current user’s password check

You can use current_user_can() to check if the user has permission to edit a specific user. If that’s what you’re trying to do. You will need to get the relevant user ID though as the 2nd argument:

if ( current_user_can( 'edit_user', $user_id ) ) {
    // Do stuff.
}

So you can send the relevant user ID through the form, maybe as a hidden field, and use that:

current_user_can( 'edit_user', $_POST['user_id'] )

Or you could just use the current user’s ID:

current_user_can( 'edit_user', get_current_user_id() )

These might seem redundant, but it is technically possible for you to not let users edit themselves, so these methods would still respect the site owner’s ability to do that.

The important point is that if you’re getting a result for wp_get_current_user() then you know the user’s signed in, so you don’t need to check the password/cookie etc. That’s already done. All you need to do is check that the current user has permission to perform certain actions.

If you are trying to check the user’s password again, then what you have should work. I did notice though that your condition is written so that if the password is correct it is being redirected to ?validation=passwordincorrect. If you want to throw an error if the password is incorrect you should change the condition to:

if ( $user && ! wp_check_password( $pass_check, $user->data->user_pass, $user->ID ) ) {

Notice the addition of !.

Also, don’t use esc_attr on the submitted password. That could change the password. If the user has entered 123<567 as the password then you need to check that, not 123&lt;567.

If you are trying to create a login form, then you should just use wp_login_form() with your own redirect.

Related Posts:

  1. How to change user password with wp-cli?
  2. Loosen/disable password policy
  3. Password Protect Custom Page
  4. Password protecting a page
  5. How to save Admin FTP password
  6. How can I change the default wordpress password hashing system to something custom?
  7. If I change the salt keys in my wp-config will all passwords break?
  8. Conditional to test if post has password protection enabled
  9. How to add Wp_error using lostpassword_post hook when validating custom field?
  10. Duplicate hash method for password in .NET
  11. Hide password protected posts
  12. Access code/password only restricts page access, no user registration..?
  13. PasswordHash not found in namespace
  14. Force all users in MU to change their passwords
  15. Reseting admin password through PHPMyadmin fails
  16. Check Password Reset Key Not Woking
  17. Reset password – set minimum length for new password
  18. How to shorten length of auto generated password sent during registration?
  19. wp_hash_password unexpected behaviour
  20. Redirect a password protected page?
  21. Lost password link is redirecting to /shop/my-account/lost-password/
  22. Change default recovery link expiration time
  23. Set content type to HTML for lost password email only
  24. Password protecting template, secured content not showing if even password is right
  25. Make post password required to publish
  26. WordPress reset password returns invalid key
  27. Add error message on password protected pages
  28. User password field is empty
  29. How to set minimum length and error message for password recovery?
  30. Why is resetting the WordPress Users password not working?
  31. Get plain password on register
  32. post_password_required() not recognizing cookie set with correct password
  33. How Authentication in wordpress works? wp_authenticate_username_password()
  34. Password protect the site (without htaccess or membership)
  35. Password Protected page not asking for a password
  36. I would like to password protect my entire WordPress site (ip validated), except for one page
  37. Custom login form for front-end user as well as admin
  38. how to remotely check a username / password from within a plugin
  39. Password changed [duplicate]
  40. How to get user password before being encrypted outside the wordpress core once add a new user from dashboard?
  41. wp_hash_password create a different hash everytime
  42. How to change password
  43. Password protect pages – allow more than one password
  44. password recovery key is invalid on custom reset
  45. Like to store multiple passwords in db table wp_posts field post_password?
  46. Password Protected Post is invisible until you login
  47. Protect Passwords in wp_users with stronger protection than MD5
  48. How secure is a wp-config file?
  49. How to check user’s password?
  50. How to Remove or Deactivate “Application Passwords” in WordPress
  51. What’s the algorithm to verify user password?
  52. How to change “Reset Password” text on submit button
  53. Customize retrieve password message
  54. resend user login & password with custom button
  55. WordPress admin creation through phpmyadmin not working
  56. How to show my wordpress admin username & password?
  57. Why does hashing a password result in different hashes, each time?
  58. How to initiate password reset flow by code
  59. Change password fields
  60. lostpassword_redirect filter is not used
  61. How to read third party cookie to access password protected pages
  62. Password Protect or IP to access under development WordPress site otherwise shown a placeholder page
  63. Password-protected page redirecting to frontpage when I enter the password
  64. How would I create a Password Protected Page with Content on it?
  65. wordpress custom password change problem
  66. Allow all reset password links within the past 24 hours to be valid and accepted
  67. WooCommerce Lost Password reset goes to 404
  68. Set id and password for each post
  69. I have to reset the admin password each time
  70. I need help with wp_lostpassword, wp_register and wp_login_form
  71. Create Member who can’t be changed
  72. Automatically change the page password for more than one page
  73. Sending Reset Password email via Web API
  74. $expiration_duration = apply_filters( ‘password_reset_expiration’, DAY_IN_SECONDS );
  75. Frontend custom forgot password page
  76. Entering a WP site with a SMS code
  77. Problem with login / reset password links in users emails
  78. Password Protect content() on homepage
  79. Function called by password_reset action passed only 1 argument instead of 2 in PHP 7.2.11
  80. Allow users from my ASP.Net MVC site to access my private WordPress site
  81. Lost Password redirect to My Account
  82. Multiple pages protected by different passwords. Possible to track multiple passwords at a time?
  83. How do I display the password field on the WordPress user registration screen?
  84. WordPress Protected Page Redirects to PDF
  85. Not able to log for the first time on a salted WordPress by creating pwd on BD
  86. Bypass a WordPress Password Protected Post or Page via a URL
  87. Password Protected Logout Button Not Working
  88. How do I password protect a page of posts on WordPress?
  89. forgot password
  90. Revise my keyword but still cannot login
  91. WordPress not taking password and username
  92. mysql update user’s password and activation key
  93. How WordPress hashes passwords
  94. Reset Password – change from name and email address. It stucks at admin. Want to change it to info
  95. check if post is set to “password protected”
  96. Override the default password length when creating or updating a user profile
  97. Why can’t I create an Application Password?
  98. FTP Password (not private key-value pair) for EC2 Instance
  99. How to Disable Pre-population of Password on Password Reset
  100. My WordPress password for admin account is changing automatically