Allowing WordPress Multisite admins to set new user passwords

One of our clients recently asked us how Site Admins within their WordPress Multisite install could set a new user’s password during registration. We’d seen this question before from the WordPress Multisite community. It’s because there are fundamental differences between the way admins work when compared to Single Site WordPress.

Why we wrote the plugin

In WordPress Multisite, there are two types of admins – a ‘Network Admin’ with administrative control over the whole network of sites, and a ‘Site Admin’ with administrative control of a single site within the network, much like a regular Admin for Single Site WordPress. Many Site Admins, experienced with Single Site WordPress, expect to be able to set a password when they are registering a new user.

But this is not the case for a site within a WordPress Multisite network. As users can potentially register for multiple sites within the same network, the ability for Site Admins to designate passwords is removed. This prevents a Site Admin adding an existing user from another site within the network to their own site, at the same time allocating a different password to the existing user. Unintentionally, this would prevent the user from accessing the original site.

This is where our new plugin comes in. It allows a Site Admin to set the password during new user registration for the single site within a WordPress Multisite network they are responsible for.

Developing the plugin

We hoped to find the functionality we needed in WordPress core, but found no hooks or filters that could be used to alter the registration process. So we wrote a workaround from the ground up for our client, which we have released as a plugin to the WordPress community.

Let’s have a look at the code

We started by firing the listener function as each page loads to catch the global variable $_REQUEST sent from the registration form. Once this variable is detected our code is executed, by-passing WordPress core’s code.

Here’s how the plugin listens to the $_REQUEST

We needed to give the Site Admin the opportunity to choose the password, so we hooked additional input fields to the new user registration form. The following code did it for us. See the highlighted line? It’s a hidden security input field that passes an additional $_REQUEST variable to our listener function to ensure the information is actually from the new user registration form:

When the conditions for $_REQUEST variables are met, we use our functionality instead of that of WordPress. Yet we were concerned to make sure there were no conflicts, so we copied the function that registers the new user to the WordPress Multisite network from the original WordPress functions.

Allowing the Site Admin to set the user’s password was simple. After registering the user with the original WordPress function, we changed the password with following code. (Please note the value of $_REQUEST[pass1] is validated with $_REQUEST[pass2] using jQuery as the password is entered in form):

When registering the new user to WordPress Multisite, the Site Admin can choose whether they want to send the user an invitation email or set a new password for them. If the Site Admin chooses to send the user the invitation, the user is asked to change their password and the process doesn’t need our plugin’s functionality. On the other hand, if the Site Admin chooses to register the user without sending an invitation, we had to solve how to deliver the password to the new user. WordPress sends a welcome e-mail by default. Its content is stored in the database, so first we had to change it with the following code:

After delivering this altered e-mail, another custom e-mail is sent to the new user containing their login details. We put this code right before redirecting the Site Admin to the confirmation page:

That’s it.

Try the plugin

We’ve made this plugin available in the official WordPress repository. Please try it and let us know what you think.

Let's connect