
PHP Cross Reference of WordPress


/ -> wp-login.php (source)

   1  <?php
   2  /**
   3   * WordPress User Page
   4   *
   5   * Handles authentication, registering, resetting passwords, forgot password,
   6   * and other user handling.
   7   *
   8   * @package WordPress
   9   */
  10  
  11  /** Make sure that the WordPress bootstrap has run before continuing. */
  12  require( dirname( __FILE__ ) . '/wp-load.php' );
  13  
  14  // Redirect to HTTPS login if forced to use SSL.
  15  if ( force_ssl_admin() && ! is_ssl() ) {
  16      if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {
  17          wp_safe_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
  18          exit();
  19      } else {
  20          wp_safe_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
  21          exit();
  22      }
  23  }
  24  
  25  /**
  26   * Output the login page header.
  27   *
  28   * @since 2.1.0
  29   *
  30   * @global string      $error         Login error message set by deprecated pluggable wp_login() function
  31   *                                    or plugins replacing it.
  32   * @global bool|string $interim_login Whether interim login modal is being displayed. String 'success'
  33   *                                    upon successful login.
  34   * @global string      $action        The action that brought the visitor to the login page.
  35   *
  36   * @param string   $title    Optional. WordPress login Page title to display in the `<title>` element.
  37   *                           Default 'Log In'.
  38   * @param string   $message  Optional. Message to display in header. Default empty.
  39   * @param WP_Error $wp_error Optional. The error to pass. Default is a WP_Error instance.
  40   */
  41  function login_header( $title = 'Log In', $message = '', $wp_error = null ) {
  42      global $error, $interim_login, $action;
  43  
  44      // Don't index any of these forms
  45      add_action( 'login_head', 'wp_sensitive_page_meta' );
  46  
  47      add_action( 'login_head', 'wp_login_viewport_meta' );
  48  
  49      if ( ! is_wp_error( $wp_error ) ) {
  50          $wp_error = new WP_Error();
  51      }
  52  
  53      // Shake it!
  54      $shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password', 'retrieve_password_email_failure' );
  55      /**
  56       * Filters the error codes array for shaking the login form.
  57       *
  58       * @since 3.0.0
  59       *
  60       * @param array $shake_error_codes Error codes that shake the login form.
  61       */
  62      $shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );
  63  
  64      if ( $shake_error_codes && $wp_error->has_errors() && in_array( $wp_error->get_error_code(), $shake_error_codes, true ) ) {
  65          add_action( 'login_head', 'wp_shake_js', 12 );
  66      }
  67  
  68      $login_title = get_bloginfo( 'name', 'display' );
  69  
  70      /* translators: Login screen title. 1: Login screen name, 2: Network or site name. */
  71      $login_title = sprintf( __( '%1$s &lsaquo; %2$s &#8212; WordPress' ), $title, $login_title );
  72  
  73      if ( wp_is_recovery_mode() ) {
  74          /* translators: %s: Login screen title. */
  75          $login_title = sprintf( __( 'Recovery Mode &#8212; %s' ), $login_title );
  76      }
  77  
  78      /**
  79       * Filters the title tag content for login page.
  80       *
  81       * @since 4.9.0
  82       *
  83       * @param string $login_title The page title, with extra context added.
  84       * @param string $title       The original page title.
  85       */
  86      $login_title = apply_filters( 'login_title', $login_title, $title );
  87  
  88      ?><!DOCTYPE html>
  89      <!--[if IE 8]>
  90          <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" <?php language_attributes(); ?>>
  91      <![endif]-->
  92      <!--[if !(IE 8) ]><!-->
  93          <html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
  94      <!--<![endif]-->
  95      <head>
  96      <meta http-equiv="Content-Type" content="<?php bloginfo( 'html_type' ); ?>; charset=<?php bloginfo( 'charset' ); ?>" />
  97      <title><?php echo $login_title; ?></title>
  98      <?php
  99  
 100      wp_enqueue_style( 'login' );
 101  
 102      /*
 103       * Remove all stored post data on logging out.
 104       * This could be added by add_action('login_head'...) like wp_shake_js(),
 105       * but maybe better if it's not removable by plugins.
 106       */
 107      if ( 'loggedout' === $wp_error->get_error_code() ) {
 108          ?>
 109          <script>if("sessionStorage" in window){try{for(var key in sessionStorage){if(key.indexOf("wp-autosave-")!=-1){sessionStorage.removeItem(key)}}}catch(e){}};</script>
 110          <?php
 111      }
 112  
 113      /**
 114       * Enqueue scripts and styles for the login page.
 115       *
 116       * @since 3.1.0
 117       */
 118      do_action( 'login_enqueue_scripts' );
 119  
 120      /**
 121       * Fires in the login page header after scripts are enqueued.
 122       *
 123       * @since 2.1.0
 124       */
 125      do_action( 'login_head' );
 126  
 127      $login_header_url = __( 'https://wordpress.org/' );
 128  
 129      /**
 130       * Filters link URL of the header logo above login form.
 131       *
 132       * @since 2.1.0
 133       *
 134       * @param string $login_header_url Login header logo URL.
 135       */
 136      $login_header_url = apply_filters( 'login_headerurl', $login_header_url );
 137  
 138      $login_header_title = '';
 139  
 140      /**
 141       * Filters the title attribute of the header logo above login form.
 142       *
 143       * @since 2.1.0
 144       * @deprecated 5.2.0 Use {@see 'login_headertext'} instead.
 145       *
 146       * @param string $login_header_title Login header logo title attribute.
 147       */
 148      $login_header_title = apply_filters_deprecated(
 149          'login_headertitle',
 150          array( $login_header_title ),
 151          '5.2.0',
 152          'login_headertext',
 153          __( 'Usage of the title attribute on the login logo is not recommended for accessibility reasons. Use the link text instead.' )
 154      );
 155  
 156      $login_header_text = empty( $login_header_title ) ? __( 'Powered by WordPress' ) : $login_header_title;
 157  
 158      /**
 159       * Filters the link text of the header logo above the login form.
 160       *
 161       * @since 5.2.0
 162       *
 163       * @param string $login_header_text The login header logo link text.
 164       */
 165      $login_header_text = apply_filters( 'login_headertext', $login_header_text );
 166  
 167      $classes = array( 'login-action-' . $action, 'wp-core-ui' );
 168  
 169      if ( is_rtl() ) {
 170          $classes[] = 'rtl';
 171      }
 172  
 173      if ( $interim_login ) {
 174          $classes[] = 'interim-login';
 175  
 176          ?>
 177          <style type="text/css">html{background-color: transparent;}</style>
 178          <?php
 179  
 180          if ( 'success' === $interim_login ) {
 181              $classes[] = 'interim-login-success';
 182          }
 183      }
 184  
 185      $classes[] = ' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_locale() ) ) );
 186  
 187      /**
 188       * Filters the login page body classes.
 189       *
 190       * @since 3.5.0
 191       *
 192       * @param array  $classes An array of body classes.
 193       * @param string $action  The action that brought the visitor to the login page.
 194       */
 195      $classes = apply_filters( 'login_body_class', $classes, $action );
 196  
 197      ?>
 198      </head>
 199      <body class="login no-js <?php echo esc_attr( implode( ' ', $classes ) ); ?>">
 200      <script type="text/javascript">
 201          document.body.className = document.body.className.replace('no-js','js');
 202      </script>
 203      <?php
 204      /**
 205       * Fires in the login page header after the body tag is opened.
 206       *
 207       * @since 4.6.0
 208       */
 209      do_action( 'login_header' );
 210  
 211      ?>
 212      <div id="login">
 213          <h1><a href="<?php echo esc_url( $login_header_url ); ?>"><?php echo $login_header_text; ?></a></h1>
 214      <?php
 215      /**
 216       * Filters the message to display above the login form.
 217       *
 218       * @since 2.1.0
 219       *
 220       * @param string $message Login message text.
 221       */
 222      $message = apply_filters( 'login_message', $message );
 223  
 224      if ( ! empty( $message ) ) {
 225          echo $message . "\n";
 226      }
 227  
 228      // In case a plugin uses $error rather than the $wp_errors object.
 229      if ( ! empty( $error ) ) {
 230          $wp_error->add( 'error', $error );
 231          unset( $error );
 232      }
 233  
 234      if ( $wp_error->has_errors() ) {
 235          $errors   = '';
 236          $messages = '';
 237  
 238          foreach ( $wp_error->get_error_codes() as $code ) {
 239              $severity = $wp_error->get_error_data( $code );
 240              foreach ( $wp_error->get_error_messages( $code ) as $error_message ) {
 241                  if ( 'message' === $severity ) {
 242                      $messages .= '    ' . $error_message . "<br />\n";
 243                  } else {
 244                      $errors .= '    ' . $error_message . "<br />\n";
 245                  }
 246              }
 247          }
 248  
 249          if ( ! empty( $errors ) ) {
 250              /**
 251               * Filters the error messages displayed above the login form.
 252               *
 253               * @since 2.1.0
 254               *
 255               * @param string $errors Login error message.
 256               */
 257              echo '<div id="login_error">' . apply_filters( 'login_errors', $errors ) . "</div>\n";
 258          }
 259  
 260          if ( ! empty( $messages ) ) {
 261              /**
 262               * Filters instructional messages displayed above the login form.
 263               *
 264               * @since 2.5.0
 265               *
 266               * @param string $messages Login messages.
 267               */
 268              echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n";
 269          }
 270      }
 271  } // End of login_header()
 272  
 273  /**
 274   * Outputs the footer for the login page.
 275   *
 276   * @since 3.1.0
 277   *
 278   * @global bool|string $interim_login Whether interim login modal is being displayed. String 'success'
 279   *                                    upon successful login.
 280   *
 281   * @param string $input_id Which input to auto-focus.
 282   */
 283  function login_footer( $input_id = '' ) {
 284      global $interim_login;
 285  
 286      // Don't allow interim logins to navigate away from the page.
 287      if ( ! $interim_login ) {
 288          ?>
 289          <p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>">
 290          <?php
 291  
 292          /* translators: %s: Site title. */
 293          printf( _x( '&larr; Back to %s', 'site' ), get_bloginfo( 'title', 'display' ) );
 294  
 295          ?>
 296          </a></p>
 297          <?php
 298  
 299          the_privacy_policy_link( '<div class="privacy-policy-page-link">', '</div>' );
 300      }
 301  
 302      ?>
 303      </div><?php // End of <div id="login"> ?>
 304  
 305      <?php
 306  
 307      if ( ! empty( $input_id ) ) {
 308          ?>
 309          <script type="text/javascript">
 310          try{document.getElementById('<?php echo $input_id; ?>').focus();}catch(e){}
 311          if(typeof wpOnload=='function')wpOnload();
 312          </script>
 313          <?php
 314      }
 315  
 316      /**
 317       * Fires in the login page footer.
 318       *
 319       * @since 3.1.0
 320       */
 321      do_action( 'login_footer' );
 322  
 323      ?>
 324      <div class="clear"></div>
 325      </body>
 326      </html>
 327      <?php
 328  }
 329  
 330  /**
 331   * Outputs the Javascript to handle the form shaking.
 332   *
 333   * @since 3.0.0
 334   */
 335  function wp_shake_js() {
 336      ?>
 337      <script type="text/javascript">
 338      addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
 339      function s(id,pos){g(id).left=pos+'px';}
 340      function g(id){return document.getElementById(id).style;}
 341  	function shake(id,a,d){c=a.shift();s(id,c);if(a.length>0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}
 342      addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});
 343      </script>
 344      <?php
 345  }
 346  
 347  /**
 348   * Outputs the viewport meta tag.
 349   *
 350   * @since 3.7.0
 351   */
 352  function wp_login_viewport_meta() {
 353      ?>
 354      <meta name="viewport" content="width=device-width" />
 355      <?php
 356  }
 357  
 358  /**
 359   * Handles sending password retrieval email to user.
 360   *
 361   * @since 2.5.0
 362   *
 363   * @return bool|WP_Error True: when finish. WP_Error on error
 364   */
 365  function retrieve_password() {
 366      $errors    = new WP_Error();
 367      $user_data = false;
 368  
 369      if ( empty( $_POST['user_login'] ) || ! is_string( $_POST['user_login'] ) ) {
 370          $errors->add( 'empty_username', __( '<strong>ERROR</strong>: Enter a username or email address.' ) );
 371      } elseif ( strpos( $_POST['user_login'], '@' ) ) {
 372          $user_data = get_user_by( 'email', trim( wp_unslash( $_POST['user_login'] ) ) );
 373          if ( empty( $user_data ) ) {
 374              $errors->add( 'invalid_email', __( '<strong>ERROR</strong>: There is no account with that username or email address.' ) );
 375          }
 376      } else {
 377          $login     = trim( wp_unslash( $_POST['user_login'] ) );
 378          $user_data = get_user_by( 'login', $login );
 379      }
 380  
 381      /**
 382       * Fires before errors are returned from a password reset request.
 383       *
 384       * @since 2.1.0
 385       * @since 4.4.0 Added the `$errors` parameter.
 386       * @since 5.4.0 Added the `$user_data` parameter.
 387       *
 388       * @param WP_Error $errors A WP_Error object containing any errors generated
 389       *                         by using invalid credentials.
 390       * @param WP_User|false    WP_User object if found, false if the user does not exist.
 391       */
 392      do_action( 'lostpassword_post', $errors, $user_data );
 393  
 394      if ( $errors->has_errors() ) {
 395          return $errors;
 396      }
 397  
 398      if ( ! $user_data ) {
 399          $errors->add( 'invalidcombo', __( '<strong>ERROR</strong>: There is no account with that username or email address.' ) );
 400          return $errors;
 401      }
 402  
 403      // Redefining user_login ensures we return the right case in the email.
 404      $user_login = $user_data->user_login;
 405      $user_email = $user_data->user_email;
 406      $key        = get_password_reset_key( $user_data );
 407  
 408      if ( is_wp_error( $key ) ) {
 409          return $key;
 410      }
 411  
 412      if ( is_multisite() ) {
 413          $site_name = get_network()->site_name;
 414      } else {
 415          /*
 416           * The blogname option is escaped with esc_html on the way into the database
 417           * in sanitize_option we want to reverse this for the plain text arena of emails.
 418           */
 419          $site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
 420      }
 421  
 422      $message = __( 'Someone has requested a password reset for the following account:' ) . "\r\n\r\n";
 423      /* translators: %s: Site name. */
 424      $message .= sprintf( __( 'Site Name: %s' ), $site_name ) . "\r\n\r\n";
 425      /* translators: %s: User login. */
 426      $message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
 427      $message .= __( 'If this was a mistake, just ignore this email and nothing will happen.' ) . "\r\n\r\n";
 428      $message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
 429      $message .= '<' . network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . ">\r\n";
 430  
 431      /* translators: Password reset notification email subject. %s: Site title. */
 432      $title = sprintf( __( '[%s] Password Reset' ), $site_name );
 433  
 434      /**
 435       * Filters the subject of the password reset email.
 436       *
 437       * @since 2.8.0
 438       * @since 4.4.0 Added the `$user_login` and `$user_data` parameters.
 439       *
 440       * @param string  $title      Default email title.
 441       * @param string  $user_login The username for the user.
 442       * @param WP_User $user_data  WP_User object.
 443       */
 444      $title = apply_filters( 'retrieve_password_title', $title, $user_login, $user_data );
 445  
 446      /**
 447       * Filters the message body of the password reset mail.
 448       *
 449       * If the filtered message is empty, the password reset email will not be sent.
 450       *
 451       * @since 2.8.0
 452       * @since 4.1.0 Added `$user_login` and `$user_data` parameters.
 453       *
 454       * @param string  $message    Default mail message.
 455       * @param string  $key        The activation key.
 456       * @param string  $user_login The username for the user.
 457       * @param WP_User $user_data  WP_User object.
 458       */
 459      $message = apply_filters( 'retrieve_password_message', $message, $key, $user_login, $user_data );
 460  
 461      if ( $message && ! wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) ) {
 462          $errors->add(
 463              'retrieve_password_email_failure',
 464              sprintf(
 465                  /* translators: %s: Documentation URL. */
 466                  __( '<strong>ERROR</strong>: The email could not be sent. Your site may not be correctly configured to send emails. <a href="%s">Get support for resetting your password</a>.' ),
 467                  esc_url( __( 'https://wordpress.org/support/article/resetting-your-password/' ) )
 468              )
 469          );
 470          return $errors;
 471      }
 472  
 473      return true;
 474  }
 475  
 476  //
 477  // Main.
 478  //
 479  
 480  $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
 481  $errors = new WP_Error();
 482  
 483  if ( isset( $_GET['key'] ) ) {
 484      $action = 'resetpass';
 485  }
 486  
 487  $default_actions = array(
 488      'confirm_admin_email',
 489      'postpass',
 490      'logout',
 491      'lostpassword',
 492      'retrievepassword',
 493      'resetpass',
 494      'rp',
 495      'register',
 496      'login',
 497      'confirmaction',
 498      WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED,
 499  );
 500  
 501  // Validate action so as to default to the login screen.
 502  if ( ! in_array( $action, $default_actions, true ) && false === has_filter( 'login_form_' . $action ) ) {
 503      $action = 'login';
 504  }
 505  
 506  nocache_headers();
 507  
 508  header( 'Content-Type: ' . get_bloginfo( 'html_type' ) . '; charset=' . get_bloginfo( 'charset' ) );
 509  
 510  if ( defined( 'RELOCATE' ) && RELOCATE ) { // Move flag is set
 511      if ( isset( $_SERVER['PATH_INFO'] ) && ( $_SERVER['PATH_INFO'] !== $_SERVER['PHP_SELF'] ) ) {
 512          $_SERVER['PHP_SELF'] = str_replace( $_SERVER['PATH_INFO'], '', $_SERVER['PHP_SELF'] );
 513      }
 514  
 515      $url = dirname( set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] ) );
 516  
 517      if ( $url !== get_option( 'siteurl' ) ) {
 518          update_option( 'siteurl', $url );
 519      }
 520  }
 521  
 522  //Set a cookie now to see if they are supported by the browser.
 523  $secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) );
 524  setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure );
 525  
 526  if ( SITECOOKIEPATH != COOKIEPATH ) {
 527      setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
 528  }
 529  
 530  /**
 531   * Fires when the login form is initialized.
 532   *
 533   * @since 3.2.0
 534   */
 535  do_action( 'login_init' );
 536  
 537  /**
 538   * Fires before a specified login form action.
 539   *
 540   * The dynamic portion of the hook name, `$action`, refers to the action
 541   * that brought the visitor to the login form. Actions include 'postpass',
 542   * 'logout', 'lostpassword', etc.
 543   *
 544   * @since 2.8.0
 545   */
 546  do_action( "login_form_{$action}" );
 547  
 548  $http_post     = ( 'POST' === $_SERVER['REQUEST_METHOD'] );
 549  $interim_login = isset( $_REQUEST['interim-login'] );
 550  
 551  /**
 552   * Filters the separator used between login form navigation links.
 553   *
 554   * @since 4.9.0
 555   *
 556   * @param string $login_link_separator The separator used between login form navigation links.
 557   */
 558  $login_link_separator = apply_filters( 'login_link_separator', ' | ' );
 559  
 560  switch ( $action ) {
 561  
 562      case 'confirm_admin_email':
 563          // Note that `is_user_logged_in()` will return false immediately after logging in
 564          // as the current user is not set, see wp-includes/pluggable.php.
 565          // However this action runs on a redirect after logging in.
 566          if ( ! is_user_logged_in() ) {
 567              wp_safe_redirect( wp_login_url() );
 568              exit;
 569          }
 570  
 571          if ( ! empty( $_REQUEST['redirect_to'] ) ) {
 572              $redirect_to = $_REQUEST['redirect_to'];
 573          } else {
 574              $redirect_to = admin_url();
 575          }
 576  
 577          if ( current_user_can( 'manage_options' ) ) {
 578              $admin_email = get_option( 'admin_email' );
 579          } else {
 580              wp_safe_redirect( $redirect_to );
 581              exit;
 582          }
 583  
 584          if ( ! empty( $_GET['remind_me_later'] ) ) {
 585              if ( ! wp_verify_nonce( $_GET['remind_me_later'], 'remind_me_later_nonce' ) ) {
 586                  wp_safe_redirect( wp_login_url() );
 587                  exit;
 588              }
 589  
 590              // "Remind me later" is a bit ambiguous. Three days later?
 591              update_option( 'admin_email_lifespan', time() + 3 * DAY_IN_SECONDS );
 592  
 593              wp_safe_redirect( $redirect_to );
 594              exit;
 595          }
 596  
 597          if ( ! empty( $_POST['correct-admin-email'] ) ) {
 598              if ( ! check_admin_referer( 'confirm_admin_email', 'confirm_admin_email_nonce' ) ) {
 599                  wp_safe_redirect( wp_login_url() );
 600                  exit;
 601              }
 602  
 603              /**
 604               * Filters the interval for redirecting the user to the admin email confirmation screen.
 605               * If `0` (zero) is returned, the user will not be redirected.
 606               *
 607               * @since 5.3.0
 608               *
 609               * @param int $interval Interval time (in seconds).
 610               */
 611              $admin_email_check_interval = (int) apply_filters( 'admin_email_check_interval', 6 * MONTH_IN_SECONDS );
 612  
 613              if ( $admin_email_check_interval > 0 ) {
 614                  update_option( 'admin_email_lifespan', time() + $admin_email_check_interval );
 615              }
 616  
 617              wp_safe_redirect( $redirect_to );
 618              exit;
 619          }
 620  
 621          login_header( __( 'Confirm your administration email' ), '', $errors );
 622  
 623          /**
 624          * Fires before the admin email confirm form.
 625          *
 626          * @since 5.3.0
 627          *
 628          * @param WP_Error $errors A `WP_Error` object containing any errors generated by using invalid credentials. Note that the error object may not contain any errors.
 629          */
 630          do_action( 'admin_email_confirm', $errors );
 631  
 632          ?>
 633  
 634          <form class="admin-email-confirm-form" name="admin-email-confirm-form" action="<?php echo esc_url( site_url( 'wp-login.php?action=confirm_admin_email', 'login_post' ) ); ?>" method="post">
 635              <?php
 636              /**
 637              * Fires inside the admin-email-confirm-form form tags, before the hidden fields.
 638              *
 639              * @since 5.3.0
 640              */
 641              do_action( 'admin_email_confirm_form' );
 642  
 643              wp_nonce_field( 'confirm_admin_email', 'confirm_admin_email_nonce' );
 644  
 645              ?>
 646              <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
 647  
 648              <h1 class="admin-email__heading">
 649                  <?php _e( 'Administration email verification' ); ?>
 650              </h1>
 651              <p class="admin-email__details">
 652                  <?php _e( 'Please verify that the <strong>administration email</strong> for this website is still correct.' ); ?>
 653                  <?php
 654  
 655                  /* translators: URL to the WordPress help section about admin email. */
 656                  $admin_email_help_url = __( 'https://wordpress.org/support/article/settings-general-screen/#email-address' );
 657  
 658                  /* translators: accessibility text */
 659                  $accessibility_text = sprintf( '<span class="screen-reader-text"> %s</span>', __( '(opens in a new tab)' ) );
 660  
 661                  printf(
 662                      '<a href="%s" rel="noopener noreferrer" target="_blank">%s%s</a>',
 663                      esc_url( $admin_email_help_url ),
 664                      __( 'Why is this important?' ),
 665                      $accessibility_text
 666                  );
 667  
 668                  ?>
 669              </p>
 670              <p class="admin-email__details">
 671                  <?php
 672  
 673                  printf(
 674                      /* translators: %s: Admin email address. */
 675                      __( 'Current administration email: %s' ),
 676                      '<strong>' . esc_html( $admin_email ) . '</strong>'
 677                  );
 678  
 679                  ?>
 680              </p>
 681              <p class="admin-email__details">
 682                  <?php _e( 'This email may be different from your personal email address.' ); ?>
 683              </p>
 684  
 685              <div class="admin-email__actions">
 686                  <div class="admin-email__actions-primary">
 687                      <?php
 688  
 689                      $change_link = admin_url( 'options-general.php' );
 690                      $change_link = add_query_arg( 'highlight', 'confirm_admin_email', $change_link );
 691  
 692                      ?>
 693                      <a class="button button-large" href="<?php echo esc_url( $change_link ); ?>"><?php _e( 'Update' ); ?></a>
 694                      <input type="submit" name="correct-admin-email" id="correct-admin-email" class="button button-primary button-large" value="<?php esc_attr_e( 'The email is correct' ); ?>" />
 695                  </div>
 696                  <div class="admin-email__actions-secondary">
 697                      <?php
 698  
 699                      $remind_me_link = wp_login_url( $redirect_to );
 700                      $remind_me_link = add_query_arg(
 701                          array(
 702                              'action'          => 'confirm_admin_email',
 703                              'remind_me_later' => wp_create_nonce( 'remind_me_later_nonce' ),
 704                          ),
 705                          $remind_me_link
 706                      );
 707  
 708                      ?>
 709                      <a href="<?php echo esc_url( $remind_me_link ); ?>"><?php _e( 'Remind me later' ); ?></a>
 710                  </div>
 711              </div>
 712          </form>
 713  
 714          <?php
 715  
 716          login_footer();
 717          break;
 718  
 719      case 'postpass':
 720          if ( ! array_key_exists( 'post_password', $_POST ) ) {
 721              wp_safe_redirect( wp_get_referer() );
 722              exit;
 723          }
 724  
 725          require_once  ABSPATH . WPINC . '/class-phpass.php';
 726          $hasher = new PasswordHash( 8, true );
 727  
 728          /**
 729           * Filters the life span of the post password cookie.
 730           *
 731           * By default, the cookie expires 10 days from creation. To turn this
 732           * into a session cookie, return 0.
 733           *
 734           * @since 3.7.0
 735           *
 736           * @param int $expires The expiry time, as passed to setcookie().
 737           */
 738          $expire  = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
 739          $referer = wp_get_referer();
 740  
 741          if ( $referer ) {
 742              $secure = ( 'https' === parse_url( $referer, PHP_URL_SCHEME ) );
 743          } else {
 744              $secure = false;
 745          }
 746  
 747          setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );
 748  
 749          wp_safe_redirect( wp_get_referer() );
 750          exit();
 751  
 752      case 'logout':
 753          check_admin_referer( 'log-out' );
 754  
 755          $user = wp_get_current_user();
 756  
 757          wp_logout();
 758  
 759          if ( ! empty( $_REQUEST['redirect_to'] ) ) {
 760              $redirect_to           = $_REQUEST['redirect_to'];
 761              $requested_redirect_to = $redirect_to;
 762          } else {
 763              $redirect_to = add_query_arg(
 764                  array(
 765                      'loggedout' => 'true',
 766                      'wp_lang'   => get_user_locale( $user ),
 767                  ),
 768                  wp_login_url()
 769              );
 770  
 771              $requested_redirect_to = '';
 772          }
 773  
 774          /**
 775           * Filters the log out redirect URL.
 776           *
 777           * @since 4.2.0
 778           *
 779           * @param string  $redirect_to           The redirect destination URL.
 780           * @param string  $requested_redirect_to The requested redirect destination URL passed as a parameter.
 781           * @param WP_User $user                  The WP_User object for the user that's logging out.
 782           */
 783          $redirect_to = apply_filters( 'logout_redirect', $redirect_to, $requested_redirect_to, $user );
 784  
 785          wp_safe_redirect( $redirect_to );
 786          exit();
 787  
 788      case 'lostpassword':
 789      case 'retrievepassword':
              // Lost-password request form. On a form submission retrieve_password() (defined
              // elsewhere) does the work; otherwise, or when it returns an error, the form is
              // rendered. $http_post is set earlier in the file (not visible here);
              // presumably true for POST requests.
 790          if ( $http_post ) {
 791              $errors = retrieve_password();
 792  
 793              if ( ! is_wp_error( $errors ) ) {
                      // Request-supplied destination, used only through wp_safe_redirect(), which
                      // rejects hosts outside WordPress's allowed redirect hosts.
 794                  $redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?checkemail=confirm';
 795                  wp_safe_redirect( $redirect_to );
 796                  exit();
 797              }
 798          }
 799  
              // The 'error' query value is only compared strictly against two fixed codes and is
              // never echoed; the messages shown are fixed translated strings. These codes are
              // the ones the resetpass/rp case redirects here with.
              // NOTE(review): on a GET request $errors must already be a WP_Error from earlier
              // in the file (not visible here) for ->add() to work.
 800          if ( isset( $_GET['error'] ) ) {
 801              if ( 'invalidkey' === $_GET['error'] ) {
 802                  $errors->add( 'invalidkey', __( 'Your password reset link appears to be invalid. Please request a new link below.' ) );
 803              } elseif ( 'expiredkey' === $_GET['error'] ) {
 804                  $errors->add( 'expiredkey', __( 'Your password reset link has expired. Please request a new link below.' ) );
 805              }
 806          }
 807  
 808          $lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
 809          /**
 810           * Filters the URL redirected to after submitting the lostpassword/retrievepassword form.
 811           *
 812           * @since 3.0.0
 813           *
 814           * @param string $lostpassword_redirect The redirect destination URL.
 815           */
 816          $redirect_to = apply_filters( 'lostpassword_redirect', $lostpassword_redirect );
 817  
 818          /**
 819           * Fires before the lost password form.
 820           *
 821           * @since 1.5.1
 822           * @since 5.1.0 Added the `$errors` parameter.
 823           *
 824           * @param WP_Error $errors A `WP_Error` object containing any errors generated by using invalid
 825           *                         credentials. Note that the error object may not contain any errors.
 826           */
 827          do_action( 'lost_password', $errors );
 828  
 829          login_header( __( 'Lost Password' ), '<p class="message">' . __( 'Please enter your username or email address. You will receive a link to create a new password via email.' ) . '</p>', $errors );
 830  
 831          $user_login = '';
 832  
              // Only a string is accepted, so an array-valued parameter (user_login[]=...) is
              // ignored. The value is echoed back into the form below through esc_attr().
 833          if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
 834              $user_login = wp_unslash( $_POST['user_login'] );
 835          }
 836  
 837          ?>
 838  
 839          <form name="lostpasswordform" id="lostpasswordform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>" method="post">
 840              <p>
 841                  <label for="user_login"><?php _e( 'Username or Email Address' ); ?></label>
 842                  <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" />
 843              </p>
 844              <?php
 845  
 846              /**
 847               * Fires inside the lostpassword form tags, before the hidden fields.
 848               *
 849               * @since 2.1.0
 850               */
 851              do_action( 'lostpassword_form' );
 852  
                  // The hidden redirect_to field that follows carries the request-derived
                  // (and filtered) value. It is escaped for the attribute context here and
                  // checked by wp_safe_redirect() when the form posts back.
 853              ?>
 854              <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
 855              <p class="submit">
 856                  <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e( 'Get New Password' ); ?>" />
 857              </p>
 858          </form>
 859  
 860          <p id="nav">
 861              <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a>
 862              <?php
 863  
 864              if ( get_option( 'users_can_register' ) ) {
 865                  $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );
 866  
 867                  echo esc_html( $login_link_separator );
 868  
                      // The filtered value is echoed as HTML without further escaping, so
                      // callbacks on 'register' are trusted to return safe markup.
 869                  /** This filter is documented in wp-includes/general-template.php */
 870                  echo apply_filters( 'register', $registration_url );
 871              }
 872  
 873              ?>
 874          </p>
 875          <?php
 876  
 877          login_footer( 'user_login' );
 878          break;
 879  
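 880      case 'resetpass':
 881      case 'rp':
              // Password reset. The emailed link carries ?key=...&login=...; the first request
              // moves both values into a cookie and redirects to the same URL without them,
              // and the following requests read the pair back from that cookie.
              // Presumably this keeps the reset key out of the address bar, browser history
              // and Referer headers while the form is displayed.
 882          list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
 883          $rp_cookie       = 'wp-resetpass-' . COOKIEHASH;
 884  
              // Both parameters are required, because the cookie value is built from the pair.
              // The cookie is a session cookie (expiry 0), scoped to this script's path, Secure
              // when the request is HTTPS, and HttpOnly (last argument) so page scripts cannot
              // read the reset key.
 885          if ( isset( $_GET['key'] ) && isset( $_GET['login'] ) ) {
 886              $value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
 887              setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
 888  
 889              wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );
 890              exit;
 891          }
 892  
              // `0 < strpos()` requires a ':' that is not the first character, i.e. a non-empty
              // login part. The explode() limit of 2 splits at the first ':' only.
 893          if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) {
 894              list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
 895  
                  // Yields a WP_User when login and key match, a WP_Error otherwise (see the
                  // 'validate_password_reset' docblock below).
 896              $user = check_password_reset_key( $rp_key, $rp_login );
 897  
                  // On form submission the posted rp_key must equal the key held in the cookie.
                  // hash_equals() compares in constant time. A missing or non-string rp_key is
                  // rejected up front instead of being passed to hash_equals(), which accepts
                  // strings only; the outcome is the same fail-closed $user = false.
 898              if ( isset( $_POST['pass1'] ) && ( ! isset( $_POST['rp_key'] ) || ! is_string( $_POST['rp_key'] ) || ! hash_equals( $rp_key, $_POST['rp_key'] ) ) ) {
 899                  $user = false;
 900              }
 901          } else {
 902              $user = false;
 903          }
 904  
              // Any failure expires the cookie and sends the visitor back to the lost-password
              // form with a fixed error code. Both destinations are fixed strings passed
              // through site_url(), so no request data reaches wp_redirect() here.
 905          if ( ! $user || is_wp_error( $user ) ) {
 906              setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
 907  
 908              if ( $user && $user->get_error_code() === 'expired_key' ) {
 909                  wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
 910              } else {
 911                  wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) );
 912              }
 913  
 914              exit;
 915          }
 916  
 917          $errors = new WP_Error();
 918  
              // Strict comparison: with a loose `!=`, two different numeric-looking strings
              // (for example '1e3' and '1000') compare as equal, and the confirmation field
              // would not catch the mismatch.
 919          if ( isset( $_POST['pass1'] ) && $_POST['pass1'] !== $_POST['pass2'] ) {
 920              $errors->add( 'password_reset_mismatch', __( 'The passwords do not match.' ) );
 921          }
 922  
 923          /**
 924           * Fires before the password reset procedure is validated.
 925           *
 926           * @since 3.5.0
 927           *
 928           * @param WP_Error         $errors WP Error object.
 929           * @param WP_User|WP_Error $user   WP_User object if the login and reset key match. WP_Error object otherwise.
 930           */
 931          do_action( 'validate_password_reset', $errors, $user );
 932  
              // The password is changed only when neither the mismatch check nor any
              // 'validate_password_reset' callback added an error. The reset cookie is
              // expired straight afterwards, so this page cannot be re-submitted with it.
 933          if ( ( ! $errors->has_errors() ) && isset( $_POST['pass1'] ) && ! empty( $_POST['pass1'] ) ) {
 934              reset_password( $user, $_POST['pass1'] );
 935              setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
 936              login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' );
 937              login_footer();
 938              exit;
 939          }
 940  
 941          wp_enqueue_script( 'utils' );
 942          wp_enqueue_script( 'user-profile' );
 943  
 944          login_header( __( 'Reset Password' ), '<p class="message reset-pass">' . __( 'Enter your new password below.' ) . '</p>', $errors );
 945  
              // In the form below, the cookie-derived $rp_login and $rp_key are written into
              // attributes through esc_attr(); the data-pw attribute carries a freshly
              // generated 16-character password suggestion.
 946          ?>
 947          <form name="resetpassform" id="resetpassform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=resetpass', 'login_post' ) ); ?>" method="post" autocomplete="off">
 948              <input type="hidden" id="user_login" value="<?php echo esc_attr( $rp_login ); ?>" autocomplete="off" />
 949  
 950              <div class="user-pass1-wrap">
 951                  <p>
 952                      <label for="pass1"><?php _e( 'New password' ); ?></label>
 953                  </p>
 954  
 955                  <div class="wp-pwd">
 956                      <input type="password" data-reveal="1" data-pw="<?php echo esc_attr( wp_generate_password( 16 ) ); ?>" name="pass1" id="pass1" class="input password-input" size="24" value="" autocomplete="off" aria-describedby="pass-strength-result" />
 957  
 958                      <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e( 'Hide password' ); ?>">
 959                          <span class="dashicons dashicons-hidden" aria-hidden="true"></span>
 960                      </button>
 961                      <div id="pass-strength-result" class="hide-if-no-js" aria-live="polite"><?php _e( 'Strength indicator' ); ?></div>
 962                  </div>
 963                  <div class="pw-weak">
 964                      <input type="checkbox" name="pw_weak" id="pw-weak" class="pw-checkbox" />
 965                      <label for="pw-weak"><?php _e( 'Confirm use of weak password' ); ?></label>
 966                  </div>
 967              </div>
 968  
 969              <p class="user-pass2-wrap">
 970                  <label for="pass2"><?php _e( 'Confirm new password' ); ?></label>
 971                  <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="off" />
 972              </p>
 973  
 974              <p class="description indicator-hint"><?php echo wp_get_password_hint(); ?></p>
 975              <br class="clear" />
 976  
 977              <?php
 978  
 979              /**
 980               * Fires following the 'Strength indicator' meter in the user password reset form.
 981               *
 982               * @since 3.9.0
 983               *
 984               * @param WP_User $user User object of the user whose password is being reset.
 985               */
 986              do_action( 'resetpass_form', $user );
 987  
 988              ?>
 989              <input type="hidden" name="rp_key" value="<?php echo esc_attr( $rp_key ); ?>" />
 990              <p class="submit">
 991                  <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e( 'Reset Password' ); ?>" />
 992              </p>
 993          </form>
 994  
 995          <p id="nav">
 996              <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a>
 997              <?php
 998  
 999              if ( get_option( 'users_can_register' ) ) {
1000                  $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );
1001  
1002                  echo esc_html( $login_link_separator );
1003  
                      // The filtered value is echoed as HTML without further escaping, so
                      // callbacks on 'register' are trusted to return safe markup.
1004                  /** This filter is documented in wp-includes/general-template.php */
1005                  echo apply_filters( 'register', $registration_url );
1006              }
1007  
1008              ?>
1009          </p>
1010          <?php
1011  
1012          login_footer( 'user_pass' );
1013          break;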
1014  
1015      case 'register':
              // Self-registration. Two gates run before any submitted data is looked at:
              // multisite installs are sent to the network sign-up page, and single sites
              // refuse when the 'users_can_register' option is off.
1016          if ( is_multisite() ) {
1017              /**
1018               * Filters the Multisite sign up URL.
1019               *
1020               * @since 3.0.0
1021               *
1022               * @param string $sign_up_url The sign up URL.
1023               */
                  // Plain wp_redirect(): the destination is built from network_site_url() and
                  // a filter, not from request data.
1024              wp_redirect( apply_filters( 'wp_signup_location', network_site_url( 'wp-signup.php' ) ) );
1025              exit;
1026          }
1027  
1028          if ( ! get_option( 'users_can_register' ) ) {
1029              wp_redirect( site_url( 'wp-login.php?registration=disabled' ) );
1030              exit();
1031          }
1032  
1033          $user_login = '';
1034          $user_email = '';
1035  
              // $http_post is set earlier in the file (not visible here); presumably true for
              // POST requests.
1036          if ( $http_post ) {
                  // Only string values are accepted, so array-valued parameters
                  // (user_login[]=...) leave the defaults in place.
1037              if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
1038                  $user_login = wp_unslash( $_POST['user_login'] );
1039              }
1040  
1041              if ( isset( $_POST['user_email'] ) && is_string( $_POST['user_email'] ) ) {
1042                  $user_email = wp_unslash( $_POST['user_email'] );
1043              }
1044  
                  // register_new_user() is defined elsewhere; this case only distinguishes a
                  // WP_Error result (re-render the form with errors) from anything else (success).
1045              $errors = register_new_user( $user_login, $user_email );
1046  
1047              if ( ! is_wp_error( $errors ) ) {
                      // Request-supplied destination, used only through wp_safe_redirect(), which
                      // rejects hosts outside WordPress's allowed redirect hosts.
1048                  $redirect_to = ! empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : 'wp-login.php?checkemail=registered';
1049                  wp_safe_redirect( $redirect_to );
1050                  exit();
1051              }
1052          }
1053  
1054          $registration_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
1055  
1056          /**
1057           * Filters the registration redirect URL.
1058           *
1059           * @since 3.0.0
1060           *
1061           * @param string $registration_redirect The redirect destination URL.
1062           */
1063          $redirect_to = apply_filters( 'registration_redirect', $registration_redirect );
1064  
              // NOTE(review): on a GET request $errors is whatever was assigned before this
              // case (not visible here); on a failed POST it is the WP_Error from
              // register_new_user().
1065          login_header( __( 'Registration Form' ), '<p class="message register">' . __( 'Register For This Site' ) . '</p>', $errors );
1066  
              // In the form below, the submitted username, email and redirect_to are echoed
              // back only through esc_attr().
1067          ?>
1068          <form name="registerform" id="registerform" action="<?php echo esc_url( site_url( 'wp-login.php?action=register', 'login_post' ) ); ?>" method="post" novalidate="novalidate">
1069              <p>
1070                  <label for="user_login"><?php _e( 'Username' ); ?></label>
1071                  <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( wp_unslash( $user_login ) ); ?>" size="20" autocapitalize="off" />
1072              </p>
1073              <p>
1074                  <label for="user_email"><?php _e( 'Email' ); ?></label>
1075                  <input type="email" name="user_email" id="user_email" class="input" value="<?php echo esc_attr( wp_unslash( $user_email ) ); ?>" size="25" />
1076              </p>
1077              <?php
1078  
1079              /**
1080               * Fires following the 'Email' field in the user registration form.
1081               *
1082               * @since 2.1.0
1083               */
1084              do_action( 'register_form' );
1085  
1086              ?>
1087              <p id="reg_passmail">
1088                  <?php _e( 'Registration confirmation will be emailed to you.' ); ?>
1089              </p>
1090              <br class="clear" />
1091              <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
1092              <p class="submit">
1093                  <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e( 'Register' ); ?>" />
1094              </p>
1095          </form>
1096  
1097          <p id="nav">
1098              <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a>
1099                  <?php echo esc_html( $login_link_separator ); ?>
1100              <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>"><?php _e( 'Lost your password?' ); ?></a>
1101          </p>
1102          <?php
1103  
1104          login_footer( 'user_login' );
1105          break;
1106  
1107      case 'confirmaction':
              // Confirmation link for an account request: both query parameters must be
              // present, and the key must validate, before the confirmation action fires.
1108          if ( ! isset( $_GET['request_id'] ) ) {
1109              wp_die( __( 'Missing request ID.' ) );
1110          }
1111  
1112          if ( ! isset( $_GET['confirm_key'] ) ) {
1113              wp_die( __( 'Missing confirm key.' ) );
1114          }
1115  
              // The ID is forced to an integer and the key is unslashed and sanitized before
              // either reaches the validator. wp_validate_user_request_key() is defined
              // elsewhere; only its WP_Error result is handled here, by stopping the request.
1116          $request_id = (int) $_GET['request_id'];
1117          $key        = sanitize_text_field( wp_unslash( $_GET['confirm_key'] ) );
1118          $result     = wp_validate_user_request_key( $request_id, $key );
1119  
1120          if ( is_wp_error( $result ) ) {
1121              wp_die( $result );
1122          }
1123  
1124          /**
1125           * Fires an action hook when the account action has been confirmed by the user.
1126           *
1127           * Using this you can assume the user has agreed to perform the action by
1128           * clicking on the link in the confirmation email.
1129           *
1130           * After firing this action hook the confirmation message is rendered below,
1131           * unless a callback redirects or exits first.
1132           *
1133           * @since 4.9.6
1134           *
1135           * @param int $request_id Request ID.
1136           */
1137          do_action( 'user_request_action_confirmed', $request_id );
1138  
1139          $message = _wp_privacy_account_request_confirmed_message( $request_id );
1140  
1141          login_header( __( 'User action confirmed.' ), $message );
1142          login_footer();
1143          exit;
1144  
1145      case 'login':
1146      default:
              // Login: decide cookie security, pick the redirect target, authenticate through
              // wp_signon(), then either redirect (success) or fall through to the form
              // rendering that follows this block.
1147          $secure_cookie   = '';
1148          $customize_login = isset( $_REQUEST['customize-login'] );
1149  
1150          if ( $customize_login ) {
1151              wp_enqueue_script( 'customize-base' );
1152          }
1153  
1154          // If the user wants SSL but the session is not SSL, force a secure cookie.
              // This lookup runs before authentication, on the submitted (sanitized) name. Its
              // only visible effect is the secure-cookie flag and force_ssl_admin( true ).
              // `strpos( $user_name, '@' )` is truthy only when '@' is not the first
              // character, so the email lookup is skipped for names that start with '@'.
1155          if ( ! empty( $_POST['log'] ) && ! force_ssl_admin() ) {
1156              $user_name = sanitize_user( wp_unslash( $_POST['log'] ) );
1157              $user      = get_user_by( 'login', $user_name );
1158  
1159              if ( ! $user && strpos( $user_name, '@' ) ) {
1160                  $user = get_user_by( 'email', $user_name );
1161              }
1162  
1163              if ( $user ) {
1164                  if ( get_user_option( 'use_ssl', $user->ID ) ) {
1165                      $secure_cookie = true;
1166                      force_ssl_admin( true );
1167                  }
1168              }
1169          }
1170  
              // 'redirect_to' is request-supplied and not validated at this point; see the
              // redirect calls at the end of the success branch.
1171          if ( isset( $_REQUEST['redirect_to'] ) ) {
1172              $redirect_to = $_REQUEST['redirect_to'];
1173              // Redirect to HTTPS if user wants SSL.
1174              if ( $secure_cookie && false !== strpos( $redirect_to, 'wp-admin' ) ) {
1175                  $redirect_to = preg_replace( '|^http://|', 'https://', $redirect_to );
1176              }
1177          } else {
1178              $redirect_to = admin_url();
1179          }
1180  
1181          $reauth = empty( $_REQUEST['reauth'] ) ? false : true;
1182  
              // With an empty credentials array, wp_signon() takes the credentials from the
              // POST data itself. The result is a WP_User on success or a WP_Error (see the
              // 'login_redirect' docblock below).
1183          $user = wp_signon( array(), $secure_cookie );
1184  
              // Cookie sanity check: when no logged-in cookie came with the request, replace
              // the result with a 'test_cookie' error if headers were already sent, or if the
              // form was posted ('testcookie') without the test cookie coming back.
1185          if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
1186              if ( headers_sent() ) {
1187                  $user = new WP_Error(
1188                      'test_cookie',
1189                      sprintf(
1190                          /* translators: 1: Browser cookie documentation URL, 2: Support forums URL. */
1191                          __( '<strong>ERROR</strong>: Cookies are blocked due to unexpected output. For help, please see <a href="%1$s">this documentation</a> or try the <a href="%2$s">support forums</a>.' ),
1192                          __( 'https://wordpress.org/support/article/cookies/' ),
1193                          __( 'https://wordpress.org/support/forums/' )
1194                      )
1195                  );
1196              } elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) {
1197                  // If cookies are disabled we can't log in even with a valid user+pass
1198                  $user = new WP_Error(
1199                      'test_cookie',
1200                      sprintf(
1201                          /* translators: %s: Browser cookie documentation URL. */
1202                          __( '<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href="%s">enable cookies</a> to use WordPress.' ),
1203                          __( 'https://wordpress.org/support/article/cookies/#enable-cookies-in-your-browser' )
1204                      )
1205                  );
1206              }
1207          }
1208  
1209          $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
1210          /**
1211           * Filters the login redirect URL.
1212           *
1213           * @since 3.0.0
1214           *
1215           * @param string           $redirect_to           The redirect destination URL.
1216           * @param string           $requested_redirect_to The requested redirect destination URL passed as a parameter.
1217           * @param WP_User|WP_Error $user                  WP_User object if login was successful, WP_Error object otherwise.
1218           */
1219          $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
1220  
              // Success branch: taken only when authentication did not return an error and
              // this is not a forced re-authentication.
1221          if ( ! is_wp_error( $user ) && ! $reauth ) {
1222              if ( $interim_login ) {
1223                  $message       = '<p class="message">' . __( 'You have logged in successfully.' ) . '</p>';
1224                  $interim_login = 'success';
1225                  login_header( '', $message );
1226  
1227                  ?>
1228                  </div>
1229                  <?php
1230  
1231                  /** This action is documented in wp-login.php */
1232                  do_action( 'login_footer' );
1233  
1234                  if ( $customize_login ) {
                          // NOTE(review): wp_customize_url() is echoed into a single-quoted
                          // JavaScript string with no escaping applied at this call site.
                          // That is only safe if the helper returns an already-escaped URL
                          // that cannot contain a quote; confirm against its definition.
1235                      ?>
1236                      <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script>
1237                      <?php
1238                  }
1239  
1240                  ?>
1241                  </body></html>
1242                  <?php
1243  
1244                  exit;
1245              }
1246  
1247              // Check if it is time to add a redirect to the admin email confirmation screen.
1248              if ( is_a( $user, 'WP_User' ) && $user->exists() && $user->has_cap( 'manage_options' ) ) {
1249                  $admin_email_lifespan = (int) get_option( 'admin_email_lifespan' );
1250  
1251                  // If `0` (or anything "falsey" as it is cast to int) is returned, the user will not be redirected
1252                  // to the admin email confirmation screen.
1253                  /** This filter is documented in wp-login.php */
1254                  $admin_email_check_interval = (int) apply_filters( 'admin_email_check_interval', 6 * MONTH_IN_SECONDS );
1255  
1256                  if ( $admin_email_check_interval > 0 && time() > $admin_email_lifespan ) {
1257                      $redirect_to = add_query_arg(
1258                          array(
1259                              'action'  => 'confirm_admin_email',
1260                              'wp_lang' => get_user_locale( $user ),
1261                          ),
1262                          wp_login_url( $redirect_to )
1263                      );
1264                  }
1265              }
1266  
                  // Plain wp_redirect() is used only inside this branch, which is entered when
                  // $redirect_to is empty, 'wp-admin/' or exactly admin_url(). The value sent
                  // is then one of those or a URL produced by the core helpers assigned just
                  // below. Every other destination, including an arbitrary request-supplied
                  // or filtered one, goes through wp_safe_redirect() after this block.
1267              if ( ( empty( $redirect_to ) || $redirect_to === 'wp-admin/' || $redirect_to === admin_url() ) ) {
1268                  // If the user doesn't belong to a blog, send them to user admin. If the user can't edit posts, send them to their profile.
1269                  if ( is_multisite() && ! get_active_blog_for_user( $user->ID ) && ! is_super_admin( $user->ID ) ) {
1270                      $redirect_to = user_admin_url();
1271                  } elseif ( is_multisite() && ! $user->has_cap( 'read' ) ) {
1272                      $redirect_to = get_dashboard_url( $user->ID );
1273                  } elseif ( ! $user->has_cap( 'edit_posts' ) ) {
1274                      $redirect_to = $user->has_cap( 'read' ) ? admin_url( 'profile.php' ) : home_url();
1275                  }
1276  
1277                  wp_redirect( $redirect_to );
1278                  exit;
1279              }
1280  
                  // wp_safe_redirect() checks the destination host against WordPress's allowed
                  // redirect hosts, which keeps a crafted redirect_to from making the login
                  // page an open redirect.
1281              wp_safe_redirect( $redirect_to );
1282              exit;
1283          }
1284  
              // Reached when authentication returned an error or a re-authentication was
              // requested: assemble the messages to display, then render the login form.
              // Every message added below is a fixed translated string. The query parameters
              // only select which one is shown and are never echoed themselves.
1285          $errors = $user;
1286          // Clear errors if loggedout is set.
1287          if ( ! empty( $_GET['loggedout'] ) || $reauth ) {
1288              $errors = new WP_Error();
1289          }
1290  
              // A request without POST data that produced exactly the two "empty field" errors
              // is treated as a first visit to the form, and the errors are dropped.
1291          if ( empty( $_POST ) && $errors->get_error_codes() === array( 'empty_username', 'empty_password' ) ) {
1292              $errors = new WP_Error( '', '' );
1293          }
1294  
1295          if ( $interim_login ) {
1296              if ( ! $errors->has_errors() ) {
1297                  $errors->add( 'expired', __( 'Your session has expired. Please log in to continue where you left off.' ), 'message' );
1298              }
1299          } else {
1300              // Some parts of this script use the main login form to display a message.
1301              if ( isset( $_GET['loggedout'] ) && $_GET['loggedout'] ) {
1302                  $errors->add( 'loggedout', __( 'You are now logged out.' ), 'message' );
1303              } elseif ( isset( $_GET['registration'] ) && 'disabled' === $_GET['registration'] ) {
1304                  $errors->add( 'registerdisabled', __( 'User registration is currently not allowed.' ) );
1305              } elseif ( isset( $_GET['checkemail'] ) && 'confirm' === $_GET['checkemail'] ) {
1306                  $errors->add( 'confirm', __( 'Check your email for the confirmation link.' ), 'message' );
1307              } elseif ( isset( $_GET['checkemail'] ) && 'newpass' === $_GET['checkemail'] ) {
1308                  $errors->add( 'newpass', __( 'Check your email for your new password.' ), 'message' );
1309              } elseif ( isset( $_GET['checkemail'] ) && 'registered' === $_GET['checkemail'] ) {
1310                  $errors->add( 'registered', __( 'Registration complete. Please check your email.' ), 'message' );
1311              } elseif ( strpos( $redirect_to, 'about.php?updated' ) ) {
1312                  $errors->add( 'updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to see what&#8217;s new.' ), 'message' );
1313              } elseif ( WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED === $action ) {
1314                  $errors->add( 'enter_recovery_mode', __( 'Recovery Mode Initialized. Please log in to continue.' ), 'message' );
1315              }
1316          }
1317  
1318          /**
1319           * Filters the login page errors.
1320           *
1321           * @since 3.6.0
1322           *
1323           * @param WP_Error $errors      WP Error object.
1324           * @param string   $redirect_to Redirect destination URL.
1325           */
1326          $errors = apply_filters( 'wp_login_errors', $errors, $redirect_to );
1327  
1328          // Clear any stale cookies.
1329          if ( $reauth ) {
1330              wp_clear_auth_cookie();
1331          }
1332  
1333          login_header( __( 'Log In' ), '', $errors );
1334  
              // The submitted username is echoed back only when the first error code is
              // 'incorrect_password' or 'empty_password'; for any other error the field is
              // cleared. It is escaped here and again where it is printed in the form.
              // NOTE(review): when no 'log' was posted, $user_login keeps whatever value it
              // had before this case (not visible here).
1335          if ( isset( $_POST['log'] ) ) {
1336              $user_login = ( 'incorrect_password' === $errors->get_error_code() || 'empty_password' === $errors->get_error_code() ) ? esc_attr( wp_unslash( $_POST['log'] ) ) : '';
1337          }
1338  
1339          $rememberme = ! empty( $_POST['rememberme'] );
1340  
              // $aria_describedby_error is one of two fixed literals, which is why the form
              // below can echo it without escaping.
1341          if ( $errors->has_errors() ) {
1342              $aria_describedby_error = ' aria-describedby="login_error"';
1343          } else {
1344              $aria_describedby_error = '';
1345          }
1346  
1347          wp_enqueue_script( 'user-profile' );
1348          ?>
1349  
1350          <form name="loginform" id="loginform" action="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>" method="post">
1351              <p>
1352                  <label for="user_login"><?php _e( 'Username or Email Address' ); ?></label>
1353                  <input type="text" name="log" id="user_login"<?php echo $aria_describedby_error; ?> class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" />
1354              </p>
1355  
1356              <div class="user-pass-wrap">
1357                  <label for="user_pass"><?php _e( 'Password' ); ?></label>
1358                  <div class="wp-pwd">
1359                      <input type="password" name="pwd" id="user_pass"<?php echo $aria_describedby_error; ?> class="input password-input" value="" size="20" />
1360                      <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e( 'Show password' ); ?>">
1361                          <span class="dashicons dashicons-visibility" aria-hidden="true"></span>
1362                      </button>
1363                  </div>
1364              </div>
1365              <?php
1366  
1367              /**
1368               * Fires following the 'Password' field in the login form.
1369               *
1370               * @since 2.1.0
1371               */
1372              do_action( 'login_form' );
1373  
1374              ?>
1375              <p class="forgetmenot"><input name="rememberme" type="checkbox" id="rememberme" value="forever" <?php checked( $rememberme ); ?> /> <label for="rememberme"><?php esc_html_e( 'Remember Me' ); ?></label></p>
1376              <p class="submit">
1377                  <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e( 'Log In' ); ?>" />
1378                  <?php
1379  
                      // An interim login carries no redirect target. Otherwise the
                      // request-derived (and filtered) $redirect_to is written to a hidden
                      // field through esc_attr() and comes back with the form submission.
1380                  if ( $interim_login ) {
1381                      ?>
1382                      <input type="hidden" name="interim-login" value="1" />
1383                      <?php
1384                  } else {
1385                      ?>
1386                      <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
1387                      <?php
1388                  }
1389  
1390                  if ( $customize_login ) {
1391                      ?>
1392                      <input type="hidden" name="customize-login" value="1" />
1393                      <?php
1394                  }
1395  
1396                  ?>
1397                  <input type="hidden" name="testcookie" value="1" />
1398              </p>
1399          </form>
1400  
1401          <?php
1402  
1403          if ( ! $interim_login ) {
1404              ?>
1405              <p id="nav">
1406                  <?php
1407  
                      // The register / lost-password links are left out when the page is
                      // showing a 'confirm' or 'newpass' check-email notice. in_array() runs
                      // in strict mode, so only those exact strings match.
1408                  if ( ! isset( $_GET['checkemail'] ) || ! in_array( $_GET['checkemail'], array( 'confirm', 'newpass' ), true ) ) {
1409                      if ( get_option( 'users_can_register' ) ) {
1410                          $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) );
1411  
                              // The filtered value is echoed as HTML without further escaping, so
                              // callbacks on 'register' are trusted to return safe markup.
1412                          /** This filter is documented in wp-includes/general-template.php */
1413                          echo apply_filters( 'register', $registration_url );
1414  
1415                          echo esc_html( $login_link_separator );
1416                      }
1417  
1418                      ?>
1419                      <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>"><?php _e( 'Lost your password?' ); ?></a>
1420                      <?php
1421                  }
1422  
1423                  ?>
1424              </p>
1425              <?php
1426          }
1427  
              // The inline focus script is assembled from fixed string literals only. The
              // username and error code merely choose between branches and are never
              // interpolated, which is why $login_script can be echoed into <script> as-is.
1428          $login_script  = 'function wp_attempt_focus() {';
1429          $login_script .= 'setTimeout( function() {';
1430          $login_script .= 'try {';
1431  
1432          if ( $user_login ) {
1433              $login_script .= 'd = document.getElementById( "user_pass" ); d.value = "";';
1434          } else {
1435              $login_script .= 'd = document.getElementById( "user_login" );';
1436  
1437              if ( $errors->get_error_code() === 'invalid_username' ) {
1438                  $login_script .= 'd.value = "";';
1439              }
1440          }
1441  
1442          $login_script .= 'd.focus(); d.select();';
1443          $login_script .= '} catch( er ) {}';
1444          $login_script .= '}, 200);';
1445          $login_script .= "}\n"; // End of wp_attempt_focus().
1446  
1447          /**
1448           * Filters whether to print the call to `wp_attempt_focus()` on the login screen.
1449           *
1450           * @since 4.8.0
1451           *
1452           * @param bool $print Whether to print the function call. Default true.
1453           */
1454          if ( apply_filters( 'enable_login_autofocus', true ) && ! $error ) {
1455              $login_script .= "wp_attempt_focus();\n";
1456          }
1457  
1458          // Run `wpOnload()` if defined.
1459          $login_script .= "if ( typeof wpOnload === 'function' ) { wpOnload() }";
1460  
1461          ?>
1462          <script type="text/javascript">
1463              <?php echo $login_script; ?>
1464          </script>
1465          <?php
1466  
              // Interim login: the script below makes every link open in a new window with
              // rel="noreferrer noopener", so the opened page receives no window.opener
              // handle and no Referer.
1467          if ( $interim_login ) {
1468              ?>
1469              <script type="text/javascript">
1470              ( function() {
1471                  try {
1472                      var i, links = document.getElementsByTagName( 'a' );
1473                      for ( i in links ) {
1474                          if ( links[i].href ) {
1475                              links[i].target = '_blank';
1476                              links[i].rel = 'noreferrer noopener';
1477                          }
1478                      }
1479                  } catch( er ) {}
1480              }());
1481              </script>
1482              <?php
1483          }
1484  
1485          login_footer();
1486          break;
1487  } // End action switch.

