Also find user by email when incrementing failed login counter

(previously, if an email address was provided in the username field on a failed login, the user lookup failed, so the global failed attempt counter was incremented instead of the failed attempt counter for the user)
uhm-coe · Mar 6, 2024 · 3d392fc · 3d392fc
1 parent 4d9ead7
commit 3d392fc
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/authorizer/class-login-form.php b/src/authorizer/class-login-form.php
@@ -320,7 +320,7 @@ public function wp_login_errors__maybe_redirect_to_cas( $errors, $redirect_to )
 	 *
 	 * Action: wp_login_failed
 	 *
-	 * @param  string $username Username to update login count for.
+	 * @param  string $username Username or email address.
 	 * @return void
 	 */
 	public function update_login_failed_count( $username ) {
@@ -331,6 +331,11 @@ public function update_login_failed_count( $username ) {
 		// Get user trying to log in.
 		$user = get_user_by( 'login', $username );
 
+		// If user not found, check if logging in with an email address.
+		if ( false === $user ) {
+			$user = get_user_by( 'email', $username );
+		}
+
 		if ( false !== $user ) {
 			$last_attempt = get_user_meta( $user->ID, 'auth_settings_advanced_lockouts_time_last_failed', true );
 			$num_attempts = get_user_meta( $user->ID, 'auth_settings_advanced_lockouts_failed_attempts', true );