Using WordPress ‘application_password_did_authenticate’ PHP action

The application_password_did_authenticate action fires after an application password was used for authentication. It’s useful for running custom code when a user is authenticated using an application password.


add_action('application_password_did_authenticate', 'my_custom_function', 10, 2);

function my_custom_function($user, $item) {
    // your custom code here


  • $user: (WP_User) The user who was authenticated.
  • $item: (array) The application password used.

More information

See WordPress Developer Resources: application_password_did_authenticate


Log successful authentication

Log every successful authentication using an application password.

add_action('application_password_did_authenticate', 'log_successful_authentication', 10, 2);

function log_successful_authentication($user, $item) {
    // Log successful authentication
    error_log("User {$user->user_login} authenticated with application password {$item['name']}.");

Notify user on authentication

Send an email to the user when they are authenticated using an application password.

add_action('application_password_did_authenticate', 'notify_user_on_authentication', 10, 2);

function notify_user_on_authentication($user, $item) {
    // Send an email to the user
    wp_mail($user->user_email, 'Successful Authentication', 'You were successfully authenticated using an application password.');

Restrict authentication by application password name

Disallow authentication for application passwords with a specific name.

add_action('application_password_did_authenticate', 'restrict_authentication_by_name', 10, 2);

function restrict_authentication_by_name($user, $item) {
    // Check if the application password name is "Restricted"
    if ($item['name'] == 'Restricted') {
        // Log out the user
        wp_die('Restricted application password used. Access denied.');

Track last authentication time

Update a user meta field with the timestamp of the last successful authentication.

add_action('application_password_did_authenticate', 'track_last_authentication_time', 10, 2);

function track_last_authentication_time($user, $item) {
    // Update user meta with current timestamp
    update_user_meta($user->ID, 'last_authentication_time', time());

Limit authentication attempts

Limit the number of successful authentication attempts using application passwords within a specific time frame.

add_action('application_password_did_authenticate', 'limit_authentication_attempts', 10, 2);

function limit_authentication_attempts($user, $item) {
    $allowed_attempts = 5;
    $time_frame = 3600; // 1 hour in seconds

    // Get the current number of attempts
    $attempts = (int) get_user_meta($user->ID, 'authentication_attempts', true);

    // Check if the limit has been reached
    if ($attempts >= $allowed_attempts) {
        // Log out the user
        wp_die('Too many authentication attempts. Access denied.');
    } else {
        // Increment the attempts count and save it
        update_user_meta($user->ID, 'authentication_attempts', $attempts + 1);

        // Schedule the reset of the attempts count
        wp_schedule_single_event(time() + $time_frame, 'reset_authentication_attempts', array($user->ID));

// Reset the authentication attempts count
add_action('reset_authentication_attempts', 'reset_attempts_count');

function reset_attempts_count($user_id) {
// Reset the attempts count
update_user_meta($user_id, 'authentication_attempts', 0);

Remember to clear scheduled events when the plugin is deactivated.

register_deactivation_hook(__FILE__, 'clear_scheduled_reset_events');

function clear_scheduled_reset_events() {
    // Get all users
    $users = get_users();

    // Loop through users and unschedule the reset events
    foreach ($users as $user) {
        wp_clear_scheduled_hook('reset_authentication_attempts', array($user->ID));