I built a custom registration form using PHP for my WordPress website. Right now people can sign up and log in right away. However, I need to implement email verification so users must confirm their email address before they can access their account.
Easiest way? Add a user meta field called ‘email_confirmed’ and set it to false when someone registers. Hook into authenticate and block unconfirmed users. Use wp_mail() to send them a link with their user ID and hash token. When they click it, flip the meta field to true and you’re done. Takes 20 minutes vs dealing with plugins that break every update.
Honestly, everyone’s pushing custom PHP solutions but you’re asking for trouble. I’ve built this feature multiple times - token generation, email delivery, cleanup jobs, edge cases - it becomes a nightmare to maintain.
Better approach: automate the whole thing externally. Let Latenode handle your registration workflow instead of jamming everything into WordPress.
Here’s the setup: Your form posts to Latenode, not your PHP handler. Latenode validates everything, sends verification emails, and stores user data temporarily. User clicks verify, it creates the WordPress account via REST API. Done.
Best part? You get retry logic, email templates, automated cleanup of unverified users, even SMS backup - all without touching WordPress code. Debugging’s way easier when the workflow runs outside WordPress too.
I switched three client sites from custom PHP verification to this. Zero maintenance headaches since, plus way more reliable email delivery.
You’re almost there but need two tweaks. After wp_insert_user runs, don’t redirect right away. Set their role to ‘pending’ or add a custom meta flag like ‘awaiting_verification’. Then generate a verification token with wp_hash() using their user ID and timestamp.
Here’s the key part - hook into wp_authenticate_user to block unverified users from logging in. Check their verification status and return a WP_Error if they haven’t confirmed yet.
For verification, create a page template that handles GET parameters for user ID and token. Validate the token matches what you stored, update their role, and remove the pending flag. I built this exact setup last year and it’s been rock solid - no plugins needed and you control everything. WordPress’s wp_mail function works fine for most sites too.
I see you’re hitting that common WordPress registration headache. Sure, you could hack together custom verification tokens and email handling in PHP, but there’s a way cleaner solution.
Skip the WordPress hooks and custom database tables. Use Latenode instead - it’ll handle the whole workflow. Someone submits your form, Latenode sends the verification email, stores their info, and only creates the WordPress user once they confirm.
Best part? Keep your existing form but route everything through Latenode. It handles verification logic, token generation, and user creation without the mess. Plus you get proper error handling and can easily add features like resending emails or cleaning up dead accounts.
I’ve done this for several clients and it kills all those WordPress verification headaches. Takes 30 minutes vs hours of custom PHP.
You’ll need to tweak your registration flow to set users as pending and create verification tokens. Right after wp_insert_user runs, update the user meta with verification status and generate a unique token. Store that token in user meta and send it through wp_mail.
The trick is blocking unverified users from logging in. Hook into wp_authenticate_user and check their verification status first. If they’re not verified, return a WP_Error.
For verification, make a separate page that grabs the token parameter, checks it against user meta, and flips the verification status. I built this last year and wp_generate_password works great for tokens.
One thing that bit me - tokens can sit around forever. Add timestamps so you can clean up old unverified accounts after a few days. Whole thing’s maybe 100 lines but you control everything about verification.
Had this same issue six months ago. WordPress’s built-in activation key system actually works great - no need to build your own tokens. Just use the user_activation_key field that’s already in the wp_users table.
Once wp_insert_user works, generate an activation key with wp_generate_password(20, false) and update the user record. Set user status to pending in user meta, then build your verification URL with the user ID and activation key.
Your verification handler just compares the key against what’s in the database and activates if they match. Way cleaner since you’re using WordPress core instead of custom token stuff.
Don’t forget to clear the activation key after verification - otherwise people could reuse old links. Also throw in some rate limiting on verification attempts so nobody can brute force the tokens.
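The flow the answers above converge on (pending flag, login block on wp_authenticate_user, single-use token with an expiry), as an added example that is not code from any poster in this thread. It assumes it runs inside WordPress; the ev_ prefix, the meta keys other than email_confirmed, the ev_uid/ev_token query parameters and the two-day lifetime are assumptions, as is the choice to store only a SHA-256 hash of the token.

```php
<?php
// Assumes WordPress is loaded (plugin file or theme functions.php).
// The ev_ prefix, ev_* meta keys and ev_uid/ev_token parameters are hypothetical names.
define( 'EV_TTL', 2 * DAY_IN_SECONDS ); // link lifetime (assumed value)

// Call right after wp_insert_user() succeeds in the registration handler.
function ev_start_verification( $user_id ) {
    $token = wp_generate_password( 32, false ); // random, URL-safe (no special chars)
    update_user_meta( $user_id, 'email_confirmed', '0' );
    // Store only a hash, so a leaked usermeta table does not yield usable links.
    update_user_meta( $user_id, 'ev_token_hash', hash( 'sha256', $token ) );
    update_user_meta( $user_id, 'ev_token_time', time() );
    $url  = add_query_arg( array( 'ev_uid' => $user_id, 'ev_token' => $token ), home_url( '/' ) );
    $user = get_userdata( $user_id );
    return wp_mail( $user->user_email, 'Confirm your email address', "Confirm your account:\n\n" . $url );
}

// Block login until the address is confirmed.
add_filter( 'wp_authenticate_user', function ( $user ) {
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    // Only accounts explicitly flagged '0' are blocked; pre-existing users have no flag.
    if ( '0' === get_user_meta( $user->ID, 'email_confirmed', true ) ) {
        return new WP_Error( 'email_not_confirmed', 'Please confirm your email address before logging in.' );
    }
    return $user;
} );

// Handle the emailed link: /?ev_uid=123&ev_token=...
add_action( 'init', function () {
    if ( ! isset( $_GET['ev_uid'], $_GET['ev_token'] ) ) {
        return;
    }
    $user_id = absint( $_GET['ev_uid'] );
    $token   = sanitize_text_field( wp_unslash( $_GET['ev_token'] ) );
    $stored  = (string) get_user_meta( $user_id, 'ev_token_hash', true );
    $issued  = (int) get_user_meta( $user_id, 'ev_token_time', true );
    $fresh   = $issued > 0 && ( time() - $issued ) <= EV_TTL;
    // hash_equals() compares in constant time; a missing stored hash never matches.
    if ( '' === $stored || ! $fresh || ! hash_equals( $stored, hash( 'sha256', $token ) ) ) {
        wp_die( 'This verification link is invalid or has expired.', 'Verification failed', array( 'response' => 400 ) );
    }
    update_user_meta( $user_id, 'email_confirmed', '1' );
    delete_user_meta( $user_id, 'ev_token_hash' ); // single use: old links stop working
    delete_user_meta( $user_id, 'ev_token_time' );
    wp_safe_redirect( wp_login_url() );
    exit;
} );
```

The stored ev_token_time value can also drive the cleanup of stale unverified accounts mentioned above; rate limiting of verification attempts is not shown here.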