I’m currently working on an application that relies partly on domains to authenticate users: several users can belong to an account, and the application can check whether you’re connected to that account by looking at the domain used for the login.

WordPress Multisite is well suited to this purpose. There’s only one thing I found a bit odd: WordPress considers you logged in on every part of the network, even when you’re only a member of one of the subsites.

To prevent a cross-site login, I’ve added some code, which runs both on each request and on the authenticate hook. It’s actually very simple: it checks whether the logged-in user is a member of the current blog. If not, you get logged out and redirected.

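```php
// Registered from inside the plugin class (for example in its constructor),
// which is why the callback is given as array($this, ...).
add_action('authenticate', array($this, 'validate_on_login'), 100, 3);

// 'authenticate' is a filter: the callback receives the result so far
// (null, WP_User or WP_Error) and must return it, or every login fails.
function validate_on_login($user = null) {
  if (!is_user_logged_in()) {
    return $user;
  }

  $current = wp_get_current_user();

  // allow login only if the user is a member of this blog
  if (!is_user_member_of_blog($current->ID, get_current_blog_id()) && !is_super_admin($current->ID)) {
    wp_logout();
    wp_redirect(network_site_url());
    exit();
  }

  return $user;
}
```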
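Both checks the post describes, the one on the login hook and the one on each request, written out as an added example that is not the post author's code. The `mso_` function names and the `not_a_member` error code are hypothetical, and the per-request check is assumed to hang on `init`.

```php
<?php
// Added example: restrict a Multisite login to members of the current site.
// The mso_* names and the 'not_a_member' code are hypothetical.

// True when the user may use the site that is serving this request.
function mso_user_allowed_here( $user_id ) {
    return is_super_admin( $user_id )
        || is_user_member_of_blog( $user_id, get_current_blog_id() );
}

// Login path: 'authenticate' is a filter, so always return a value.
// Priority 100 runs after core has checked the credentials.
add_filter( 'authenticate', 'mso_check_on_login', 100, 3 );
function mso_check_on_login( $user, $username, $password ) {
    // Act only on a successful credential check; pass null and errors through,
    // so a failed password never reveals whether the account is a member.
    if ( ! ( $user instanceof WP_User ) ) {
        return $user;
    }
    if ( ! mso_user_allowed_here( $user->ID ) ) {
        return new WP_Error(
            'not_a_member',
            __( 'This user is not part of this site.' )
        );
    }
    return $user;
}

// Request path: a cookie issued on another subsite is accepted here too,
// so membership is re-checked on every request once the user is known.
add_action( 'init', 'mso_check_on_request' );
function mso_check_on_request() {
    if ( ! is_multisite() || ! is_user_logged_in() ) {
        return;
    }
    if ( mso_user_allowed_here( get_current_user_id() ) ) {
        return;
    }
    wp_logout(); // ends the session, as the post's code does
    wp_redirect( network_site_url() ); // fixed destination, not user input
    exit;
}
```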

10 Responses

  1. Thanks for sharing this informative piece of writing about preventing cross site authentication issues for logged in users on WordPress multi-site environment. This post is very helpful indeed.

    1. Hi,

      you can try to enable debugging in WordPress by adding the following to your wp-config.php file:

      define('WP_DEBUG', true);
      define('WP_DEBUG_LOG', true);

      this will write any PHP related errors to a debug.log file in your /wp-content/ folder and should provide more information about the exact cause of your issue.

      1. I get the following error
        Fatal error: Uncaught Error: Using $this when not in object context in

        1. Hi,

          $this can only be used within a class, you are likely implementing this code outside of a class. To fix this, remove the $this reference.

          add_action('authenticate', array($this, 'validate_on_login'), 100, 3);

          Becomes

          add_action('authenticate', 'validate_on_login', 100, 3);

          1. I get the following error
            Parse error: syntax error, unexpected ‘validate_on_login’ (T_STRING) in

  2. In WordPress 5.9 this code works.

    ```php
    add_filter( 'authenticate', 'validate_on_login_wp_multisite', 90, 3 );

    // $error is the authentication result so far: null, a WP_User or a WP_Error.
    function validate_on_login_wp_multisite( $error, $username, $password ) {
        if ( ! empty( $username ) && ! empty( $password ) ) {
            // get_user_by() returns false (not null) when nothing matches, so use ?:
            // rather than ?? to fall back from the email lookup to the login lookup.
            $the_user = get_user_by( 'email', $username ) ?: get_user_by( 'login', $username );
            if ( ! empty( $the_user ) ) {
                $the_user_ID = $the_user->ID;
                if ( ! is_user_member_of_blog( $the_user_ID, get_current_blog_id() ) &&
                    ! is_super_admin( $the_user_ID ) ) {
                    return new WP_Error( 'authentication_failed', __( 'ERROR: This user is not part of this site.' ) );
                }
            }
        }
        return $error;
    }
    ```
