4 Replies to “Programmatically Creating WordPress Users”

  1. Hi Tom,

    I’m wondering why you’re using PHP’s FILTER_VALIDATE_EMAIL filter (filter_var( FILTER_VALIDATE_EMAIL, $email )) instead of WordPress’ sanitize_email() function. Any specific reason?

    P.S. I think you have a syntax error. Unless I’m mistaken, it should be filter_var( $email, FILTER_VALIDATE_EMAIL );

    1. I think you have a syntax error. Unless I’m mistaken, it should be filter_var( $email, FILTER_VALIDATE_EMAIL );

      Yeah, oops, I fixed this shortly after publishing it — thanks, though!

      I’m wondering why you’re using PHP’s FILTER_VALIDATE_EMAIL filter (filter_var( FILTER_VALIDATE_EMAIL, $email )) instead of WordPress’ sanitize_email() function. Any specific reason?

      It’s generally because most of the projects I’ve used have been better served by filter_var but that’s not to say sanitize_email shouldn’t be used. At minimum, use one or the other or – at the most aggressive way – use both :).

      Though I’m normally a fan of using the application’s API when possible, this is purely an example of my using an example from some code I’ve previously written. It’s not an argument for/against the WordPress API.

      Thanks for mentioning that function!

  2. Not to get too far away from your main point of how to create a user, but there are some privacy and security issues to consider along the way.

    WordPress publicly displays the username in various places, for example, when a user leaves a comment on a blog post. Using the e-mail address as the username means that a user’s e-mail address can be revealed to the public. That’s not only a privacy issue but it pretty much guarantees the user will be inundated with spam as bots scrape every e-mail address shown on web pages.

    Coming back around to coding automated user creation, it may require building a username from the left portion of an e-mail address (still could have privacy concerns), a hash of the e-mail, or generating a random username.

    On the security side of things, wp_generate_password() creates a 12-character password by default. Since 12 characters are just out of reach of current brute force password cracking techniques, a few extra characters make for reasonable future-proofing without inconveniencing the user too much more. I believe that’s why WordPress defaults to generating a 16-character password for new accounts and resets.

    1. there are some privacy and security issues to consider along the way

      Absolutely (and always :)

      Using the e-mail address as the username means that a user’s e-mail address can be revealed to the public. That’s not only a privacy issue but it pretty much guarantees the user will be inundated with spam as bots scrape every e-mail address shown on web pages.

      Agreed. There are times where this is okay (such as within Intranet applications, sites, and so on — and I’ve worked on those before), but as a public site, definitely. Good point worth mentioning here so thank you for that.

      Coming back around to coding automated user creation,…

      The ways you’ve mentioned are good. I also like…

      • generating a name based on the first and last fields (if provided),
      • creating a username, like you mentioned, that’s random
      • using a combination of the first part of the email address and the last name
      • etc.

      There are a lot of ways to do it but simply using the email address in a public setting is going to result in lots of frustrated users :).

      Since 12 characters are just out of reach of current brute force password cracking techniques, a few extra characters make for reasonable future-proofing without inconveniencing the user too much more. I believe that’s why WordPress defaults to generating a 16-character password for new accounts and resets.

      Point taken and gist updated!
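
The points raised in the thread above (validating the e-mail, keeping it out of the public username, and generating a 16-character password), combined in one added example that is not the post author's gist or any commenter's code. The function name `example_create_user_private_login` and the `user_` prefix are hypothetical, and the code assumes it runs inside a loaded WordPress install such as a plugin:

```php
<?php
/**
 * Added example: create a user whose login does not expose the e-mail address.
 * Hypothetical helper; assumes WordPress core functions are available.
 *
 * @param string $raw_email Untrusted e-mail address from a form or import.
 * @return int|WP_Error New user ID, or WP_Error on failure.
 */
function example_create_user_private_login( $raw_email ) {
	// Sanitize with the WordPress API, then validate with PHP's filter ("use both").
	$email = sanitize_email( $raw_email );
	if ( '' === $email || false === filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
		return new WP_Error( 'example_invalid_email', 'Invalid e-mail address.' );
	}
	if ( email_exists( $email ) ) {
		return new WP_Error( 'example_email_taken', 'E-mail already registered.' );
	}

	// Random login that is not derived from the address; retry on collision.
	do {
		$login = 'user_' . strtolower( wp_generate_password( 10, false ) );
	} while ( username_exists( $login ) );

	// 16 characters with special characters, instead of the 12-character default.
	$password = wp_generate_password( 16, true );

	$user_id = wp_insert_user(
		array(
			'user_login'    => $login,
			'user_pass'     => $password,
			'user_email'    => $email,
			// Public-facing fields: set explicitly so neither shows the e-mail.
			'user_nicename' => $login,
			'display_name'  => $login,
		)
	);
	if ( is_wp_error( $user_id ) ) {
		return $user_id;
	}

	// Send the user a set-password link rather than mailing the plaintext password.
	wp_new_user_notification( $user_id, null, 'user' );

	return $user_id;
}
```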
