Support » Networking WordPress » Why not just login automatically when user is activated?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    You mean you want people to have their account created and log in right away without activating?

    Or do you mean the second email that comes with your password is annoying?

    It’s done for security. Stops a LOT of spammers.

    After signing up user receives activation link to email.
    Then user clicks this link from email to activate his blog and username: and user sees his login and password and now user can login to his blog.
    I mean that at this step after clicking this activation link user could be logged in automatically.

    I don’t want to skip email-activation step. I want that user could be logged in in just after user and blog activation.

    Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    The problem is that the password is sensitive data.

    Yes, logging them in instantly would make things more convenient, but putting the password in the URL is bad. This is more secure. ANd god knows we need more securre.

    I am not telling to add the password to link.
    Check out line 103:
    There you can found the $password.

    If inserting the code I posted before just after line 103 than user will be logged in automatically and security will be on the same level as before.

    thanks for this snippet! i use it in my network now.

    this is WAY better than showing the password – in plain text – on the screen in the browser after activation! (which is very far away from secure…)

    Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    For the love of potatoes!


    Good lord, people, just stop it right now. If you really think that’s the only way to solve the problem, then either the problem is way bigger than you think or you need to join the dev team and make WP more awesome. 99.99999% of the time? Editing core is a terrible, horrible, no good, very bad, yes I am publicly telling you that you’re doing it wrong, thing.


    If this isn’t hookable (which a quick Google seems to imply it’s not, then this may not be a very safe or good idea to do.

    Please stop editing core.

    well, the hook would be ‘wpmu_activate_user’ and – of course – i added an action to it with the snippet above. (slightly changed.) i did


    this is absolutely not recommended and i am sorry that i wasn’t clear about this before.

    this is the code i used:

    function custom_login_new_user( $user_id, $email, $meta ) {
    	$user = new WP_User( (int) $user_id );
    	$creds = array();
    	$creds['user_login'] = $user->user_login;
    	$creds['user_password'] = $meta['user_pass'];
    	$creds['remember'] = true;
    	$user = wp_signon( $creds, false );
    	if ( is_wp_error($user) ) {
    		echo $user->get_error_message();
    	} else {
    		// safe redirect to actually login the user - otherwise they would need to manually refresh the page
    		// PLUS: this clears the activation confirmation page with the plain text password printed on screen
    		wp_safe_redirect( get_home_url() );
    add_action( 'wpmu_activate_user', 'custom_login_new_user', 10, 3 );
Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Why not just login automatically when user is activated?’ is closed to new replies.