I was recently tasked with providing the capability for the user to register themselves on a WordPress site with their preferred password. By default, WordPress only requires the user to set up the username and email when registering to the site. Password will be set up by the user later by following the password reset URL provided after the successful registration.
To implement this, a few steps need to be done:
- Add the password field to the registration form
- Validate the password field upon form submission
- Use the provided password for the registered user
Let’s go through them one by one.
Add the password field
This is fairly easy to do. WordPress has a
register_form action hook that we can use to add additional HTML content to the registration form. There is a nice password field interaction available when you’re resetting the password, so we will reuse the same functionality on the registration page.
Add these lines into the theme’s
The HTML for the password field is taken from the password reset page. You can find the related source code inside the
As you can see, I add a special helper function to detect if we are currently on the registration page and check if the script isn’t enqueued yet. If it’s not, then we’ll enqueue it. The helper function is pretty basic and uses the
$GLOBALS['pagenow] value for the detection.
Now, if we load the registration page, we’ll see the password field is available with the correct interactivity as well as password strength checker.
Validate the password field
By default, the
user-profile script will validate the password field on the client-side. If it’s weak, then a checkbox will appear to confirm the use of a weak password. Unless the password field is filled in, the submit button will be disabled. It kind of acts as the first level of validation for us.
registration_errors filter to do our custom validation.
The first argument passed to the filter is an instance of the
WP_Error object, so all we need to do is to implement our validation, then push additional error into the class. What I have in the code snippet above is pretty simple, so feel free to extend this with a more robust validation if needed.
Use the supplied password
If we take a closer look at how WordPress registers a user in
wp-includes/user.php, we can see that WordPress will automatically generate a user password.
Luckily, there is a filter that we can hook to inside the
wp_generate_password function with the name of
random_password. We can use this to our advantage by replacing the generated password with the one supplied by the user during the registration process.
We reuse the helper function again to make sure we only override this during the registration.
Bonus: Disable/Modify the Sent Email
WordPress will send a “Login Details” email to the user, instructing them to reset their password after the account is created. For our case, this doesn’t make sense, so we have two options here:
- Change the message to a more suitable context
- Disable that email entirely
We can change the message by hooking into the
wp_new_user_notification_email that holds the data that will be passed to the
Instead of asking the user to reset the password, we can mention that the password will be whatever they have set during the registration. If you want to disable this email entirely, simply set the
message to an empty string and the email will not be sent out.