Skip to content

Adam Greenwell

Email Verification

Email Verification ensures that users who register on your WordPress site have access to the email address they provide. This security feature prevents fake accounts, reduces spam registrations, and verifies user identity before granting site access.

Overview

WordPress does NOT verify email addresses by default. When users register on a standard WordPress site, they can log in immediately without confirming they own the email address they provided. This makes it easy for bots, spammers, and malicious users to create fake accounts.

Guard Dog’s Email Verification feature fixes this security gap. When enabled, it requires all new user registrations to verify their email address before they can log in. Users receive a verification email with a secure link that they must click to activate their account.

WordPress Default Behavior vs Guard Dog

Standard WordPress Registration:

  • ❌ No email verification required
  • ❌ Users can provide fake/typo email addresses
  • ❌ Accounts active immediately after registration
  • ❌ Email only used for password delivery
  • ❌ Easy for bots to create accounts

With Guard Dog Email Verification:

  • ✅ Email verification required before login
  • ✅ Confirms user owns the email address
  • ✅ Blocks access until verification complete
  • ✅ Prevents fake/invalid email addresses
  • ✅ Significantly reduces bot registrations

Key Benefits:

  • ✅ Prevents fake account registrations
  • ✅ Reduces spam and bot registrations
  • ✅ Confirms user identity and email validity
  • ✅ Improves user database quality
  • ✅ Enhances site security
  • ✅ Users set passwords during registration (more secure than emailed passwords)

How It Works

Registration Flow

  1. User Registers
  • User visits your registration page (typically /wp-login.php?action=register)
  • User provides username, email, and password
  • Form validates all requirements (password policy if enabled)
  1. Verification Email Sent
  • WordPress creates the user account
  • Account is marked as “unverified”
  • Verification email sent to provided address
  • Email contains secure, time-limited link
  1. User Clicks Verification Link
  • Link verifies email ownership
  • Account marked as “verified”
  • User can now log in
  1. Login Access Granted
  • User logs in with username/email and password
  • If unverified, login is blocked with resend option
  • If verified, standard login flow proceeds

Email Change Flow

If a user changes their email address in their profile:

  1. Account automatically marked as “unverified”
  2. New verification email sent to new address
  3. User must verify new email before next login
  4. Login blocked until verification complete

Configuration

Basic Settings

Navigate to Guard Dog → Settings → Email Verification to configure:

Enable Email Verification:

  • Default: Disabled
  • Description: Require new users to verify their email address before logging in
  • Recommendation: Enable for public registration sites

Verification Link Expiry:

  • Default: 48 hours
  • Range: 1 – 168 hours (1 week)
  • Description: How long verification links remain valid
  • Recommendation: 48-72 hours for balance between security and user convenience

Bypass Admin-Created Users:

  • Default: Enabled
  • Description: Skip verification for users created by administrators
  • Use Case: Admin-created accounts are pre-vetted and trusted
  • Recommendation: Keep enabled unless you want admins to verify all accounts

Rate Limiting

Prevent abuse of the verification email system:

Resend Limit (Per Hour):

  • Default: 3 attempts
  • Range: 1 – 10 attempts
  • Description: Maximum verification email resends within 1 hour
  • Purpose: Prevent email flooding

Resend Limit (Per Day):

  • Default: 5 attempts
  • Range: 1 – 20 attempts
  • Description: Maximum verification email resends within 24 hours
  • Purpose: Prevent abuse and reduce email costs

User Experience

Registration Form

When Email Verification is enabled, the registration form changes:

Standard WordPress Registration:

  • Username
  • Email address
  • Password (auto-generated by WordPress)
  • Email sent with password

With Guard Dog Email Verification:

  • Username
  • Email address
  • Password (user chooses)
  • Repeat Password (confirmation)
  • Password requirements display (if Password Policy enabled)
  • Verification email sent (no password in email)

Verification Email

Users receive an email like this:

Subject: [Your Site] Verify Your Email Address

Hello [Username],

Please verify your email address by clicking the following link:

[Verification Link]

This link will expire in 48 hours.

If you did not create an account, please ignore this email.

---
Your Site Name

Login Experience

Unverified User Attempts Login:

❌ Error: Please verify your email address before logging in.
[Resend verification email]

After Verification:

✅ Your email address has been verified successfully. You can now log in.

Email Provider Integration

Email Verification works seamlessly with Guard Dog’s Email Provider system:

Without Email Provider

  • Uses WordPress’s default wp_mail() function
  • May be unreliable on some hosts
  • Emails might end up in spam
  • Limited deliverability tracking

With Email Provider Configured

  • Uses professional email service (SES, Resend, SendGrid)
  • Guaranteed delivery
  • Better inbox placement
  • Delivery tracking and analytics
  • Automatic fallback to wp_mail() on failure

Recommendation: Configure an email provider for reliable verification emails. See Email Provider Documentation for setup.

Admin Features

User List Column

The WordPress Users page displays email verification status:

Verified Users:

  • Shows: ✅ Verified (green)

Unverified Users:

  • Shows: ❌ Not Verified (red)
  • Actions available:
  • Verify – Manually mark as verified (admin only)
  • Resend – Send new verification email

Manual Verification

Administrators can manually verify users:

  1. Go to Users → All Users
  2. Find user in list
  3. Click Verify link in “Email Verified” column
  4. User immediately marked as verified
  5. User can log in without clicking email link

Use Cases for Manual Verification:

  • User reports not receiving verification email
  • Email delivery issues
  • Urgent access needed
  • Trusted users created offline

Resending Verification Emails

Administrators can resend verification emails:

  1. Go to Users → All Users
  2. Find user in list
  3. Click Resend link in “Email Verified” column
  4. New verification email sent
  5. Old verification link invalidated

User Self-Service

Resend Verification Email

Users who can’t find their verification email can request a new one:

  1. Attempt to log in
  2. See error: “Please verify your email address”
  3. Click “Resend verification email” link
  4. New email sent (subject to rate limits)
  5. Redirected to login with success message

Rate Limit Messages

If user exceeds resend limits:

❌ Too many resend requests. Please try again later.

Security Features

Secure Token Generation

  • Uses cryptographically secure random_bytes()
  • 64-character hexadecimal tokens
  • Tokens hashed with wp_hash() before storage
  • Separate token and key for double-blind verification

Token Expiration

  • Configurable expiration (default 48 hours)
  • Expired tokens automatically rejected
  • Old tokens cleaned up automatically
  • No possibility of permanent unverified accounts

Rate Limiting

  • Per-hour and per-day limits prevent abuse
  • Protects against email flooding
  • Prevents verification system abuse
  • Reduces email provider costs

Database Security

  • Tokens stored hashed, never in plain text
  • Custom database table for isolation
  • Automatic cleanup of old records
  • No sensitive data in user meta

Database Structure

Email Verification uses a custom table: wp_guard_dog_email_verification

Fields:

  • id – Auto-increment primary key
  • user_id – WordPress user ID
  • verification_token – Hashed verification token
  • verification_key – Hashed verification key
  • email – Email address being verified
  • created_at – When verification was requested
  • expires_at – When token expires
  • verified_at – When user verified (NULL if unverified)
  • resend_count – Number of resends
  • last_resend_at – Last resend timestamp

Activity Logging

Email Verification events are logged in the Activity Log:

Logged Events:

  • email_verification_sent – Verification email sent
  • email_verification_verified – User verified email
  • email_verification_failed – Verification attempt failed
  • email_verification_expired – Verification link expired
  • email_verification_resend – Verification email resent
  • email_verification_admin_verified – Admin manually verified user

View logs in Guard Dog → Activity Log.

Integration with Password Policy

Email Verification works seamlessly with Password Policy:

When Both Enabled:

  • Registration form shows password fields
  • Password requirements displayed in real-time
  • Password validated against policy
  • Password set during registration (not emailed)
  • Verification email sent (without password)
  • User can log in immediately after verification

Benefits:

  • Users choose strong passwords
  • No passwords sent via email (more secure)
  • Better user experience
  • Reduced support requests

Grandfathered Users

Existing users created before Email Verification was enabled are automatically “grandfathered”:

How It Works:

  • Users registered > 24 hours before feature activation
  • Automatically considered verified
  • No verification required
  • Can log in normally

Why:

  • Prevents locking out existing users
  • Avoids mass email notifications
  • Gradual rollout
  • Only new registrations require verification

Adjust Threshold:
Users registered within 24 hours of activation may be asked to verify. This is intentional to catch recent registrations during setup.

Troubleshooting

Verification Email Not Received

Check these in order:

  1. Spam Folder
  • Check user’s spam/junk folder
  • Verification emails may be filtered
  1. Email Provider Status
  • Check Settings → Email Provider
  • Send test email
  • Check provider dashboard for errors
  1. WordPress Email Settings
  • If not using email provider, check wp_mail() works
  • Test with password reset email
  1. Rate Limits
  • Check if user exceeded resend limits
  • View Guard Dog → Activity Log
  1. Debug Logs
  • Enable debug logging
  • Check Guard Dog → Debug
  • Look for email sending errors

Solution: Admin can manually verify user or resend email.

Verification Link Expired

Error Message:

❌ This verification link has expired. Please request a new one.

Cause:

  • Link older than configured expiry (default 48 hours)
  • User didn’t click link in time

Solution:

  1. User clicks “Resend verification email” on login page
  2. Or admin resends from Users list
  3. New link generated with fresh expiration

Verification Link Already Used

Error Message:

❌ This email address has already been verified.

Cause:

  • User already verified email
  • Clicking old verification link again

Solution:

  • User can log in normally
  • No action needed

Can’t Log In After Verification

Symptoms:

  • User verified email successfully
  • Still can’t log in
  • No error message

Possible Causes:

  1. Wrong Password
  • User may have forgotten password set during registration
  • Use password reset: /wp-login.php?action=lostpassword
  1. Username Confusion
  • User may be using email instead of username
  • Try both username and email
  1. Browser Cache
  • Clear browser cache
  • Try incognito/private mode
  1. Other Security Plugins
  • Check for conflicts with other security plugins
  • Temporarily disable other security features

Admin Can’t See Verification Status

Symptoms:

  • “Email Verified” column not showing
  • Can’t see verify/resend links

Solutions:

  1. Screen Options
  • Click “Screen Options” tab at top of Users page
  • Check “Email Verified” checkbox
  • Column should appear
  1. Feature Disabled
  • Check Guard Dog → Settings → Email Verification
  • Ensure “Enable Email Verification” is checked
  • Save settings
  1. Permissions
  • Ensure you have edit_users capability
  • Only admins can see verification controls

Users Registering Without Verification

Symptoms:

  • Users can log in without verifying
  • No verification email sent

Check:

  1. Feature Enabled
  • Go to Guard Dog → Settings → Email Verification
  • Confirm “Enable Email Verification” is checked
  1. Bypass Admin-Created Users
  • If admins are creating users, and bypass is enabled
  • These users skip verification (by design)
  • Disable bypass if needed
  1. Grandfathered Users
  • Existing users (> 24 hours old) automatically verified
  • Only affects new registrations

Best Practices

  1. Enable for Public Registration – Essential for sites allowing public signups
  2. Configure Email Provider – Use reliable email service for verification emails
  3. Set Reasonable Expiry – 48-72 hours balances security and convenience
  4. Monitor Activity Log – Watch for verification failures or abuse attempts
  5. Test Before Launch – Create test account to verify email flow
  6. Keep Bypass Enabled – Let admins skip verification for trusted users
  7. Combine with Password Policy – Require both email verification and strong passwords
  8. Customize Email Templates – Brand verification emails to match your site
  9. Set Up Rate Limits – Prevent abuse while allowing legitimate resends
  10. Document for Users – Add registration instructions to help pages

Performance Considerations

Email Verification is designed for minimal performance impact:

  • Database queries optimized with indexed columns
  • Verification checks only run during login
  • Token generation uses efficient crypto functions
  • Rate limiting prevents abuse
  • Automatic cleanup of expired records

Database Impact:

  • Minimal: One row per unverified user
  • Automatic cleanup after verification
  • Indexed user_id for fast lookups

Privacy and Compliance

Data Stored

  • User ID
  • Email address being verified
  • Hashed tokens (not reversible)
  • Timestamps
  • Resend counts

Data Retention

  • Unverified records kept until expiry + 7 days
  • Verified records kept for audit trail
  • Can be cleaned up manually if needed

GDPR Compliance

  • User data minimized
  • Tokens hashed for privacy
  • No unnecessary data collection
  • User can request data deletion

Use Cases

Public Blog with Comments

Scenario: Blog allowing public registration for commenting

Configuration:

  • Enable Email Verification
  • Enable Password Policy (require strong passwords)
  • Set expiry to 48 hours
  • Keep bypass enabled for admin-created accounts

Benefits:

  • Reduces spam comment accounts
  • Verifies real users
  • Prevents bot registrations

Membership Site

Scenario: Paid membership site with user accounts

Configuration:

  • Enable Email Verification
  • Enable Password Policy
  • Configure email provider (for reliability)
  • Set expiry to 72 hours (give paid users more time)
  • Monitor activity log for issues

Benefits:

  • Ensures paying customers have valid emails
  • Reduces support requests from typos
  • Professional, reliable email delivery

E-commerce Site

Scenario: WooCommerce store with customer accounts

Configuration:

  • Enable Email Verification
  • Enable Password Policy (strong customer protection)
  • Use email provider (critical for order confirmations)
  • Set expiry to 48 hours
  • Bypass admin-created users (for phone orders)

Benefits:

  • Verifies customer email addresses
  • Reduces fraudulent accounts
  • Ensures order notifications reach customers

Community Forum

Scenario: WordPress with BuddyPress or bbPress forum

Configuration:

  • Enable Email Verification (essential)
  • Enable Password Policy
  • Configure email provider
  • Set strict rate limits (3/hour, 5/day)
  • Monitor for abuse

Benefits:

  • Prevents spam forum accounts
  • Reduces moderation workload
  • Verifies community members

FAQ

Q: Do existing users need to verify their email?
A: No. Users registered before enabling Email Verification are automatically grandfathered and considered verified.

Q: What happens if verification email isn’t received?
A: Users can click “Resend verification email” on the login page. Admins can also resend or manually verify from the Users page.

Q: Can I customize the verification email?
A: Yes. Email templates are located in includes/views/emails/email-verification.php. Customize HTML and text versions.

Q: How long are verification links valid?
A: Default is 48 hours, but configurable from 1 hour to 1 week in settings.

Q: Can administrators bypass email verification?
A: Yes. Enable “Bypass Admin-Created Users” in settings. Admin-created users are automatically verified.

Q: What if I disable Email Verification later?
A: Unverified users can log in immediately. Verification status is preserved if you re-enable later.

Q: Does this work with WooCommerce registration?
A: Yes. Works with WooCommerce, BuddyPress, and most registration plugins that use WordPress user registration functions.

Q: Can users log in with unverified email?
A: No. Login is blocked until email is verified. Error message includes resend link.

Q: What email provider should I use?
A: Resend (simplest), Amazon SES (cheapest at scale), or SendGrid (enterprise). See Email Provider docs.

Q: How do I test the verification flow?
A: Create a test user account with your own email. Go through the registration and verification process.