Back in WordPress 4.5, the platform gave users the option to log into their accounts using their email address instead of a username. While this can help some users remember the login credentials easier, others may want to remove the email address login option.
While most websites also offer email address as a login option, there are security concerns from it. You see, a user’s email is not exactly a secret. You can usually find their email from viewing their LinkedIn page or other social network.
As such, making it one of the safeguards of your account can be seen as risky.
Today, I will show you how to remove it with some code.
What Makes an Email Address Unsafe?
Now, you may be questioning why it is a big deal for an email address to be used as a login credential. This is a pretty valid question since almost every major website allows users to log in with one.
The simple answer is that it is because an email address is typically considered public information as it is often shared on various sites. Social media accounts, personal websites, friends, family, co-workers, and more probably know your email.
As such, can you really consider it to be a secure login credential?
One of the most common methods hackers use to break into an account is a Brute Force Attack. As the name implies, a hacker will set up a script to continuously enter different passwords to your account until it guesses the right one.
As such, all they need is either an email address or username to begin. Which is why emails are considered unsafe.
Or at least they were. Things have changed as more sites have adapted to preventing brute force attacks, thus it is not really a big deal anymore. That said, if you are still adamant you want to remove the email address as a login option, this guide will help.
How to Remove Email Address Login in WordPress
Since the email address was added to the WordPress core files, we can simply disable it by adding a line of code to your current theme’s functions.php file.
Don’t worry all you’ll need to do is copy and paste a line of code, so it is not very difficult.
That said, there are multiple ways you can access this file and I will demonstrate how to access it from within WordPress and how you can do it from your cPanel. The code used is the same in both methods, so it just comes down to your preference.
Since you will be editing the code of your website, take a minute and make sure your backup is up to date. This can be used to quickly restore your site in case a mistake is made.
While the chances of this happening are small, it’s better to be safe than sorry.
Important Note: This will change the way you and other users log into your website. Be sure to properly inform everyone that they must use their username and not their email address going forward. Otherwise, you will get a ton of support requests.
Method 1: Theme File Editor
Perhaps the easiest way to access your theme’s functions.php file is to use the Theme File Editor within WordPress. This is a section that allows you to access your theme’s files and edit them as needed.
That said, not all themes have access to this, for example, the latest block-based themes, like Twenty-Twenty-Two and beyond, no longer have this option. As such, you will need to use the second method if that is the case.
To begin, click on Appearance and select the Theme File Editor option.
On the right-hand side, you will see a list of all of the files within your active theme. Locate the functions.php file and select it.
This will open the file, where you can view all of the code and edit it. In this case, we are simply going to add the following line of code in the file and, it will remove the email as a login option:
remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
While it does not matter where you place it, I recommend doing so at the bottom of the file.
After that, just click on the “Update File” button to save the changes. From here, you can log out of your site and go to the login area to see that the email address no longer works.
Note: The login area will still list email as an option, but it no longer works, This is actually a good way of tricking hackers that may be attempting to use an email address to log in.
Method 2: Using the cPanel
The second method you can use is to go directly through the cPanel. As such, you will need your login credentials to access your web hosting account. Contact your web host if you do not have them.
Begin by logging into the cPanel. Locate the Files section and click on the File Manager option.
The File Manager will allow you to access all of the files related to your website. In this case, we need to locate your theme’s functions.php file. On the left-hand side, you will see all of the directories stored on your web server.
Click on the public_html directory. Once inside, click on the wp-content folder.
Inside this folder, you will find all of the content related to your WordPress website.
Locate and click on the themes folder. This folder contains all of the themes you have installed on your website. Locate the theme you are currently using and click on it. Finally, locate and right-click on the functions.php file and select the Edit option.
A pop-up window will show up. This box will warn you to create a backup of your files before editing anything. This will ensure that you can revert your website back to when it was working if something goes wrong.
Click on the “Edit” button. to continue past the popup. A new tab will open containing all of the code from the file.
Copy and paste the following line of code into your functions.php file:
remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
The line can be placed anywhere in the file, but for simplicity, I recommend adding it to the bottom of the file. Once you have inserted the code into the functions.php file, click on the “Save Changes” button to finish.
Again, this code will just remove the email address as an option for the login area. However, the login area will still mention that you can use it, but it will not work.
Protect Your Login Area Today
Security is one of the top concerns of any website. If there’s anything worse than having your data stolen, it is being responsible for having someone else’s data stolen. As such, security is something you need to get right.
Securing your login area is very important as it acts as the front door for the entire site. Choosing to remove the email address is just one way to do this. Consider adding other security methods like reCAPTCHA to protect it.
In any case, I hope you found this tutorial helpful.
Do you think that your website is safer using only a username login? Do your visitors have any login issues?
When someone writes an piece of writing he/she keeps the thought of a user in his/her brain that how a user can understand it. So that’s why this paragraph is perfect. Thanks!
Keep working ,impressive job!
Wow! At last I got a web site from where I be able to in fact get valuable facts regarding my study and knowledge.
Just want to say your article is as astounding. The clarity in your post is simply spectacular and i can assume you are an expert on this subject. Fine with your permission let me to grab your feed to keep updated with forthcoming post. Thanks a million and please continue the rewarding work.
Wonderful blog! Do you have any hints for aspiring writers? I’m planning to start my own site soon but I’m a little lost on everything. Would you recommend starting with a free platform like WordPress or go for a paid option? There are so many choices out there that I’m totally confused .. Any ideas? Cheers!
Hey there! Quick question that’s entirely off topic. Do you know how to make your site mobile friendly? My weblog looks weird when viewing from my iphone4. I’m trying to find a template or plugin that might be able to correct this issue. If you have any suggestions, please share. Thank you!