Really Simple Plugins

Prevent cross site authentication for logged in users on WordPress multisite

I’m currently working on an application that depends partly on the domains to authenticate the users: several users can belong to an account, and the application can check whether you’re connected to this account by retrieving the domain that is used for the login.

WordPress Multisite is very well suited to such a purpose. There’s only one thing I found a bit odd: WordPress considers you logged in on any part of the network, even when you’re only a member of one of the subsites.

To prevent a cross-site login, I’ve added some code that runs both on each request and on the authenticate hook. It’s actually very simple: it checks whether the logged-in user is a member of the current blog. If not, you get logged out and redirected.

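// Registered from inside the plugin class, hence array($this, ...).
// 'authenticate' is a filter: the callback receives the user resolved by
// earlier handlers and must return it, otherwise every login fails.
add_filter('authenticate', array($this, 'validate_on_login'), 100, 3);

function validate_on_login($user, $username, $password) {
  // Only check a user that an earlier handler has authenticated;
  // pass null and WP_Error results through unchanged.
  if (!($user instanceof WP_User)) {
    return $user;
  }

  // Allow login only if the user is a member of this blog
  // (super admins are always allowed).
  if (!is_user_member_of_blog($user->ID, get_current_blog_id()) && !is_super_admin($user->ID)) {
    wp_logout();
    wp_redirect(network_site_url());
    exit();
  }

  return $user;
}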
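
The check described above, wired to both places the post names (every request and the `authenticate` hook), as an added example that is not the plugin's own code. It assumes a must-use plugin file; the `example_*` function names and the error code are hypothetical, and at login it returns a `WP_Error` instead of redirecting.

```php
<?php
/**
 * Added example, not the plugin's own code. Assumed to be saved as a
 * must-use plugin (wp-content/mu-plugins/); all function names are hypothetical.
 */

// True when the user may hold a session on the current site.
function example_user_allowed_here($user_id) {
    return is_super_admin($user_id)
        || is_user_member_of_blog($user_id, get_current_blog_id());
}

// Every request: WordPress treats a network user as logged in on every
// subsite, so membership is re-checked once the current user is loaded.
function example_check_membership_on_request() {
    if (!is_multisite() || !is_user_logged_in()) {
        return;
    }
    if (!example_user_allowed_here(get_current_user_id())) {
        wp_logout();                      // destroys the session, clears cookies
        wp_redirect(network_site_url());  // fixed target, not user input
        exit;
    }
}
add_action('init', 'example_check_membership_on_request', 1);

// Login: 'authenticate' is a filter, so the callback must return a WP_User,
// a WP_Error or null. Priority 100 runs after core's credential checks.
function example_check_membership_on_login($user, $username, $password) {
    if (is_multisite() && $user instanceof WP_User
        && !example_user_allowed_here($user->ID)) {
        return new WP_Error(
            'not_a_site_member', // hypothetical error code
            __('You are not a member of this site.')
        );
    }
    return $user; // pass earlier results (including errors) through unchanged
}
add_filter('authenticate', 'example_check_membership_on_login', 100, 3);
```

`wp_logout()` destroys the user's session token, which WordPress stores per user rather than per site, so the visitor is also signed out of the sites they do belong to.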