<?php echo esc_html($login

` element. * Default 'Log In'. * @param string $message Optional. Message to display in header. Default empty. * @param WP_Error $wp_error Optional. The error to pass. Default is a WP_Error instance. */ function login_header($title = 'Log In', $message = '', $wp_error = null) { global $error, $interim_login, $action; // Don't index any of these forms. add_filter('wp_robots', 'wp_robots_sensitive_page'); add_action('login_head', 'wp_strict_cross_origin_referrer'); add_action('login_head', 'wp_login_viewport_meta'); if (! is_wp_error($wp_error)) { $wp_error = new WP_Error(); } // Shake it! $shake_error_codes = array('empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password', 'retrieve_password_email_failure'); /** * Filters the error codes array for shaking the login form. * * @since 3.0.0 * * @param array $shake_error_codes Error codes that shake the login form. */ $shake_error_codes = apply_filters('shake_error_codes', $shake_error_codes); if ($shake_error_codes && $wp_error->has_errors() && in_array($wp_error->get_error_code(), $shake_error_codes, true)) { add_action('login_footer', 'wp_shake_js', 12); } $login_title = get_bloginfo('name', 'display'); /* translators: Login screen title. 1: Login screen name, 2: Network or site name. */ $login_title = sprintf(__('%1$s ‹ %2$s — WordPress'), $title, $login_title); if (wp_is_recovery_mode()) { /* translators: %s: Login screen title. */ $login_title = sprintf(__('Recovery Mode — %s'), $login_title); } /** * Filters the title tag content for login page. * * @since 4.9.0 * * @param string $login_title The page title, with extra context added. * @param string $title The original page title. */ $login_title = apply_filters('login_title', $login_title, $title); ?> > <?php echo esc_html($login_title); ?> get_error_code()) { ?>

add('error', $error); unset($error); } if ($wp_error->has_errors()) { $errors = ''; $messages = ''; foreach ($wp_error->get_error_codes() as $code) { $severity = $wp_error->get_error_data($code); foreach ($wp_error->get_error_messages($code) as $error_message) { if ('message' === $severity) { $messages .= ' ' . $error_message . "
\n"; } else { $errors .= ' ' . $error_message . "
\n"; } } } if (! empty($errors)) { /** * Filters the error messages displayed above the login form. * * @since 2.1.0 * * @param string $errors Login error message. */ echo '

' . wp_kses_post(apply_filters('login_errors', $errors)) . "

\n"; } if (! empty($messages)) { /** * Filters instructional messages displayed above the login form. * * @since 2.5.0 * * @param string $messages Login messages. */ echo '\n"; } } } // End of login_header(). /** * Outputs the footer for the login page. * * @since 3.1.0 * * @global bool|string $interim_login Whether interim login modal is being displayed. String 'success' * upon successful login. * @global AIO_WP_Security $aio_wp_security * * @param string $input_id Which input to auto-focus. */ function login_footer($input_id = '') { global $interim_login, $aio_wp_security; // Don't allow interim logins to navigate away from the page. if (! $interim_login) { ?>

', '

'); } ?> . ?>

'language-switcher-locales', 'name' => 'wp_lang', 'selected' => determine_locale(), 'show_available_translations' => false, 'explicit_option_en_us' => true, 'languages' => $languages, ); /** * Filters default arguments for the Languages select input on the login screen. * * The arguments get passed to the wp_dropdown_languages() function. * * @since 5.9.0 * * @param array $args Arguments for the Languages select input on the login screen. */ wp_dropdown_languages(apply_filters('login_language_dropdown_args', $args)); ?>

0) { update_option('admin_email_lifespan', time() + $remind_interval); } $redirect_to = add_query_arg('admin_email_remind_later', 1, $redirect_to); wp_safe_redirect($redirect_to); exit; } if (! empty($_POST['correct-admin-email'])) { if (! check_admin_referer('confirm_admin_email', 'confirm_admin_email_nonce')) { wp_safe_redirect(wp_login_url()); exit; } /** * Filters the interval for redirecting the user to the admin email confirmation screen. * * If `0` (zero) is returned, the user will not be redirected. * * @since 5.3.0 * * @param int $interval Interval time (in seconds). Default is 6 months. */ $admin_email_check_interval = (int) apply_filters('admin_email_check_interval', 6 * MONTH_IN_SECONDS); if ($admin_email_check_interval > 0) { update_option('admin_email_lifespan', time() + $admin_email_check_interval); } wp_safe_redirect($redirect_to); exit; } login_header(__('Confirm your administration email'), '', $errors); /** * Fires before the admin email confirm form. * * @since 5.3.0 * * @param WP_Error $errors A `WP_Error` object containing any errors generated by using invalid * credentials. Note that the error object may not contain any errors. */ do_action('admin_email_confirm', $errors); ?> HashPassword(wp_unslash($_POST['post_password'])), $expire, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true); wp_safe_redirect(wp_get_referer()); exit; case 'logout': check_admin_referer('log-out'); $user = wp_get_current_user(); wp_logout(); if (! empty($_REQUEST['redirect_to'])) { $redirect_to = sanitize_url(wp_unslash($_REQUEST['redirect_to'])); $requested_redirect_to = $redirect_to; } else { $redirect_to = add_query_arg( array( 'loggedout' => 'true', 'wp_lang' => get_user_locale($user), ), wp_login_url() ); $requested_redirect_to = ''; } /** * Filters the log out redirect URL. * * @since 4.2.0 * * @param string $redirect_to The redirect destination URL. * @param string $requested_redirect_to The requested redirect destination URL passed as a parameter. * @param WP_User $user The WP_User object for the user that's logging out. */ $redirect_to = apply_filters('logout_redirect', $redirect_to, $requested_redirect_to, $user); wp_safe_redirect($redirect_to); exit; case 'lostpassword': case 'retrievepassword': if ($http_post) { $errors = retrieve_password(); if (! is_wp_error($errors)) { $redirect_to = ! empty($_REQUEST['redirect_to']) ? sanitize_url(wp_unslash($_REQUEST['redirect_to'])) : 'wp-login.php?checkemail=confirm'; wp_safe_redirect($redirect_to); exit; } } if (isset($_GET['error'])) { if ('invalidkey' === $_GET['error']) { // translators: %s: 'ERROR' $errors->add('invalidkey', sprintf(__('%s: Your password reset link appears to be invalid.') . ' ' . __('Please request a new link below.'), '' . __('ERROR') . '')); } elseif ('expiredkey' === $_GET['error']) { // translators: %s: 'ERROR' $errors->add('expiredkey', sprintf(__('%s: Your password reset link has expired.') . ' ' . __('Please request a new link below.'), '' . __('ERROR') . '')); } } $lostpassword_redirect = ! empty($_REQUEST['redirect_to']) ? sanitize_url(wp_unslash($_REQUEST['redirect_to'])) : ''; /** * Filters the URL redirected to after submitting the lostpassword/retrievepassword form. * * @since 3.0.0 * * @param string $lostpassword_redirect The redirect destination URL. */ $redirect_to = apply_filters('lostpassword_redirect', $lostpassword_redirect); /** * Fires before the lost password form. * * @since 1.5.1 * @since 5.1.0 Added the `$errors` parameter. * * @param WP_Error $errors A `WP_Error` object containing any errors generated by using invalid * credentials. Note that the error object may not contain any errors. */ do_action('lost_password', $errors); login_header(__('Lost Password'), '

' . __('Please enter your username or email address. You will receive an email message with instructions on how to reset your password.') . '

', $errors); // phpcs:ignore UpdraftPlus.Translation.MultipleSentence.MultipleSentenceInsideTranslationFunction -- ignore this to use WordPress translation $user_login = ''; if (isset($_POST['user_login']) && is_string($_POST['user_login'])) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized below. $user_login = wp_unslash($_POST['user_login']); // Remove slashes first if (is_email($user_login)) { // Sanitize as an email address $user_login = sanitize_email($user_login); } else { // Sanitize as a username $user_login = sanitize_user($user_login, true); } } ?>

%s', esc_url(wp_registration_url()), __('Register')); echo esc_html($login_link_separator); // This filter is documented in wp-includes/general-template.php echo wp_kses_post(apply_filters('register', $registration_url)); } ?>

get_error_code() === 'expired_key') { wp_redirect(site_url('wp-login.php?action=lostpassword&error=expiredkey')); } else { wp_redirect(site_url('wp-login.php?action=lostpassword&error=invalidkey')); } exit; } $errors = new WP_Error(); // Check if password is one or all empty spaces. if (!empty($_POST['pass1'])) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- PCP warning. Not recommended to sanitize password. $_POST['pass1'] = trim($_POST['pass1']); if (empty($_POST['pass1'])) { $errors->add('password_reset_empty_space', __('The password cannot be a space or all spaces.')); } } // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- PCP warning. Not recommended to sanitize password. if (!empty($_POST['pass1']) && trim($_POST['pass2']) !== $_POST['pass1']) { $errors->add('password_reset_mismatch', __('Error: The passwords do not match.')); } /** * Fires before the password reset procedure is validated. * * @since 3.5.0 * * @param WP_Error $errors WP Error object. * @param WP_User|WP_Error $user WP_User object if the login and reset key match. WP_Error object otherwise. */ do_action('validate_password_reset', $errors, $user); if ((! $errors->has_errors()) && isset($_POST['pass1']) && ! empty($_POST['pass1'])) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- PCP warning. Not recommended to sanitize password. reset_password($user, wp_unslash($_POST['pass1'])); setcookie($rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true); login_header(__('Password Reset'), '

' . __('Your password has been reset.') . ' ' . __('Log in') . '

'); login_footer(); exit; } wp_enqueue_script('utils'); wp_enqueue_script('user-profile'); login_header(__('Reset Password'), '

' . __('Enter your new password below or generate one.') . '

', $errors); ?>

' . __('Register For This Site') . '

', $errors); ?>

add( 'confirm', sprintf( /* translators: %s: Link to the login page. */ __('Check your email for the confirmation link, then visit the login page.'), wp_login_url() ), 'message' ); } elseif ('registered' === $_GET['checkemail']) { $errors->add( 'registered', sprintf( /* translators: %s: Link to the login page. */ __('Registration complete.') . ' ' . __('Please check your email, then visit the login page.'), wp_login_url() ), 'message' ); } // This action is documented in wp-login.php $errors = apply_filters('wp_login_errors', $errors, $redirect_to); login_header(__('Check your email'), '', $errors); login_footer(); break; case 'confirmaction': if (! isset($_GET['request_id'])) { wp_die(esc_html__('Missing request ID.')); } if (! isset($_GET['confirm_key'])) { wp_die(esc_html__('Missing confirm key.')); } $request_id = (int) $_GET['request_id']; $key = sanitize_text_field(wp_unslash($_GET['confirm_key'])); $result = wp_validate_user_request_key($request_id, $key); if (is_wp_error($result)) { // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- WP_Error is an object and cannot be escaped. wp_die($result); } /** * Fires an action hook when the account action has been confirmed by the user. * * Using this you can assume the user has agreed to perform the action by * clicking on the link in the confirmation email. * * After firing this action hook the page will redirect to wp-login a callback * redirects or exits first. * * @since 4.9.6 * * @param int $request_id Request ID. */ do_action('user_request_action_confirmed', $request_id); $message = _wp_privacy_account_request_confirmed_message($request_id); login_header(__('User action confirmed.'), $message); login_footer(); exit; case 'login': default: $secure_cookie = ''; $customize_login = isset($_REQUEST['customize-login']); if ($customize_login) { wp_enqueue_script('customize-base'); } // If the user wants SSL but the session is not SSL, force a secure cookie. if (! empty($_POST['log']) && ! force_ssl_admin()) { $user_name = sanitize_user(wp_unslash($_POST['log'])); $user = get_user_by('login', $user_name); if (! $user && strpos($user_name, '@')) { $user = get_user_by('email', $user_name); } if ($user) { if (get_user_option('use_ssl', $user->ID)) { $secure_cookie = true; force_ssl_admin(true); } } } if (isset($_REQUEST['redirect_to'])) { $redirect_to = sanitize_url(wp_unslash($_REQUEST['redirect_to'])); // Redirect to HTTPS if user wants SSL. if ($secure_cookie && false !== strpos($redirect_to, 'wp-admin')) { $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to); } } else { $redirect_to = admin_url(); } $reauth = empty($_REQUEST['reauth']) ? false : true; $user = wp_signon(array(), $secure_cookie); if (empty($_COOKIE[LOGGED_IN_COOKIE])) { if (headers_sent()) { $user = new WP_Error( 'test_cookie', sprintf( // translators: 1: 'ERROR', 2: 'this documentation'(Browser cookie documentation link), 3: 'support forums'(Support forums link) __('%1$s: Cookies are blocked due to unexpected output.') . ' ' . __('For help, please see %2$s or try the %3$s.'), '' . __('ERROR') . '', '' . __('this documentation') . '', '' . __('support forums') . '' ) ); } elseif (isset($_POST['testcookie']) && empty($_COOKIE[TEST_COOKIE])) { // If cookies are disabled, we can't log in even with a valid user and password. $user = new WP_Error( 'test_cookie', sprintf( // translators: 1: 'ERROR', 2: 'enable cookies'(Browser cookie documentation link) __('%1$s: Cookies are blocked or not supported by your browser.') . ' ' . __('You must %2$s to use WordPress.'), '' . __('ERROR') . '', '' . __('enable cookies') . '' ) ); } } $requested_redirect_to = isset($_REQUEST['redirect_to']) ? sanitize_url(wp_unslash($_REQUEST['redirect_to'])) : ''; /** * Filters the login redirect URL. * * @since 3.0.0 * * @param string $redirect_to The redirect destination URL. * @param string $requested_redirect_to The requested redirect destination URL passed as a parameter. * @param WP_User|WP_Error $user WP_User object if login was successful, WP_Error object otherwise. */ $redirect_to = apply_filters('login_redirect', $redirect_to, $requested_redirect_to, $user); if (! is_wp_error($user) && ! $reauth) { if ($interim_login) { $message = '

' . __('You have logged in successfully.') . '

'; $interim_login = 'success'; login_header('', $message); ?> exists() && $user->has_cap('manage_options')) { $admin_email_lifespan = (int) get_option('admin_email_lifespan'); // If `0` (or anything "falsey" as it is cast to int) is returned, the user will not be redirected // to the admin email confirmation screen. // This filter is documented in wp-login.php $admin_email_check_interval = (int) apply_filters('admin_email_check_interval', 6 * MONTH_IN_SECONDS); if ($admin_email_check_interval > 0 && time() > $admin_email_lifespan) { $redirect_to = add_query_arg( array( 'action' => 'confirm_admin_email', 'wp_lang' => get_user_locale($user), ), wp_login_url($redirect_to) ); } } if ((empty($redirect_to) || 'wp-admin/' === $redirect_to || admin_url() === $redirect_to)) { // If the user doesn't belong to a blog, send them to user admin. If the user can't edit posts, send them to their profile. if (is_multisite() && ! get_active_blog_for_user($user->ID) && ! is_super_admin($user->ID)) { $redirect_to = user_admin_url(); } elseif (is_multisite() && ! $user->has_cap('read')) { $redirect_to = get_dashboard_url($user->ID); } elseif (! $user->has_cap('edit_posts')) { $redirect_to = $user->has_cap('read') ? admin_url('profile.php') : home_url(); } wp_redirect($redirect_to); exit; } wp_safe_redirect($redirect_to); exit; } $errors = $user; // Clear errors if loggedout is set. if (! empty($_GET['loggedout']) || $reauth) { $errors = new WP_Error(); } if (empty($_POST) && $errors->get_error_codes() === array('empty_username', 'empty_password')) { $errors = new WP_Error('', ''); } if ($interim_login) { if (! $errors->has_errors()) { $errors->add('expired', __('Your session has expired. Please log in to continue where you left off.'), 'message'); // phpcs:ignore UpdraftPlus.Translation.MultipleSentence.MultipleSentenceInsideTranslationFunction -- ignore this to use WordPress translation } } else { // Some parts of this script use the main login form to display a message. if (isset($_GET['loggedout']) && sanitize_text_field(wp_unslash($_GET['loggedout']))) { $errors->add('loggedout', __('You are now logged out.'), 'message'); } elseif (isset($_GET['registration']) && 'disabled' === $_GET['registration']) { $errors->add('registerdisabled', __('Error: User registration is currently not allowed.')); } elseif (strpos($redirect_to, 'about.php?updated')) { $errors->add('updated', __('You have successfully updated WordPress! Please log back in to see what’s new.'), 'message'); } elseif (WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED === $action) { $errors->add('enter_recovery_mode', __('Recovery Mode Initialized. Please log in to continue.'), 'message'); // phpcs:ignore UpdraftPlus.Translation.MultipleSentence.MultipleSentenceInsideTranslationFunction -- ignore this to use WordPress translation } elseif (isset($_GET['redirect_to']) && false !== strpos(sanitize_url(wp_unslash($_GET['redirect_to'])), 'wp-admin/authorize-application.php')) { $query_component = wp_parse_url(sanitize_url(wp_unslash($_GET['redirect_to'])), PHP_URL_QUERY); parse_str($query_component, $query); if (! empty($query['app_name'])) { /* translators: 1: Website name, 2: Application name. */ $message = sprintf('Please log in to %1$s to authorize %2$s to connect to your account.', get_bloginfo('name', 'display'), '' . esc_html($query['app_name']) . ''); } else { /* translators: %s: Website name. */ $message = sprintf('Please log in to %s to proceed with authorization.', get_bloginfo('name', 'display')); } $errors->add('authorize_application', $message, 'message'); } } /** * Filters the login page errors. * * @since 3.6.0 * * @param WP_Error $errors WP Error object. * @param string $redirect_to Redirect destination URL. */ $errors = apply_filters('wp_login_errors', $errors, $redirect_to); // Clear any stale cookies. if ($reauth) { wp_clear_auth_cookie(); } login_header(__('Log In'), '', $errors); if (isset($_POST['log'])) { $user_login = ('incorrect_password' === $errors->get_error_code() || 'empty_password' === $errors->get_error_code()) ? esc_attr(sanitize_text_field(wp_unslash($_POST['log']))) : ''; } $rememberme = ! empty($_POST['rememberme']); $aria_describedby = ''; $has_errors = $errors->has_errors(); if ($has_errors) { $aria_describedby = ' aria-describedby="login_error"'; } if ($has_errors && 'message' === $errors->get_error_data()) { $aria_describedby = ' aria-describedby="login-message"'; } wp_enqueue_script('user-profile'); //aiowps - this check is necessary because otherwise if variables are undefined we get a warning! if (empty($user_login)) { $user_login = ''; } if (empty($error)) { $error = ''; } ?>

%s', esc_url(wp_registration_url()), __('Register')); // This filter is documented in wp-includes/general-template.php echo wp_kses_post(apply_filters('register', $registration_url)); echo esc_html($login_link_separator); } $html_link = sprintf('%s', esc_url(wp_lostpassword_url()), __('Lost your password?')); /** * Filters the link that allows the user to reset the lost password. * * @since 6.1.0 * * @param string $html_link HTML link to the lost password form. */ echo wp_kses_post(apply_filters('lost_password_html_link', $html_link)); ?>

get_error_code() === 'invalid_username') { $login_script .= 'd.value = "";'; } } $login_script .= 'd.focus(); d.select();'; $login_script .= '} catch(er) {}'; $login_script .= '}, 200);'; $login_script .= "}\n"; // End of wp_attempt_focus(). /** * Filters whether to print the call to `wp_attempt_focus()` on the login screen. * * @since 4.8.0 * * @param bool $print Whether to print the function call. Default true. */ if (apply_filters('enable_login_autofocus', true) && ! $error) { $login_script .= "wp_attempt_focus();\n"; } // Run `wpOnload()` if defined. $login_script .= "if (typeof wpOnload === 'function') { wpOnload() }"; ?>