The auth_cookie_bad_hash WordPress PHP action fires when a bad authentication cookie hash is encountered.
Usage
/**
 * Placeholder handler for the auth_cookie_bad_hash action.
 *
 * @param array $cookie_elements Components parsed from the client-supplied
 *                               authentication cookie. The hash check has
 *                               failed, so treat every value as untrusted.
 */
function your_custom_function( $cookie_elements ) {
    // Your custom code here
}

// Register the handler: priority 10, one accepted argument.
add_action( 'auth_cookie_bad_hash', 'your_custom_function', 10, 1 );
Parameters
- $cookie_elements (array) – An array of authentication cookie components. None of the components should be assumed to be valid as they come directly from a client-provided cookie value.
- username (string) – User’s username.
- expiration (string) – The time the cookie expires as a UNIX timestamp.
- token (string) – User’s session token used.
- hmac (string) – The security hash for the cookie.
- scheme (string) – The cookie scheme to use.
More information
See WordPress Developer Resources: auth_cookie_bad_hash
Examples
Log failed authentication attempts
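Write failed cookie authentication attempts to the PHP error log. The cookie values are supplied by the client, so log only the fields you need for triage.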
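add_action('auth_cookie_bad_hash', 'log_failed_auth_attempts', 10, 1);

/**
 * Record a bad-cookie-hash event in the PHP error log.
 *
 * Every value in $cookie_elements comes from the client's cookie and has
 * failed verification. Only the fields useful for triage are logged: the
 * token and hmac are left out so session material never lands in log files,
 * and each value is length-capped so one request cannot write an arbitrarily
 * large log line.
 *
 * @param array $cookie_elements Unverified cookie components.
 * @return void
 */
function log_failed_auth_attempts($cookie_elements) {
    $entry = array();
    foreach (array('username', 'expiration', 'scheme') as $key) {
        $value = (isset($cookie_elements[$key]) && is_scalar($cookie_elements[$key]))
            ? (string) $cookie_elements[$key]
            : '';
        // Cap the length; the value is attacker-controlled.
        $entry[$key] = substr($value, 0, 64);
    }
    $entry['remote_addr'] = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    // json_encode() escapes control characters, so a crafted username cannot
    // inject extra log lines. Invalid UTF-8 is substituted instead of making
    // the whole encode fail.
    error_log("Failed authentication attempt: " . json_encode($entry, JSON_INVALID_UTF8_SUBSTITUTE));
}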
Notify admin on failed authentication attempts
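Send an email to the admin when a failed authentication attempt occurs. Because any client can trigger this hook by sending a forged cookie, the notification should be rate-limited.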
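add_action('auth_cookie_bad_hash', 'notify_admin_failed_auth', 10, 1);

/**
 * Email the site admin about a bad-cookie-hash event, at most once per window.
 *
 * The hook runs for any request that carries a cookie with a bad hash, so an
 * unthrottled handler would let an unauthenticated client generate one email
 * per request. A transient acts as a simple site-wide throttle. The token and
 * hmac are left out of the message so session material is not sent by mail.
 *
 * @param array $cookie_elements Unverified cookie components.
 * @return void
 */
function notify_admin_failed_auth($cookie_elements) {
    // Skip if a notice was already sent during the current window.
    if (get_transient('failed_auth_notice_sent')) {
        return;
    }
    set_transient('failed_auth_notice_sent', 1, 15 * MINUTE_IN_SECONDS);

    $username = (isset($cookie_elements['username']) && is_scalar($cookie_elements['username']))
        ? substr((string) $cookie_elements['username'], 0, 64)
        : '';
    $details = array(
        'username'    => $username,
        'remote_addr' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
    );

    // Prepare the email content
    $subject = "Failed authentication attempt";
    $message = "A failed authentication attempt occurred: " . json_encode($details, JSON_INVALID_UTF8_SUBSTITUTE);

    // Send an email to the admin
    wp_mail(get_option('admin_email'), $subject, $message);
}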
Block IP address after multiple failed attempts
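Block an IP address after a certain number of failed authentication attempts. The handler only runs for requests that present a cookie with a bad hash, so it stops those requests rather than all traffic from the address.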
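add_action('auth_cookie_bad_hash', 'block_ip_after_failed_attempts', 10, 1);

/**
 * Reject bad-cookie requests from an address after repeated failures.
 *
 * The counter is kept in a transient with an expiry rather than in a
 * permanent option. The block is therefore temporary, as the message says,
 * and a client cycling through addresses cannot leave rows in the options
 * table forever. Each failure refreshes the expiry (a sliding window).
 *
 * Caveats:
 *  - Behind a reverse proxy or load balancer REMOTE_ADDR is the proxy's
 *    address, so every visitor would share one counter.
 *  - The read-increment-write below is not atomic; concurrent requests can
 *    undercount.
 *  - This only stops requests that reach this hook (those carrying a cookie
 *    with a bad hash); it is not a general IP block.
 *
 * @param array $cookie_elements Unverified cookie components (unused).
 * @return void
 */
function block_ip_after_failed_attempts($cookie_elements) {
    // Get the IP address; bail out if it is absent (e.g. CLI) or malformed.
    $ip = isset($_SERVER['REMOTE_ADDR'])
        ? filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP)
        : false;
    if (!$ip) {
        return;
    }

    // Increment the per-address counter; a missing transient counts as 0.
    $key = 'failed_auth_attempts_' . $ip;
    $failed_attempts = (int) get_transient($key) + 1;
    set_transient($key, $failed_attempts, HOUR_IN_SECONDS);

    // Block the IP if there are more than 3 failed attempts
    if ($failed_attempts > 3) {
        wp_die(
            "Your IP address has been temporarily blocked due to multiple failed authentication attempts.",
            '',
            array('response' => 403)
        );
    }
}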
Add a custom message to the login page
Display a custom message on the login page when a bad authentication cookie is detected.
/**
 * Attach the login-page notice when a cookie with a bad hash is seen.
 *
 * @param array $cookie_elements Unverified cookie components (unused).
 * @return void
 */
function display_custom_message_on_login_page( $cookie_elements ) {
    // The filter is registered only for the request that triggered the hook.
    add_filter( 'login_message', 'add_custom_login_message' );
}

add_action( 'auth_cookie_bad_hash', 'display_custom_message_on_login_page', 10, 1 );
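/**
 * login_message filter callback: append the invalid-cookie notice.
 *
 * A filter callback receives the current value and should return it modified.
 * The incoming message is kept so notices from core or other plugins are not
 * discarded. The appended text is a fixed string with no client-supplied
 * data, so it needs no escaping.
 *
 * @param string $message Existing login message markup (optional).
 * @return string The existing message followed by the notice.
 */
function add_custom_login_message($message = '') {
    $notice = "<strong>Error:</strong> Invalid authentication cookie detected.";
    return (string) $message . $notice;
}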
Invalidate the current session
Invalidate the current session when a bad authentication cookie is encountered.
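add_action('auth_cookie_bad_hash', 'invalidate_bad_auth_session', 10, 1);

/**
 * Destroy the session whose token was presented in a cookie with a bad hash.
 *
 * Both the username and the token come from the unverified cookie. Only the
 * session matching the presented token is removed. Do not widen this to end
 * all of the user's sessions: the username is unverified, so any client could
 * then log out any account by sending a forged cookie.
 *
 * @param array $cookie_elements Unverified cookie components.
 * @return void
 */
function invalidate_bad_auth_session($cookie_elements) {
    // Both fields are required; stop early if the cookie lacks either one.
    if (
        !isset($cookie_elements['username'], $cookie_elements['token'])
        || !is_string($cookie_elements['username'])
        || !is_string($cookie_elements['token'])
        || $cookie_elements['username'] === ''
        || $cookie_elements['token'] === ''
    ) {
        return;
    }

    // get_user_by() returns false when no user matches, so check the result
    // before reading ->ID.
    $user = get_user_by('login', $cookie_elements['username']);
    if (!($user instanceof WP_User)) {
        return;
    }

    // Get the session tokens instance
    $session_tokens = WP_Session_Tokens::get_instance($user->ID);

    // Remove the session token
    $session_tokens->destroy($cookie_elements['token']);
}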