#native_company# #native_desc#

WordPress as CMS: Implement Custom Authentication

By Sachin Khosla
on December 6, 2011

WordPress is not a blogging platform anymore. It has graduated to become a robust yet flexible CMS. The reason for WordPress’s popularity as a CMS is its wealth of freely available resources such as free themes, plugins, and so on, which let anyone customize their website with just a few clicks.

However, when using WordPress as a CMS, you might need to customize a website function for which there are no plugins. One such scenario is when you need to implement custom authentication beyond what WordPress offers with its default login system. In this article, I explore this use case and explain how to build custom authentication criteria into the built-in WordPress login system.

Custom Development with WordPress Authenticate Filter

Versions 2.8 and later of WordPress have an authenticate filter, which gets executed before WordPress authentication is processed. Unfortunately, this has not been documented well and as the WordPress Codex says, it still needs more updating.

Using this authenticate filter, let us implement the functionality to allow only administrators to log in and display an error/notice for everyone else. You might utilize this kind of functionality in various scenarios. For example, you want only administrators to access the backend when your website is under maintenance.

Here is the code:

add_filter( 'authenticate', 'add_login_validation', 10, 3 );

function add_login_validation($user, $username, $password) {

// get the user's data by login

$user = get_userdatabylogin( $username );

// get the Database object

global $wpdb;

$property = $wpdb->prefix."capabilities";

// get user's capabilities

$caps = $user->$property;

// iterate through the capabilities to check if

// he is administrator or no

if(!empty($caps)) {

foreach($caps as $key => $role) {

// when found not an admin, raise an error

if($key!='' && $key!='administrator') {

$user = new WP_Error( 'denied', __("You are not permitted. Click here to contact the <a href="mailto:[email protected]">administrator</a>.") );

remove_action('authenticate', 'wp_authenticate_username_password', 20);




return $user;


The first line (add_filter( 'authenticate', 'add_login_validation', 10, 3 );) adds a hook into the authenticate filter. Specifically, it adds the function add_login_validation to the authenticate filter with the priority 10 and 3 arguments, which are null, username and password.

The function add_login_validation simply checks the user’s capabilities based on the username entered. If the capability list contains the administrator string that means the user’s role is admin and he or she is allowed to log in to the website. If the user’s role is anything other than administrator, an error is raised and the user is not allowed to log in.

I have specified an error message that will be shown to the user (“You are not permitted. Click here to contact the administrator.”). You can change as per your requirements.

Implementing the Custom WordPress Authentication

Implementing this authentication check is pretty easy in WordPress. Using an FTP client, browse to the active theme folder of your WordPress blog. You will find a functions.php file in the folder. If it does not exist, create one. Simply paste the above code at the end of the file.

Now try to log in as a user other than administrator. The site will not grant you access. If you want to turn this off, simply comment the code in functions.php or delete the lines of code added.

Alternatively, you can create one plugin for the same purpose and activate it from the backend. This will allow you to easily distribute the code.

Feel free to extend this code to add your own authentication rules.

Comment and Contribute

Your comment has been submitted and is pending approval.


Sachin Khosla