Just a quick note that in a standard WordPress authentication flow, you can use the authenticate filter to add additional validation. In my last project, I had to limit user login to only active users, but you are free to implement any kind of check.
As you can see from the official documentation, the filter accepts three arguments,
$password. To halt the login process when validation fails, you can simply return null, in which case the pluggable wp_authenticate will automatically return a generic failed login message, or you can optionally supply your own WP_Error instance with a custom error message of your liking.
Let’s say, for example, you want to limit login to users with a certain email domain; you can do something like this:
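An added example of such a check (not the author's original code): a callback on the authenticate filter that only lets through users whose email domain is on an allow list. The `example_*` names, the allow list contents, the text domain and the priority of 30 (chosen so the callback runs after core's credential checks, which are registered at priority 20) are assumptions.

```php
<?php
// Added example. All example_* / EXAMPLE_* names are hypothetical.
const EXAMPLE_ALLOWED_LOGIN_DOMAINS = ['example.com', 'example.org'];

/**
 * True when the part after the last "@" exactly matches an allowed domain.
 */
function example_email_domain_allowed(string $email, array $allowed): bool
{
    $at = strrpos($email, '@');
    if ($at === false || $at === strlen($email) - 1) {
        return false; // no domain part at all
    }
    $domain = strtolower(substr($email, $at + 1));

    // Exact, strict match: "example.com.attacker.test" and
    // "notexample.com" must not pass a domain check.
    return in_array($domain, array_map('strtolower', $allowed), true);
}

/**
 * @param null|WP_User|WP_Error $user Result of the earlier authenticate callbacks.
 */
function example_limit_login_by_email_domain($user, $username, $password)
{
    // Only add a restriction on top of a successful credential check.
    // null or WP_Error from earlier callbacks is passed through unchanged.
    if (!($user instanceof WP_User)) {
        return $user;
    }

    if (example_email_domain_allowed($user->user_email, EXAMPLE_ALLOWED_LOGIN_DOMAINS)) {
        return $user;
    }

    // Custom message; returning null here instead would produce
    // wp_authenticate's generic failed login error.
    return new WP_Error(
        'example_domain_not_allowed',
        __('Login is not permitted for this account.', 'example-textdomain')
    );
}

// Priority 30, three accepted arguments.
add_filter('authenticate', 'example_limit_login_by_email_domain', 30, 3);
```

The authenticate filter runs only when credentials are submitted, so a session that already holds a valid auth cookie is not affected until that user logs in again.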
Bonus if you’re using PHP 8, you can use the built-in function