Part of the problem is you’ve set the priority of your filter to “1” which means it will run first. Since authenticate is going to run on any login (wp-login.php or your front-end login page), you probably need to start with setting it to the default (10). Otherwise, it’s just going to hijack your wp-login.php.
Since you don’t need to do this on wp-login.php, you could also check to make sure that’s not the current page when you run your custom validation. I did that in your function by checking the global ‘pagenow’ is not ‘wp-login.php’.
function verify_user_pass( $user, $username, $password ) {
if ( $GLOBALS['pagenow'] != 'wp-login.php' ) {
$login_page = home_url( 'login/' );
if ( "" == $username || "" == $password ) {
wp_redirect( add_query_arg( 'login', 'empty', $login_page ) );
exit();
}
}
return $user;
}
add_filter( 'authenticate', 'verify_user_pass', 10, 3 );
Some other things I changed:
home_url()does not need a leading slash for slugs – it will put that in automatically.- changed your comparisons to “yoda conditions” (
"" == $username) – it’s a good habit to get into because it catches type/syntax errors (like if you mistype “=” instead of “==“). - use
add_query_arg()to add your query argument to the URL. That way it will be added properly, even if there are other query arguments in the URL. - Note that this is a filter, not an action. Therefore, you need to make sure you return what the filter hook is filtering. In the case of
authenticatethat’s the$userobject (which may also contain aWP_Errorobject). If you don’t return this at the end, you’ll break anything outside your custom process that also runs this filter (i.e. the main wp-login.php).