Howdy!
You’re probably here because you were presented with an error message that looks something like this:
Due to a potential server misconfiguration, it seems that HTTP Basic Authorization may not work for the REST API on this site: Authorization headers are not being sent to WordPress by the web server.
Not to worry! This is often easily solvable by a minor .htaccess modification.
By default, WordPress creates a block that looks something like this in your .htaccess file:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
What we need to do is add this line:
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
directly after the RewriteEngine On line, so your final block will look like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Once that’s done, Application Passwords and HTTP Basic Auth should work as expected.
Why does this happen?
This happens because your server is likely running PHP in CGI or FastCGI mode. In these modes, by default your web server thinks it’s meant to handle HTTP Auth itself and then just pass the request on to PHP if it meets the requirements. But we need PHP to get the raw Auth header! So in this case, we’re stashing it in the REMOTE_USER environment variable.
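To show what the stashed value looks like from the PHP side, here is an added example (not code from WordPress or the Application Passwords plugin) that recovers Basic credentials from the server variables. The function name and the sample credentials are hypothetical.

```php
<?php
/**
 * Added example: recover HTTP Basic credentials from the variables PHP receives.
 * Returns ['user' => ..., 'pass' => ...] or null when nothing usable is present.
 * The function name is hypothetical and not part of WordPress.
 */
function recover_basic_credentials(array $server): ?array
{
    // When the server hands the header to PHP directly, PHP has already parsed it.
    if (isset($server['PHP_AUTH_USER'])) {
        return ['user' => $server['PHP_AUTH_USER'], 'pass' => $server['PHP_AUTH_PW'] ?? ''];
    }

    // Under CGI/FastCGI the raw header only arrives if the rewrite rule stashed it.
    // After an internal rewrite to index.php, Apache may expose the variable with
    // a REDIRECT_ prefix, so both spellings are checked.
    foreach (['HTTP_AUTHORIZATION', 'REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        $header = trim($server[$key]);

        // The value is the raw header ("Basic <base64>"), not a verified username:
        // it is client-supplied and must still be checked against stored credentials.
        if (stripos($header, 'Basic ') !== 0) {
            continue;
        }
        $decoded = base64_decode(substr($header, 6), true); // strict: reject bad input
        if ($decoded === false || strpos($decoded, ':') === false) {
            continue;
        }

        // Split on the first colon only; the password itself may contain colons.
        [$user, $pass] = explode(':', $decoded, 2);
        return ['user' => $user, 'pass' => $pass];
    }

    return null;
}

// Constructed sample: what PHP might see under FastCGI once the rule is in place.
$with_rule = ['REDIRECT_REMOTE_USER' => 'Basic ' . base64_encode('admin:abcd EFGH 1234 ijkl')];
var_dump(recover_basic_credentials($with_rule));

// Constructed sample: without the rule, no variable carries the header.
$without_rule = ['REQUEST_URI' => '/wp-json/wp/v2/users/me'];
var_dump(recover_basic_credentials($without_rule));
```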