Just a quick note that in a standard WordPress authentication flow, you can use the authenticate
filter to add additional validation. In my last project, I had to limit user login to only active users, but you are free to implement any kind of check.
As you can see from the official documentation, the filter accepts three arguments, $user
, $username
, and $password
. To halt the login process for the failed validation, you can simply return null
where the pluggable wp_authenticate
will automatically return a generic failed login message, or you can optionally supply your WP_Error
instance with a custom error message of your liking.
Let’s say, for example, you want to limit the login only for users with a certain email domain, you can do something like this:
|
|
Bonus if you’re using PHP 8, you can use the built-in function str_ends_with
.