/wp-login.php

  1. <?php 
  2. /** 
  3. * WordPress User Page 
  4. * 
  5. * Handles authentication, registering, resetting passwords, forgot password,  
  6. * and other user handling. 
  7. * 
  8. * @package WordPress 
  9. */ 
  10.  
  11. /** Make sure that the WordPress bootstrap has run before continuing. */ 
  12. require( dirname(__FILE__) . '/wp-load.php' ); 
  13.  
  14. // Redirect to https login if forced to use SSL 
  15. if ( force_ssl_admin() && ! is_ssl() ) { 
  16. if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) { 
  17. wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) ); 
  18. exit(); 
  19. } else { 
  20. wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ); 
  21. exit(); 
  22.  
  23. /** 
  24. * Output the login page header. 
  25. * 
  26. * @param string $title Optional. WordPress login Page title to display in the `<title>` element. 
  27. * Default 'Log In'. 
  28. * @param string $message Optional. Message to display in header. Default empty. 
  29. * @param WP_Error $wp_error Optional. The error to pass. Default empty. 
  30. */ 
  31. function login_header( $title = 'Log In', $message = '', $wp_error = '' ) { 
  32. global $error, $interim_login, $action; 
  33.  
  34. // Don't index any of these forms 
  35. add_action( 'login_head', 'wp_no_robots' ); 
  36.  
  37. add_action( 'login_head', 'wp_login_viewport_meta' ); 
  38.  
  39. if ( empty($wp_error) ) 
  40. $wp_error = new WP_Error(); 
  41.  
  42. // Shake it! 
  43. $shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' ); 
  44. /** 
  45. * Filters the error codes array for shaking the login form. 
  46. * 
  47. * @since 3.0.0 
  48. * 
  49. * @param array $shake_error_codes Error codes that shake the login form. 
  50. */ 
  51. $shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes ); 
  52.  
  53. if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) ) 
  54. add_action( 'login_head', 'wp_shake_js', 12 ); 
  55.  
  56. $separator = is_rtl() ? ' › ' : ' ‹ '; 
  57.  
  58. ?><!DOCTYPE html> 
  59. <!--[if IE 8]> 
  60. <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" <?php language_attributes(); ?>> 
  61. <![endif]--> 
  62. <!--[if !(IE 8) ]><!--> 
  63. <html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>> 
  64. <!--<![endif]--> 
  65. <head> 
  66. <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" /> 
  67. <title><?php echo get_bloginfo( 'name', 'display' ) . $separator . $title; ?></title> 
  68. <?php 
  69.  
  70. wp_enqueue_style( 'login' ); 
  71.  
  72. /** 
  73. * Remove all stored post data on logging out. 
  74. * This could be added by add_action('login_head'...) like wp_shake_js(),  
  75. * but maybe better if it's not removable by plugins 
  76. */ 
  77. if ( 'loggedout' == $wp_error->get_error_code() ) { 
  78. ?> 
  79. <script>if("sessionStorage" in window) {try{for(var key in sessionStorage) {if(key.indexOf("wp-autosave-")!=-1) {sessionStorage.removeItem(key)}}}catch(e) {}};</script> 
  80. <?php 
  81.  
  82. /** 
  83. * Enqueue scripts and styles for the login page. 
  84. * 
  85. * @since 3.1.0 
  86. */ 
  87. do_action( 'login_enqueue_scripts' ); 
  88.  
  89. /** 
  90. * Fires in the login page header after scripts are enqueued. 
  91. * 
  92. * @since 2.1.0 
  93. */ 
  94. do_action( 'login_head' ); 
  95.  
  96. if ( is_multisite() ) { 
  97. $login_header_url = network_home_url(); 
  98. $login_header_title = get_network()->site_name; 
  99. } else { 
  100. $login_header_url = __( 'https://wordpress.org/' ); 
  101. $login_header_title = __( 'Powered by WordPress' ); 
  102.  
  103. /** 
  104. * Filters link URL of the header logo above login form. 
  105. * 
  106. * @since 2.1.0 
  107. * 
  108. * @param string $login_header_url Login header logo URL. 
  109. */ 
  110. $login_header_url = apply_filters( 'login_headerurl', $login_header_url ); 
  111.  
  112. /** 
  113. * Filters the title attribute of the header logo above login form. 
  114. * 
  115. * @since 2.1.0 
  116. * 
  117. * @param string $login_header_title Login header logo title attribute. 
  118. */ 
  119. $login_header_title = apply_filters( 'login_headertitle', $login_header_title ); 
  120.  
  121. $classes = array( 'login-action-' . $action, 'wp-core-ui' ); 
  122. if ( is_rtl() ) 
  123. $classes[] = 'rtl'; 
  124. if ( $interim_login ) { 
  125. $classes[] = 'interim-login'; 
  126. ?> 
  127. <style type="text/css">html{background-color: transparent;}</style> 
  128. <?php 
  129.  
  130. if ( 'success' === $interim_login ) 
  131. $classes[] = 'interim-login-success'; 
  132. $classes[] =' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_locale() ) ) ); 
  133.  
  134. /** 
  135. * Filters the login page body classes. 
  136. * 
  137. * @since 3.5.0 
  138. * 
  139. * @param array $classes An array of body classes. 
  140. * @param string $action The action that brought the visitor to the login page. 
  141. */ 
  142. $classes = apply_filters( 'login_body_class', $classes, $action ); 
  143.  
  144. ?> 
  145. </head> 
  146. <body class="login <?php echo esc_attr( implode( ' ', $classes ) ); ?>"> 
  147. <?php 
  148. /** 
  149. * Fires in the login page header after the body tag is opened. 
  150. * 
  151. * @since 4.6.0 
  152. */ 
  153. do_action( 'login_header' ); 
  154. ?> 
  155. <div id="login"> 
  156. <h1><a href="<?php echo esc_url( $login_header_url ); ?>" title="<?php echo esc_attr( $login_header_title ); ?>" tabindex="-1"><?php bloginfo( 'name' ); ?></a></h1> 
  157. <?php 
  158.  
  159. unset( $login_header_url, $login_header_title ); 
  160.  
  161. /** 
  162. * Filters the message to display above the login form. 
  163. * 
  164. * @since 2.1.0 
  165. * 
  166. * @param string $message Login message text. 
  167. */ 
  168. $message = apply_filters( 'login_message', $message ); 
  169. if ( !empty( $message ) ) 
  170. echo $message . "\n"; 
  171.  
  172. // In case a plugin uses $error rather than the $wp_errors object 
  173. if ( !empty( $error ) ) { 
  174. $wp_error->add('error', $error); 
  175. unset($error); 
  176.  
  177. if ( $wp_error->get_error_code() ) { 
  178. $errors = ''; 
  179. $messages = ''; 
  180. foreach ( $wp_error->get_error_codes() as $code ) { 
  181. $severity = $wp_error->get_error_data( $code ); 
  182. foreach ( $wp_error->get_error_messages( $code ) as $error_message ) { 
  183. if ( 'message' == $severity ) 
  184. $messages .= ' ' . $error_message . "<br />\n"; 
  185. else 
  186. $errors .= ' ' . $error_message . "<br />\n"; 
  187. if ( ! empty( $errors ) ) { 
  188. /** 
  189. * Filters the error messages displayed above the login form. 
  190. * 
  191. * @since 2.1.0 
  192. * 
  193. * @param string $errors Login error message. 
  194. */ 
  195. echo '<div id="login_error">' . apply_filters( 'login_errors', $errors ) . "</div>\n"; 
  196. if ( ! empty( $messages ) ) { 
  197. /** 
  198. * Filters instructional messages displayed above the login form. 
  199. * 
  200. * @since 2.5.0 
  201. * 
  202. * @param string $messages Login messages. 
  203. */ 
  204. echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n"; 
  205. } // End of login_header() 
  206.  
  207. /** 
  208. * Outputs the footer for the login page. 
  209. * 
  210. * @param string $input_id Which input to auto-focus 
  211. */ 
  212. function login_footer($input_id = '') { 
  213. global $interim_login; 
  214.  
  215. // Don't allow interim logins to navigate away from the page. 
  216. if ( ! $interim_login ): ?> 
  217. <p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>"><?php 
  218. /** translators: %s: site title */ 
  219. printf( _x( '← Back to %s', 'site' ), get_bloginfo( 'title', 'display' ) ); 
  220. ?></a></p> 
  221. <?php endif; ?> 
  222.  
  223. </div> 
  224.  
  225. <?php if ( !empty($input_id) ) : ?> 
  226. <script type="text/javascript"> 
  227. try{document.getElementById('<?php echo $input_id; ?>').focus();}catch(e) {} 
  228. if(typeof wpOnload=='function')wpOnload(); 
  229. </script> 
  230. <?php endif; ?> 
  231.  
  232. <?php 
  233. /** 
  234. * Fires in the login page footer. 
  235. * 
  236. * @since 3.1.0 
  237. */ 
  238. do_action( 'login_footer' ); ?> 
  239. <div class="clear"></div> 
  240. </body> 
  241. </html> 
  242. <?php 
  243.  
  244. /** 
  245. * @since 3.0.0 
  246. */ 
  247. function wp_shake_js() { 
  248. ?> 
  249. <script type="text/javascript"> 
  250. addLoadEvent = function(func) {if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function') {wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function() {oldonload();func();}}}; 
  251. function s(id, pos) {g(id).left=pos+'px';} 
  252. function g(id) {return document.getElementById(id).style;} 
  253. function shake(id, a, d) {c=a.shift();s(id, c);if(a.length>0) {setTimeout(function() {shake(id, a, d);}, d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e) {}}} 
  254. addLoadEvent(function() { var p=new Array(15, 30, 15, 0, -15, -30, -15, 0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i, p, 20);}); 
  255. </script> 
  256. <?php 
  257.  
  258. /** 
  259. * @since 3.7.0 
  260. */ 
  261. function wp_login_viewport_meta() { 
  262. ?> 
  263. <meta name="viewport" content="width=device-width" /> 
  264. <?php 
  265.  
  266. /** 
  267. * Handles sending password retrieval email to user. 
  268. * 
  269. * @return bool|WP_Error True: when finish. WP_Error on error 
  270. */ 
  271. function retrieve_password() { 
  272. $errors = new WP_Error(); 
  273.  
  274. if ( empty( $_POST['user_login'] ) ) { 
  275. $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or email address.')); 
  276. } elseif ( strpos( $_POST['user_login'], '@' ) ) { 
  277. $user_data = get_user_by( 'email', trim( wp_unslash( $_POST['user_login'] ) ) ); 
  278. if ( empty( $user_data ) ) 
  279. $errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.')); 
  280. } else { 
  281. $login = trim($_POST['user_login']); 
  282. $user_data = get_user_by('login', $login); 
  283.  
  284. /** 
  285. * Fires before errors are returned from a password reset request. 
  286. * 
  287. * @since 2.1.0 
  288. * @since 4.4.0 Added the `$errors` parameter. 
  289. * 
  290. * @param WP_Error $errors A WP_Error object containing any errors generated 
  291. * by using invalid credentials. 
  292. */ 
  293. do_action( 'lostpassword_post', $errors ); 
  294.  
  295. if ( $errors->get_error_code() ) 
  296. return $errors; 
  297.  
  298. if ( !$user_data ) { 
  299. $errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or email.')); 
  300. return $errors; 
  301.  
  302. // Redefining user_login ensures we return the right case in the email. 
  303. $user_login = $user_data->user_login; 
  304. $user_email = $user_data->user_email; 
  305. $key = get_password_reset_key( $user_data ); 
  306.  
  307. if ( is_wp_error( $key ) ) { 
  308. return $key; 
  309.  
  310. $message = __('Someone has requested a password reset for the following account:') . "\r\n\r\n"; 
  311. $message .= network_home_url( '/' ) . "\r\n\r\n"; 
  312. $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n"; 
  313. $message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n"; 
  314. $message .= __('To reset your password, visit the following address:') . "\r\n\r\n"; 
  315. $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n"; 
  316.  
  317. if ( is_multisite() ) { 
  318. $blogname = get_network()->site_name; 
  319. } else { 
  320. /** 
  321. * The blogname option is escaped with esc_html on the way into the database 
  322. * in sanitize_option we want to reverse this for the plain text arena of emails. 
  323. */ 
  324. $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES); 
  325.  
  326. /** translators: Password reset email subject. 1: Site name */ 
  327. $title = sprintf( __('[%s] Password Reset'), $blogname ); 
  328.  
  329. /** 
  330. * Filters the subject of the password reset email. 
  331. * 
  332. * @since 2.8.0 
  333. * @since 4.4.0 Added the `$user_login` and `$user_data` parameters. 
  334. * 
  335. * @param string $title Default email title. 
  336. * @param string $user_login The username for the user. 
  337. * @param WP_User $user_data WP_User object. 
  338. */ 
  339. $title = apply_filters( 'retrieve_password_title', $title, $user_login, $user_data ); 
  340.  
  341. /** 
  342. * Filters the message body of the password reset mail. 
  343. * 
  344. * @since 2.8.0 
  345. * @since 4.1.0 Added `$user_login` and `$user_data` parameters. 
  346. * 
  347. * @param string $message Default mail message. 
  348. * @param string $key The activation key. 
  349. * @param string $user_login The username for the user. 
  350. * @param WP_User $user_data WP_User object. 
  351. */ 
  352. $message = apply_filters( 'retrieve_password_message', $message, $key, $user_login, $user_data ); 
  353.  
  354. if ( $message && !wp_mail( $user_email, wp_specialchars_decode( $title ), $message ) ) 
  355. wp_die( __('The email could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.') ); 
  356.  
  357. return true; 
  358.  
  359. // 
  360. // Main 
  361. // 
  362.   
  363. $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login'; 
  364. $errors = new WP_Error(); 
  365.  
  366. if ( isset($_GET['key']) ) 
  367. $action = 'resetpass'; 
  368.  
  369. // validate action so as to default to the login screen 
  370. if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) ) 
  371. $action = 'login'; 
  372.  
  373. nocache_headers(); 
  374.  
  375. header('Content-Type: '.get_bloginfo('html_type').'; charset='.get_bloginfo('charset')); 
  376.  
  377. if ( defined( 'RELOCATE' ) && RELOCATE ) { // Move flag is set 
  378. if ( isset( $_SERVER['PATH_INFO'] ) && ($_SERVER['PATH_INFO'] != $_SERVER['PHP_SELF']) ) 
  379. $_SERVER['PHP_SELF'] = str_replace( $_SERVER['PATH_INFO'], '', $_SERVER['PHP_SELF'] ); 
  380.  
  381. $url = dirname( set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] ) ); 
  382. if ( $url != get_option( 'siteurl' ) ) 
  383. update_option( 'siteurl', $url ); 
  384.  
  385. //Set a cookie now to see if they are supported by the browser. 
  386. $secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) ); 
  387. setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure ); 
  388. if ( SITECOOKIEPATH != COOKIEPATH ) 
  389. setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure ); 
  390.  
  391. /** 
  392. * Fires when the login form is initialized. 
  393. * 
  394. * @since 3.2.0 
  395. */ 
  396. do_action( 'login_init' ); 
  397. /** 
  398. * Fires before a specified login form action. 
  399. * 
  400. * The dynamic portion of the hook name, `$action`, refers to the action 
  401. * that brought the visitor to the login form. Actions include 'postpass',  
  402. * 'logout', 'lostpassword', etc. 
  403. * 
  404. * @since 2.8.0 
  405. */ 
  406. do_action( "login_form_{$action}" ); 
  407.  
  408. $http_post = ('POST' == $_SERVER['REQUEST_METHOD']); 
  409. $interim_login = isset($_REQUEST['interim-login']); 
  410.  
  411. switch ($action) { 
  412.  
  413. case 'postpass' : 
  414. if ( ! array_key_exists( 'post_password', $_POST ) ) { 
  415. wp_safe_redirect( wp_get_referer() ); 
  416. exit(); 
  417.  
  418. $hasher = new PasswordHash( 8, true ); 
  419.  
  420. /** 
  421. * Filters the life span of the post password cookie. 
  422. * 
  423. * By default, the cookie expires 10 days from creation. To turn this 
  424. * into a session cookie, return 0. 
  425. * 
  426. * @since 3.7.0 
  427. * 
  428. * @param int $expires The expiry time, as passed to setcookie(). 
  429. */ 
  430. $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS ); 
  431. $referer = wp_get_referer(); 
  432. if ( $referer ) { 
  433. $secure = ( 'https' === parse_url( $referer, PHP_URL_SCHEME ) ); 
  434. } else { 
  435. $secure = false; 
  436. setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure ); 
  437.  
  438. wp_safe_redirect( wp_get_referer() ); 
  439. exit(); 
  440.  
  441. case 'logout' : 
  442. check_admin_referer('log-out'); 
  443.  
  444. $user = wp_get_current_user(); 
  445.  
  446. wp_logout(); 
  447.  
  448. if ( ! empty( $_REQUEST['redirect_to'] ) ) { 
  449. $redirect_to = $requested_redirect_to = $_REQUEST['redirect_to']; 
  450. } else { 
  451. $redirect_to = 'wp-login.php?loggedout=true'; 
  452. $requested_redirect_to = ''; 
  453.  
  454. /** 
  455. * Filters the log out redirect URL. 
  456. * 
  457. * @since 4.2.0 
  458. * 
  459. * @param string $redirect_to The redirect destination URL. 
  460. * @param string $requested_redirect_to The requested redirect destination URL passed as a parameter. 
  461. * @param WP_User $user The WP_User object for the user that's logging out. 
  462. */ 
  463. $redirect_to = apply_filters( 'logout_redirect', $redirect_to, $requested_redirect_to, $user ); 
  464. wp_safe_redirect( $redirect_to ); 
  465. exit(); 
  466.  
  467. case 'lostpassword' : 
  468. case 'retrievepassword' : 
  469.  
  470. if ( $http_post ) { 
  471. $errors = retrieve_password(); 
  472. if ( !is_wp_error($errors) ) { 
  473. $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?checkemail=confirm'; 
  474. wp_safe_redirect( $redirect_to ); 
  475. exit(); 
  476.  
  477. if ( isset( $_GET['error'] ) ) { 
  478. if ( 'invalidkey' == $_GET['error'] ) { 
  479. $errors->add( 'invalidkey', __( 'Your password reset link appears to be invalid. Please request a new link below.' ) ); 
  480. } elseif ( 'expiredkey' == $_GET['error'] ) { 
  481. $errors->add( 'expiredkey', __( 'Your password reset link has expired. Please request a new link below.' ) ); 
  482.  
  483. $lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ''; 
  484. /** 
  485. * Filters the URL redirected to after submitting the lostpassword/retrievepassword form. 
  486. * 
  487. * @since 3.0.0 
  488. * 
  489. * @param string $lostpassword_redirect The redirect destination URL. 
  490. */ 
  491. $redirect_to = apply_filters( 'lostpassword_redirect', $lostpassword_redirect ); 
  492.  
  493. /** 
  494. * Fires before the lost password form. 
  495. * 
  496. * @since 1.5.1 
  497. */ 
  498. do_action( 'lost_password' ); 
  499.  
  500. login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '</p>', $errors); 
  501.  
  502. $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : ''; 
  503.  
  504. ?> 
  505.  
  506. <form name="lostpasswordform" id="lostpasswordform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>" method="post"> 
  507. <p> 
  508. <label for="user_login" ><?php _e( 'Username or Email Address' ); ?><br /> 
  509. <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label> 
  510. </p> 
  511. <?php 
  512. /** 
  513. * Fires inside the lostpassword form tags, before the hidden fields. 
  514. * 
  515. * @since 2.1.0 
  516. */ 
  517. do_action( 'lostpassword_form' ); ?> 
  518. <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" /> 
  519. <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Get New Password'); ?>" /></p> 
  520. </form> 
  521.  
  522. <p id="nav"> 
  523. <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e('Log in') ?></a> 
  524. <?php 
  525. if ( get_option( 'users_can_register' ) ) : 
  526. $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); 
  527.  
  528. /** This filter is documented in wp-includes/general-template.php */ 
  529. echo ' | ' . apply_filters( 'register', $registration_url ); 
  530. endif; 
  531. ?> 
  532. </p> 
  533.  
  534. <?php 
  535. login_footer('user_login'); 
  536. break; 
  537.  
  538. case 'resetpass' : 
  539. case 'rp' : 
  540. list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) ); 
  541. $rp_cookie = 'wp-resetpass-' . COOKIEHASH; 
  542. if ( isset( $_GET['key'] ) ) { 
  543. $value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) ); 
  544. setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); 
  545. wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) ); 
  546. exit; 
  547.  
  548. if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) { 
  549. list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 ); 
  550. $user = check_password_reset_key( $rp_key, $rp_login ); 
  551. if ( isset( $_POST['pass1'] ) && ! hash_equals( $rp_key, $_POST['rp_key'] ) ) { 
  552. $user = false; 
  553. } else { 
  554. $user = false; 
  555.  
  556. if ( ! $user || is_wp_error( $user ) ) { 
  557. setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); 
  558. if ( $user && $user->get_error_code() === 'expired_key' ) 
  559. wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) ); 
  560. else 
  561. wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) ); 
  562. exit; 
  563.  
  564. $errors = new WP_Error(); 
  565.  
  566. if ( isset($_POST['pass1']) && $_POST['pass1'] != $_POST['pass2'] ) 
  567. $errors->add( 'password_reset_mismatch', __( 'The passwords do not match.' ) ); 
  568.  
  569. /** 
  570. * Fires before the password reset procedure is validated. 
  571. * 
  572. * @since 3.5.0 
  573. * 
  574. * @param object $errors WP Error object. 
  575. * @param WP_User|WP_Error $user WP_User object if the login and reset key match. WP_Error object otherwise. 
  576. */ 
  577. do_action( 'validate_password_reset', $errors, $user ); 
  578.  
  579. if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) { 
  580. reset_password($user, $_POST['pass1']); 
  581. setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); 
  582. login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' ); 
  583. login_footer(); 
  584. exit; 
  585.  
  586. wp_enqueue_script('utils'); 
  587. wp_enqueue_script('user-profile'); 
  588.  
  589. login_header(__('Reset Password'), '<p class="message reset-pass">' . __('Enter your new password below.') . '</p>', $errors ); 
  590.  
  591. ?> 
  592. <form name="resetpassform" id="resetpassform" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=resetpass', 'login_post' ) ); ?>" method="post" autocomplete="off"> 
  593. <input type="hidden" id="user_login" value="<?php echo esc_attr( $rp_login ); ?>" autocomplete="off" /> 
  594.  
  595. <div class="user-pass1-wrap"> 
  596. <p> 
  597. <label for="pass1"><?php _e( 'New password' ) ?></label> 
  598. </p> 
  599.  
  600. <div class="wp-pwd"> 
  601. <span class="password-input-wrapper"> 
  602. <input type="password" data-reveal="1" data-pw="<?php echo esc_attr( wp_generate_password( 16 ) ); ?>" name="pass1" id="pass1" class="input" size="20" value="" autocomplete="off" aria-describedby="pass-strength-result" /> 
  603. </span> 
  604. <div id="pass-strength-result" class="hide-if-no-js" aria-live="polite"><?php _e( 'Strength indicator' ); ?></div> 
  605. </div> 
  606. </div> 
  607.  
  608. <p class="user-pass2-wrap"> 
  609. <label for="pass2"><?php _e( 'Confirm new password' ) ?></label><br /> 
  610. <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="off" /> 
  611. </p> 
  612.  
  613. <p class="description indicator-hint"><?php echo wp_get_password_hint(); ?></p> 
  614. <br class="clear" /> 
  615.  
  616. <?php 
  617. /** 
  618. * Fires following the 'Strength indicator' meter in the user password reset form. 
  619. * 
  620. * @since 3.9.0 
  621. * 
  622. * @param WP_User $user User object of the user whose password is being reset. 
  623. */ 
  624. do_action( 'resetpass_form', $user ); 
  625. ?> 
  626. <input type="hidden" name="rp_key" value="<?php echo esc_attr( $rp_key ); ?>" /> 
  627. <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Reset Password'); ?>" /></p> 
  628. </form> 
  629.  
  630. <p id="nav"> 
  631. <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> 
  632. <?php 
  633. if ( get_option( 'users_can_register' ) ) : 
  634. $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); 
  635.  
  636. /** This filter is documented in wp-includes/general-template.php */ 
  637. echo ' | ' . apply_filters( 'register', $registration_url ); 
  638. endif; 
  639. ?> 
  640. </p> 
  641.  
  642. <?php 
  643. login_footer('user_pass'); 
  644. break; 
  645.  
  646. case 'register' : 
  647. if ( is_multisite() ) { 
  648. /** 
  649. * Filters the Multisite sign up URL. 
  650. * 
  651. * @since 3.0.0 
  652. * 
  653. * @param string $sign_up_url The sign up URL. 
  654. */ 
  655. wp_redirect( apply_filters( 'wp_signup_location', network_site_url( 'wp-signup.php' ) ) ); 
  656. exit; 
  657.  
  658. if ( !get_option('users_can_register') ) { 
  659. wp_redirect( site_url('wp-login.php?registration=disabled') ); 
  660. exit(); 
  661.  
  662. $user_login = ''; 
  663. $user_email = ''; 
  664. if ( $http_post ) { 
  665. $user_login = isset( $_POST['user_login'] ) ? $_POST['user_login'] : ''; 
  666. $user_email = isset( $_POST['user_email'] ) ? $_POST['user_email'] : ''; 
  667. $errors = register_new_user($user_login, $user_email); 
  668. if ( !is_wp_error($errors) ) { 
  669. $redirect_to = !empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : 'wp-login.php?checkemail=registered'; 
  670. wp_safe_redirect( $redirect_to ); 
  671. exit(); 
  672.  
  673. $registration_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ''; 
  674. /** 
  675. * Filters the registration redirect URL. 
  676. * 
  677. * @since 3.0.0 
  678. * 
  679. * @param string $registration_redirect The redirect destination URL. 
  680. */ 
  681. $redirect_to = apply_filters( 'registration_redirect', $registration_redirect ); 
  682. login_header(__('Registration Form'), '<p class="message register">' . __('Register For This Site') . '</p>', $errors); 
  683. ?> 
  684. <form name="registerform" id="registerform" action="<?php echo esc_url( site_url( 'wp-login.php?action=register', 'login_post' ) ); ?>" method="post" novalidate="novalidate"> 
  685. <p> 
  686. <label for="user_login"><?php _e('Username') ?><br /> 
  687. <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(wp_unslash($user_login)); ?>" size="20" /></label> 
  688. </p> 
  689. <p> 
  690. <label for="user_email"><?php _e('Email') ?><br /> 
  691. <input type="email" name="user_email" id="user_email" class="input" value="<?php echo esc_attr( wp_unslash( $user_email ) ); ?>" size="25" /></label> 
  692. </p> 
  693. <?php 
  694. /** 
  695. * Fires following the 'Email' field in the user registration form. 
  696. * 
  697. * @since 2.1.0 
  698. */ 
  699. do_action( 'register_form' ); 
  700. ?> 
  701. <p id="reg_passmail"><?php _e( 'Registration confirmation will be emailed to you.' ); ?></p> 
  702. <br class="clear" /> 
  703. <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" /> 
  704. <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Register'); ?>" /></p> 
  705. </form> 
  706.  
  707. <p id="nav"> 
  708. <a href="<?php echo esc_url( wp_login_url() ); ?>"><?php _e( 'Log in' ); ?></a> | 
  709. <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>"><?php _e( 'Lost your password?' ); ?></a> 
  710. </p> 
  711.  
  712. <?php 
  713. login_footer('user_login'); 
  714. break; 
  715.  
  716. case 'login' : 
  717. default: 
  718. $secure_cookie = ''; 
  719. $customize_login = isset( $_REQUEST['customize-login'] ); 
  720. if ( $customize_login ) 
  721. wp_enqueue_script( 'customize-base' ); 
  722.  
  723. // If the user wants ssl but the session is not ssl, force a secure cookie. 
  724. if ( !empty($_POST['log']) && !force_ssl_admin() ) { 
  725. $user_name = sanitize_user($_POST['log']); 
  726. $user = get_user_by( 'login', $user_name ); 
  727.  
  728. if ( ! $user && strpos( $user_name, '@' ) ) { 
  729. $user = get_user_by( 'email', $user_name ); 
  730.  
  731. if ( $user ) { 
  732. if ( get_user_option('use_ssl', $user->ID) ) { 
  733. $secure_cookie = true; 
  734. force_ssl_admin(true); 
  735.  
  736. if ( isset( $_REQUEST['redirect_to'] ) ) { 
  737. $redirect_to = $_REQUEST['redirect_to']; 
  738. // Redirect to https if user wants ssl 
  739. if ( $secure_cookie && false !== strpos($redirect_to, 'wp-admin') ) 
  740. $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to); 
  741. } else { 
  742. $redirect_to = admin_url(); 
  743.  
  744. $reauth = empty($_REQUEST['reauth']) ? false : true; 
  745.  
  746. $user = wp_signon( array(), $secure_cookie ); 
  747.  
  748. if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) { 
  749. if ( headers_sent() ) { 
  750. /** translators: 1: Browser cookie documentation URL, 2: Support forums URL */ 
  751. $user = new WP_Error( 'test_cookie', sprintf( __( '<strong>ERROR</strong>: Cookies are blocked due to unexpected output. For help, please see <a href="%1$s">this documentation</a> or try the <a href="%2$s">support forums</a>.' ),  
  752. __( 'https://codex.wordpress.org/Cookies' ), __( 'https://wordpress.org/support/' ) ) ); 
  753. } elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) { 
  754. // If cookies are disabled we can't log in even with a valid user+pass 
  755. /** translators: 1: Browser cookie documentation URL */ 
  756. $user = new WP_Error( 'test_cookie', sprintf( __( '<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href="%s">enable cookies</a> to use WordPress.' ),  
  757. __( 'https://codex.wordpress.org/Cookies' ) ) ); 
  758.  
  759. $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ''; 
  760. /** 
  761. * Filters the login redirect URL. 
  762. * 
  763. * @since 3.0.0 
  764. * 
  765. * @param string $redirect_to The redirect destination URL. 
  766. * @param string $requested_redirect_to The requested redirect destination URL passed as a parameter. 
  767. * @param WP_User|WP_Error $user WP_User object if login was successful, WP_Error object otherwise. 
  768. */ 
  769. $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user ); 
  770.  
  771. if ( !is_wp_error($user) && !$reauth ) { 
  772. if ( $interim_login ) { 
  773. $message = '<p class="message">' . __('You have logged in successfully.') . '</p>'; 
  774. $interim_login = 'success'; 
  775. login_header( '', $message ); ?> 
  776. </div> 
  777. <?php 
  778. /** This action is documented in wp-login.php */ 
  779. do_action( 'login_footer' ); ?> 
  780. <?php if ( $customize_login ) : ?> 
  781. <script type="text/javascript">setTimeout( function() { new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script> 
  782. <?php endif; ?> 
  783. </body></html> 
  784. <?php exit; 
  785.  
  786. if ( ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url() ) ) { 
  787. // If the user doesn't belong to a blog, send them to user admin. If the user can't edit posts, send them to their profile. 
  788. if ( is_multisite() && !get_active_blog_for_user($user->ID) && !is_super_admin( $user->ID ) ) 
  789. $redirect_to = user_admin_url(); 
  790. elseif ( is_multisite() && !$user->has_cap('read') ) 
  791. $redirect_to = get_dashboard_url( $user->ID ); 
  792. elseif ( !$user->has_cap('edit_posts') ) 
  793. $redirect_to = $user->has_cap( 'read' ) ? admin_url( 'profile.php' ) : home_url(); 
  794.  
  795. wp_redirect( $redirect_to ); 
  796. exit(); 
  797. wp_safe_redirect($redirect_to); 
  798. exit(); 
  799.  
  800. $errors = $user; 
  801. // Clear errors if loggedout is set or a re-authentication was requested. 
  802. if ( !empty($_GET['loggedout']) || $reauth ) 
  803. $errors = new WP_Error(); 
  804.  
  805. if ( $interim_login ) { 
  806. if ( ! $errors->get_error_code() ) 
  807. $errors->add( 'expired', __( 'Your session has expired. Please log in to continue where you left off.' ), 'message' ); 
  808. } else { 
  809. // Some parts of this script use the main login form to display a message 
  810. if ( isset($_GET['loggedout']) && true == $_GET['loggedout'] ) 
  811. $errors->add('loggedout', __('You are now logged out.'), 'message'); 
  812. elseif ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] ) 
  813. $errors->add('registerdisabled', __('User registration is currently not allowed.')); 
  814. elseif ( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] ) 
  815. $errors->add('confirm', __('Check your email for the confirmation link.'), 'message'); 
  816. elseif ( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] ) 
  817. $errors->add('newpass', __('Check your email for your new password.'), 'message'); 
  818. elseif ( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] ) 
  819. $errors->add('registered', __('Registration complete. Please check your email.'), 'message'); 
  820. elseif ( strpos( $redirect_to, 'about.php?updated' ) ) 
  821. $errors->add('updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to see what’s new.' ), 'message' ); 
  822.  
  823. /** 
  824. * Filters the login page errors. 
  825. * 
  826. * @since 3.6.0 
  827. * 
  828. * @param WP_Error $errors WP_Error object. 
  829. * @param string $redirect_to Redirect destination URL. 
  830. */ 
  831. $errors = apply_filters( 'wp_login_errors', $errors, $redirect_to ); 
  832.  
  833. // Clear any stale auth cookies when a re-authentication was requested. 
  834. if ( $reauth ) 
  835. wp_clear_auth_cookie(); 
  836.  
  837. login_header(__('Log In'), '', $errors); 
  838.  
  839. if ( isset($_POST['log']) ) 
  840. $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(wp_unslash($_POST['log'])) : ''; 
  841. $rememberme = ! empty( $_POST['rememberme'] ); 
  842.  
  843. if ( ! empty( $errors->errors ) ) { 
  844. $aria_describedby_error = ' aria-describedby="login_error"'; 
  845. } else { 
  846. $aria_describedby_error = ''; 
  847. ?> 
  848.  
  849. <form name="loginform" id="loginform" action="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>" method="post"> 
  850. <p> 
  851. <label for="user_login"><?php _e( 'Username or Email Address' ); ?><br /> 
  852. <input type="text" name="log" id="user_login"<?php echo $aria_describedby_error; ?> class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" /></label> 
  853. </p> 
  854. <p> 
  855. <label for="user_pass"><?php _e( 'Password' ); ?><br /> 
  856. <input type="password" name="pwd" id="user_pass"<?php echo $aria_describedby_error; ?> class="input" value="" size="20" /></label> 
  857. </p> 
  858. <?php 
  859. /** 
  860. * Fires following the 'Password' field in the login form. 
  861. * 
  862. * @since 2.1.0 
  863. */ 
  864. do_action( 'login_form' ); 
  865. ?> 
  866. <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever" <?php checked( $rememberme ); ?> /> <?php esc_html_e( 'Remember Me' ); ?></label></p> 
  867. <p class="submit"> 
  868. <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Log In'); ?>" /> 
  869. <?php if ( $interim_login ) { ?> 
  870. <input type="hidden" name="interim-login" value="1" /> 
  871. <?php } else { ?> 
  872. <input type="hidden" name="redirect_to" value="<?php echo esc_attr($redirect_to); ?>" /> 
  873. <?php } ?> 
  874. <?php if ( $customize_login ) : ?> 
  875. <input type="hidden" name="customize-login" value="1" /> 
  876. <?php endif; ?> 
  877. <input type="hidden" name="testcookie" value="1" /> 
  878. </p> 
  879. </form> 
  880.  
  881. <?php if ( ! $interim_login ) { ?> 
  882. <p id="nav"> 
  883. <?php if ( ! isset( $_GET['checkemail'] ) || ! in_array( $_GET['checkemail'], array( 'confirm', 'newpass' ) ) ) : 
  884. if ( get_option( 'users_can_register' ) ) : 
  885. $registration_url = sprintf( '<a href="%s">%s</a>', esc_url( wp_registration_url() ), __( 'Register' ) ); 
  886.  
  887. /** This filter is documented in wp-includes/general-template.php */ 
  888. echo apply_filters( 'register', $registration_url ) . ' | '; 
  889. endif; 
  890. ?> 
  891. <a href="<?php echo esc_url( wp_lostpassword_url() ); ?>"><?php _e( 'Lost your password?' ); ?></a> 
  892. <?php endif; ?> 
  893. </p> 
  894. <?php } ?> 
  895.  
  896. <script type="text/javascript"> 
  897. function wp_attempt_focus() { 
  898. setTimeout( function() { try{ 
  899. <?php if ( $user_login ) { ?> 
  900. d = document.getElementById('user_pass'); 
  901. d.value = ''; 
  902. <?php } else { ?> 
  903. d = document.getElementById('user_login'); 
  904. <?php if ( 'invalid_username' == $errors->get_error_code() ) { ?> 
  905. if( d.value != '' ) 
  906. d.value = ''; 
  907. <?php 
  908. }?> 
  909. d.focus(); 
  910. d.select(); 
  911. } catch(e) {} 
  912. }, 200); 
  913.  
  914. <?php if ( !$error ) { ?> 
  915. wp_attempt_focus(); 
  916. <?php } ?> 
  917. if(typeof wpOnload=='function')wpOnload(); 
  918. <?php if ( $interim_login ) { ?> 
  919. (function() { 
  920. try { 
  921. var i, links = document.getElementsByTagName('a'); 
  922. for ( i in links ) { 
  923. if ( links[i].href ) 
  924. links[i].target = '_blank'; 
  925. } catch(e) {} 
  926. }()); 
  927. <?php } ?> 
  928. </script> 
  929.  
  930. <?php 
  931. login_footer(); 
  932. break; 
  933. } // end action switch 