XMPP Authentication


This plugin has two main features:

  • any reader on your website can comment if one has an Instant Messaging
    address (XMPP protocol, otherwise called Jabber. A Gmail or a LiveJournal
    account for instance are such standard IM identifiers as well);
  • a subscribed user (whatever its role) can authenticate with one’s IM
    address if they set their IM address.

This plugin is still in experimental state but is usable.

Detailed Process

The authentication part is something like openID, except that it uses your
existing IM address: you ask for authentication on a website, and it pops-up a
confirmation via IM (that you can accept, or refuse).

Considering that the IM protocol (XMPP) is very secure,
all the infrastructure to securely exchange an authentication request is
there. No need to make any new account, no need a special client, nor a
identity third party provider, and that’s really instantaneous (as instant
messaging) and more secure than HTTP or SMTP protocols.

Spam Protection

It adds an additional layer to protect against Spam by verifying an
identity using a very secure and modern protocol (XMPP), which also is instant,
hence much more reliable in any way than email for instance.

Secure and Easy Login

Many reasons to use such a plugin for login:

  • not to have to remember a new password (password-login can be disabled in
    your profile, on a per-user choice);
  • you are in a very insecure environment (for instance a cybercafe) and consider
    only your IM account to be a minimum securized. Or better, you run an IM
    client on your smartphone (or a similar tool), so you would receive the query
    on this personal item while never typing any kind of password on the insecure
    platform where you log.
  • And so on.


Publishing Account

This section contains the connection parameters of the account which will be
used as a wordpress bot. I would personnaly advice to create a dedicated account
just for it (you may also use your personal account of course, as the plugin’s
bot will create a resource identifier unique for every connection) and to
configure it to refuse any contact and communication (as noone will have to
add it to one’s roster, except you maybe for test or debugging purpose?).
The fields are:

  • The bot address (bare jid form: mybotname@myserveraddress);
  • the password.

Advanced Connection Parameters

By default xmpp-auth can use SRV records which is a recommended way to
advertize server and port from a domain name (see for instance
http://dns.vanrein.org/srv/ for details).

This is an advanced section in case your server does not use SRV AND uses a server
which is not the same as the domain from the jid or a port different from the
default one (5222).

Hence there will be very very few cases where you will have to fill this
section and if you don’t understand all what I say here, just don’t fill
anything there (if you fill even only one field, then it will be used instead
of SRV and default values).

The default values will be used if the fields are empty and no SRV is configured on
the Jabber server:

  • the XMPP server (often the same as ‘myseveraddress’ of the jid);
  • the XMPP port (usually 5222).


Features I am considering:

  • check quickstart (http://xmpp.org/extensions/inbox/quickstart.html). In
    particular, I should at least cache DNS lookups now.
  • deactivate IM features when plugin not configured.
  • For comments, use the IM avatar of the commenter instead of gravatar;
  • Make various notifications usually done by email be done by IM instead (if
  • Display the comment’s JID on the admin page (as we display the email
    address, obviously only for administrators);
  • Add Scram-* to SASL package;
  • Make the generic XMPP part a PEAR package.
  • Subscribe with XMPP JID.
  • Login with JID or username (both possible).
  • If password is disabled, it also cannot be resetted.
  • Make user choose to receive password reset or other notification through IM
    instead of email.

XMPP Features

Full Secure XML Stream with:

  • TLS (with real certificate verification, so confidentiality and
  • SASL (Digest-MD5, CRAM-MD5 and PLAIN only for now);
  • SRV records “randomization” algorithm.


You can have some news about this plugin on my freedom
You can also drop me an instant message on “hysseo” at zemarmot.net.

Have a nice life!


  • Configuration page.
  • Visitor posts a comment and receive a confirmation request by pop-up through one's IM client (here Psi+).


Will it work with any web browser and any IM client?

On the web side, the XEP-0070 uses RFC-2617, which is a common way to
authenticate to websites. On the XMPP-side, RFC-6120 and XEP-0070 have a nice
way for clients which do not understand a given feature for falling back into
a message to answer, as though it was a discussion.

So hopefully it “should” work in most case with not-too broken web browser or
IM client.
For IM clients, it should work (tested or reported by someone) with Psi,
Gajim, OneTeam… In particular, it is known not to work with Pidgin, Adium,
Swift, and the GoogleMail web interface.

I get “Warning: require_once(Auth/SASL/DigestMD5.php)” or another similar warning

You should check the Installation/dependencies section. Some PHP modules are
necessary. If you are administrator or have flexible administrators, this will
be very easily fixable (follow my instructions in the “dependencies” section).
If you use a public service, which did not install these dependencies by
default, and where you cannot have anything installed, then I am sorry but my
plugin unfortunately won’t work for you (actually for PEAR modules, you may
add them by hand, as they are pure PHP. But you would need to be developers
for the manipulation).

When configuring, I get: “Authentication failure: TLS negotiation failed.”

This means that your server uses TLS (and that’s good!) but simply I did not
package the certificate of their CA into my plugin. Please just tell me (see
“Contacts” section) your server, I will check the CA and if it is an
acceptable one, I will add its certificate.

It may also mean that the server certificate is self-signed, which is really not
secure. If many servers are this way, I may consider adding an option to
force such connection, but I would prefer not. If this happens to you, I
would rather suggest you to change the server of your bot for one where
security matters.

The new “JID” field does not appear in the comment form!

You most probably use an outdated theme which does not use recent WordPress
features about commenting (since 3.0). This is not a blocker. See the bottom
of the “Installation” tab. I provide the solutions to this issue.


Read all 1 review



  • Fix comment validation.
  • Comment validation through XMPP is now marked as “experimental”.
    Though still functional, I find the user experience crappy. I will want to
    review this deeply before considering it in release state.
  • Comment validation times out at 50 sec (was 30).
  • Transaction IDs are 6 characters. This makes them easier to copy, even on
    smaller virtual keyboard (for instance to validate on your personal smartphone
    a login made on a third-party untrusted machine).


  • Update SASL lib to Auth_SASL2 0.1.0.
  • Fix Cacert root certificate.
  • Add Let’s Encrypt root certificate.
  • Improving/experimenting the protocole from XEP-0070. It should be more
    user-friendly, while still staying secure.


  • When login is disabled, login page look is not modified.
  • When comments is disabled, I still display the JID field, but simply don’t
    process anything and without the ‘*’ of mandatory fields.
  • Localization prepared and French localization available.
  • DNS results are now cached. I use the ttl of records (maximum 1 week, as
    proposed in RFC-1035) and reorder cached data using failure and success
  • PEAR Auth_SASL coded is included in the plugin, hence the dependency is no more.
  • A patch has been sent upstream for SCRAM support.

  • After many years of inactivity, I fixed all the code and tested it against
    Wordpress 4.4.1.

  • Root certificates were also updated.


  • Profile page configuration: per-user choice to disable password, IM
    authentication, or use both.
  • IPv6 support and better DNS integration.
  • The core XMPP library has been rewritten in a much more robust, hence secure
    API. The current version had been started in 2008. My first XMPP experiment
    that I used for the plugin Jabber Feed (that I will probably soon merge with
    the current plugin) and the API was not very nice and could break more
    easily on some unexpected outputs.


  • Admins have now possibility to deactivate the plugin on a per-feature basis.
  • Experimental component support.
  • “Jabber / Google Talk” in profile renamed to “Standard IM”.


  • TLS certificates were not properly configured.
  • Various fixes.


Initial Release.
The plugin can be used to login as a user, or post comments as an unsubscribed

Contributors & Developers

This is open source software. The following people have contributed to this plugin.

Browse the code