wp_signon( array $credentials = array(), string|bool $secure_cookie = '' )

Authenticates and logs a user in with ‘remember’ capability.

Description Description

The credentials is an array that has ‘user_login’, ‘user_password’, and ‘remember’ indices. If the credentials is not given, then the log in form will be assumed and used if set.

The various authentication cookies will be set by this function and will be set for a longer period depending on if the ‘remember’ credential is set to true.

Note: wp_signon() doesn’t handle setting the current user. This means that if the function is called before the ‘init’ hook is fired, is_user_logged_in() will evaluate as false until that point. If is_user_logged_in() is needed in conjunction with wp_signon(), wp_set_current_user() should be called explicitly.

Parameters Parameters


(array) (Optional) User info in order to sign on.

Default value: array()


(string|bool) (Optional) Whether to use secure cookie.

Default value: ''

Top ↑

Return Return

(WP_User|WP_Error) WP_User on success, WP_Error on failure.

Top ↑

Source Source

File: wp-includes/user.php

function wp_signon( $credentials = array(), $secure_cookie = '' ) {
	if ( empty( $credentials ) ) {
		$credentials = array(); // Back-compat for plugins passing an empty string.

		if ( ! empty( $_POST['log'] ) ) {
			$credentials['user_login'] = $_POST['log'];
		if ( ! empty( $_POST['pwd'] ) ) {
			$credentials['user_password'] = $_POST['pwd'];
		if ( ! empty( $_POST['rememberme'] ) ) {
			$credentials['remember'] = $_POST['rememberme'];

	if ( ! empty( $credentials['remember'] ) ) {
		$credentials['remember'] = true;
	} else {
		$credentials['remember'] = false;

	 * Fires before the user is authenticated.
	 * The variables passed to the callbacks are passed by reference,
	 * and can be modified by callback functions.
	 * @since 1.5.1
	 * @todo Decide whether to deprecate the wp_authenticate action.
	 * @param string $user_login    Username (passed by reference).
	 * @param string $user_password User password (passed by reference).
	do_action_ref_array( 'wp_authenticate', array( &$credentials['user_login'], &$credentials['user_password'] ) );

	if ( '' === $secure_cookie ) {
		$secure_cookie = is_ssl();

	 * Filters whether to use a secure sign-on cookie.
	 * @since 3.1.0
	 * @param bool  $secure_cookie Whether to use a secure sign-on cookie.
	 * @param array $credentials {
	 *     Array of entered sign-on data.
	 *     @type string $user_login    Username.
	 *     @type string $user_password Password entered.
	 *     @type bool   $remember      Whether to 'remember' the user. Increases the time
	 *                                 that the cookie will be kept. Default false.
	 * }
	$secure_cookie = apply_filters( 'secure_signon_cookie', $secure_cookie, $credentials );

	global $auth_secure_cookie; // XXX ugly hack to pass this to wp_authenticate_cookie
	$auth_secure_cookie = $secure_cookie;

	add_filter( 'authenticate', 'wp_authenticate_cookie', 30, 3 );

	$user = wp_authenticate( $credentials['user_login'], $credentials['user_password'] );

	if ( is_wp_error( $user ) ) {
		return $user;

	wp_set_auth_cookie( $user->ID, $credentials['remember'], $secure_cookie );
	 * Fires after the user has successfully logged in.
	 * @since 1.5.0
	 * @param string  $user_login Username.
	 * @param WP_User $user       WP_User object of the logged-in user.
	do_action( 'wp_login', $user->user_login, $user );
	return $user;

Top ↑

Changelog Changelog

Version Description
2.5.0 Introduced.

Top ↑

User Contributed Notes User Contributed Notes

  1. Skip to note 1 content
    Contributed by cogdog

    I have some sites where in code I log in a visitor to a hidden account (to enable media uploads form front end form), admin bar is hidden, and access to dashboard is blocked. But I have a report where wp_signon() fails and my hunch is because it is on site with SSL. I am guessing I need to use the $secure_cookie option, but I cannot find any info on how to do this.

    My guess is I need to set the cookie first with wp_set_auth_cookie() ?? The option there for $secure too is unclear.

    And if this is a case, do I need to test first if the host is running SSL? Will setting this cookie on an http:// site break the universe?

  2. Skip to note 3 content
    Contributed by Codex

    This function and action can be placed in functions.php of the theme.

    Using the hook after_setup_theme will make it run before the headers and cookies are sent, so it can set the needed cookie for login.

     * Perform automatic login.
    function wpdocs_custom_login() {
    	$creds = array(
    		'user_login'    => 'example',
    		'user_password' => 'plaintextpw',
    		'remember'      => true
    	$user = wp_signon( $creds, false );
    	if ( is_wp_error( $user ) ) {
    		echo $user->get_error_message();
    // Run before the headers and cookies are sent.
    add_action( 'after_setup_theme', 'wpdocs_custom_login' );

You must log in before being able to contribute a note or feedback.