: str_replace(): Passing null to parameter #2 ($replace) of type array|string is deprecated in
* @since 5.8.0 The `$userdata` parameter was added.
* @param int $user_id User ID.
* @param WP_User $old_user_data Object containing user's data prior to update.
* @param array $userdata The raw array of data passed to wp_insert_user().
do_action( 'profile_update', $user_id, $old_user_data, $userdata );
if ( isset( $userdata['spam'] ) && $userdata['spam'] !== $old_user_data->spam ) {
if ( '1' === $userdata['spam'] ) {
* Fires after the user is marked as a SPAM user.
* @param int $user_id ID of the user marked as SPAM.
do_action( 'make_spam_user', $user_id );
* Fires after the user is marked as a HAM user. Opposite of SPAM.
* @param int $user_id ID of the user marked as HAM.
do_action( 'make_ham_user', $user_id );
* Fires immediately after a new user is registered.
* @since 5.8.0 The `$userdata` parameter was added.
* @param int $user_id User ID.
* @param array $userdata The raw array of data passed to wp_insert_user().
do_action( 'user_register', $user_id, $userdata );
* Updates a user in the database.
* It is possible to update a user's password by specifying the 'user_pass'
* value in the $userdata parameter array.
* If current user's password is being updated, then the cookies will be
* @see wp_insert_user() For what fields can be set in $userdata.
* @param array|object|WP_User $userdata An array of user data or a user object of type stdClass or WP_User.
* @return int|WP_Error The updated user's ID or a WP_Error object if the user could not be updated.
function wp_update_user( $userdata ) {
if ( $userdata instanceof stdClass ) {
$userdata = get_object_vars( $userdata );
} elseif ( $userdata instanceof WP_User ) {
$userdata = $userdata->to_array();
$userdata_raw = $userdata;
$user_id = isset( $userdata['ID'] ) ? (int) $userdata['ID'] : 0;
return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) );
// First, get all of the original fields.
$user_obj = get_userdata( $user_id );
return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) );
$user = $user_obj->to_array();
// Add additional custom fields.
foreach ( _get_additional_user_keys( $user_obj ) as $key ) {
$user[ $key ] = get_user_meta( $user_id, $key, true );
// Escape data pulled from DB.
$user = add_magic_quotes( $user );
if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
// If password is changing, hash it now.
$plaintext_pass = $userdata['user_pass'];
$userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
* Filters whether to send the password change email.
* @see wp_insert_user() For `$user` and `$userdata` fields.
* @param bool $send Whether to send the email.
* @param array $user The original user array.
* @param array $userdata The updated user array.
$send_password_change_email = apply_filters( 'send_password_change_email', true, $user, $userdata );
if ( isset( $userdata['user_email'] ) && $user['user_email'] !== $userdata['user_email'] ) {
* Filters whether to send the email change email.
* @see wp_insert_user() For `$user` and `$userdata` fields.
* @param bool $send Whether to send the email.
* @param array $user The original user array.
* @param array $userdata The updated user array.
$send_email_change_email = apply_filters( 'send_email_change_email', true, $user, $userdata );
clean_user_cache( $user_obj );
// Merge old and new fields with new fields overwriting old ones.
$userdata = array_merge( $user, $userdata );
$user_id = wp_insert_user( $userdata );
if ( is_wp_error( $user_id ) ) {
$blog_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
$switched_locale = false;
if ( ! empty( $send_password_change_email ) || ! empty( $send_email_change_email ) ) {
$switched_locale = switch_to_user_locale( $user_id );
if ( ! empty( $send_password_change_email ) ) {
/* translators: Do not translate USERNAME, ADMIN_EMAIL, EMAIL, SITENAME, SITEURL: those are placeholders. */
This notice confirms that your password was changed on ###SITENAME###.
If you did not change your password, please contact the Site Administrator at
This email has been sent to ###EMAIL###
$pass_change_email = array(
'to' => $user['user_email'],
/* translators: Password change notification email subject. %s: Site title. */
'subject' => __( '[%s] Password Changed' ),
'message' => $pass_change_text,
* Filters the contents of the email sent when the user's password is changed.
* @param array $pass_change_email {
* Used to build wp_mail().
* @type string $to The intended recipients. Add emails in a comma separated string.
* @type string $subject The subject of the email.
* @type string $message The content of the email.
* The following strings have a special meaning and will get replaced dynamically:
* - ###USERNAME### The current user's username.
* - ###ADMIN_EMAIL### The admin email in case this was unexpected.
* - ###EMAIL### The user's email address.
* - ###SITENAME### The name of the site.
* - ###SITEURL### The URL to the site.
* @type string $headers Headers. Add headers in a newline (\r\n) separated string.
* @param array $user The original user array.
* @param array $userdata The updated user array.
$pass_change_email = apply_filters( 'password_change_email', $pass_change_email, $user, $userdata );
$pass_change_email['message'] = str_replace( '###USERNAME###', $user['user_login'], $pass_change_email['message'] );
$pass_change_email['message'] = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $pass_change_email['message'] );
$pass_change_email['message'] = str_replace( '###EMAIL###', $user['user_email'], $pass_change_email['message'] );
$pass_change_email['message'] = str_replace( '###SITENAME###', $blog_name, $pass_change_email['message'] );
$pass_change_email['message'] = str_replace( '###SITEURL###', home_url(), $pass_change_email['message'] );
wp_mail( $pass_change_email['to'], sprintf( $pass_change_email['subject'], $blog_name ), $pass_change_email['message'], $pass_change_email['headers'] );
if ( ! empty( $send_email_change_email ) ) {
/* translators: Do not translate USERNAME, ADMIN_EMAIL, NEW_EMAIL, EMAIL, SITENAME, SITEURL: those are placeholders. */
This notice confirms that your email address on ###SITENAME### was changed to ###NEW_EMAIL###.
If you did not change your email, please contact the Site Administrator at
This email has been sent to ###EMAIL###
$email_change_email = array(
'to' => $user['user_email'],
/* translators: Email change notification email subject. %s: Site title. */
'subject' => __( '[%s] Email Changed' ),
'message' => $email_change_text,
* Filters the contents of the email sent when the user's email is changed.
* @param array $email_change_email {
* Used to build wp_mail().
* @type string $to The intended recipients.
* @type string $subject The subject of the email.
* @type string $message The content of the email.
* The following strings have a special meaning and will get replaced dynamically:
* - ###USERNAME### The current user's username.
* - ###ADMIN_EMAIL### The admin email in case this was unexpected.
* - ###NEW_EMAIL### The new email address.
* - ###EMAIL### The old email address.
* - ###SITENAME### The name of the site.
* - ###SITEURL### The URL to the site.
* @type string $headers Headers.
* @param array $user The original user array.
* @param array $userdata The updated user array.
$email_change_email = apply_filters( 'email_change_email', $email_change_email, $user, $userdata );
$email_change_email['message'] = str_replace( '###USERNAME###', $user['user_login'], $email_change_email['message'] );
$email_change_email['message'] = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $email_change_email['message'] );
$email_change_email['message'] = str_replace( '###NEW_EMAIL###', $userdata['user_email'], $email_change_email['message'] );
$email_change_email['message'] = str_replace( '###EMAIL###', $user['user_email'], $email_change_email['message'] );
$email_change_email['message'] = str_replace( '###SITENAME###', $blog_name, $email_change_email['message'] );
$email_change_email['message'] = str_replace( '###SITEURL###', home_url(), $email_change_email['message'] );
wp_mail( $email_change_email['to'], sprintf( $email_change_email['subject'], $blog_name ), $email_change_email['message'], $email_change_email['headers'] );
if ( $switched_locale ) {
restore_previous_locale();
// Update the cookies if the password changed.
$current_user = wp_get_current_user();
if ( $current_user->ID === $user_id ) {
if ( isset( $plaintext_pass ) ) {
* Here we calculate the expiration length of the current auth cookie and compare it to the default expiration.
* If it's greater than this, then we know the user checked 'Remember Me' when they logged in.
$logged_in_cookie = wp_parse_auth_cookie( '', 'logged_in' );
/** This filter is documented in wp-includes/pluggable.php */
$default_cookie_life = apply_filters( 'auth_cookie_expiration', ( 2 * DAY_IN_SECONDS ), $user_id, false );
if ( false !== $logged_in_cookie && ( $logged_in_cookie['expiration'] - time() ) > $default_cookie_life ) {
wp_set_auth_cookie( $user_id, $remember );
* Fires after the user has been updated and emails have been sent.
* @param int $user_id The ID of the user that was just updated.
* @param array $userdata The array of user data that was updated.
* @param array $userdata_raw The unedited array of user data that was updated.
do_action( 'wp_update_user', $user_id, $userdata, $userdata_raw );
* Provides a simpler way of inserting a user into the database.
* Creates a new user with just the username, password, and email. For more
* complex user creation use wp_insert_user() to specify more information.
* @see wp_insert_user() More complete way to create a new user.
* @param string $username The user's username.
* @param string $password The user's password.
* @param string $email Optional. The user's email. Default empty.
* @return int|WP_Error The newly created user's ID or a WP_Error object if the user could not
function wp_create_user( $username, $password, $email = '' ) {
$user_login = wp_slash( $username );
$user_email = wp_slash( $email );
$userdata = compact( 'user_login', 'user_email', 'user_pass' );
return wp_insert_user( $userdata );
* Returns a list of meta keys to be (maybe) populated in wp_update_user().
* The list of keys returned via this function are dependent on the presence
* of those keys in the user meta data to be set.
* @param WP_User $user WP_User instance.
* @return string[] List of user keys to be populated in wp_update_user().
function _get_additional_user_keys( $user ) {
$keys = array( 'first_name', 'last_name', 'nickname', 'description', 'rich_editing', 'syntax_highlighting', 'comment_shortcuts', 'admin_color', 'use_ssl', 'show_admin_bar_front', 'locale' );
return array_merge( $keys, array_keys( wp_get_user_contact_methods( $user ) ) );
* Sets up the user contact methods.
* Default contact methods were removed in 3.6. A filter dictates contact methods.
* @param WP_User|null $user Optional. WP_User object.
* @return string[] Array of contact method labels keyed by contact method.
function wp_get_user_contact_methods( $user = null ) {
if ( get_site_option( 'initial_db_version' ) < 23588 ) {
'yim' => __( 'Yahoo IM' ),
'jabber' => __( 'Jabber / Google Talk' ),
* Filters the user contact methods.
* @param string[] $methods Array of contact method labels keyed by contact method.
* @param WP_User|null $user WP_User object or null if none was provided.
return apply_filters( 'user_contactmethods', $methods, $user );
* The old private function for setting up user contact methods.
* Use wp_get_user_contact_methods() instead.
* @param WP_User|null $user Optional. WP_User object. Default null.
* @return string[] Array of contact method labels keyed by contact method.
function _wp_get_user_contactmethods( $user = null ) {
return wp_get_user_contact_methods( $user );
* Gets the text suggesting how to create strong passwords.
* @return string The password hint text.
function wp_get_password_hint() {
$hint = __( 'Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ & ).' );
* Filters the text describing the site's password complexity policy.
* @param string $hint The password hint text.
return apply_filters( 'password_hint', $hint );
* Creates, stores, then returns a password reset key for user.
* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
* @param WP_User $user User to retrieve password reset key for.
* @return string|WP_Error Password reset key on success. WP_Error on error.
function get_password_reset_key( $user ) {
if ( ! ( $user instanceof WP_User ) ) {
return new WP_Error( 'invalidcombo', __( '<strong>Error:</strong> There is no account with that username or email address.' ) );
* Fires before a new password is retrieved.
* Use the {@see 'retrieve_password'} hook instead.
* @deprecated 1.5.1 Misspelled. Use {@see 'retrieve_password'} hook instead.
* @param string $user_login The user login name.
do_action_deprecated( 'retreive_password', array( $user->user_login ), '1.5.1', 'retrieve_password' );
* Fires before a new password is retrieved.
* @param string $user_login The user login name.
do_action( 'retrieve_password', $user->user_login );
$password_reset_allowed = wp_is_password_reset_allowed_for_user( $user );
if ( ! $password_reset_allowed ) {
return new WP_Error( 'no_password_reset', __( 'Password reset is not allowed for this user' ) );
} elseif ( is_wp_error( $password_reset_allowed ) ) {
return $password_reset_allowed;
// Generate something random for a password reset key.
$key = wp_generate_password( 20, false );
* Fires when a password reset key is generated.
* @param string $user_login The username for the user.
* @param string $key The generated password reset key.
do_action( 'retrieve_password_key', $user->user_login, $key );
// Now insert the key, hashed, into the DB.
if ( empty( $wp_hasher ) ) {
require_once ABSPATH . WPINC . '/class-phpass.php';
$wp_hasher = new PasswordHash( 8, true );
$hashed = time() . ':' . $wp_hasher->HashPassword( $key );
$key_saved = wp_update_user(
'user_activation_key' => $hashed,
if ( is_wp_error( $key_saved ) ) {
* Retrieves a user row based on password reset key and login.
* A key is considered 'expired' if it exactly matches the value of the
* user_activation_key field, rather than being matched after going through the
* hashing process. This field is now hashed; old values are no longer accepted
* but have a different WP_Error code so good user feedback can be provided.
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
