The application_password_did_authenticate action fires after an application password was used for authentication. It’s useful for running custom code when a user is authenticated using an application password.
Usage
/**
 * Callback for the application_password_did_authenticate action.
 *
 * @param WP_User $user The user who was authenticated.
 * @param array   $item The application password used.
 */
function my_custom_function( $user, $item ) {
    // your custom code here
}

// Priority 10; the final argument (2) lets the callback receive both $user and $item.
add_action( 'application_password_did_authenticate', 'my_custom_function', 10, 2 );
Parameters
$user: (WP_User) The user who was authenticated.
$item: (array) The application password used.
More information
See WordPress Developer Resources: application_password_did_authenticate
Examples
Log successful authentication
Log every successful authentication using an application password.
/**
 * Writes one line to the PHP error log for each authentication performed
 * with an application password.
 *
 * Only the login name and the application password's name are logged.
 * NOTE(review): $item is the application password record; keep any secret
 * material it may carry out of the log.
 *
 * @param WP_User $user The user who was authenticated.
 * @param array   $item The application password used; its 'name' key is read.
 */
function log_successful_authentication( $user, $item ) {
    $entry = sprintf(
        'User %s authenticated with application password %s.',
        $user->user_login,
        $item['name']
    );

    error_log( $entry );
}

add_action( 'application_password_did_authenticate', 'log_successful_authentication', 10, 2 );
Notify user on authentication
Send an email to the user when they are authenticated using an application password.
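add_action( 'application_password_did_authenticate', 'notify_user_on_authentication', 10, 2 );

/**
 * Emails the user when one of their application passwords is used to
 * authenticate, at most once per hour per application password.
 *
 * Application passwords are normally sent with every API request, so this
 * action can fire once per request. Without a throttle, a single API client
 * would produce a flood of identical emails and the notice would stop being
 * a useful signal of unexpected credential use.
 *
 * @param WP_User $user The user who was authenticated.
 * @param array   $item The application password used; 'uuid' is read when present.
 */
function notify_user_on_authentication( $user, $item ) {
    // Key the throttle on user + credential so a second application password
    // used within the same hour still triggers its own notice.
    $credential_id = isset( $item['uuid'] ) ? $item['uuid'] : '';
    $throttle_key  = 'app_pw_notice_' . md5( $user->ID . '|' . $credential_id );

    if ( false !== get_transient( $throttle_key ) ) {
        return; // Already notified for this credential within the last hour.
    }
    set_transient( $throttle_key, 1, HOUR_IN_SECONDS );

    // Send an email to the user
    wp_mail( $user->user_email, 'Successful Authentication', 'You were successfully authenticated using an application password.' );
}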
Restrict authentication by application password name
Disallow authentication for application passwords with a specific name.
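add_action( 'application_password_did_authenticate', 'restrict_authentication_by_name', 10, 2 );

/**
 * Aborts the request when the application password that authenticated it is
 * named "Restricted".
 *
 * The name is a label attached to the application password, not a stable
 * identifier, and an application password with any other name is not affected.
 * Treat this as a convenience rule; to block a credential reliably, revoke it
 * or match on an identifier that cannot be edited.
 *
 * @param WP_User $user The user who was authenticated.
 * @param array   $item The application password used; its 'name' key is read.
 */
function restrict_authentication_by_name( $user, $item ) {
    // Strict comparison: loose == would also match non-string values that
    // happen to compare equal to the label.
    if ( ! isset( $item['name'] ) || 'Restricted' !== $item['name'] ) {
        return;
    }

    // Log out the user.
    // NOTE(review): application-password requests usually carry no login cookie,
    // so this probably has little effect here; wp_die() below is what stops the request.
    wp_logout();

    // Answer with 403 Forbidden instead of wp_die()'s default 500, so clients and
    // log monitoring see an access denial rather than a server error.
    wp_die( 'Restricted application password used. Access denied.', '', array( 'response' => 403 ) );
}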
Track last authentication time
Update a user meta field with the timestamp of the last successful authentication.
/**
 * Records when the user last authenticated with an application password.
 *
 * The value is stored as a Unix timestamp in the 'last_authentication_time'
 * user meta field and is overwritten each time the action fires.
 *
 * @param WP_User $user The user who was authenticated.
 * @param array   $item The application password used (not read here).
 */
function track_last_authentication_time( $user, $item ) {
    $user_id          = $user->ID;
    $authenticated_at = time();

    update_user_meta( $user_id, 'last_authentication_time', $authenticated_at );
}

add_action( 'application_password_did_authenticate', 'track_last_authentication_time', 10, 2 );
Limit authentication attempts
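Limit the number of successful authentications using application passwords within a specific time frame. Because this action fires only after an application password has been accepted, the counter measures use of valid credentials; rejected passwords never reach it, so it does not protect against password guessing.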
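add_action( 'application_password_did_authenticate', 'limit_authentication_attempts', 10, 2 );

/**
 * Caps how many times a user may authenticate with application passwords
 * within one time frame, and aborts the request once the cap is reached.
 *
 * The count lives in the 'authentication_attempts' user meta field and is
 * reset by the 'reset_authentication_attempts' scheduled event.
 *
 * Limits of this approach:
 * - Only successful authentications are counted; this hook never sees failures.
 * - The read-then-write on the counter is not atomic, so concurrent requests
 *   can exceed the cap slightly.
 * - WP-Cron runs on site traffic, so the reset may happen later than scheduled.
 *
 * @param WP_User $user The user who was authenticated.
 * @param array   $item The application password used (not read here).
 */
function limit_authentication_attempts( $user, $item ) {
    $allowed_attempts = 5;
    $time_frame       = 3600; // 1 hour in seconds

    // Get the current number of attempts (missing meta casts to 0).
    $attempts = (int) get_user_meta( $user->ID, 'authentication_attempts', true );

    // Check if the limit has been reached
    if ( $attempts >= $allowed_attempts ) {
        // Log out the user
        wp_logout();
        // 429 Too Many Requests tells clients this is a rate limit, not a server fault.
        wp_die( 'Too many authentication attempts. Access denied.', '', array( 'response' => 429 ) );
        return; // Guard for environments where the wp_die handler does not exit.
    }

    // Increment the attempts count and save it
    update_user_meta( $user->ID, 'authentication_attempts', $attempts + 1 );

    // Schedule a single reset per window. Scheduling on every request would pile
    // up redundant cron events and keep pushing resets across later windows.
    $reset_args = array( $user->ID );
    if ( ! wp_next_scheduled( 'reset_authentication_attempts', $reset_args ) ) {
        wp_schedule_single_event( time() + $time_frame, 'reset_authentication_attempts', $reset_args );
    }
}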
/**
 * Handler for the 'reset_authentication_attempts' event: sets the user's
 * stored authentication counter back to zero.
 *
 * @param int $user_id ID of the user whose counter is reset.
 */
function reset_attempts_count( $user_id ) {
    $fresh_count = 0;

    update_user_meta( $user_id, 'authentication_attempts', $fresh_count );
}

// Run the reset whenever the scheduled event fires.
add_action( 'reset_authentication_attempts', 'reset_attempts_count' );
Remember to clear scheduled events when the plugin is deactivated.
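register_deactivation_hook( __FILE__, 'clear_scheduled_reset_events' );

/**
 * Removes every pending 'reset_authentication_attempts' event on plugin
 * deactivation.
 *
 * wp_unschedule_hook() clears all events for the hook regardless of their
 * arguments. Unlike a loop over get_users(), it does not load every user
 * account into memory, and it also removes events left behind for users
 * who have since been deleted.
 */
function clear_scheduled_reset_events() {
    wp_unschedule_hook( 'reset_authentication_attempts' );
}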