Title: authenticate
Published: April 25, 2014
Last modified: February 24, 2026

---

# apply_filters( 'authenticate', null|WP_User|WP_Error $user, string $username, string $password )


Filters whether a set of user login credentials are valid.

## Description

A [WP_User](https://developer.wordpress.org/reference/classes/wp_user/) object is returned if the credentials authenticate a user. [WP_Error](https://developer.wordpress.org/reference/classes/wp_error/) or null otherwise.

## Parameters

`$user` null|[WP_User](https://developer.wordpress.org/reference/classes/wp_user/)|[WP_Error](https://developer.wordpress.org/reference/classes/wp_error/)

[WP_User](https://developer.wordpress.org/reference/classes/wp_user/) if the user is authenticated. [WP_Error](https://developer.wordpress.org/reference/classes/wp_error/) or null otherwise.

`$username` string

Username or email address.

`$password` string

User password.

## More Information

The authenticate filter hook is used to perform additional validation/authentication
any time a user logs in to WordPress.

The [wp_authenticate_user](https://developer.wordpress.org/reference/hooks/wp_authenticate_user/)
filter can also be used if you want to perform any additional validation after WordPress’s
basic validation, but before a user is logged in.

The default authenticate filters in /wp-includes/default-filters.php:

```php
add_filter( 'authenticate', 'wp_authenticate_username_password',  20, 3 );
add_filter( 'authenticate', 'wp_authenticate_email_password',     20, 3 );
add_filter( 'authenticate', 'wp_authenticate_spam_check',         99    );
```
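
An added example (not from the original page or from WordPress core) of using this hook for additional validation: a per-login-name lockout that counts failures on `wp_login_failed` and refuses further attempts from an `authenticate` callback at priority 30, after the default handlers listed above. The `myprefix_*` names, the limit of 5 and the 15-minute window are assumptions chosen for illustration.

```php
<?php
// Added example, not WordPress core code. The myprefix_* names, the limit of 5
// and the 15-minute window are assumptions chosen for illustration.
const MYPREFIX_MAX_FAILURES = 5;

// One counter per submitted login name (username or email address).
function myprefix_failure_key( $username ) {
	return 'myprefix_fail_' . md5( strtolower( trim( (string) $username ) ) );
}

// wp_login_failed fires when wp_authenticate() rejects a login attempt.
function myprefix_count_failure( $username ) {
	$key = myprefix_failure_key( $username );
	// Each failure, including attempts refused during the lockout,
	// restarts the 15-minute window.
	set_transient( $key, (int) get_transient( $key ) + 1, 15 * MINUTE_IN_SECONDS );
}
add_action( 'wp_login_failed', 'myprefix_count_failure' );

function myprefix_enforce_lockout( $user, $username, $password ) {
	// Nothing submitted (for example, the login form is only being displayed).
	if ( '' === trim( (string) $username ) ) {
		return $user;
	}

	if ( (int) get_transient( myprefix_failure_key( $username ) ) >= MYPREFIX_MAX_FAILURES ) {
		// Replaces whatever the earlier callbacks returned, including a valid
		// WP_User, so a correct password is refused while the lockout lasts.
		return new WP_Error(
			'myprefix_too_many_attempts',
			__( 'Too many failed login attempts. Please try again later.', 'myprefix' )
		);
	}

	// Otherwise pass the earlier result through untouched: WP_User on success,
	// WP_Error or null on failure. Never build a WP_User here.
	return $user;
}
// Priority 30 runs after the core password checks (20) and before the spam
// check (99), so this callback sees their verdict and can still overrule it.
add_filter( 'authenticate', 'myprefix_enforce_lockout', 30, 3 );
```

The counter is keyed on the submitted login name, so repeated failures against one account lock that account for everyone until the window expires.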

## Source

```php
$user = apply_filters( 'authenticate', null, $username, $password );
```

[View all references](https://developer.wordpress.org/reference/files/wp-includes/pluggable.php/)
[View on Trac](https://core.trac.wordpress.org/browser/tags/6.9.4/src/wp-includes/pluggable.php#L702)
[View on GitHub](https://github.com/WordPress/wordpress-develop/blob/6.9.4/src/wp-includes/pluggable.php#L702-L702)

## Related

| Used by | Description |
| --- | --- |
| [wp_authenticate()](https://developer.wordpress.org/reference/functions/wp_authenticate/) `wp-includes/pluggable.php` | Authenticates a user, confirming the login credentials are valid. |

## Changelog

| Version | Description |
| --- | --- |
| [4.5.0](https://developer.wordpress.org/reference/since/4.5.0/) | `$username` now accepts an email address. |
| [2.8.0](https://developer.wordpress.org/reference/since/2.8.0/) | Introduced. |

## User Contributed Notes

[Rahul Prajapati](https://profiles.wordpress.org/rahulsprajapati/) [10 years ago](https://developer.wordpress.org/reference/hooks/authenticate/#comment-1745)

Vote results for this note: 1

**Examples**

The basic usage is as follows…

```php
add_filter( 'authenticate', 'myplugin_auth_signon', 30, 3 );
function myplugin_auth_signon( $user, $username, $password ) {
	return $user;
}
```

This hook passes three parameters, `$user`, `$username` and `$password`. In order to generate an error on login, you will need to return a [WP_Error](https://developer.wordpress.org/reference/classes/wp_error/) object.
[Dragi Postolovski](https://profiles.wordpress.org/dragipostolovski/) [4 years ago](https://developer.wordpress.org/reference/hooks/authenticate/#comment-5442)

Vote results for this note: -1

```php
function wpdocs_authenticate_user( $user, $username, $password ) {
	if ( empty( $username ) || empty( $password ) ) {
		// Return the populated error so the failure carries a code and message.
		return new WP_Error( 'authentication_failed', __( 'ERROR: Invalid username or incorrect password.' ) );
	}

	return $user;
}
add_filter( 'authenticate', 'wpdocs_authenticate_user', 10, 3 );
```

Goes nicely with:

```php
function wpdocs_login_form_failed( $username ) {
	// Append some information (login=failed) to the URL.
	wp_redirect( home_url() . '/?login=failed' );
	exit;
}

add_action( 'wp_login_failed', 'wpdocs_login_form_failed' );
```
[pronl](https://profiles.wordpress.org/pronl/) [9 years ago](https://developer.wordpress.org/reference/hooks/authenticate/#comment-2365)

Vote results for this note: -2

… or simply return null.

WordPress will assign a standard [WP_Error](https://developer.wordpress.org/reference/classes/wp_error/) object:

```php
if ( $user == null ) {
	// TODO what should the error message be? (Or would these even happen?)
	// Only needed if all authentication handlers fail to return anything.
	$user = new WP_Error( 'authentication_failed', __( '<strong>ERROR</strong>: Invalid username, email address or incorrect password.' ) );
}
```
