Just a quick note that in a standard WordPress authentication flow, you can use the authenticate filter to add additional validation. In my last project, I had to limit user login to only active users, but you are free to implement any kind of check.

As you can see from the official documentation, the filter accepts three arguments: $user, $username, and $password. To halt the login when your validation fails, you can simply return null, in which case the pluggable wp_authenticate function returns a generic failed-login message (as long as no later callback on the filter returns a user), or you can return your own WP_Error instance with a custom error message of your liking.

Say, for example, you want to allow login only for users with a certain email domain. You can do something like this:

<?php

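// Priority 30 makes this run after WordPress core's own credential checks
// (hooked at priority 20), so $user is already a WP_User or WP_Error here.
// At the default priority of 10, $user is still null and the check is skipped.
add_filter('authenticate', function ($user) {
    // No user was authenticated: pass the value through unchanged.
    if (!$user) {
        return $user;
    }

    // An earlier check already failed: keep its error.
    if (is_wp_error($user)) {
        return $user;
    }

    // Allow the login only when the account's email is on the expected domain.
    if (str_ends_with($user->user_email, '@example.com')) {
        return $user;
    }

    return new WP_Error('invalid_email_domain', __('<strong>Error</strong>: Invalid email domain supplied.'));
}, 30);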

Bonus: if you’re using PHP 8, you can use the built-in function str_ends_with.
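A more general version of the domain check above, as an added example that is not the original author's code: it matches the whole domain against a list, ignores case, and also covers application passwords. The `MYPLUGIN_`/`myplugin_` names and the domain list are placeholders chosen for illustration.

```php
<?php
// Added example. The MYPLUGIN_/myplugin_ names and the domain list are
// placeholders chosen for illustration.
const MYPLUGIN_ALLOWED_DOMAINS = ['example.com', 'example.org'];

function myplugin_email_domain_allowed(string $email): bool
{
    // Compare the whole domain after the last "@", case-insensitively, so
    // "user@EXAMPLE.COM" passes and "user@notexample.com" does not.
    $at = strrpos($email, '@');
    if ($at === false) {
        return false; // fail closed on a malformed address
    }

    return in_array(strtolower(substr($email, $at + 1)), MYPLUGIN_ALLOWED_DOMAINS, true);
}

// Priority 30: core verifies the password at priority 20, so by now $user is
// a WP_User on success, a WP_Error on failure, or null.
add_filter('authenticate', function ($user, $username, $password) {
    if (!$user instanceof WP_User) {
        return $user; // nothing authenticated, or already rejected
    }
    if (myplugin_email_domain_allowed($user->user_email)) {
        return $user;
    }

    return new WP_Error(
        'invalid_email_domain',
        __('<strong>Error</strong>: Invalid email domain supplied.')
    );
}, 30, 3);

// REST API requests that use application passwords are validated through
// 'determine_current_user', not 'authenticate', so gate those separately.
add_filter('wp_is_application_passwords_available_for_user', function ($available, $user) {
    return $available && myplugin_email_domain_allowed($user->user_email);
}, 10, 2);
```

The filter runs only when credentials are checked, so sessions issued before a domain was removed from the list stay valid until they expire or are destroyed.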