OpenID For WordPress

Update: 12th October 2007 – this project is to be considered abandoned. Please see How To Set Up OpenID For WordPress Comments instead. Thanks for the support and for your interest in OpenID.

THIS IS ALL HORRIBLY OUT OF DATE. THE DOWNLOAD LINKS DON’T WORK, I KNOW. GET OVER IT. More seriously now, I am working on a new version of this that actually works as a WordPress 2.0.x plugin. It’s very nice, but it’s not finished. Watch this space. In the meantime, why not take a look at OpenID Comments For WordPress (which is based on my preliminary work, here). Thanks for all the attention, guys.

As promised, I’m releasing the first usable version (v0.4) of my WordPress OpenID plugin tool. It’s very, very messy and a little buggy. Plus, installing it requires that you hack a few PHP files… use at your own risk. You’ll need a WordPress v1.5 weblog. Download this package and decompress it to your WordPress directory. It will create an openid_icons directory, a file called openid.php (the main codebase), and a file called openidform.php (the form that appears on your blog). Edit openid.php and substitute your own weblog URL in at the appropriate places (near the top). Link in the login form wherever you like. I’ve done so in my theme’s “sidebar.php” file, with the following code: <?php include (TEMPLATEPATH . '/openidform.php'); ?> In your main index.php, add a line to include the openid.php file. This will allow logins and logouts to be processed. Something like this: <?php require_once('openid.php'); ?> In wp-comments-post.php (the comments processor), substitute the following code in under “// If the user is logged in”: // If the user is logged in get_currentuserinfo(); if ( $user_ID ) { $comment_author = addslashes($user_identity); $comment_author_email = addslashes($user_email); $comment_author_url = addslashes($user_url); } elseif ($_SESSION['sess_openid_auth_code'] != "") { $comment_author = addslashes($_SESSION['sess_openid_auth_code']); $comment_author_email = ""; $comment_author_url = addslashes($_SESSION['sess_openid_auth']); } else { if ( get_option('comment_registration') ) die( __('Sorry, you must be logged in to post a comment.') ); } Notice the extra section, relying upon $_SESSION[‘sess_openid_auth_code’]. That’s the magic bit. And it should ‘just work’. Let me know if it doesn’t; I’ll be improving the codebase over the coming weeks and I’d like to include your suggestions. If you need any help setting it up, I can probably help with that too, or even with adapting the code to work with other applications (than WordPress). Features so far:

  • Authenticate OpenID users
  • Easily authenticate OpenID users from particular servers, including members of LiveJournal, DeadJournal, and Level9
  • Authenticated OpenID users can post comments

Features to come:

  • Cookie-based “remember me”
  • Ability to authenticate WordPress users (e.g. the weblog owner) by an OpenID
  • “Friends Only” protected posts, which can only be read by certain authenticated users
  • AJAX-powered log-in (to save users from having their browsers redirected excessively, and because it can be made to look swish), where supported

If you want to help code, just drop me a message.


  1. Just testing this from OpenID.

  2. Dan Q Dan Q says:

    See! It works!

  3. I can’t seem to authenticate with my openid server to your plugin (on this website). I don’t have trouble logging into livejournal, the openid demo server, etc. But it just won’t login here. I can’t use my livejournal ID, however.

    Is this not yet implemented? Perhaps I just misread what it *could* do at this point in time?

  4. Where is “http_build_query” defined at?

  5. Dan Q Dan Q says:

    Sounds like you’re having difficulty with this PHP function:

    It only came in in PHP version 5. Sorry; forgot to check on that; will try to fix (or, at least, warn people about it) for the next version.

  6. Dan Q Dan Q says:

    In an e-mail to duck1123:

    http_build_query comes with PHP5:

    If you’re having difficulty with it, you probably don’t have PHP5 installed on your server. I’m not sure what other problems you might have as a result of this (sorry: will try to fix this bug, among others for version 0.5).

    In the meantime, there’s a block of code at:

    Which you should be able to transplant into your openid.php file (minus the “”, of course), right after the:


    lines. Hopefully that’ll fix the problem.

    I’ll make sure the next version gets tested on PHP4!

  7. I was just about to post the same thing. About 20 minutes after I posted that, I did a search. I simply pasted the sample just below that, and it’s worked so far for me. Do you pass that function any complex arrays? If so, I’ll switch to the first one. You may want to consider including that function into your code for compatability with PHP

  8. I was just about to post the same thing. About 20 minutes after I posted that, I did a search. I simply pasted the sample just below that, and it’s worked so far for me. Do you pass that function any complex arrays? If so, I’ll switch to the first one. You may want to consider including that function into your code for compatability with PHP < 5. This is great, I’ve got to hand it to you. I’ve been waiting for OpenId to come to WordPress. I plan on sending you any code / modifications that I make. Feel free to use them.

    One idea so far: You should turn the code from ‘openidform.php’ into a function, that way it matches the way that WordPress uses template tags. If you want, I can whip up some code and send it to you.

  9. Dan Q Dan Q says:

    I’d love to see any improvements you can come up with. Things to do include:

    * A few tweaks to the RegExs: e.g. LJ ids can include numbers, blah blah.
    * Need to do some tests on mannkind@livejournal’s problem, above.
    * Add that http_build_query PHP4 compatability thing. No, I don’t use any complex arrays (by their definition) and by the OpenID spec, am never likely to, but I’d rather include the bigger, more powerful http_build query for completeness (so that people feel able to use it as http_build_query if they need to).
    * Tarpitting to prevent it from being used to (slowly) DoS somebody (potentially possible ATM, if it’s hosted on a powerful server).
    * Make it into a WordPress module, for easy installation/config – don’t yet know how to do this; any help appreciated.
    * Support DH encryption between the consumer (me) and the server (OpenID holder). It’s in the OpenID spec as optional.
    * AJAX support (for faster, slicker, prettier logons, for those who support it).
    * Ability to easily make “friends only” posts, visible to only people with certain OpenIDs.
    * Ability to associate WordPress logins with OpenIDs, facilitating administrative login using OpenID.

    Etc. etc.

    I’m a busy guy, so any help you can give is much appreciated.

  10. Mannkind Mannkind says:

    Any changes? How goes openid authentication? :) I checked, but still cannot use my openid server here :(

  11. damon damon says:

    this whole thing is quite cool and seems to be working properly (though I haven’t really tested it.. it just looks right).

    I’m really looking forward to authentification on other sites being implemented. is there any hope of it soon?

  12. I’m able to login as a livejournal user on my wordpress blog, but it doesn’t seem to be allowing comments for livejournal. I’ve replaced the code as specified in ‘wp-comments-post.php’ but it doesn’t seem to make any effect. Any suggestions?

  13. VxJasonxV VxJasonxV says:

    Did you break it? :(
    I can’t logon via OpenID nor LiveJournal.

    I always get “The site you just came from seems to want to verify an identity that you, as vxjasonxv, cannot provide.” on LJ’s error page.

  14. Dan Q Dan Q says:


    You’ll get that LiveJournal error message if you enter a LiveJournal ID that you aren’t currently logged in at LiveJournal as. So, if your LiveJournal ID is “jasonv”, you must (a) be logged in at with that ID and (b) either (1) enter that ID exactly into the box or (2) enter your LiveJournal OpenID (i.e. or

    There are a few bugs in my module at the moment, mostly relating to logging in using IDs containing both letters and numbers or special characters, which I’ll fix in the next version. Have another go.

  15. Here’s the problem that I’ve found so far:
    If I put the OpenIDForm into my sidebar, I can login and have it show me great. However, as soon as I got into an individual post to leave a comment, the sidebar no longer shows me as logged in. If I try to login again, it does, but kicks me back out to the main page (instead of the comment page).

    Maybe the session information isn’t being passed from the index.php (main) to the single.php (where the comments are).

    Any thoughts on that?

  16. One suggestion would be to have the icon of the authentication type displayed next to the user’s name in the comments. I see that you’re saving the email as, since it’s kinda irrelevant with an OpenID authentication.

    Suppose you stored it as openid@, livejournal@, deadjournal@, etc. This way the email could be parsed and display the icon inline next to the name.

  17. Dan Q Dan Q says:


    Yeah, it sounds like your problem is session-related. Double-check that session_register(“sess_openid_auth_code”); appears somewhere in the headers, or something. I like your suggestion about showing authentication types as an icon.

    I’ll dig up this project and finish it one of these days.

  18. I’m trying to teach myself PHP so I can get into my themes and hacks a bit closer. I know enough now to have been able to point out the possible problem, and look for it, but not sure how to resolve it. :)

    You mention that session_register(”sess_openid_auth_code”); should appear in the header somewhere. That’s what takes the session variables from page to page correct? It’s not in either my index.php or my single.php. Is this something that WordPress inserts when the page is generated, or is that part of the theme, or is it part of your plugin?

    I looked at the default WordPress theme, and I don’t see it there either. Looking at your openid.php code I see the following two lines at the beginning:

    Then in my index.php head, I’ve got the following line as per your instruction:

    So by doing that it’s should be supporting it.

    Now, should that require_once also be part of single.php? Does declaring it in two places allow the session variables to be shared, or do they have to be passed between them somehow?

    Both index and single call out to sidebar.php in order to generate the sidebar info, and that’s where I have the code to display the login form.

    I’m glad you’re looking to finish up and polish this, as it doesn’t appear that anyone else is taking the lead to put something together. Have you considered turning it into a formal plugin? That way it can be activated and you can ensure that the require portions are written properly as well as rewriting the comment form. Then, the only involvement from the end user is to make the call to display the login form where they want it.

    FWIW, I’ve had about 7 or 8 tries at getting a comment to post here because of the security code. It’s difficult to read sometimes and appears that it is case sensitive.. Problems with distinguishing 0 or O. I’ve actually learned to copy my comment *before* submitting it, because after its invalid and you hit back, my browser looses everything I’ve typed. Happened twice to me (losing it), so now I can at least paste the comment and try again with a new code.

  19. Ok, I found out a couple things. The way my theme was setup, there were seperate index.php and single.php files, each with their own header information. Once I created a single header.php and put the include there, it made the session information available to both locations. So it is required to be included for any page which needs access to the session information.

    This *include* the wp-comments-post.php file. If you do not include the openid.php script there, your modification to save that username instead never executes, because the value of the session is always blank.

    What I’m going to try and do is to modify the comments.php further, so that if you are logged in, you aren’t presented with the option of picking your name or email. Since it overwrites it anyway, why bother allowing the visitor to select it.

    I’m also going to try and mess with the icon display. Lastly, I want to find out how to use display names rather than the display. I’ll let you know on anything that I get working.

  20. Hi, I just logged in via my site,, and encountered a few gotchas you should be aware of:

    1) First I entered This failed with a “no openid server can be found” type message. I then tried and it worked. So it looks like the plugin is not normalizing the URL correctly.

    2) was presenting me a login page even though I was already authenticated there. odd. It turns out it was because the URL that wordpress was sending me to looks like:… ( truncated )

    Note that there are two “?”. Afer I changed the second “?” to an “&”, I was able to login okay.

    So it appears that the plugin is not properly checking for the existence of a query string in the openid.server URL.

  21. Update:

    I’ve modified to use /server instead of /serverlogin?action=openid. So this helps with interoperability on that end. The old form still works however, in case you want to test it by manually pointing at that URL.

    On an unrelated matter, I notice that when logging into your blorg from the article page I am returned to the front page instead of the article page. Is that normal wordpress behavior?

  22. I was going to suggest the author check out the videntity libs. Looks like someone beat me to it :D.

    Another snafu. I notice that I’m vxjasonxv@livejournal
    This is wrong because I’m, but my identity is delegated to LiveJournal.
    However, my identity is supposed to be @livejournal ;).

  23. Garrrr, last line edit:
    My Identity is NOT supposed to be @livejournal.

  24. Hello! I’m having some problems with my OpenID. After i type in my livejournal id to wordpress and verify i get a 404 error.

    Any help would be great

  25. Dan Q Dan Q says:

    Please note: I’m now redeveloping this tool as a proper WordPress plugin. Watch this space.

  26. Dan,

    I’m excited about the “proper” wordpress plugin! Any idea when it’ll be available?

    brianellin – at – gmail

  27. Have you found a decent way to integrate the login process into the comment form? Insofar as I can tell, WordPress didn’t make it very easy to extend authentication.

    I hacked together a WP plugin as well (admittedly a while back), based around creating actual WP users for each openid commenter. This has the added advantage of the built-in profile by which the user can change their display name. Kludge at

  28. Hey y’all. I’ve successfully used this code on my site (PHP4) by including the workaround http-build-query function. A few things I encountered that may be helpful to you:

    -If you’re using the K2 style, you’ll have to make the same update to the comments-ajax.php file in the k2 directory as you did to the wp-comments-post.php file in the WP root. You’ll also have to update the comments.php file in the K2 directory so that it will display the commenting form if the user is logged in with OpenID.

    -I thought it might be nifty, if, when a user comments from LJ, their default userpic is displayed in place of a gravatar. I created a custom LJ style that does nothing but spit out the IMG tag for the default userpic, to make it easier to grab a user’s userpic. So if you parse an LJ commenter’s get_comment_author(), and grab their LJ name, you can use CURL to grab and then you’ll be able to display their userpic. For an example of this, see

  29. I’ve been having trouble with the code. I can get LJers to login and verify with LJ, but commenting doesn’t work and OpenID doesn’t either. I have trouble with the trust root for openIDers. I’m patiently awaiting your plugin. :)

  30. I’ve seen a lot of people talking about spreading OpenID, which is great, but as far as WP goes, everyone’s pointing to you, Scatman. WP 2.0 Release Candidate 3 came out last week, but unfortunately it didn’t integrate OpenID. So the pressure’s on!

    It took a lot of tries to log in here. Finally, by putting in my site, I got logged in as my identity on the server. Funny how trying my server id didn’t work.

  31. Thanks for putting work on this. It’s a great idea who’s time has come. Is the plugin WP 2.0 Compliant yet?

    It would be nice if it was smart enough to add or remove the ‘http://’ part of the OpenID where appropriate. For example, I have to manually add it to login (on LJ I don’t). Also, When listing me in comments, it seems rather useless to include it for everyone and makes it more confusing.

  32. I’ve just finished modified version of this plugin. You can download it from here.
    Main modifications:
    1. This is not a hack now.
    2. You can login from comments form.
    3. It works with PHP4.

    I’m sorry, there isn’t english verision of page with description of this plugin. If it doesn’t work or you have any suggestions about it, just write me email to snaky[at]

  33. Pretty nifty, but it doesn’t deal with delegation properly: I signed in as, and it (as you can see) thinks I’m at

  34. Shame here.. I signed in as and its think I’m at

  35. Hmm… It likes me just fine..

  36. it seems not to work.
    i’ve done everything above, but nothing happens :-(

    you can see it at

  37. Makki Makki says:

    Dead link for download

  38. Jenny Jenny says:

    ooo i cant wait. please hurry. i wanna use it!

  39. Ajay D'Souza Ajay D'Souza says:

    Just a suggestion, instead of editting core WP files see if it is possible to edit theme files.

    WP2 allows you to create a functions.php which you can put whatever functions you need to code.

    In WP1.5 you can include the functions.php to the theme.

    If you need any help wrt themes you can contact me. I’m not an expert, but can help you as much as I can :)

  40. Rebecca Rebecca says:

    This is great news Dan. Thank you for all the extra work in updating and moving this to WP 2.0 :)

  41. maxpower maxpower says:

    It’d be nice to know what OpenID actually does, over and above its features. What is the big picture, and what does openID actually do?


  42. Jeannie Jeannie says:

    I see that WP v1.5 is required. Is that to say that is the minimum requirement, or that it will not work on 2.0? I see people have implemented it recently, but that doesn’t tell me if those people are running the latest version.

    I’d really love to try this out. If anyone could answer me so I don’t possibly *really* mess up my blog I’ll be forever grateful! Thanks!

  43. flavien flavien says:

    Badly looking forward to the plugin for WP2 release!(best to include OpenID Server)

  44. rashid rashid says:

    Oh god, I am so desperate for this plugin!

    By the way, is there no other way to delegate than in html? Since i want to put the code in wordpress’ index.php

  45. Dexter Dexter says:

    For some reason I am now getting the

    “The site you just came from seems to want to verify an identity that you, as dexterian, cannot provide.”

    As are all my other LJ Friends. I’m not sure as to why this is happening and I noticed it was meant to be fixed in this current release or has it not yet been fixed?

  46. Ferienhaus Mieten Ferienhaus Mieten says:

    OpenID for wordpress is great. Thanks to Plugin Maker and helper!

  47. Alex Alex says:

    As a user, I’m a big fan of OpenID, Yadis, LID, G/PGP, etc. However, if I am not mistaken, WordPress producers desire authentication before submitting a comment to minimize spam. So what keeps any jerk from creating an identity at some distributed id-server and spamming freely? Perhaps someone will propose distributed karma points for identities, servers, and/or … oh dear no.

  48. says:

    I just get to know about OpenID. Great idea!

  49. HelloWorld HelloWorld says:

    Peace people

    We love you

  50. says:

    Just checking if it will work. :)

  51. naisioxerloro naisioxerloro says:

    Good design, who make it?

  52. Dan Q Dan Q says:

    Design is mine. Background photo courtesy Christof Wittwer, used with permission.

  53. Statto Statto says:

    JTA’s had the exact same comment: I assume it’s spam.

  54. punkito punkito says:

    It’s pity

  55. raymond raymond says:

    Testing openid

  56. Lueng Lueng says:

    Not download!

  57. piri piri says:


Comments are closed.

Reply on your own site

Reply by email

I'd love to hear what you think. Send an email to; be sure to let me know if you're happy for your comment to appear on the Web!