WordPress allows login by either username or email address.
But, email addresses are more likely to be common knowledge. Or perhaps easier to guess. We tend to keep our email addresses to set patterns.
Its all very well having a fancy obscure username but if the email address associated with the account is easily guessable, all that effort has been wasted.
An email address could be created, just for logging into the website. It could be made obscure and configured to forward emails. But this is looking like a username. Would it not be better to configure WordPress to block logins using email addresses, only allowing logins using a username and password?
A set of random characters, upper case and lower case, together with numbers and symbols can make a good choice for a username, but not a good choice for an email address. Who would be comfortable receiving an email from such an address?
Do you really wish to create a separate obscure email address (a shadow email address) for every registered user – or at least admin user of a WordPress website?
I can explain to my customers the need to have an obscure username to access their website. But to suggest that a second email address should be created for them to use…
So I have another little section of code to be added to the functions.php file included within my theme files.
/* * Block login by email address */ remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
There you are the simple solution.
With the above code login to a WordPress website using the account email address is blocked. Access using the likely more easily guessed email address has been stopped.
Now to sell to my customers the idea of using a username as equally obscure as their password!