As a membership site owner, you may want tighter control over who can log in to your website. Whether you are protecting premium content or ensuring account security, restricting logins based on membership status or on email confirmation (using our Email Confirmation Add On) can help you maintain a trusted member environment.
This guide includes two recipes. One prevents users without an active membership from logging in. The other ensures that users must confirm their email address before they can log in. Both options help you enforce access rules and ensure that anyone who does not have an active membership level or a valid email address is not allowed to log into your site.
This is especially helpful for a site that is totally locked down for members only, where you only allow public access to the homepage and login screens.
Code Recipe #1: Restrict User Login to Active Members

Understanding the Code Recipe
This recipe uses the authenticate filter hook, which runs during the WordPress login process. By attaching custom logic to this filter, we can check whether a user has an active membership and stop the login if they don’t.
The function also includes checks to skip administrators and ensures the necessary Paid Memberships Pro function pmpro_getMembershipLevelsForUser() is available. If the user does not have any current membership levels, they will not be allowed to log in.
About the Code Recipe
This code recipe restricts user login attempts for any user who is not an active member of your WordPress site. Once this recipe is in place, any user who does not have a membership level will fail to authenticate. Administrators are excluded from this restriction on line 29 of this code. This is a very powerful recipe, so please use it with caution: it also blocks users who want to renew an expired or cancelled membership.
The Code Recipe
How to Customize This Code Recipe
If you need to exclude additional roles from login restrictions (such as editors or shop managers), you can modify the if ( in_array( 'administrator', $user->roles ) ) line in Recipe #1 by defining an array of allowed roles and using array_intersect() to match any of them. This allows you to add roles without removing the administrator check.
For example:
// Allow administrators and editors to bypass membership checks
$allowed_roles = array( 'administrator', 'editor' );
if ( array_intersect( $allowed_roles, $user->roles ) ) {
    return $user;
}
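The membership check described for Recipe #1, combined with the role allow-list above, might look like the following. This is an added example, not the original recipe from this page; the function name, error code, text domain, and the choice to allow logins when Paid Memberships Pro is inactive are assumptions.

```php
<?php
/**
 * Added example (not the original Paid Memberships Pro recipe): block login
 * for users with no active membership level, with a role allow-list.
 * The function name my_pmpro_require_active_membership is hypothetical.
 */
function my_pmpro_require_active_membership( $user, $username, $password ) {
	// Earlier callbacks return WP_Error or null when credentials are wrong.
	// Pass that through untouched so this filter only ever narrows access.
	if ( ! ( $user instanceof WP_User ) ) {
		return $user;
	}

	// Assumption: if Paid Memberships Pro is not active, allow the login
	// rather than locking every member out.
	if ( ! function_exists( 'pmpro_getMembershipLevelsForUser' ) ) {
		return $user;
	}

	// Roles that bypass the membership check (the customization shown above).
	$allowed_roles = array( 'administrator', 'editor' );
	if ( array_intersect( $allowed_roles, (array) $user->roles ) ) {
		return $user;
	}

	// No current membership levels: refuse the login with a visible error.
	$levels = pmpro_getMembershipLevelsForUser( $user->ID );
	if ( empty( $levels ) ) {
		return new WP_Error(
			'pmpro_no_active_membership', // Hypothetical error code.
			__( 'An active membership is required to log in.', 'my-textdomain' )
		);
	}

	return $user;
}
// Priority 30 runs after WordPress core's username/email password checks
// (priority 20), so $user is a verified WP_User when credentials were correct.
add_filter( 'authenticate', 'my_pmpro_require_active_membership', 30, 3 );
```

The authenticate filter only runs when credentials are submitted, so a member whose level expires while they are logged in keeps their existing session until it ends.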
Code Recipe #2: Require Confirmed Email Address to Log In

Understanding the Code Recipe
This recipe uses the wp_authenticate_user filter, which runs during login after the user is identified but before they are fully authenticated. The function checks if the user has a meta key named pmpro_email_confirmation_key set to validated.
This meta key is added by the Email Confirmation Add On, which requires users to click a link in their email to confirm their address. If the key is missing or not validated, login fails with an error.
About the Code Recipe
This code recipe blocks login for users who have not confirmed their email address. It’s a lighter restriction than the first recipe and is especially helpful when combined with the Email Confirmation Add On to reduce spam or fraudulent accounts.
Users will not see a clear error message when this login is blocked unless additional messaging is added to the login form. Use this method when you want to confirm users before granting access, but still allow expired or canceled members to log in and renew.
The Code Recipe
Adding the Recipe to Your Website
You can add this recipe to your site by creating a custom plugin or using the Code Snippets plugin available for free in the WordPress repository. Read this companion article for step-by-step directions on either method.


