wp-login.php and going from there.

If all else fails and you're determined to not try to mesh your session authentication mechanism with that of WordPress, then you could immediately fix your problem (without fixing the more concerning aspects of your approach) with these changes to your code:

First, add the following curl_opt:

curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie);  // Enables session support

Then, add this after closing the cURL handler:

// Instead of echoing the result, redirect to the administration interface, now that the valid, authenticated session has been established
header('location: blog/wordpress/wp-admin/');

So, in this less than ideal solution you'd use cURL to authenticate the user, and then rather than attempt to hijack the administration interface into that current page, redirect them to the regular administration interface.

I hope this helps! Let me know if you need more help / the solution isn't clear.
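
One way to integrate WordPress's own authentication into the parent application's login, as the accepted answer recommends, instead of replaying a stored password over cURL. This is an added example, not code from any of the answers; the WordPress path, the session keys `app_user_login` and `csrf`, and the one-to-one mapping of login names are assumptions.

```php
<?php
// sso-bridge.php: added example, not from the original answers.
// Assumptions (hypothetical): WordPress lives in ./blog/wordpress on the same
// host, the parent application stores the logged-in user's name in
// $_SESSION['app_user_login'] and a CSRF token in $_SESSION['csrf'], and each
// application user has a WordPress account with the same login name.

session_start();

// Only accept a POST that carries the parent application's CSRF token, so a
// third-party page cannot trigger the WordPress login on the user's behalf.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || empty($_SESSION['csrf'])
    || !hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
    http_response_code(403);
    exit('Forbidden');
}

// The parent application must already have authenticated this user.
if (empty($_SESSION['app_user_login'])) {
    http_response_code(401);
    exit('Not logged in');
}

// Bootstrap WordPress so its own authentication functions are available.
require __DIR__ . '/blog/wordpress/wp-load.php';

$user = get_user_by('login', $_SESSION['app_user_login']);
if (!$user) {
    http_response_code(403);
    exit('No matching WordPress account');
}

// Issue WordPress's own auth cookies to the browser; no password is stored
// or replayed. The third argument marks the cookie Secure on HTTPS.
wp_set_current_user($user->ID);
wp_set_auth_cookie($user->ID, false, is_ssl());

// Redirect to the regular administration interface on this host.
wp_safe_redirect(admin_url());
exit;
```

Because the cookies are set by WordPress itself in the user's browser, a password change in the administration interface does not break the hand-off, and the script holds no credentials to leak.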

Score: 1

Check the HTML source. It sounds like WP's links may be relative. Instead of making this process even more complicated than it already is, however, I suggest you perform the login, hand the user whatever cookies are required, and redirect them.

Otherwise you're coding a proxy, piece by piece.

Score: 1

If your script doesn't perform all the functions you need in a single execution, you may need to parse out the cookie values, store them in a file, and then resend on the next execution. Check out the CURLOPT_COOKIEFILE option.

Score: 1

Here is the code that worked for me:

The key change is that I removed the parameter called "testcookie" from my post string.

Note: add your website instead of "mywordpress" and username and password in the below code

$curl = curl_init();

//---------------- generic cURL settings start ----------------
$header = array(
    "Referer: https://mywordpress/wp-login.php",
    "Origin: https://mywordpress",
    "Content-Type: application/x-www-form-urlencoded",
    "Cache-Control: no-cache",
    "Pragma: no-cache",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15"
);

curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
// Verify the server's certificate and host name so the password is only sent to the real site
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15');
curl_setopt($curl, CURLOPT_AUTOREFERER, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
// Start a fresh cookie session, then read and write cookies in the same file
curl_setopt($curl, CURLOPT_COOKIESESSION, true);
curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($curl, CURLOPT_COOKIEJAR, 'cookies.txt');
//---------------- generic cURL settings end ----------------

$url = 'https://mywordpress/wp-login.php';
curl_setopt($curl, CURLOPT_URL, $url);

// Login form fields; the "testcookie" parameter is deliberately left out
$post = 'log=username&pwd=password&wp-submit=Log+In&redirect_to=https%3A%2F%2Fmywordpress%2Fwp-admin%2F';
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $post);

$output = curl_exec($curl);

curl_close($curl);

echo $output;
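
A variant of the cURL login above that addresses the concerns raised in the accepted answer about hard-coded credentials and in the cookie-file answer about where the session cookie is stored. This is an added example, not the poster's code; the environment variable names `WP_URL`, `WP_USER` and `WP_PASS` and the function `wp_curl_login` are assumptions.

```php
<?php
// Added example, not the poster's code. WP_URL, WP_USER and WP_PASS are
// hypothetical environment variable names; set them outside the web root.
function wp_curl_login(string $baseUrl, string $user, string $pass): array
{
    $base = rtrim($baseUrl, '/');
    // tempnam() creates the jar with 0600 permissions outside the document
    // root, so the session cookie cannot be fetched over HTTP.
    $jar = tempnam(sys_get_temp_dir(), 'wpjar_');

    $ch = curl_init($base . '/wp-login.php');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        // http_build_query() URL-encodes each value, so special characters
        // in the password cannot break the form body.
        CURLOPT_POSTFIELDS     => http_build_query([
            'log'         => $user,
            'pwd'         => $pass,
            'wp-submit'   => 'Log In',
            'redirect_to' => $base . '/wp-admin/',
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,           // the 302 already carries the cookies
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never send the password in clear text
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_COOKIEFILE     => $jar,
        CURLOPT_COOKIEJAR      => $jar,
    ]);
    $body    = curl_exec($ch);
    $error   = curl_error($ch);
    $cookies = curl_getinfo($ch, CURLINFO_COOKIELIST) ?: [];
    curl_close($ch);

    // Netscape cookie lines are tab-separated; field 5 is the cookie name.
    // WordPress names its login cookie "wordpress_logged_in_<hash>".
    $loggedIn = false;
    foreach ($cookies as $line) {
        $name = explode("\t", $line)[5] ?? '';
        $loggedIn = $loggedIn || strpos($name, 'wordpress_logged_in_') === 0;
    }
    return ['ok' => $body !== false && $loggedIn, 'error' => $error, 'jar' => $jar];
}

$url = getenv('WP_URL'); $user = getenv('WP_USER'); $pass = getenv('WP_PASS');
if (!$url || !$user || !$pass) {
    exit("Set WP_URL, WP_USER and WP_PASS\n");
}
$result = wp_curl_login($url, $user, $pass);
echo $result['ok'] ? "Logged in\n" : "Login failed: {$result['error']}\n";
unlink($result['jar']); // delete the session cookie once it is no longer needed
```

Checking for the login cookie rather than echoing the response body gives the caller a definite success or failure result, which matters when the stored password has been changed in the administration interface.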

Score: 0

Use Zend Framework's Cookies class to manage them for you. I have used this in the past for crawling secure sections of a web site using cURL.
