Using WordPress ‘auth_cookie_bad_hash’ PHP action

The auth_cookie_bad_hash WordPress PHP action fires when a bad authentication cookie hash is encountered.


add_action('auth_cookie_bad_hash', 'your_custom_function', 10, 1);

function your_custom_function($cookie_elements) {
    // Your custom code here


  • $cookie_elements (array) – An array of authentication cookie components. None of the components should be assumed to be valid as they come directly from a client-provided cookie value.
    • username (string) – User’s username.
    • expiration (string) – The time the cookie expires as a UNIX timestamp.
    • token (string) – User’s session token used.
    • hmac (string) – The security hash for the cookie.
    • scheme (string) – The cookie scheme to use.

More information

See WordPress Developer Resources: auth_cookie_bad_hash


Log failed authentication attempts

Log failed authentication attempts in a log file.

add_action('auth_cookie_bad_hash', 'log_failed_auth_attempts', 10, 1);

function log_failed_auth_attempts($cookie_elements) {
    // Log the failed authentication attempt
    error_log("Failed authentication attempt: " . json_encode($cookie_elements));

Notify admin on failed authentication attempts

Send an email to the admin when a failed authentication attempt occurs.

add_action('auth_cookie_bad_hash', 'notify_admin_failed_auth', 10, 1);

function notify_admin_failed_auth($cookie_elements) {
    // Prepare the email content
    $subject = "Failed authentication attempt";
    $message = "A failed authentication attempt occurred: " . json_encode($cookie_elements);

    // Send an email to the admin
    wp_mail(get_option('admin_email'), $subject, $message);

Block IP address after multiple failed attempts

Block an IP address after a certain number of failed authentication attempts.

add_action('auth_cookie_bad_hash', 'block_ip_after_failed_attempts', 10, 1);

function block_ip_after_failed_attempts($cookie_elements) {
    // Get the IP address
    $ip = $_SERVER['REMOTE_ADDR'];

    // Check for the IP in the options table and increment the count
    $failed_attempts = get_option('failed_auth_attempts_' . $ip, 0) + 1;
    update_option('failed_auth_attempts_' . $ip, $failed_attempts);

    // Block the IP if there are more than 3 failed attempts
    if ($failed_attempts > 3) {
        wp_die("Your IP address has been temporarily blocked due to multiple failed authentication attempts.");

Add a custom message to the login page

Display a custom message on the login page when a bad authentication cookie is detected.

add_action('auth_cookie_bad_hash', 'display_custom_message_on_login_page', 10, 1);

function display_custom_message_on_login_page($cookie_elements) {
    add_filter('login_message', 'add_custom_login_message');

function add_custom_login_message() {
    return "<strong>Error:</strong> Invalid authentication cookie detected.";

Invalidate the current session

Invalidate the current session when a bad authentication cookie is encountered.

add_action('auth_cookie_bad_hash', 'invalidate_bad_auth_session', 10, 1);

function invalidate_bad_auth_session($cookie_elements) {
    // Get the user's ID
    $user_id = get_user_by('login', $cookie_elements['username'])->ID;

    //Invalidate the session by removing the session token
    if ($user_id) {
        // Get the session tokens instance
        $session_tokens = WP_Session_Tokens::get_instance($user_id);

        // Remove the session token