Basic PHP authentication for HM Dev and Staging environments.

Installs: 117 103

Dependents: 2

Suggesters: 0

Security: 0

Stars: 1

Watchers: 23

Forks: 1

Open Issues: 2


1.1.7 2022-03-12 16:04 UTC

This package is auto-updated.

Last update: 2024-05-17 13:25:25 UTC


Human Made Logo

PHP Basic Auth

GitHub release (latest by date) GitHub Build Status

Basic PHP authentication for Human Made Dev and Staging environments.

screenshot of prompt in google chrome Authentication prompt in Google Chrome

screenshot of prompt in firefox Authentication prompt in Firefox

Installation & Setup

The composer file is set up to assume you want to install this package with other WordPress must-use vendor plugins. These setup instructions assume that all your composer-required must-use plugins are stored in a main /mu-plugins/vendor directory and that you are using a loader.php file to require them. You may need to adjust the configuration if your environment is different.

After installation and setup, an option to override the default basic auth setting (detected by environment) will exist on the General settings page. This option allows you to disable the basic auth on dev or staging environments from the WordPress application. By default the option will detect the environment and be checked if no setting is saved.

screenshot of new setting

Step 1

Install the plugin via composer.

composer require humanmade/php-basic-auth

Step 2

Add 'vendor/php-basic-auth/plugin.php' to the array of must-use plugins in the loader.php file in the root of your /mu-plugins directory. Make sure it is the first item in the array.

The final result should look something like this:

 * Plugin Name: HM MU Plugin Loader
 * Description: Loads the MU plugins required to run the site
 * Author: Human Made Limited
 * Author URI:
 * Version: 1.0
 * @package HM

if ( defined( 'WP_INSTALLING' ) && WP_INSTALLING ) {

// Plugins to be loaded for any site.
$global_mu_plugins = [
	/* ... other must-use plugins here ... */

Step 3

Define a HM_BASIC_AUTH_USER and HM_BASIC_AUTH_PW wherever constants are defined in your project. This could be your main wp-config.php file or a separate .config/constants.php file.

Note: While not required, it's best to check that you are in a development environment before defining HM_BASIC_AUTH_USER and HM_BASIC_AUTH_PW to prevent the constant declarations from being defined in all environments. This adds an additional layer of protection against basic auth accidentally being loaded in production.

You may also want to disable basic authentication on local environments.

Your constant declarations should look something like this:

// Check if we're in a dev environment but not local.
if (
	// HM_DEV is defined and true.
	( defined( 'HM_DEV' ) && HM_DEV ) &&
	// HM_LOCAL_DEV is either undefined or false.
	( ! defined( 'HM_LOCAL_DEV' ) || defined( 'HM_LOCAL_DEV' ) && ! HM_LOCAL_DEV )
) {
	// Set Basic Auth user and password for dev environments.
	define( 'HM_BASIC_AUTH_USER', 'myusername' );
	define( 'HM_BASIC_AUTH_PW', 'mypassword' );

Step 4 (optional)

If you do not want to load the basic authentication check on local environments, and you have not already defined HM_LOCAL_DEV in your wp-config-local.php file, you should do that now.

 * Set the environment to local dev.
defined( 'HM_LOCAL_DEV' ) or define( 'HM_LOCAL_DEV', true );

You should also add these lines to your wp-config-local.sample.php.



  • Fix unit tests
  • Update composer test script to use composer-installed version of phpunit
  • Bail early if credentials aren't defined
  • Allow production environments to possibly enable auth


  • Fixed bug where the hmauth_filter_dev_env is ignored if credentials are already set.
  • Added screenshots of the prompt in Chrome and Firefox to the readme.


  • Added an exclusion for WP_INSTALLING which was resulting in a bug that was failing Altis healthchecks.


  • Added an action hook to the is_development_environment check, to allow actions to be hooked in before checking the environment.


  • Required composer/installers so custom install paths can be defined.


  • Fixed a bug where the environment settings were getting short-circuited if the option was unset.


  • Flipped the logic of the admin setting from checking to disable basic authentication to checking to enable basic authentication, and defaulting to environment-based settings.
  • Added a is_development_environment function which includes an added check for HM_ENV_TYPE as well as arbitrary definitions that could be added by a filter.
  • Updated "Basic Realm" to use the site name rather than "Access Denied"
  • Disabled basic auth if any of the following WordPress constants are defined and true: WP_CLI, DOING_AJAX, DOING_CRON.
  • Added unit tests
  • Added Travis CI integration


  • Initial release


Created by Human Made to force authentication to view development and staging environments while still allowing those environments to be viewed in a logged-out state.

Maintained by Chris Reynolds.

Made with ❤️ by Human Made