Thanks for the heads up on this thread :-)
The wp_authenticate function is what logs a user into WordPress. Luckily, WordPress makes this a pluggable function. Meaning, you can define it yourself, and WordPress will use your version of the function instead of its default version.
Here is the default version of the function in WP v3.5.
/**
 * Checks a user's login information and logs them in if it checks out.
 *
 * @since 2.5.0
 *
 * @param string $username User's username
 * @param string $password User's password
 * @return WP_Error|WP_User WP_User object if login successful, otherwise WP_Error object.
 */
function wp_authenticate($username, $password) {
    $username = sanitize_user($username);
    $password = trim($password);

    $user = apply_filters('authenticate', null, $username, $password);

    if ( $user == null ) {
        // TODO what should the error message be? (Or would these even happen?)
        // Only needed if all authentication handlers fail to return anything.
        $user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.'));
    }

    $ignore_codes = array('empty_username', 'empty_password');

    if (is_wp_error($user) && !in_array($user->get_error_code(), $ignore_codes) ) {
        do_action('wp_login_failed', $username);
    }

    return $user;
}
A modified version might look something like this.
Please create this directory and file:
/wp-content/mu-plugins/s2-hacks.php
(NOTE: these are MUST USE plugins, see: http://codex.wordpress.org/Must_Use_Plugins)
(See also: http://www.s2member.com/kb/hacking-s2member/)
<?php
/**
 * Checks a user's login information and logs them in if it checks out.
 *
 * @since 2.5.0
 *
 * @param string $username User's username
 * @param string $password User's password
 * @return WP_Error|WP_User WP_User object if login successful, otherwise WP_Error object.
 */
function wp_authenticate($username, $password) {
    $username = sanitize_user($username);
    $password = trim($password);

    $user = apply_filters('authenticate', null, $username, $password);

    if ( $user == null ) {
        // TODO what should the error message be? (Or would these even happen?)
        // Only needed if all authentication handlers fail to return anything.
        $user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.'));
    }
    // A failed login arrives here as a WP_Error, which has no has_cap() method,
    // so only test the capability on a real WP_User object.
    else if($user instanceof WP_User && $user->has_cap('s2member_level1')) // A Level #1 Member?
    {
        $deny = TRUE; // Deny these Members?
        if($deny)
        {
            $user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: You have been denied access at this time. Please try again later.'));
        }
    }

    $ignore_codes = array('empty_username', 'empty_password');

    if (is_wp_error($user) && !in_array($user->get_error_code(), $ignore_codes) ) {
        do_action('wp_login_failed', $username);
    }

    return $user;
}
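
An alternative to replacing the pluggable function, added here as an example that is not part of the original post or of s2Member's own code: hook the `authenticate` filter that `wp_authenticate` applies, so core's copy of the function stays in place across WordPress updates. The file name and the function name `s2_hacks_deny_level1_login` are assumptions made for this illustration.

```php
<?php
/*
 * Added example, not from the original post.
 * Hypothetical file: /wp-content/mu-plugins/s2-deny-level1.php
 * The function name below is made up for this illustration.
 */

// Core's username/password check is hooked to 'authenticate' at priority 20.
// Running at 99 means $user is already a WP_User on success, or a
// WP_Error / null on failure, by the time this callback sees it.
add_filter('authenticate', 's2_hacks_deny_level1_login', 99, 3);

function s2_hacks_deny_level1_login($user, $username, $password)
{
    // Failed logins are passed through untouched so the original error
    // (and the wp_login_failed action fired by wp_authenticate) is preserved.
    if (!($user instanceof WP_User)) {
        return $user;
    }

    $deny = TRUE; // Deny Level #1 Members? Same switch as in the override above.

    if ($deny && $user->has_cap('s2member_level1')) {
        // Returning a WP_Error makes wp_authenticate() reject the login
        // even though the password was correct.
        return new WP_Error(
            'authentication_failed',
            __('<strong>ERROR</strong>: You have been denied access at this time. Please try again later.')
        );
    }

    return $user;
}
```

Like the override above, this only affects new logins that pass through wp_authenticate; a member who already holds a valid login cookie stays logged in until that cookie expires.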