WordPress.org
Get WordPress
WordPress.org

WordPress Developer Resources

wp_authenticate()

wp_authenticate( string $username, string $password ): WP_User|WP_Error

In this article

Back to top

Authenticates a user, confirming the login credentials are valid.

Parameters

$usernamestringrequired
User’s username or email address.
$passwordstringrequired
User’s password.

Return

WP_User|WP_Error WP_User object if the credentials are valid, otherwise WP_Error.

More Information

  • This is a plugabble function, which means that a plug-in can override this function.
  • Not to be confused with the wp_authenticate action hook.

Source

function wp_authenticate(	$username,	#[\SensitiveParameter]	$password ) {	$username = sanitize_user( $username );	$password = trim( $password );	/** * Filters whether a set of user login credentials are valid. * * A WP_User object is returned if the credentials authenticate a user. * WP_Error or null otherwise. * * @since 2.8.0 * @since 4.5.0 `$username` now accepts an email address. * * @param null|WP_User|WP_Error $user WP_User if the user is authenticated. * WP_Error or null otherwise. * @param string $username Username or email address. * @param string $password User password. */	$user = apply_filters( 'authenticate', null, $username, $password );	if ( null === $user || false === $user ) {	/* * TODO: What should the error message be? (Or would these even happen?) * Only needed if all authentication handlers fail to return anything. */	$user = new WP_Error( 'authentication_failed', __( '<strong>Error:</strong> Invalid username, email address or incorrect password.' ) );	}	$ignore_codes = array( 'empty_username', 'empty_password' );	if ( is_wp_error( $user ) && ! in_array( $user->get_error_code(), $ignore_codes, true ) ) {	$error = $user;	/** * Fires after a user login has failed. * * @since 2.5.0 * @since 4.5.0 The value of `$username` can now be an email address. * @since 5.4.0 The `$error` parameter was added. * * @param string $username Username or email address. * @param WP_Error $error A WP_Error object with the authentication failure details. */	do_action( 'wp_login_failed', $username, $error );	}	return $user; }

View all references View on Trac View on GitHub

Hooks

apply_filters( ‘authenticate’, null|WP_User|WP_Error $user, string $username, string $password )

Filters whether a set of user login credentials are valid.

do_action( ‘wp_login_failed’, string $username, WP_Error $error )

Fires after a user login has failed.

UsesDescription
sanitize_user()wp-includes/formatting.php

Sanitizes a username, stripping out unsafe characters.

apply_filters()wp-includes/plugin.php

Calls the callback functions that have been added to a filter hook.

do_action()wp-includes/plugin.php

Calls the callback functions that have been added to an action hook.

is_wp_error()wp-includes/load.php

Checks whether the given variable is a WordPress Error.

WP_Error::__construct()wp-includes/class-wp-error.php

Initializes the error.

Show 3 moreShow less
Used byDescription
user_pass_ok()wp-includes/deprecated.php

Check that the user login name and password is correct.

wp_signon()wp-includes/user.php

Authenticates and logs a user in with ‘remember’ capability.

wp_login()wp-includes/pluggable-deprecated.php

Checks a users login information and logs them in if it checks out. This function is deprecated.

wp_xmlrpc_server::login()wp-includes/class-wp-xmlrpc-server.php

Logs user in.

Changelog

VersionDescription
4.5.0$username now accepts an email address.
2.5.0Introduced.

User Contributed Notes

You must log in before being able to contribute a note or feedback.