I am trying to understand why it runs even if the form is not submitted on wp-login page load.
That’s just how it works.
If the current action is login which is the default action, then wp_signon() is always called on page load regardless the login form was submitted or not, and thus your function runs because wp_signon() calls wp_authenticate() which fires the authenticate hook.
So yes, this is an expected behavior:
Any time, the login page is loaded, this message is always displayed
even though nothing is submitted
But it can be prevented.
First, set your callback priority to 20, and secondly, check if the $user (the first parameter) is already a WP_Error instance and if so, then simply return the instance. E.g.
add_filter( 'authenticate', 'custom_login', 20, 3 ); // set priority to 20 or more
function custom_login( $user, $username, $password ) {
// The user might already be authenticated, so return the user object.
if ( $user instanceof WP_User ) {
return $user;
}
// There's already an error authenticating the user, or maybe the user
// has just landed on the login page, so just return the error object.
if ( is_wp_error( $user ) ) {
return $user;
}
// ... your validation/code here.
return $user;
}
And I thought it might be worth quoting this from the filter documentation:
The
wp_authenticate_user
filter can also be used if you want to perform any additional
validation after WordPress’s basic validation, but before a user is
logged in.The default authenticate filters in /wp-includes/default-filters.php
add_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 ); add_filter( 'authenticate', 'wp_authenticate_email_password', 20, 3 ); add_filter( 'authenticate', 'wp_authenticate_spam_check', 99 );
See wp_authenticate_username_password(), wp_authenticate_email_password() and wp_authenticate_spam_check() for details about what the functions do.