` element. * Default 'Log In'. * @param string $message Optional. Message to display in header. Default empty. * @param WP_Error $wp_error Optional. The error to pass. Default is a WP_Error instance. */ function login_header( $title = 'Log In', $message = '', $wp_error = null ) { global $error, $interim_login, $action; // Don't index any of these forms add_action( 'login_head', 'wp_sensitive_page_meta' ); add_action( 'login_head', 'wp_login_viewport_meta' ); if ( ! is_wp_error( $wp_error ) ) { $wp_error = new WP_Error(); } // Shake it! $shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password', 'retrieve_password_email_failure' ); /** * Filters the error codes array for shaking the login form. * * @since 3.0.0 * * @param array $shake_error_codes Error codes that shake the login form. */ $shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes ); if ( $shake_error_codes && $wp_error->has_errors() && in_array( $wp_error->get_error_code(), $shake_error_codes, true ) ) { add_action( 'login_head', 'wp_shake_js', 12 ); } $login_title = get_bloginfo( 'name', 'display' ); /* translators: Login screen title. 1: Login screen name, 2: Network or site name */ $login_title = sprintf( __( '%1$s ‹ %2$s — WordPress' ), $title, $login_title ); if ( wp_is_recovery_mode() ) { /* translators: %s: Login screen title. */ $login_title = sprintf( __( 'Recovery Mode — %s' ), $login_title ); } /** * Filters the title tag content for login page. * * @since 4.9.0 * * @param string $login_title The page title, with extra context added. * @param string $title The original page title. */ $login_title = apply_filters( 'login_title', $login_title, $title ); ?> > <?php echo $login_title; ?> get_error_code() ) { ?>

add( 'error', $error ); unset( $error ); } if ( $wp_error->has_errors() ) { $errors = ''; $messages = ''; foreach ( $wp_error->get_error_codes() as $code ) { $severity = $wp_error->get_error_data( $code ); foreach ( $wp_error->get_error_messages( $code ) as $error_message ) { if ( 'message' === $severity ) { $messages .= ' ' . $error_message . "
\n"; } else { $errors .= ' ' . $error_message . "
\n"; } } } if ( ! empty( $errors ) ) { /** * Filters the error messages displayed above the login form. * * @since 2.1.0 * * @param string $errors Login error message. */ echo '
' . apply_filters( 'login_errors', $errors ) . "
\n"; } if ( ! empty( $messages ) ) { /** * Filters instructional messages displayed above the login form. * * @since 2.5.0 * * @param string $messages Login messages. */ echo '

' . apply_filters( 'login_messages', $messages ) . "

\n"; } } } // End of login_header() /** * Outputs the footer for the login page. * * @since 3.1.0 * * @param string $input_id Which input to auto-focus. */ function login_footer( $input_id = '' ) { global $interim_login; // Don't allow interim logins to navigate away from the page. if ( ! $interim_login ) { ?>

', '
' ); } ?> ?>
add( 'empty_username', __( 'ERROR: Enter a username or email address.' ) ); } elseif ( strpos( $_POST['user_login'], '@' ) ) { $user_data = get_user_by( 'email', trim( wp_unslash( $_POST['user_login'] ) ) ); if ( empty( $user_data ) ) { $errors->add( 'invalid_email', __( 'ERROR: There is no account with that username or email address.' ) ); } } else { $login = trim( $_POST['user_login'] ); $user_data = get_user_by( 'login', $login ); } /** * Fires before errors are returned from a password reset request. * * @since 2.1.0 * @since 4.4.0 Added the `$errors` parameter. * * @param WP_Error $errors A WP_Error object containing any errors generated * by using invalid credentials. */ do_action( 'lostpassword_post', $errors ); if ( $errors->has_errors() ) { return $errors; } if ( ! $user_data ) { $errors->add( 'invalidcombo', __( 'ERROR: There is no account with that username or email address.' ) ); return $errors; } // Redefining user_login ensures we return the right case in the email. $user_login = $user_data->user_login; $user_email = $user_data->user_email; $key = get_password_reset_key( $user_data ); if ( is_wp_error( $key ) ) { return $key; } if ( is_multisite() ) { $site_name = get_network()->site_name; } else { /* * The blogname option is escaped with esc_html on the way into the database * in sanitize_option we want to reverse this for the plain text arena of emails. */ $site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ); } $message = __( 'Someone has requested a password reset for the following account:' ) . "\r\n\r\n"; /* translators: %s: site name */ $message .= sprintf( __( 'Site Name: %s' ), $site_name ) . "\r\n\r\n"; /* translators: %s: user login */ $message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n"; $message .= __( 'If this was a mistake, just ignore this email and nothing will happen.' ) . "\r\n\r\n"; $message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n"; $message .= '<' . network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . ">\r\n"; /* translators: Password reset notification email subject. %s: Site title */ $title = sprintf( __( '[%s] Password Reset' ), $site_name ); /** * Filters the subject of the password reset email. * * @since 2.8.0 * @since 4.4.0 Added the `$user_login` and `$user_data` parameters. * * @param string $title Default email title. * @param string $user_login The username for the user. * @param WP_User $user_data WP_User object. */ $title = apply_filters( 'retrieve_password_title', $title, $user_login, $user_data ); /** * Filters the message body of the password reset mail. * * If the filtered message is empty, the password reset email will not be sent. * * @since 2.8.0 * @since 4.1.0 Added `$user_login` and `$user_data` parameters. * * @param string $message Default mail message. * @param string $key The activation key. * @param string $user_login The username for the user. * @param WP_User $user_data WP_User object. */ $message = apply_filters( 'retrieve_password_message', $message, $key, $user_login, $user_data ); if ( $message && ! wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) ) { /* translators: URL to support page for resetting your password */ $support = __( 'https://wordpress.org/support/article/resetting-your-password/' ); $errors->add( 'retrieve_password_email_failure', sprintf( __( 'ERROR: The email could not be sent. Your site may not be correctly configured to send emails. Get support for resetting your password.' ), esc_url( $support ) ) ); return $errors; } return true; } // // Main. // $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login'; $errors = new WP_Error(); if ( isset( $_GET['key'] ) ) { $action = 'resetpass'; } $default_actions = array( 'confirm_admin_email', 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login', 'confirmaction', WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED, ); // Validate action so as to default to the login screen. if ( ! in_array( $action, $default_actions, true ) && false === has_filter( 'login_form_' . $action ) ) { $action = 'login'; } nocache_headers(); header( 'Content-Type: ' . get_bloginfo( 'html_type' ) . '; charset=' . get_bloginfo( 'charset' ) ); if ( defined( 'RELOCATE' ) && RELOCATE ) { // Move flag is set if ( isset( $_SERVER['PATH_INFO'] ) && ( $_SERVER['PATH_INFO'] !== $_SERVER['PHP_SELF'] ) ) { $_SERVER['PHP_SELF'] = str_replace( $_SERVER['PATH_INFO'], '', $_SERVER['PHP_SELF'] ); } $url = dirname( set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] ) ); if ( $url !== get_option( 'siteurl' ) ) { update_option( 'siteurl', $url ); } } //Set a cookie now to see if they are supported by the browser. $secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) ); setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure ); if ( SITECOOKIEPATH != COOKIEPATH ) { setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure ); } /** * Fires when the login form is initialized. * * @since 3.2.0 */ do_action( 'login_init' ); /** * Fires before a specified login form action. * * The dynamic portion of the hook name, `$action`, refers to the action * that brought the visitor to the login form. Actions include 'postpass', * 'logout', 'lostpassword', etc. * * @since 2.8.0 */ do_action( "login_form_{$action}" ); $http_post = ( 'POST' === $_SERVER['REQUEST_METHOD'] ); $interim_login = isset( $_REQUEST['interim-login'] ); /** * Filters the separator used between login form navigation links. * * @since 4.9.0 * * @param string $login_link_separator The separator used between login form navigation links. */ $login_link_separator = apply_filters( 'login_link_separator', ' | ' ); switch ( $action ) { case 'confirm_admin_email': // Note that `is_user_logged_in()` will return false immediately after logging in // as the current user is not set, see wp-includes/pluggable.php. // However this action runs on a redirect after logging in. if ( ! is_user_logged_in() ) { wp_safe_redirect( wp_login_url() ); exit; } if ( ! empty( $_REQUEST['redirect_to'] ) ) { $redirect_to = $_REQUEST['redirect_to']; } else { $redirect_to = admin_url(); } if ( current_user_can( 'manage_options' ) ) { $admin_email = get_option( 'admin_email' ); } else { wp_safe_redirect( $redirect_to ); exit; } if ( ! empty( $_GET['remind_me_later'] ) ) { if ( ! wp_verify_nonce( $_GET['remind_me_later'], 'remind_me_later_nonce' ) ) { wp_safe_redirect( wp_login_url() ); exit; } // "Remind me later" is a bit ambiguous. Three days later? update_option( 'admin_email_lifespan', time() + 3 * DAY_IN_SECONDS ); wp_safe_redirect( $redirect_to ); exit; } if ( ! empty( $_POST['correct-admin-email'] ) ) { if ( ! check_admin_referer( 'confirm_admin_email', 'confirm_admin_email_nonce' ) ) { wp_safe_redirect( wp_login_url() ); exit; } /** * Filters the interval for redirecting the user to the admin email confirmation screen. * If `0` (zero) is returned, the user will not be redirected. * * @since 5.3.0 * * @param int Interval time (in seconds). */ $admin_email_check_interval = (int) apply_filters( 'admin_email_check_interval', 6 * MONTH_IN_SECONDS ); if ( $admin_email_check_interval > 0 ) { update_option( 'admin_email_lifespan', time() + $admin_email_check_interval ); } wp_safe_redirect( $redirect_to ); exit; } login_header( __( 'Confirm your admin email' ), '', $errors ); /** * Fires before the admin email confirm form. * * @since 5.3.0 * * @param WP_Error $errors A `WP_Error` object containing any errors generated by using invalid credentials. Note that the error object may not contain any errors. */ do_action( 'admin_email_confirm', $errors ); ?>

administration email for this website is still correct.' ); ?> %s', esc_url( $admin_email_help_url ), __( 'Why is this important?' ) ); ?>

%s' ), esc_html( $admin_email ) ); ?>

%s', esc_url( $admin_email_help_url ), __( 'Learn more.' ) ); ?>

'confirm_admin_email', 'remind_me_later' => wp_create_nonce( 'remind_me_later_nonce' ), ), $remind_me_link ); ?>
HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure ); wp_safe_redirect( wp_get_referer() ); exit(); case 'logout': check_admin_referer( 'log-out' ); $user = wp_get_current_user(); wp_logout(); if ( ! empty( $_REQUEST['redirect_to'] ) ) { $redirect_to = $_REQUEST['redirect_to']; $requested_redirect_to = $redirect_to; } else { $redirect_to = add_query_arg( array( 'loggedout' => 'true', 'wp_lang' => get_user_locale( $user ), ), wp_login_url() ); $requested_redirect_to = ''; } /** * Filters the log out redirect URL. * * @since 4.2.0 * * @param string $redirect_to The redirect destination URL. * @param string $requested_redirect_to The requested redirect destination URL passed as a parameter. * @param WP_User $user The WP_User object for the user that's logging out. */ $redirect_to = apply_filters( 'logout_redirect', $redirect_to, $requested_redirect_to, $user ); wp_safe_redirect( $redirect_to ); exit(); case 'lostpassword': case 'retrievepassword': if ( $http_post ) { $errors = retrieve_password(); if ( ! is_wp_error( $errors ) ) { $redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?checkemail=confirm'; wp_safe_redirect( $redirect_to ); exit(); } } if ( isset( $_GET['error'] ) ) { if ( 'invalidkey' === $_GET['error'] ) { $errors->add( 'invalidkey', __( 'Your password reset link appears to be invalid. Please request a new link below.' ) ); } elseif ( 'expiredkey' === $_GET['error'] ) { $errors->add( 'expiredkey', __( 'Your password reset link has expired. Please request a new link below.' ) ); } } $lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ''; /** * Filters the URL redirected to after submitting the lostpassword/retrievepassword form. * * @since 3.0.0 * * @param string $lostpassword_redirect The redirect destination URL. */ $redirect_to = apply_filters( 'lostpassword_redirect', $lostpassword_redirect ); /** * Fires before the lost password form. * * @since 1.5.1 * @since 5.1.0 Added the `$errors` parameter. * * @param WP_Error $errors A `WP_Error` object containing any errors generated by using invalid * credentials. Note that the error object may not contain any errors. */ do_action( 'lost_password', $errors ); login_header( __( 'Lost Password' ), '

' . __( 'Please enter your username or email address. You will receive a link to create a new password via email.' ) . '

', $errors ); $user_login = ''; if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) { $user_login = wp_unslash( $_POST['user_login'] ); } ?>

get_error_code() === 'expired_key' ) { wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) ); } else { wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) ); } exit; } $errors = new WP_Error(); if ( isset( $_POST['pass1'] ) && $_POST['pass1'] != $_POST['pass2'] ) { $errors->add( 'password_reset_mismatch', __( 'The passwords do not match.' ) ); } /** * Fires before the password reset procedure is validated. * * @since 3.5.0 * * @param object $errors WP Error object. * @param WP_User|WP_Error $user WP_User object if the login and reset key match. WP_Error object otherwise. */ do_action( 'validate_password_reset', $errors, $user ); if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) { reset_password( $user, $_POST['pass1'] ); setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); login_header( __( 'Password Reset' ), '

' . __( 'Your password has been reset.' ) . ' ' . __( 'Log in' ) . '

' ); login_footer(); exit; } wp_enqueue_script( 'utils' ); wp_enqueue_script( 'user-profile' ); login_header( __( 'Reset Password' ), '

' . __( 'Enter your new password below.' ) . '

', $errors ); ?>



' . __( 'Register For This Site' ) . '

', $errors ); ?>


ID ) ) { $secure_cookie = true; force_ssl_admin( true ); } } } if ( isset( $_REQUEST['redirect_to'] ) ) { $redirect_to = $_REQUEST['redirect_to']; // Redirect to HTTPS if user wants SSL. if ( $secure_cookie && false !== strpos( $redirect_to, 'wp-admin' ) ) { $redirect_to = preg_replace( '|^http://|', 'https://', $redirect_to ); } } else { $redirect_to = admin_url(); } $reauth = empty( $_REQUEST['reauth'] ) ? false : true; $user = wp_signon( array(), $secure_cookie ); if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) { if ( headers_sent() ) { $user = new WP_Error( 'test_cookie', sprintf( /* translators: 1: Browser cookie documentation URL, 2: Support forums URL */ __( 'ERROR: Cookies are blocked due to unexpected output. For help, please see this documentation or try the support forums.' ), __( 'https://wordpress.org/support/article/cookies/' ), __( 'https://wordpress.org/support/forums/' ) ) ); } elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) { // If cookies are disabled we can't log in even with a valid user+pass $user = new WP_Error( 'test_cookie', sprintf( /* translators: %s: Browser cookie documentation URL */ __( 'ERROR: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.' ), __( 'https://wordpress.org/support/article/cookies/#enable-cookies-in-your-browser' ) ) ); } } $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ''; /** * Filters the login redirect URL. * * @since 3.0.0 * * @param string $redirect_to The redirect destination URL. * @param string $requested_redirect_to The requested redirect destination URL passed as a parameter. * @param WP_User|WP_Error $user WP_User object if login was successful, WP_Error object otherwise. */ $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user ); if ( ! is_wp_error( $user ) && ! $reauth ) { if ( $interim_login ) { $message = '

' . __( 'You have logged in successfully.' ) . '

'; $interim_login = 'success'; login_header( '', $message ); ?> exists() && $user->has_cap( 'manage_options' ) ) { $admin_email_lifespan = (int) get_option( 'admin_email_lifespan' ); // If `0` (or anything "falsey" as it is cast to int) is returned, the user will not be redirected // to the admin email confirmation screen. /** This filter is documented in wp-login.php */ $admin_email_check_interval = (int) apply_filters( 'admin_email_check_interval', 180 * DAY_IN_SECONDS ); if ( $admin_email_check_interval > 0 && time() > $admin_email_lifespan ) { $redirect_to = add_query_arg( 'action', 'confirm_admin_email', wp_login_url( $redirect_to ) ); } } if ( ( empty( $redirect_to ) || $redirect_to === 'wp-admin/' || $redirect_to == admin_url() ) ) { // If the user doesn't belong to a blog, send them to user admin. If the user can't edit posts, send them to their profile. if ( is_multisite() && ! get_active_blog_for_user( $user->ID ) && ! is_super_admin( $user->ID ) ) { $redirect_to = user_admin_url(); } elseif ( is_multisite() && ! $user->has_cap( 'read' ) ) { $redirect_to = get_dashboard_url( $user->ID ); } elseif ( ! $user->has_cap( 'edit_posts' ) ) { $redirect_to = $user->has_cap( 'read' ) ? admin_url( 'profile.php' ) : home_url(); } wp_redirect( $redirect_to ); exit; } wp_safe_redirect( $redirect_to ); exit; } $errors = $user; // Clear errors if loggedout is set. if ( ! empty( $_GET['loggedout'] ) || $reauth ) { $errors = new WP_Error(); } if ( empty( $_POST ) && $errors->get_error_codes() === array( 'empty_username', 'empty_password' ) ) { $errors = new WP_Error( '', '' ); } if ( $interim_login ) { if ( ! $errors->has_errors() ) { $errors->add( 'expired', __( 'Your session has expired. Please log in to continue where you left off.' ), 'message' ); } } else { // Some parts of this script use the main login form to display a message. if ( isset( $_GET['loggedout'] ) && $_GET['loggedout'] ) { $errors->add( 'loggedout', __( 'You are now logged out.' ), 'message' ); } elseif ( isset( $_GET['registration'] ) && 'disabled' === $_GET['registration'] ) { $errors->add( 'registerdisabled', __( 'User registration is currently not allowed.' ) ); } elseif ( isset( $_GET['checkemail'] ) && 'confirm' === $_GET['checkemail'] ) { $errors->add( 'confirm', __( 'Check your email for the confirmation link.' ), 'message' ); } elseif ( isset( $_GET['checkemail'] ) && 'newpass' === $_GET['checkemail'] ) { $errors->add( 'newpass', __( 'Check your email for your new password.' ), 'message' ); } elseif ( isset( $_GET['checkemail'] ) && 'registered' === $_GET['checkemail'] ) { $errors->add( 'registered', __( 'Registration complete. Please check your email.' ), 'message' ); } elseif ( strpos( $redirect_to, 'about.php?updated' ) ) { $errors->add( 'updated', __( 'You have successfully updated WordPress! Please log back in to see what’s new.' ), 'message' ); } elseif ( WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED === $action ) { $errors->add( 'enter_recovery_mode', __( 'Recovery Mode Initialized. Please log in to continue.' ), 'message' ); } } /** * Filters the login page errors. * * @since 3.6.0 * * @param object $errors WP Error object. * @param string $redirect_to Redirect destination URL. */ $errors = apply_filters( 'wp_login_errors', $errors, $redirect_to ); // Clear any stale cookies. if ( $reauth ) { wp_clear_auth_cookie(); } login_header( __( 'Log In' ), '', $errors ); if ( isset( $_POST['log'] ) ) { $user_login = ( 'incorrect_password' === $errors->get_error_code() || 'empty_password' === $errors->get_error_code() ) ? esc_attr( wp_unslash( $_POST['log'] ) ) : ''; } $rememberme = ! empty( $_POST['rememberme'] ); if ( $errors->has_errors() ) { $aria_describedby_error = ' aria-describedby="login_error"'; } else { $aria_describedby_error = ''; } ?>

get_error_code() === 'invalid_username' ) { $login_script .= 'd.value = "";'; } } $login_script .= 'd.focus(); d.select();'; $login_script .= '} catch( er ) {}'; $login_script .= '}, 200);'; $login_script .= "}\n"; // End of wp_attempt_focus(). /** * Filters whether to print the call to `wp_attempt_focus()` on the login screen. * * @since 4.8.0 * * @param bool $print Whether to print the function call. Default true. */ if ( apply_filters( 'enable_login_autofocus', true ) && ! $error ) { $login_script .= "wp_attempt_focus();\n"; } // Run `wpOnload()` if defined. $login_script .= "if ( typeof wpOnload === 'function' ) { wpOnload() }"; ?>