The application_password_failed_authentication WordPress PHP action fires when an application password fails to authenticate the user.
Usage
add_action('application_password_failed_authentication', 'your_custom_function', 10, 1);
function your_custom_function($error) {
// your custom code here
}
Parameters
$error(WP_Error): The authentication error.
More information
See WordPress Developer Resources: application_password_failed_authentication
Examples
Log failed authentication attempts
Log failed authentication attempts in a custom log file.
add_action('application_password_failed_authentication', 'log_failed_auth', 10, 1);
function log_failed_auth($error) {
$log_message = date('Y-m-d H:i:s') . ' - Failed authentication: ' . $error->get_error_message() . PHP_EOL;
file_put_contents('failed_auth.log', $log_message, FILE_APPEND);
}
Notify admin of failed authentication attempts
Send an email to the administrator when there’s a failed authentication attempt.
add_action('application_password_failed_authentication', 'notify_admin_failed_auth', 10, 1);
function notify_admin_failed_auth($error) {
$admin_email = get_option('admin_email');
$subject = 'Failed Authentication Alert';
$message = 'A failed authentication attempt has occurred: ' . $error->get_error_message();
wp_mail($admin_email, $subject, $message);
}
Block IP after multiple failed attempts
Block an IP address after a specific number of failed authentication attempts.
add_action('application_password_failed_authentication', 'block_ip_after_failed_attempts', 10, 1);
function block_ip_after_failed_attempts($error) {
$ip_address = $_SERVER['REMOTE_ADDR'];
$max_attempts = 5;
// Retrieve the current failed attempts
$current_attempts = (int) get_transient('failed_attempts_' . $ip_address);
// If the maximum attempts is reached, block the IP
if ($current_attempts >= $max_attempts - 1) {
// Store the blocked IP in the database
update_option('blocked_ip_' . $ip_address, true);
// Reset the failed attempts counter
delete_transient('failed_attempts_' . $ip_address);
} else {
// Increment the failed attempts counter
set_transient('failed_attempts_' . $ip_address, ++$current_attempts, 3600);
}
}
Add a custom error message on failed authentication
Display a custom error message when authentication fails.
add_action('application_password_failed_authentication', 'custom_error_message', 10, 1);
function custom_error_message($error) {
$error->add('custom_error', __('Authentication failed due to an invalid application password.'));
}
Store failed authentication attempts in a custom database table
Save failed authentication attempts in a custom database table for analysis.
add_action('application_password_failed_authentication', 'store_failed_auth_attempts', 10, 1);
function store_failed_auth_attempts($error) {
global $wpdb;
$table_name = $wpdb->prefix . 'failed_auth_attempts';
$data = [
'error_message' => $error->get_error_message(),
'ip_address' => $_SERVER['REMOTE_ADDR'],
'timestamp' => current_time('mysql', true)
];
$wpdb->insert($table_name, $data);
}