Great question! When building a custom plugin that involves user login in WordPress, especially for a non-eCommerce site, you have a few clean, flexible options that don’t require WooCommerce. Here’s a breakdown to help guide you:
Option 1: Use WordPress’ Native User System (Recommended)
WordPress already has a built-in, extensible user system with login, registration, roles, capabilities, password hashing, and security features. Leveraging this is the most robust, future-proof approach.
Why it’s best:
- Secure password hashing (uses wp_hash_password() and wp_verify_password())
- Integration with login/logout/session management
- Compatible with WP core hooks, user roles, and permissions
- Easier to integrate with third-party plugins if needed later
Custom Login Form Using WP’s Auth System
You can create your own login form and use WordPress functions to authenticate users.
HTML form:
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="custom_user_login">
        <input type="text" name="username" placeholder="Username" required />
        <input type="password" name="password" placeholder="Password" required />
        <button type="submit">Login</button>
    </form>
Handle login in your plugin:
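    add_action('admin_post_nopriv_custom_user_login', 'handle_custom_user_login');

    function handle_custom_user_login() {
        // Reject requests that are missing either field.
        if (!isset($_POST['username'], $_POST['password'])) {
            wp_safe_redirect(home_url('/login?error=1'));
            exit;
        }
        $creds = [
            // WordPress adds slashes to $_POST; unslash the login name as core does.
            'user_login'    => sanitize_user(wp_unslash($_POST['username'])),
            // Pass the password through unmodified so it is never altered before hashing.
            'user_password' => $_POST['password'],
            'remember'      => true,
        ];
        // Mark the auth cookie Secure whenever the site is served over HTTPS.
        $user = wp_signon($creds, is_ssl());
        if (is_wp_error($user)) {
            // Generic error code: does not reveal whether the username exists.
            wp_safe_redirect(home_url('/login?error=1'));
            exit;
        }
        wp_safe_redirect(home_url('/dashboard')); // or wherever
        exit;
    }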
Security Tip: Always sanitize and validate inputs. Use sanitize_user() and escape properly.
Option 2: Lightweight Login Plugins (Optional)
If you don’t want to reinvent basic login/registration but want to keep it lean, you can try these lightweight plugins:
Recommended Minimal Plugins:
- WP User Manager – Clean UI, highly customizable.
- Theme My Login – Simple login/registration with redirect control.
- User Registration – Lightweight, drag-and-drop builder.
- LoginPress – For styled login screens (more cosmetic).
You can override templates, use shortcodes, or build custom forms while using their backend logic.
Option 3: Storing Users in a Custom Table (Not Recommended)
While it’s technically possible to store users in a separate DB table, it’s not advisable unless you have very specific needs (e.g., high-performance API, massive external user base, etc.).
Why avoid custom user tables:
- You’ll lose built-in WordPress security & capabilities
- Password hashing, role management, authentication must be rebuilt securely
- Incompatibility with WP plugins
- More complexity, more bugs, more risk
Instead, use wp_users and wp_usermeta tables, and extend them if needed.
Bonus: User Registration
If you need user registration, you can use wp_create_user() or wp_insert_user() in your custom handler.
    // Returns the new user ID on success, or a WP_Error object on failure.
    $user_id = wp_create_user($username, $password, $email);
Summary – Best Practices
Need | Best Approach
Custom login | Use wp_signon() with your own form
Registration | Use wp_create_user()
Manage roles | Use built-in roles/capabilities
Minimal UI | Use lightweight plugin like WP User Manager
Custom DB table | Avoid unless absolutely necessary
Let me know if you’d like:
- A full code sample for login + registration + redirect
- REST API-based login for headless/JS apps
- Login via AJAX
- Google/Facebook login integration
Happy to help you architect it cleanly!
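
A registration handler to go with the "Bonus: User Registration" section above, as an added example that is not part of the original post. The action name custom_user_register, the nonce action, the form field names, the /register and /login paths and the 12-character minimum are assumptions for illustration.

```php
<?php
// Added example: registration via admin-post.php using core user functions.
// Assumes the form posts action=custom_user_register and includes
// wp_nonce_field('custom_user_register').
add_action('admin_post_nopriv_custom_user_register', 'handle_custom_user_register');

function handle_custom_user_register() {
    // Reject submissions that did not originate from our form.
    $nonce = isset($_POST['_wpnonce']) ? sanitize_key($_POST['_wpnonce']) : '';
    if (!wp_verify_nonce($nonce, 'custom_user_register')) {
        wp_die('Invalid request.', '', ['response' => 403]);
    }
    // Honor the site-wide "Anyone can register" setting.
    if (!get_option('users_can_register')) {
        wp_die('Registration is disabled.', '', ['response' => 403]);
    }

    // WordPress slashes $_POST; unslash text fields before sanitizing.
    $username = isset($_POST['username']) ? sanitize_user(wp_unslash($_POST['username']), true) : '';
    $email    = isset($_POST['email']) ? sanitize_email(wp_unslash($_POST['email'])) : '';
    // Leave the password untouched so it hashes the same way the login handler submits it.
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    $error = '';
    if ($username === '' || !validate_username($username) || username_exists($username)) {
        $error = 'username';
    } elseif (!is_email($email) || email_exists($email)) {
        $error = 'email';
    } elseif (strlen($password) < 12) { // assumed minimum length
        $error = 'password';
    }

    if ($error === '') {
        // wp_create_user() hashes the password and returns a user ID or WP_Error.
        $user_id = wp_create_user($username, $password, $email);
        if (is_wp_error($user_id)) {
            $error = 'failed';
        }
    }

    if ($error !== '') {
        wp_safe_redirect(add_query_arg('error', $error, home_url('/register')));
        exit;
    }

    // The new account receives the site's default role.
    wp_safe_redirect(home_url('/login?registered=1'));
    exit;
}
```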