` element.
* Defaults to 'Log In'.
* @param string $message Optional. Message to display in header. Default empty.
* @param WP_Error|null $wp_error Optional. The error to pass. Defaults to a WP_Error instance.
*/
function login_header( $title = null, $message = '', $wp_error = null ) {
global $error, $interim_login, $action;
if ( null === $title ) {
$title = __( 'Log In' );
}
// Don't index any of these forms.
add_filter( 'wp_robots', 'wp_robots_sensitive_page' );
add_action( 'login_head', 'wp_strict_cross_origin_referrer' );
add_action( 'login_head', 'wp_login_viewport_meta' );
if ( ! is_wp_error( $wp_error ) ) {
$wp_error = new WP_Error();
}
// Shake it!
$shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password', 'retrieve_password_email_failure' );
/**
* Filters the error codes array for shaking the login form.
*
* @since 3.0.0
*
* @param string[] $shake_error_codes Error codes that shake the login form.
*/
$shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );
if ( $shake_error_codes && $wp_error->has_errors() && in_array( $wp_error->get_error_code(), $shake_error_codes, true ) ) {
add_action( 'login_footer', 'wp_shake_js', 12 );
}
$login_title = get_bloginfo( 'name', 'display' );
/* translators: Login screen title. 1: Login screen name, 2: Network or site name. */
$login_title = sprintf( __( '%1$s ‹ %2$s — WordPress' ), $title, $login_title );
if ( wp_is_recovery_mode() ) {
/* translators: %s: Login screen title. */
$login_title = sprintf( __( 'Recovery Mode — %s' ), $login_title );
}
/**
* Filters the title tag content for login page.
*
* @since 4.9.0
*
* @param string $login_title The page title, with extra context added.
* @param string $title The original page title.
*/
$login_title = apply_filters( 'login_title', $login_title, $title );
?>
>
get_error_code() ) {
ob_start();
?>
add( 'error', $error );
unset( $error );
}
if ( $wp_error->has_errors() ) {
$error_list = array();
$messages = '';
foreach ( $wp_error->get_error_codes() as $code ) {
$severity = $wp_error->get_error_data( $code );
foreach ( $wp_error->get_error_messages( $code ) as $error_message ) {
if ( 'message' === $severity ) {
$messages .= '
' . $error_message . '
';
} else {
$error_list[] = $error_message;
}
}
}
if ( ! empty( $error_list ) ) {
$errors = '';
if ( count( $error_list ) > 1 ) {
$errors .= '
';
foreach ( $error_list as $item ) {
$errors .= '- ' . $item . '
';
}
$errors .= '
';
} else {
$errors .= '
' . $error_list[0] . '
';
}
/**
* Filters the error messages displayed above the login form.
*
* @since 2.1.0
*
* @param string $errors Login error messages.
*/
$errors = apply_filters( 'login_errors', $errors );
wp_admin_notice(
$errors,
array(
'type' => 'error',
'id' => 'login_error',
'paragraph_wrap' => false,
)
);
}
if ( ! empty( $messages ) ) {
/**
* Filters instructional messages displayed above the login form.
*
* @since 2.5.0
*
* @param string $messages Login messages.
*/
$messages = apply_filters( 'login_messages', $messages );
wp_admin_notice(
$messages,
array(
'type' => 'info',
'id' => 'login-message',
'additional_classes' => array( 'message' ),
'paragraph_wrap' => false,
)
);
}
}
} // End of login_header().
/**
* Outputs the footer for the login page.
*
* @since 3.1.0
*
* @global bool|string $interim_login Whether interim login modal is being displayed. String 'success'
* upon successful login.
*
* @param string $input_id Which input to auto-focus.
*/
function login_footer( $input_id = '' ) {
global $interim_login;
// Don't allow interim logins to navigate away from the page.
if ( ! $interim_login ) {
?>
%s',
esc_url( home_url( '/' ) ),
sprintf(
/* translators: %s: Site title. */
_x( '← Go to %s', 'site' ),
get_bloginfo( 'title', 'display' )
)
);
/**
* Filters the "Go to site" link displayed in the login page footer.
*
* @since 5.7.0
*
* @param string $link HTML link to the home URL of the current site.
*/
echo apply_filters( 'login_site_html_link', $html_link );
?>
', '
' );
}
?>
. ?>
0 ) {
update_option( 'admin_email_lifespan', time() + $remind_interval );
}
$redirect_to = add_query_arg( 'admin_email_remind_later', 1, $redirect_to );
wp_safe_redirect( $redirect_to );
exit;
}
if ( ! empty( $_POST['correct-admin-email'] ) ) {
if ( ! check_admin_referer( 'confirm_admin_email', 'confirm_admin_email_nonce' ) ) {
wp_safe_redirect( wp_login_url() );
exit;
}
/**
* Filters the interval for redirecting the user to the admin email confirmation screen.
*
* If `0` (zero) is returned, the user will not be redirected.
*
* @since 5.3.0
*
* @param int $interval Interval time (in seconds). Default is 6 months.
*/
$admin_email_check_interval = (int) apply_filters( 'admin_email_check_interval', 6 * MONTH_IN_SECONDS );
if ( $admin_email_check_interval > 0 ) {
update_option( 'admin_email_lifespan', time() + $admin_email_check_interval );
}
wp_safe_redirect( $redirect_to );
exit;
}
login_header( __( 'Confirm your administration email' ), '', $errors );
/**
* Fires before the admin email confirm form.
*
* @since 5.3.0
*
* @param WP_Error $errors A `WP_Error` object containing any errors generated by using invalid
* credentials. Note that the error object may not contain any errors.
*/
do_action( 'admin_email_confirm', $errors );
?>
HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );
wp_safe_redirect( wp_get_referer() );
exit;
case 'logout':
check_admin_referer( 'log-out' );
$user = wp_get_current_user();
wp_logout();
if ( ! empty( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ) {
$redirect_to = $_REQUEST['redirect_to'];
$requested_redirect_to = $redirect_to;
} else {
$redirect_to = add_query_arg(
array(
'loggedout' => 'true',
'wp_lang' => get_user_locale( $user ),
),
wp_login_url()
);
$requested_redirect_to = '';
}
/**
* Filters the log out redirect URL.
*
* @since 4.2.0
*
* @param string $redirect_to The redirect destination URL.
* @param string $requested_redirect_to The requested redirect destination URL passed as a parameter.
* @param WP_User $user The WP_User object for the user that's logging out.
*/
$redirect_to = apply_filters( 'logout_redirect', $redirect_to, $requested_redirect_to, $user );
wp_safe_redirect( $redirect_to );
exit;
case 'lostpassword':
case 'retrievepassword':
if ( $http_post ) {
$errors = retrieve_password();
if ( ! is_wp_error( $errors ) ) {
$redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?checkemail=confirm';
wp_safe_redirect( $redirect_to );
exit;
}
}
if ( isset( $_GET['error'] ) ) {
if ( 'invalidkey' === $_GET['error'] ) {
$errors->add( 'invalidkey', __( 'Error: Your password reset link appears to be invalid. Please request a new link below.' ) );
} elseif ( 'expiredkey' === $_GET['error'] ) {
$errors->add( 'expiredkey', __( 'Error: Your password reset link has expired. Please request a new link below.' ) );
}
}
$lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
/**
* Filters the URL redirected to after submitting the lostpassword/retrievepassword form.
*
* @since 3.0.0
*
* @param string $lostpassword_redirect The redirect destination URL.
*/
$redirect_to = apply_filters( 'lostpassword_redirect', $lostpassword_redirect );
/**
* Fires before the lost password form.
*
* @since 1.5.1
* @since 5.1.0 Added the `$errors` parameter.
*
* @param WP_Error $errors A `WP_Error` object containing any errors generated by using invalid
* credentials. Note that the error object may not contain any errors.
*/
do_action( 'lost_password', $errors );
login_header(
__( 'Lost Password' ),
wp_get_admin_notice(
__( 'Please enter your username or email address. You will receive an email message with instructions on how to reset your password.' ),
array(
'type' => 'info',
'additional_classes' => array( 'message' ),
)
),
$errors
);
$user_login = '';
if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
$user_login = wp_unslash( $_POST['user_login'] );
}
?>
%s', esc_url( wp_registration_url() ), __( 'Register' ) );
echo esc_html( $login_link_separator );
/** This filter is documented in wp-includes/general-template.php */
echo apply_filters( 'register', $registration_url );
}
?>
get_error_code() === 'expired_key' ) {
wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
} else {
wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) );
}
exit;
}
$errors = new WP_Error();
// Check if password is one or all empty spaces.
if ( ! empty( $_POST['pass1'] ) ) {
$_POST['pass1'] = trim( $_POST['pass1'] );
if ( empty( $_POST['pass1'] ) ) {
$errors->add( 'password_reset_empty_space', __( 'The password cannot be a space or all spaces.' ) );
}
}
// Check if password fields do not match.
if ( ! empty( $_POST['pass1'] ) && trim( $_POST['pass2'] ) !== $_POST['pass1'] ) {
$errors->add( 'password_reset_mismatch', __( 'Error: The passwords do not match.' ) );
}
/**
* Fires before the password reset procedure is validated.
*
* @since 3.5.0
*
* @param WP_Error $errors WP Error object.
* @param WP_User|WP_Error $user WP_User object if the login and reset key match. WP_Error object otherwise.
*/
do_action( 'validate_password_reset', $errors, $user );
if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) {
reset_password( $user, $_POST['pass1'] );
setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
login_header(
__( 'Password Reset' ),
wp_get_admin_notice(
__( 'Your password has been reset.' ) . ' ' . __( 'Log in' ) . '',
array(
'type' => 'info',
'additional_classes' => array( 'message', 'reset-pass' ),
)
)
);
login_footer();
exit;
}
wp_enqueue_script( 'utils' );
wp_enqueue_script( 'user-profile' );
login_header(
__( 'Reset Password' ),
wp_get_admin_notice(
__( 'Enter your new password below or generate one.' ),
array(
'type' => 'info',
'additional_classes' => array( 'message', 'reset-pass' ),
)
),
$errors
);
?>
%s', esc_url( wp_registration_url() ), __( 'Register' ) );
echo esc_html( $login_link_separator );
/** This filter is documented in wp-includes/general-template.php */
echo apply_filters( 'register', $registration_url );
}
?>
'info',
'additional_classes' => array( 'message', 'register' ),
)
),
$errors
);
?>
%s', esc_url( wp_lostpassword_url() ), __( 'Lost your password?' ) );
/** This filter is documented in wp-login.php */
echo apply_filters( 'lost_password_html_link', $html_link );
?>
add(
'confirm',
sprintf(
/* translators: %s: Link to the login page. */
__( 'Check your email for the confirmation link, then visit the login page.' ),
wp_login_url()
),
'message'
);
} elseif ( 'registered' === $_GET['checkemail'] ) {
$errors->add(
'registered',
sprintf(
/* translators: %s: Link to the login page. */
__( 'Registration complete. Please check your email, then visit the login page.' ),
wp_login_url()
),
'message'
);
}
/** This action is documented in wp-login.php */
$errors = apply_filters( 'wp_login_errors', $errors, $redirect_to );
login_header( __( 'Check your email' ), '', $errors );
login_footer();
break;
case 'confirmaction':
if ( ! isset( $_GET['request_id'] ) ) {
wp_die( __( 'Missing request ID.' ) );
}
if ( ! isset( $_GET['confirm_key'] ) ) {
wp_die( __( 'Missing confirm key.' ) );
}
$request_id = (int) $_GET['request_id'];
$key = sanitize_text_field( wp_unslash( $_GET['confirm_key'] ) );
$result = wp_validate_user_request_key( $request_id, $key );
if ( is_wp_error( $result ) ) {
wp_die( $result );
}
/**
* Fires an action hook when the account action has been confirmed by the user.
*
* Using this you can assume the user has agreed to perform the action by
* clicking on the link in the confirmation email.
*
* After firing this action hook the page will redirect to wp-login a callback
* redirects or exits first.
*
* @since 4.9.6
*
* @param int $request_id Request ID.
*/
do_action( 'user_request_action_confirmed', $request_id );
$message = _wp_privacy_account_request_confirmed_message( $request_id );
login_header( __( 'User action confirmed.' ), $message );
login_footer();
exit;
case 'login':
default:
$secure_cookie = '';
$customize_login = isset( $_REQUEST['customize-login'] );
if ( $customize_login ) {
wp_enqueue_script( 'customize-base' );
}
// If the user wants SSL but the session is not SSL, force a secure cookie.
if ( ! empty( $_POST['log'] ) && ! force_ssl_admin() ) {
$user_name = sanitize_user( wp_unslash( $_POST['log'] ) );
$user = get_user_by( 'login', $user_name );
if ( ! $user && strpos( $user_name, '@' ) ) {
$user = get_user_by( 'email', $user_name );
}
if ( $user ) {
if ( get_user_option( 'use_ssl', $user->ID ) ) {
$secure_cookie = true;
force_ssl_admin( true );
}
}
}
if ( isset( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ) {
$redirect_to = $_REQUEST['redirect_to'];
// Redirect to HTTPS if user wants SSL.
if ( $secure_cookie && str_contains( $redirect_to, 'wp-admin' ) ) {
$redirect_to = preg_replace( '|^http://|', 'https://', $redirect_to );
}
} else {
$redirect_to = admin_url();
}
$reauth = empty( $_REQUEST['reauth'] ) ? false : true;
$user = wp_signon( array(), $secure_cookie );
if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
if ( headers_sent() ) {
$user = new WP_Error(
'test_cookie',
sprintf(
/* translators: 1: Browser cookie documentation URL, 2: Support forums URL. */
__( 'Error: Cookies are blocked due to unexpected output. For help, please see this documentation or try the support forums.' ),
__( 'https://developer.wordpress.org/advanced-administration/wordpress/cookies/' ),
__( 'https://wordpress.org/support/forums/' )
)
);
} elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) {
// If cookies are disabled, the user can't log in even with a valid username and password.
$user = new WP_Error(
'test_cookie',
sprintf(
/* translators: %s: Browser cookie documentation URL. */
__( 'Error: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.' ),
__( 'https://developer.wordpress.org/advanced-administration/wordpress/cookies/#enable-cookies-in-your-browser' )
)
);
}
}
$requested_redirect_to = isset( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
/**
* Filters the login redirect URL.
*
* @since 3.0.0
*
* @param string $redirect_to The redirect destination URL.
* @param string $requested_redirect_to The requested redirect destination URL passed as a parameter.
* @param WP_User|WP_Error $user WP_User object if login was successful, WP_Error object otherwise.
*/
$redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
if ( ! is_wp_error( $user ) && ! $reauth ) {
if ( $interim_login ) {
$message = '' . __( 'You have logged in successfully.' ) . '
';
$interim_login = 'success';
login_header( '', $message );
?>
exists() && $user->has_cap( 'manage_options' ) ) {
$admin_email_lifespan = (int) get_option( 'admin_email_lifespan' );
/*
* If `0` (or anything "falsey" as it is cast to int) is returned, the user will not be redirected
* to the admin email confirmation screen.
*/
/** This filter is documented in wp-login.php */
$admin_email_check_interval = (int) apply_filters( 'admin_email_check_interval', 6 * MONTH_IN_SECONDS );
if ( $admin_email_check_interval > 0 && time() > $admin_email_lifespan ) {
$redirect_to = add_query_arg(
array(
'action' => 'confirm_admin_email',
'wp_lang' => get_user_locale( $user ),
),
wp_login_url( $redirect_to )
);
}
}
if ( ( empty( $redirect_to ) || 'wp-admin/' === $redirect_to || admin_url() === $redirect_to ) ) {
// If the user doesn't belong to a blog, send them to user admin. If the user can't edit posts, send them to their profile.
if ( is_multisite() && ! get_active_blog_for_user( $user->ID ) && ! is_super_admin( $user->ID ) ) {
$redirect_to = user_admin_url();
} elseif ( is_multisite() && ! $user->has_cap( 'read' ) ) {
$redirect_to = get_dashboard_url( $user->ID );
} elseif ( ! $user->has_cap( 'edit_posts' ) ) {
$redirect_to = $user->has_cap( 'read' ) ? admin_url( 'profile.php' ) : home_url();
}
wp_redirect( $redirect_to );
exit;
}
wp_safe_redirect( $redirect_to );
exit;
}
$errors = $user;
// Clear errors if loggedout is set.
if ( ! empty( $_GET['loggedout'] ) || $reauth ) {
$errors = new WP_Error();
}
if ( empty( $_POST ) && $errors->get_error_codes() === array( 'empty_username', 'empty_password' ) ) {
$errors = new WP_Error( '', '' );
}
if ( $interim_login ) {
if ( ! $errors->has_errors() ) {
$errors->add( 'expired', __( 'Your session has expired. Please log in to continue where you left off.' ), 'message' );
}
} else {
// Some parts of this script use the main login form to display a message.
if ( isset( $_GET['loggedout'] ) && $_GET['loggedout'] ) {
$errors->add( 'loggedout', __( 'You are now logged out.' ), 'message' );
} elseif ( isset( $_GET['registration'] ) && 'disabled' === $_GET['registration'] ) {
$errors->add( 'registerdisabled', __( 'Error: User registration is currently not allowed.' ) );
} elseif ( str_contains( $redirect_to, 'about.php?updated' ) ) {
$errors->add( 'updated', __( 'You have successfully updated WordPress! Please log back in to see what’s new.' ), 'message' );
} elseif ( WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED === $action ) {
$errors->add( 'enter_recovery_mode', __( 'Recovery Mode Initialized. Please log in to continue.' ), 'message' );
} elseif ( isset( $_GET['redirect_to'] ) && is_string( $_GET['redirect_to'] )
&& str_contains( $_GET['redirect_to'], 'wp-admin/authorize-application.php' )
) {
$query_component = wp_parse_url( $_GET['redirect_to'], PHP_URL_QUERY );
$query = array();
if ( $query_component ) {
parse_str( $query_component, $query );
}
if ( ! empty( $query['app_name'] ) ) {
/* translators: 1: Website name, 2: Application name. */
$message = sprintf( 'Please log in to %1$s to authorize %2$s to connect to your account.', get_bloginfo( 'name', 'display' ), '' . esc_html( $query['app_name'] ) . '' );
} else {
/* translators: %s: Website name. */
$message = sprintf( 'Please log in to %s to proceed with authorization.', get_bloginfo( 'name', 'display' ) );
}
$errors->add( 'authorize_application', $message, 'message' );
}
}
/**
* Filters the login page errors.
*
* @since 3.6.0
*
* @param WP_Error $errors WP Error object.
* @param string $redirect_to Redirect destination URL.
*/
$errors = apply_filters( 'wp_login_errors', $errors, $redirect_to );
// Clear any stale cookies.
if ( $reauth ) {
wp_clear_auth_cookie();
}
login_header( __( 'Log In' ), '', $errors );
if ( isset( $_POST['log'] ) ) {
$user_login = ( 'incorrect_password' === $errors->get_error_code() || 'empty_password' === $errors->get_error_code() ) ? wp_unslash( $_POST['log'] ) : '';
}
$rememberme = ! empty( $_POST['rememberme'] );
$aria_describedby = '';
$has_errors = $errors->has_errors();
if ( $has_errors ) {
$aria_describedby = ' aria-describedby="login_error"';
}
if ( $has_errors && 'message' === $errors->get_error_data() ) {
$aria_describedby = ' aria-describedby="login-message"';
}
wp_enqueue_script( 'user-profile' );
?>
%s', esc_url( wp_registration_url() ), __( 'Register' ) );
/** This filter is documented in wp-includes/general-template.php */
echo apply_filters( 'register', $registration_url );
echo esc_html( $login_link_separator );
}
$html_link = sprintf( '%s', esc_url( wp_lostpassword_url() ), __( 'Lost your password?' ) );
/**
* Filters the link that allows the user to reset the lost password.
*
* @since 6.1.0
*
* @param string $html_link HTML link to the lost password form.
*/
echo apply_filters( 'lost_password_html_link', $html_link );
?>
get_error_code() === 'invalid_username' ) {
$login_script .= 'd.value = "";';
}
}
$login_script .= 'd.focus(); d.select();';
$login_script .= '} catch( er ) {}';
$login_script .= '}, 200);';
$login_script .= "}\n"; // End of wp_attempt_focus().
/**
* Filters whether to print the call to `wp_attempt_focus()` on the login screen.
*
* @since 4.8.0
*
* @param bool $print Whether to print the function call. Default true.
*/
if ( apply_filters( 'enable_login_autofocus', true ) && ! $error ) {
$login_script .= "wp_attempt_focus();\n";
}
// Run `wpOnload()` if defined.
$login_script .= "if ( typeof wpOnload === 'function' ) { wpOnload() }";
wp_print_inline_script_tag( $login_script );
if ( $interim_login ) {
ob_start();
?>