Single Signon for WordPress Sites

Single unified login for multiple WordPress 2.8 installs in subdirectories using cookies

i used to have a single sign on working between several WordPress sites, one in the root directory, others in subdirectories, even a few installs that ran off of subdomains. basically, you could log in to one site and you’d be logged into all of these sites.

that was before the big upgrade of WP 2.5 –

that’s right, i’m sure many out there can remember the chaos that came with upgrading your WordPress blog beyond version 2.5. there was an entirely new backend to get used to, but there were also lots of small code changes that created compatibility issues in many plugins and themes. one of the major changes was the way WordPress was to handle cookies and authentication in general which was made to be more secure. as a result, coders were offered new methods of integrating logins but (at the time) there was little to no clear, accurate documentation detailing how to achieve this task.

i spent many hours last year (with WordPress 2.5 and 2.6), and then again earlier this year (with WordPress 2.7), and then again this weekend (with WordPress 2.8).. until i finally got it working with the help of a relatively new plugin and some new blog posts describing how others attempted this now seemingly daunting task.

anyway, i thought i’d share my notes as well as the steps i took to get this working with my setup. it’s currently being used on to unify the various WordPress installs into one cohesive multi-user site.

Note: These steps assume you’ve already got your WordPress sites setup using a shared user database. So, you can log into any of your sites individually with the same credentials, see all the same users under “Users” > “Authors & Users” – but you want to get it so logging into one site automatically logs you into all of your sites.

Therefore, you have already added the following to the wp-config.php files for any of the sites other than the root site:

define('CUSTOM_USER_TABLE','wp_users'); // shared user db
define('CUSTOM_USER_META_TABLE','wp_usermeta'); // shared usermeta

  1. To start with, you’re going to need to download and install this plugin: root Cookie Path. Make sure to activate the plugin on all of the sites (the root site, as well as any subdirectory sites).
  2. Once all your sites are using a root cookie, you need to open up the wp-config.php files for any non-root sites (ie: subdirectory sites).
  3. Now here’s the trickier part… go to your root site (ie: and get the following info from your Global Options page: AUTH_SALT and LOGGED_IN_SALT. You can find the Global Options page for your WordPress install at: (replace “yourdomain” with your actual domain)
  4. When you have these 2 values, you need to paste them into the wp-config.php files for every single non-root site you want to integrate. Use the following syntax:

    define('AUTH_SALT', 'some-crazy-wacky-random-long-string-of-characters');
    define('LOGGED_IN_SALT', 'some-crazy-wacky-random-long-string-of-characters');
  5. Then, you need to make sure all of your sites are using the same “secret keys”. Paste that info into the wp-config.php files for each of the non-root sites you want to integrate. You can get secret keys fresh from the WordPress API page if you haven’t already added them to your wp-config.php file. It should look something like this.

    define('AUTH_KEY', 'some-crazy-wacky-random-long-string-of-characters');
    define('SECURE_AUTH_KEY', 'some-crazy-wacky-random-long-string-of-characters');
    define('LOGGED_IN_KEY', 'some-crazy-wacky-random-long-string-of-characters');
    define('NONCE_KEY', 'some-crazy-wacky-random-long-string-of-characters');
  6. Finally, add this cookie information to the wp-config.php files for all your non-root sites:

    $baseurl = ''; // replace with the actual domain name for your root site
    $cookiehash = md5($baseurl);
    define('COOKIEHASH', $cookiehash);
    define ('AUTH_COOKIE', 'wordpress_'.COOKIEHASH);
    define ('SECURE_AUTH_COOKIE', 'wordpress_sec_'.COOKIEHASH);
    define ('LOGGED_IN_COOKIE','wordpress_logged_in_'.COOKIEHASH);
    define ('TEST_COOKIE', 'wordpress_test_cookie');

That should do it!

Note: Some people have gone ahead and modified the WordPress capabilities.php file in order to get a role assigned to newly registered users, but this step is optional and requires editing a core WordPress file (a change which wouldn’t persist from one upgrade to another). I prefer to just assign a role manually to any new user that needs access to one of the non-root sites. Or, you could find another trigger to use before calling the function that sets the new role. Still, if you want to go as far as modifying core WP files, here is the code used by Kiran: (but i haven’t tried it personally)

function _init_caps() {
global $wpdb;
// $this->cap_key = $wpdb->prefix . ‘capabilities’; /* original code */
$this->cap_key = ‘wp_capabilities’; /*modified code */
$this->caps = &$this->{$this->cap_key};
if ( ! is_array( $this->caps ) )
$this->caps = array();

Finally, here are some resources i used to help me out (most recently):

Here are some other sites (for reference) which i used earlier on this year:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s