Hacking Authentication in WordPress MU & BuddyPress
Nearly every university uses LDAP or some other central authentication technology to reduce the number of systems in which users have to maintain passwords. When Plymouth State University first deployed WordPress MU (while it was still in pre-release beta), we integrated it with LDAP. Eventually we migrated to single sign-on via CAS (Central Authentication Service), and I took over maintenance of the wpCAS plugin.
Running WordPress as a client to another authentication system is easy, but a number of WordPress's user-facing features (password recovery and profile management among them) are lost when you do that.
So when we went looking for ways to improve the security of our password assignment and reset process, we decided to make WordPress the center of the system. Using WordPress saved us the trouble of building our own, and the many eyes of the WordPress development community help ensure the overall security of the system.
WordPress now powers authentication, password recovery, and profile management for the university, replacing the authentication features of our commercial portal system. We are now taking advantage of WP's plugin architecture to add new features easily (such as sending password reset codes by SMS), and this approach also offers a neat way to bring more social features into the tools our users depend on daily.
I’ll be discussing the evolution of WordPress authentication at Plymouth State, including the custom plugins and hacks we developed to make it work, in my session on User Authentication with MU in Existing Ecosystems at WordCamp New York.