Automatically log into wordpress via curl

Bash/Cron: Automatically Log Into WordPress via cURL/wget!

Being able to automate menial tasks inside your WordPress admin area, for example, pressing a button once a day via a cron job, is extremely helpful to say the least.

For this example, I will use my example of a plugin made for Shipwire that wasn’t updating inventory and tracking as it was supposed to automatically.

curl --data "log=ADMIN&pwd=PASSWORD" https://DOMAIN.COM/wp-login.php -c wpcookie.txt

Line 1 cURLs the WordPress login page and gets a session cookie and saves it (-c) as wpcookie.txt

Line 2 cURLs the WordPress login page again but posting two PHP parameters (–data), the first one log (WordPress username) and pwd (WordPress password) and saves the cookie.

I made a separate user for this, specifically with shop manager role.

You now have a file called wpcookie.txt that is a logged in user and can do anything on the site.

This is such a powerful way to enhance your website – you can use it to do pretty much anything.

Here are some examples of real word usage I am currently using this for:

Shipwire by Skyverge was not updating shipping numbers automatically. I could manually log in and press the Update Tracking button every day… or I could run a cron job every 6 hours to automate this process.

# navigate to a private working directory.
cd /home/admin/web/DOMAIN.COM/private/

# get an admin session cookie
curl --data "log=USERNAME&pwd=PASSWORD" https://DOMAIN.COM/wp-login.php -c wpcookie.txt

# press the shipwire update
curl "https://DOMAIN.COM/wp-admin/admin.php?page=wc-settings&tab=shipwire&section=log&action=update_tracking" -b wpcookie.txt

# remove the cookie
rm -f wpcookie.txt

# exit the bash script

UPDATE: Even better one liner of the above for the cron tab

curl --data "log=USERNAME&pwd=PASSWORD" https://DOMAIN.COM/wp-login.php -c wpcookie.txt && curl "https://DOMAIN.COM/wp-admin/admin.php?page=wc-settings&tab=shipwire&section=log&action=update_tracking" -b wpcookie.txt

To do things with it, copy the URL of whatever you need pressed, or if it’s a button without a URL, press F12, open the Network tab, press the target button and then copy the GET request as a cURL or just the URL.

2 thoughts on “Bash/Cron: Automatically Log Into WordPress via cURL/wget!”

  1. Thank you for this code, but I ABSOLUTELY could not get it to work. It certainly seems like a great idea, but I have tried EVERY conceivable interpretation of your code and I just could not get it to work.

    Perhaps you could double check your code or perhaps you could revisit the explanation? This is what I used:

    curl –data “log=my_admin_user&pwd=my_admin_password” -c wpcookie.txt && curl -data “log=my_admin_user&pwd=my_admin_password” -c wpcookie.txt && curl “” -b wpcookie.txt

    (note: test_page is a php page)

    I intentionally used my_admin_user and my_admin_password all the way through for simplifying testing. I tried it from with a hosted CPanel cron interface and via putty. My version of WordPress requires captcha completion, but if I understand what your script does, this should not matter.

    I have tried lynx, curl, wget methods and have even tried changing scripts to convert $argv parameters to $GET values in my php (v5.6) pages so that I can cron a critical task within my WordPress (v4.1) site, all to no avail. I probably have about 30 hours and a couple of sleepless nights banging my head on this one. If you have any suggestions they would be GREATLY appreciated!!

    1. Hi Mark,
      Sorry for the very late reply, I mostly receive spam comments on this site. Here are things that could be going wrong with the setup:

      – Captcha will 100% break cURL as cURL is a command line based interaction with the website, therefore it will need to complete the Captcha or you’ll need to disable the Captcha on the login screen or for a certain IP, which is overkill. Completing the Captcha is required to finally submit the request, therefore the logged in cookie will never be made if Captcha is on.

      You can test if your cURLs are logging in properly by adding -o option.
      Adding -o will download the file, or page, and you can then open the page up in a text editor and see if it says, “Howdy, admin.”

      Another way to test this out is by running the first line to get your initial authenticated cookie and then opening the cookie and copying it your browser and refresh. If you’re logged in, you’ve been authenticated.

      Also, some admin links will have wp_nonce which is sometimes unique and you can use the above -o command to download the page first, then use more bash things like:

      # grep wp_nonce to a txt file
      grep wp_nonce >> nonce.txt

      # strip the html from the front
      replace “preceeeding_html” “” — nonce.txt

      # strip the html from the back
      replace “following_html” “” — nonce.txt

      # mynonce variable
      mynonce=$(cat nonce.txt)
      echo $mynonce

      Other possible issues (but not in your case):
      – CPanel user disallowed from using bash or other file permission/ownership related issues.
      – Using single quotes ‘ vs ” and passwords with non-a-z or non-0-9 characters. Add regex or use a simple 20 character a-z password instead.
      – Security plugins that block user empty user-agents. If this happens, just open chrome or firefox developer tools and copy your own user agent.

      I have used wget and cURL interchangably as they’re both very powerful. I will post some more writeups on both with more examples. You can use the same cookie file for both.

Leave a Reply

Your email address will not be published. Required fields are marked *