Title: wp_authenticate
Published: April 25, 2014
Last modified: February 24, 2026

---

# wp_authenticate( string $username, string $password ): 󠀁[WP_User](https://developer.wordpress.org/reference/classes/wp_user/)󠁿|󠀁[WP_Error](https://developer.wordpress.org/reference/classes/wp_error/)󠁿

## In this article

 * [Parameters](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#parameters)
 * [Return](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#return)
 * [More Information](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#more-information)
 * [Source](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#source)
 * [Hooks](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#hooks)
 * [Related](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#related)
 * [Changelog](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#changelog)
 * [User Contributed Notes](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#user-contributed-notes)

[ Back to top](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#wp--skip-link--target)

Authenticates a user, confirming the login credentials are valid.

## 󠀁[Parameters](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#parameters)󠁿

 `$username`stringrequired

User’s username or email address.

`$password`stringrequired

User’s password.

## 󠀁[Return](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#return)󠁿

 [WP_User](https://developer.wordpress.org/reference/classes/wp_user/)|[WP_Error](https://developer.wordpress.org/reference/classes/wp_error/)
[WP_User](https://developer.wordpress.org/reference/classes/wp_user/) object if 
the credentials are valid, otherwise [WP_Error](https://developer.wordpress.org/reference/classes/wp_error/).

## 󠀁[More Information](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#more-information)󠁿

 * This is a plugabble function, which means that a plug-in can override this function.
 * Not to be confused with the [wp_authenticate](https://developer.wordpress.org/reference/hooks/wp_authenticate/)
   action hook.

## 󠀁[Source](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#source)󠁿

    ```php
    function wp_authenticate(
    	$username,
    	#[\SensitiveParameter]
    	$password
    ) {
    	$username = sanitize_user( $username );
    	$password = trim( $password );

    	/**
    	 * Filters whether a set of user login credentials are valid.
    	 *
    	 * A WP_User object is returned if the credentials authenticate a user.
    	 * WP_Error or null otherwise.
    	 *
    	 * @since 2.8.0
    	 * @since 4.5.0 `$username` now accepts an email address.
    	 *
    	 * @param null|WP_User|WP_Error $user     WP_User if the user is authenticated.
    	 *                                        WP_Error or null otherwise.
    	 * @param string                $username Username or email address.
    	 * @param string                $password User password.
    	 */
    	$user = apply_filters( 'authenticate', null, $username, $password );

    	if ( null === $user || false === $user ) {
    		/*
    		 * TODO: What should the error message be? (Or would these even happen?)
    		 * Only needed if all authentication handlers fail to return anything.
    		 */
    		$user = new WP_Error( 'authentication_failed', __( '<strong>Error:</strong> Invalid username, email address or incorrect password.' ) );
    	}

    	$ignore_codes = array( 'empty_username', 'empty_password' );

    	if ( is_wp_error( $user ) && ! in_array( $user->get_error_code(), $ignore_codes, true ) ) {
    		$error = $user;

    		/**
    		 * Fires after a user login has failed.
    		 *
    		 * @since 2.5.0
    		 * @since 4.5.0 The value of `$username` can now be an email address.
    		 * @since 5.4.0 The `$error` parameter was added.
    		 *
    		 * @param string   $username Username or email address.
    		 * @param WP_Error $error    A WP_Error object with the authentication failure details.
    		 */
    		do_action( 'wp_login_failed', $username, $error );
    	}

    	return $user;
    }
    ```

[View all references](https://developer.wordpress.org/reference/files/wp-includes/pluggable.php/)
[View on Trac](https://core.trac.wordpress.org/browser/tags/6.9.4/src/wp-includes/pluggable.php#L680)
[View on GitHub](https://github.com/WordPress/wordpress-develop/blob/6.9.4/src/wp-includes/pluggable.php#L680-L731)

## 󠀁[Hooks](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#hooks)󠁿

 [apply_filters( ‘authenticate’, null|WP_User|WP_Error $user, string $username, string $password )](https://developer.wordpress.org/reference/hooks/authenticate/)

Filters whether a set of user login credentials are valid.

 [do_action( ‘wp_login_failed’, string $username, WP_Error $error )](https://developer.wordpress.org/reference/hooks/wp_login_failed/)

Fires after a user login has failed.

## 󠀁[Related](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#related)󠁿

| Uses | Description | 
| [sanitize_user()](https://developer.wordpress.org/reference/functions/sanitize_user/)`wp-includes/formatting.php` |

Sanitizes a username, stripping out unsafe characters.

  | 
| [__()](https://developer.wordpress.org/reference/functions/__/)`wp-includes/l10n.php` |

Retrieves the translation of $text.

  | 
| [apply_filters()](https://developer.wordpress.org/reference/functions/apply_filters/)`wp-includes/plugin.php` |

Calls the callback functions that have been added to a filter hook.

  | 
| [do_action()](https://developer.wordpress.org/reference/functions/do_action/)`wp-includes/plugin.php` |

Calls the callback functions that have been added to an action hook.

  | 
| [is_wp_error()](https://developer.wordpress.org/reference/functions/is_wp_error/)`wp-includes/load.php` |

Checks whether the given variable is a WordPress Error.

  | 
| [WP_Error::__construct()](https://developer.wordpress.org/reference/classes/wp_error/__construct/)`wp-includes/class-wp-error.php` |

Initializes the error.

  |

[Show 4 more](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#)
[Show less](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#)

| Used by | Description | 
| [user_pass_ok()](https://developer.wordpress.org/reference/functions/user_pass_ok/)`wp-includes/deprecated.php` |

Check that the user login name and password is correct.

  | 
| [wp_signon()](https://developer.wordpress.org/reference/functions/wp_signon/)`wp-includes/user.php` |

Authenticates and logs a user in with ‘remember’ capability.

  | 
| [wp_login()](https://developer.wordpress.org/reference/functions/wp_login/)`wp-includes/pluggable-deprecated.php` |

Checks a users login information and logs them in if it checks out. This function is deprecated.

  | 
| [wp_xmlrpc_server::login()](https://developer.wordpress.org/reference/classes/wp_xmlrpc_server/login/)`wp-includes/class-wp-xmlrpc-server.php` |

Logs user in.

  |

## 󠀁[Changelog](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#changelog)󠁿

| Version | Description | 
| [4.5.0](https://developer.wordpress.org/reference/since/4.5.0/) | `$username` now accepts an email address. | 
| [2.5.0](https://developer.wordpress.org/reference/since/2.5.0/) | Introduced. |

## 󠀁[User Contributed Notes](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#user-contributed-notes)󠁿

 1.  [Skip to note 2 content](https://developer.wordpress.org/reference/functions/wp_authenticate/?output_format=md#comment-content-5330)
 2.   [Md. Zubaer Ahammed](https://profiles.wordpress.org/zubaer_ahammed/)  [  5 years ago  ](https://developer.wordpress.org/reference/functions/wp_authenticate/#comment-5330)
 3. [You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Ffunctions%2Fwp_authenticate%2F%23comment-5330)
    Vote results for this note: 1[You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Ffunctions%2Fwp_authenticate%2F%23comment-5330)
 4. Check whether credentials are valid or not for a defined user.
 5.     ```php
        $user = wp_authenticate($username, $password);
        if(!is_wp_error($user)) {
        	$first_name = $user->first_name;
        	echo "Login credentials are valid. First name is $first_name";
        } else {
        	echo "Invalid login credentials.";
        }
        ```
    
 6.  [Log in to add feedback](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Ffunctions%2Fwp_authenticate%2F%3Freplytocom%3D5330%23feedback-editor-5330)

You must [log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Ffunctions%2Fwp_authenticate%2F)
before being able to contribute a note or feedback.