How do I hook into the Wordpress login system to stop some users programmatically?

Question

I am working on a Wordpress based portal which integrates with a custom-made e-commerce. The e-commerce serves also as a \'control panel\': all the roles are set up there.

Answer 1

You can either overload the wp_authenticate function (see the function in the code here: http://core.trac.wordpress.org/browser/trunk/wp-includes/pluggable.php) and return a WP_error if you don't want to allow the user to login.

Or better, use the filter authenticate and return null if you don't want the user to log in, e.g.

add_filter('authenticate', 'check_login', 10, 3);
function check_login($user, $username, $password) {
    $user = get_userdatabylogin($username); 

    if( /* check to see if user is allowed */ ) {
        return null;
    }
    return $user;
}

Answer 2

There were a few issues with mjangda answer so I'm posting a version that works with WordPress 3.2

The main issues were with the return statement. He should be returning a WP_User Object. The other issue was with the priority not being high enough.

add_filter('authenticate', 'check_login', 100, 3);
function check_login($user, $username, $password) {
    // this filter is called on the log in page
    // make sure we have a username before we move forward
    if (!empty($username)) {
        $user_data = $user->data;

        if (/* check to see if user is allowed */) {
          // stop login
          return null;
        }
        else {
            return $user;
        }
    }

    return $user;
}

Answer 3

Might be an idea or code to borrow and implement: WordPress › External DB authentication « WordPress Plugins