How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?

Yes, WordPress checks for duplicate emails internally, but not duplicate usernames

To test this I ran this several times via wp shell:

wp_create_user( 'test', 'password', '[email protected]' );

The result on the second attempt was:

=> class WP_Error#1962 (2) {
  public $errors =>
  array(1) {
    'existing_user_email' =>
    array(1) {
      [0] =>
      string(42) "Sorry, that email address is already used!"
    }
  }
  public $error_data =>
  array(0) {
  }
}

When I tried to register a different email with the same username:

wp> wp_create_user( 'test', 'password', '[email protected]' );
=> class WP_Error#1981 (2) {
  public $errors =>
  array(1) {
    'existing_user_login' =>
    array(1) {
      [0] =>
      string(36) "Sorry, that username already exists!"
    }
  }
  public $error_data =>
  array(0) {
  }
}

I also checked the code and found this in wp_insert_user:

https://github.com/WordPress/WordPress/blob/f93ee2ca76164bcae721e4730c92ee1455fa1dd9/wp-includes/user.php#L1645-L1650

    /*
     * If there is no update, just check for `email_exists`. If there is an update,
     * check if current email and new email are the same, or not, and check `email_exists`
     * accordingly.
     */
    if ( ( ! $update || ( ! empty( $old_user_data ) && 0 !== strcasecmp( $user_email, $old_user_data->user_email ) ) )
        && ! defined( 'WP_IMPORTING' )
        && email_exists( $user_email )
    ) {
        return new WP_Error( 'existing_user_email', __( 'Sorry, that email address is already used!' ) );
    }

So What’s Causing This?

Right now there’s not enough information to diagnose this, and it doesn’t help that your usernames are emails as it makes it easy to overlook things or treat them as if they’re always the same.

My best guess at the moment is a race condition, which is more likely if you’re using load balancing.

Eitherway, even if it didn’t create multiple users, you still need to handle users double clicking or triple clicking on the signup button else they’ll get an error that the email already exists ( because they’re getting the result of the second request, and the email got used on the first )

A More Reliable Way to Check The Users

Looking at your code:

        $user_id = username_exists($email);
        if (!$user_id && email_exists($email) == false) {
            $user_id = wp_create_user($email, $password, $email);
        } else if ($user_id) {
            ... 'ERROR in Registration, user email already exists ' ...
            return $error;
        }

wp_create_user already does these checks, and returns either a user id, or an error object. In this situation:

  • You’ve doubled the number of checks
  • If user creation fails, your code never discovers this as there is no check on the result

So, lets simplify it:

$user_id = wp_create_user( $email, $password, $email );
if ( is_wp_error( $user_id ) ) {
    // it failed!
    ....
    return $error;
}

Some Other Things to keep in mind:

  • Don’t use emails as usernames, auto-generate them and use a filter to display the email when the username is shown
  • Sanitize!!! Because you only showed a constrained snippet, it’s possible that sanitising or the lack of it is involved in this, but as you won’t share the surrounding code it’s impossible to tell. It could be that your email had trailing spaces and other characters around it
  • You don’t need to use emails as usernames for that to work. WordPress will accept both the username, and the email when logging in, you don’t need to know your username if you’re logging in if you know the email
  • You don’t need to check if the email exists, wp_insert_user already does this internally
  • Your signup form may be more reliable if it ran via a PHP form submission rather than an AJAX request, eitherway you can’t make this atomic but you can try to reduce the number of steps and parallel requests
  • Disable your signup button on the first click for 5 seconds, perhaps swap it for a progress spinner
  • wp_create_user calls wp_insert_user, so use the latter. WP has a lot of “middle men” functions that try to be helpful, but usually they have subtle behaviours for backwards compat reasons that are more annoying than helpful. Cutting out these inbetweens simplifies things and gives fewer steps to debug
  • Put a nonce on your signup endpoint, if you haven’t then you’re wide open to someone creating thousands of users per minute with a quick bash script and Curl

Related Posts:

  1. Custom user profile, registration, login page with theme
  2. Subscribe to author?
  3. Is it necessary to do validation again when retrieving data from database?
  4. Associate multiple email addresses with the same user account, so they can log in with either
  5. Allowing duplicating users with same user_login and user_email
  6. Why User_login key doesn’t work with wp_update_user()
  7. User Registration Moderate
  8. first_name property missing inside register_user action hook
  9. Create Unique and Customized User ID for Website Members in WordPress
  10. Making a user platform reachable by a qr code on a pin-back-button [closed]
  11. How to store username and password to API in wordpress option DB?
  12. Is it mandatory to use $wpdb->prefix in custom tables
  13. Send user activation email when programmatically creating user
  14. Default table collation on plugin activation?
  15. Nonces can be reused multiple times? Bug / Security issue?
  16. WordPress and PHP Sessions – Security and Performance
  17. How to check username/password without signing in the user
  18. Add Custom User Capabilities Before or After the Custom User Role has Been Added?
  19. Getting wrong relationship value in $args in wp_Query?
  20. Log in from one wordpress website to another wordpress website
  21. WordPress REST API call generates nonce twice on every call
  22. What is the added “complexity” of custom tables?
  23. How is the data stored in the database?
  24. How to modify post content before writing to database?
  25. Actions or filters fired when data is saved in a custom table
  26. WP Cron doesn’t save or in post body
  27. How to use WP default post list tables in a plugin?
  28. Will WordPress username displayed somewhere in the site?
  29. Confusion on WP Nonce usage in my Plugin
  30. Generating User(s) with Settings API
  31. What for the tables ending with the meta used in database of wordpress?
  32. Creating table with plugin is not working
  33. Get the password key when using the wp_new_user_notification_email filter
  34. Check if someone is editing a post (this content is currently locked)
  35. Is there any way to check for user login and send him to login?
  36. WordPress security issue to output data from user input from theme option form
  37. How to Create database table when Plugin installed/activated, and delete database when Plugin deleted
  38. Two functions utilizing registration_errors filter
  39. How to filter users list on user_status field with get_users()
  40. I’m designing a plugin to create database indexes. Suggestions?
  41. WordPress database error for query INSERT INTO
  42. How to connect to AWS RDS external database (not for the core WordPress db)
  43. How to add custom fields to the all users page
  44. Including the necessary functions for a custom ajax registration form
  45. Secure Pages Best Practice
  46. Display custom fields in frontside user profile
  47. Are there any scripts, classes, and/or functions built-in to WP for a plugin to export/import its saved data from wp_options?
  48. Strange issue saving custom field data for a WooCommerce order
  49. Custom user login page by creating a plugin
  50. user_register not triggering with email verification
  51. Should I encrypt the response that triggers an Ajax action? Is nonce sufficient?
  52. Updating Woocommerce Settings API when WordPress Settings API saved and vise versa
  53. Is using custom table to suit business needs instead of transients a big hit to page load speed?
  54. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  55. Display list of uploaded images, filtered by user under a specific user group
  56. Is disabling test_form in wp_handle_upload a security concern?
  57. How to connect my wordpress plugin to a remote database securely?
  58. Optimising a big WordPress site
  59. wp_nonce_field displaying twice
  60. What is the best way to store a few fields?
  61. Delete data from database using row action
  62. add_submenu_page hooked function must explicitly check user capabilities – why?
  63. Alternative functions for mysql_free_result and mysql_ping in wordpress functions
  64. First and last name fields not filled when using wp_insert_user
  65. Wp-admin Custom User Management
  66. Make Database query only when option is updated
  67. Can we intercept user_login and user_pass from a wp_login_form?
  68. How to get custom post_author?
  69. Best practice for Designing a Plugin with this scenario
  70. Plugin Development: Storing and Manipulating Data That Fits JSON in Database
  71. How can I save a password securely as a settings field
  72. How do I debug an error that a plugin is causing?
  73. Update plugin settings option_name for big plugin update
  74. how to get the top 10 popular blogs
  75. WordPress database error: [Query was empty] – using $wpdb->prepare()
  76. How to grab data after wp user search is complete
  77. Using custom IDP with WP
  78. How to get inserted row IDs for bulk/batch insert with wpdb query?
  79. WordPress how do I echo SUM from a column of a MySQL table by user id AND type_operation
  80. How do I make secure API calls from my WordPress plugin?
  81. esc_attr() on hard coded string
  82. How to prevent users from deleting their accounts?
  83. Save in my custom admin page and redirect to the saved object
  84. Relational / Associate tables using native WordPress functionality
  85. Custom Registration Form and Passwords
  86. How to store in the database directly the translation?
  87. How and when would I implement some code which would take data from one part of the Db and put it in another?
  88. Experts opinions needed: How (in)secure is this approach?
  89. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  90. Associating special meaning with user id 0
  91. Hash user emails in database?
  92. What method should I use to store my plugin data (multi level menus with options on each item)
  93. How to add additional field in a table row after creating a table?
  94. WordPress plugin tables become corrupt
  95. user can login from single account detail from multiple locations(computer) at the same time [closed]
  96. Leveraging Core Functionality in Icon Upload Plugin [closed]
  97. WordPress database error: [Table ‘bitnami_wordpress.questions’ doesn’t exist]
  98. esc_url, esc_url_raw or sanitize_url?
  99. How do I modify the error code array used by “shake_error_codes” filter?
  100. multiple record insert creating many duplicate records