Main problem with your code is that you use wp_login action. The wp_login action hook is triggered when a user logs in by the wp_signon() function. It is the very last action taken in the function, immediately following the wp_set_auth_cookie() call.
So first of all – the user is already authenticated and his auth cookie is already set – so he’s basically logged in.
Another problem is that your action is called before any HTML is printed – so if you echo anything in it, then this output will be printed before opening <html> tag.
If you want to prevent user from logging in and display some errors, you should use authenticate filter instead.
It is called during authenticating user:
/**
* Filters whether a set of user login credentials are valid.
*
* A WP_User object is returned if the credentials authenticate a user.
* WP_Error or null otherwise.
*
* @since 2.8.0
* @since 4.5.0 `$username` now accepts an email address.
*
* @param null|WP_User|WP_Error $user WP_User if the user is authenticated.
* WP_Error or null otherwise.
* @param string $username Username or email address.
* @param string $password User password
*/
$user = apply_filters( 'authenticate', null, $username, $password );
So you can use it like so:
function userLockedControl( $user, $username, $password ) {
// ... rest of your code here
if ($user_is_locked == 0 ) {
return new WP_Error( 'broke', __( "I've fallen and can't get up", "my_textdomain" ) ); // you don't need all those functions returning errors and so one - just return an instance of the WP_Error instead of WP_User
}
}
add_filter( 'authenticate', 'userLockedControl', 10, 3 );