How can I be certain that a user has verified their email after registration?

I’ve tried a few different approaches for verifying the user’s email. For now, what I am doing is this:

When a user first registers, set the user’s user_metadata ’email_not_verified’ to 1.

add_action( 'user_register', 'sc_user_email_not_verified' );
function sc_user_email_not_verified( $user_id ) {
  update_user_meta( $user_id, 'email_not_verified', 1 );
}

Then, override the wp_new_user_notification function so that it adds an ’email_verification_key’ to the login url. It also saves that key as user_metadata.

function wp_new_user_notification( $user_id, $depreciated = null, $notify = '' ) {

...

$email_verification_key = wp_generate_password( 20, false );
update_user_meta( $user_id, 'email_verification_key', $email_verification_key );

$message = sprintf(__('Username: %s'), $user->user_login) . "\r\n\r\n";
$message .= __('To set your password, visit the following address:') . "\r\n\r\n";
$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&mail_key=$email_verification_key&login=" . rawurlencode($user->user_login), 'login') . ">\r\n\r\n";
$message .= wp_login_url() . "\r\n";

wp_mail($user->user_email, sprintf(__('[%s] Your username and password info'), $blogname), $message);
}

Then, hook into the ‘validate_password_reset’ action to check that the email verification key from the password reset request matches the saved key. If the keys don’t match, delete the user and redirect them back to the registration form with an error of ’emailnotverified’. If the keys do match, delete the ’email_not_verified’ metadata.

add_action( 'validate_password_reset', 'sc_verify_user_email', 10, 2 );
function sc_verify_user_email( $errors, $user ) {
    if ( isset( $_REQUEST['mail_key'] ) ) {
        $email_verification_key = $_REQUEST['mail_key'];
        $saved_key              = get_user_meta( $user->ID, 'email_verification_key', true );

        if ( ! ( $email_verification_key === $saved_key ) ) {
            require_once( ABSPATH . 'wp-admin/includes/user.php' );
            wp_delete_user( $user->ID );
            wp_redirect( network_site_url( "wp-login.php?action=register&error=emailnotverified" ) );
            exit;
        } else {
            delete_user_meta( $user->ID, 'email_not_verified' );
        }
    }
}

If the email is not verified, add a message that will be displayed on the registration page when there is an ’emailnotverified’ error.

add_filter( 'login_message', 'sc_email_not_verified_message' );
function sc_email_not_verified_message() {
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
    $error = isset( $_REQUEST['error'] ) ? $_REQUEST['error'] : '';

    if ( 'register' === $action && 'emailnotverified' === $error ) {
        $message="<p class="message">" . __( 'Your email address could not be verified. Please try registering again.' ) . '</p>';
        return $message;
    }
}

Inside of the Single Sign On function, if the user has the ’email_not_verified’ metadata, don’t log them in to the client application. (This could happen if the user was created through a registration form that was added by a plugin.)

$current_user = wp_get_current_user();
if ( get_user_meta( $current_user->ID, 'email_not_verified', true ) ) {
    echo( 'Invalid request.' ); // This needs to be changed to a redirect.
    exit;
}

I’ve also added a checkbox to display and override the user’s email verification status on the ‘user-edit’ page.

Edit:

Hooking into the validate_password_reset action is probably not the best way to do this. It is called before the password is reset, so the email will be verified even if there are errors in the password reset process (for example if the key is expired or invalid.)

A better approach seems to be to hook into the resetpass_form action and add a hidden field to the password reset form that holds the value of the ‘mail_key’:

add_action( 'resetpass_form' 'sc_mail_key_field' );
function sc_mail_key_field() {

    if ( isset( $_REQUEST['mail_key'] ) ) { 

        $mail_key = sanitize_key( wp_unslash( $_REQUEST['mail_key'] ) );
        wp_nonce_field( 'verify_email', 'verify_email_nonce' );
        echo '<input type="hidden" name="mail_key" value="' . esc_attr( $mail_key ) . '" />';
    }
}

It is then possible to hook into the after_password_reset action to verify the saved mail key against the $_POST['mail_key'] value.

An example plugin can be found here: email address verification plugin

Related Posts:

  1. Email confirmation in user registration form without a plugin
  2. not sending correct link to set the password in registration email [closed]
  3. Not receiving any sign up mail, when user registers… Both admin & user
  4. Custom registration function not working as it should because is_mail and email_exist keep giving errors when it shouldn’t
  5. Google Apps login in wordpress
  6. How do I create a password reset link?
  7. Placeholder text for registration form
  8. Use the user_activation_key for other purposes
  9. How to set up User email verification after Signup?
  10. How to check if the user registration is allowed/active?
  11. how to disable user confirmation from administration?
  12. Custom registration form page/template
  13. Mail isn’t sent after local site registration
  14. How to disable or protect against disposable email accounts?
  15. Changing username after registration to get around the issue of having duplicate emails?
  16. Registration key
  17. User defined password at registration – registration email sends auto generated pass
  18. Advice on setting up a site with front end registration
  19. Function like is_registration_page to check if current page is registration page
  20. Payment on Registration?
  21. WordPress members-only page with link visible only to members
  22. How do I show errors after validation with a custom form frontend?
  23. How can I find users that didn’t set a password?
  24. Send custom signup approval email to different Administrators selectively
  25. Registering without e-mail adress!
  26. Batch users creation
  27. After e-junkie payment, send a http post to register user automatically?
  28. Checked checkbox?
  29. Set user password after creating user
  30. On user registration, if welcome mail sent, add post with new user as author
  31. How to bypass the username as a required field in registration and just use email address instead?
  32. Does the user_register change in multisite?
  33. Registration options and approvals
  34. user activation email doesn’t work
  35. What’s wrong with Customizing new user notification email by add_filter?
  36. Where are people registering on my website?
  37. How to disallow user to register with a specific word in the username?
  38. How to stop WordPress emailing a password
  39. Change User Registration
  40. user_register not triggering with email verification
  41. On multisite, plugins are disabled prematurely when viewing the /wp-activate.php page file
  42. Backend user creation form with additional language field
  43. Restrict certain character combinations in username during registration
  44. Register users without confirmation
  45. Override default new user registration email with custom message (non sub-domain multi-site installation)
  46. How to receive notifications when a new user registers
  47. Include “registration.php” for custom registration form?
  48. Regsitration form on External page
  49. can registration be enabled programatically?
  50. allow only lowercase user registrations
  51. How do I set user account inactive?
  52. Filter for users on custom post type
  53. Registration area + reserved area
  54. Please suggest me some plugins in WordPress networking
  55. Cannot login due to incorrect password right after registration?
  56. wordpress – user registration ( signup registration )
  57. Disable password limitations
  58. How to integrate CAPTCHA on register page? [closed]
  59. register_settings callback function erases data
  60. Custom registration fields not validating
  61. Register multiple users in one form
  62. Register through url
  63. Add ‘first name’, ‘last name’, ‘date of birth’ and ‘terms and conditions’ to register fields?
  64. How to show password fields on registration form w/o plugins
  65. Is there any way to not require email address or disable notification upon setting up a member?
  66. I want to remove the http:// that is added automaticly on the user profile adress
  67. I need a custom Login Registeration in WordPress can somebody guide me?
  68. How to enable user registration for specific country and disable registration from all other countries?
  69. Wikipedia – CMS
  70. how to change the register process
  71. remove (error:) from registration errors woocommerce
  72. Modify new user welcome email
  73. Redirection after registration
  74. Updated : how to make email optional while user registration using default wordpress form
  75. Adding email list as registered users
  76. Registration – website crashes, error 403
  77. Placeholder text for ajax loaded conditional fields in the registration form
  78. Creating custom registration and login page in wordpress
  79. Link with password is not sent to the new user
  80. How can I fetch user registration age
  81. Send a password to a user who has just registered for a member area
  82. The requested URL /wordpress/register/ was not found on this server
  83. Redirect to “Thank you” page after register new user on custom register form
  84. Updating User Meta using Theme My Login with Custom Fields
  85. WordPress doesn’t send a password (but only a username) after new user registration
  86. WordPress not sending registration mail? (works on ‘lost password’)
  87. Macros for WordPress, creating subdomains out of registrations for current domain
  88. Prevent registration except through form
  89. wordpress custom registration
  90. Multisite/Network What file to edit to change the “new blog” registration text
  91. Problem with registration page
  92. How do spam users register while I’ve only enabled registration by Gmail via Janrain?
  93. How we get the success messages
  94. wp-signup.php example template
  95. What hooks, actions or filters i can use to customize wordpress registration page and form?
  96. registration process with contact from 7? [closed]
  97. Can email address be used as user name?
  98. Website visible only to Registered users (non wp-admin)
  99. Verify user is Eventbrite attendee when creating new WordPress account
  100. Limit username to specific characters (A-Z and 0-9)

Leave a Comment