I would like to implement a plugin that requires new users to reply to an email, to verify their email address, on registration. I am already doing extensive codex research, but I am very new and would appreciate some hints, especially regarding keeping the user inactive until they have verified their email. The rest I think I will manage on my own.
Leave a Reply
You must be logged in to post a comment.
I had a very similar problem which I solved the other day. In my case I wanted to allow users to choose their own password, and then activate their account via email. There’s alot to this, so I’ll just outline how to I achieved the e-mail verification.
First, I used
user_register
(runs when a user is registered) and created a key (e.g. hashed the time, user’s email address and random string etc) and stored this key in the usermeta table. This will be deleted when the user activates their account.To prevent an non-activated user from logging in, I added extra checks to the log-in, using the hook
authenticate
. For instance:Edit
As per the comments, the
authenticate
filter should return anWP_Error
object for failure, otherwise, return null.wp_authenticate_username_password
runs after this function, and if passed aWP_User
object it doesn’t perform any authentication checks, and assumes they have been done.The edited code returns whatever was passed to it, or an
WP_Error
object if the activation key exists (i.e. the user has yet to activate their account).(you can use
shake_error_codes
to cause the log-in box to shake if the key is found if you like :D).Then, in your plug-in, you will need to override
wp_new_user_notification
(which is a pluggable function present in/wp_includes/pluggable.php
). This function sends the email to the new user and to the admin.Copy the function into your plugin, inside
and then adapt it, so it retrieves and includes the activation key in the message to the user.
For the project I was working, I made a link from the activation key that the user could click to activate their account. E.g if their key was 01234ABCDE:
http://www.example.com?confirm=01234ABCDE.
Using the filter query_vars I registered the variable ‘confirm’ with WordPress. Then with the
template_include
filter, whenever that variable is set (e.g. as above) I redirect the user toconfirm.php
(a template file sitting in my theme directory).This template attempts to retrieve the user with the corresponding key. If it finds them, it deletes the key. They are now activated and able to log-in. If it doesn’t it displays an error message (key doesn’t exist or account has been activated). If there are multiple users with the same activation key (they shouldn’t be!) it throws up an error also.