/* translators: %s: Post title. */
$notify_message = sprintf( __( 'A new comment on the post "%s" is waiting for your approval' ), $post->post_title ) . "\r\n";
$notify_message .= get_permalink( $comment->comment_post_ID ) . "\r\n\r\n";
/* translators: 1: Comment author's name, 2: Comment author's IP address, 3: Comment author's hostname. */
$notify_message .= sprintf( __( 'Author: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n";
/* translators: %s: Comment author email. */
$notify_message .= sprintf( __( 'Email: %s' ), $comment->comment_author_email ) . "\r\n";
/* translators: %s: Trackback/pingback/comment author URL. */
$notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n";
if ( $comment->comment_parent ) {
/* translators: Comment moderation. %s: Parent comment edit URL. */
$notify_message .= sprintf( __( 'In reply to: %s' ), admin_url( "comment.php?action=editcomment&c={$comment->comment_parent}#wpbody-content" ) ) . "\r\n";
/* translators: %s: Comment text. */
$notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n";
/* translators: Comment moderation. %s: Comment action URL. */
$notify_message .= sprintf( __( 'Approve it: %s' ), admin_url( "comment.php?action=approve&c={$comment_id}#wpbody-content" ) ) . "\r\n";
if ( EMPTY_TRASH_DAYS ) {
/* translators: Comment moderation. %s: Comment action URL. */
$notify_message .= sprintf( __( 'Trash it: %s' ), admin_url( "comment.php?action=trash&c={$comment_id}#wpbody-content" ) ) . "\r\n";
/* translators: Comment moderation. %s: Comment action URL. */
$notify_message .= sprintf( __( 'Delete it: %s' ), admin_url( "comment.php?action=delete&c={$comment_id}#wpbody-content" ) ) . "\r\n";
/* translators: Comment moderation. %s: Comment action URL. */
$notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment_id}#wpbody-content" ) ) . "\r\n";
$notify_message .= sprintf(
/* translators: Comment moderation. %s: Number of comments awaiting approval. */
'Currently %s comment is waiting for approval. Please visit the moderation panel:',
'Currently %s comments are waiting for approval. Please visit the moderation panel:',
number_format_i18n( $comments_waiting )
$notify_message .= admin_url( 'edit-comments.php?comment_status=moderated#wpbody-content' ) . "\r\n";
/* translators: Comment moderation notification email subject. 1: Site title, 2: Post title. */
$subject = sprintf( __( '[%1$s] Please moderate: "%2$s"' ), $blogname, $post->post_title );
* Filters the comment moderation email text.
* @param string $notify_message Text of the comment moderation email.
* @param int $comment_id Comment ID.
$notify_message = apply_filters( 'comment_moderation_text', $notify_message, $comment_id );
* Filters the comment moderation email subject.
* @param string $subject Subject of the comment moderation email.
* @param int $comment_id Comment ID.
$subject = apply_filters( 'comment_moderation_subject', $subject, $comment_id );
wp_mail( $email, wp_specialchars_decode( $subject ), $notify_message, $message_headers );
if ( $switched_locale ) {
restore_previous_locale();
if ( ! function_exists( 'wp_password_change_notification' ) ) :
* Notifies the blog admin of a user changing password, normally via email.
* @param WP_User $user User object.
function wp_password_change_notification( $user ) {
* Send a copy of password change notification to the admin,
* but check to see if it's the admin whose password we're changing, and skip this.
if ( 0 !== strcasecmp( $user->user_email, get_option( 'admin_email' ) ) ) {
$admin_user = get_user_by( 'email', get_option( 'admin_email' ) );
$switched_locale = switch_to_user_locale( $admin_user->ID );
$switched_locale = switch_to_locale( get_locale() );
/* translators: %s: User name. */
$message = sprintf( __( 'Password changed for user: %s' ), $user->user_login ) . "\r\n";
* The blogname option is escaped with esc_html() on the way into the database in sanitize_option().
* We want to reverse this for the plain text arena of emails.
$blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
$wp_password_change_notification_email = array(
'to' => get_option( 'admin_email' ),
/* translators: Password change notification email subject. %s: Site title. */
'subject' => __( '[%s] Password Changed' ),
* Filters the contents of the password change notification email sent to the site admin.
* @param array $wp_password_change_notification_email {
* Used to build wp_mail().
* @type string $to The intended recipient - site admin email address.
* @type string $subject The subject of the email.
* @type string $message The body of the email.
* @type string $headers The headers of the email.
* @param WP_User $user User object for user whose password was changed.
* @param string $blogname The site title.
$wp_password_change_notification_email = apply_filters( 'wp_password_change_notification_email', $wp_password_change_notification_email, $user, $blogname );
$wp_password_change_notification_email['to'],
wp_specialchars_decode( sprintf( $wp_password_change_notification_email['subject'], $blogname ) ),
$wp_password_change_notification_email['message'],
$wp_password_change_notification_email['headers']
if ( $switched_locale ) {
restore_previous_locale();
if ( ! function_exists( 'wp_new_user_notification' ) ) :
* Emails login credentials to a newly-registered user.
* A new user registration notification is also sent to admin email.
* @since 4.3.0 The `$plaintext_pass` parameter was changed to `$notify`.
* @since 4.3.1 The `$plaintext_pass` parameter was deprecated. `$notify` added as a third parameter.
* @since 4.6.0 The `$notify` parameter accepts 'user' for sending notification only to the user created.
* @param int $user_id User ID.
* @param null $deprecated Not used (argument deprecated).
* @param string $notify Optional. Type of notification that should happen. Accepts 'admin' or an empty
* string (admin only), 'user', or 'both' (admin and user). Default empty.
function wp_new_user_notification( $user_id, $deprecated = null, $notify = '' ) {
if ( null !== $deprecated ) {
_deprecated_argument( __FUNCTION__, '4.3.1' );
// Accepts only 'user', 'admin' , 'both' or default '' as $notify.
if ( ! in_array( $notify, array( 'user', 'admin', 'both', '' ), true ) ) {
$user = get_userdata( $user_id );
* The blogname option is escaped with esc_html() on the way into the database in sanitize_option().
* We want to reverse this for the plain text arena of emails.
$blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
* Filters whether the admin is notified of a new user registration.
* @param bool $send Whether to send the email. Default true.
* @param WP_User $user User object for new user.
$send_notification_to_admin = apply_filters( 'wp_send_new_user_notification_to_admin', true, $user );
if ( 'user' !== $notify && true === $send_notification_to_admin ) {
$admin_user = get_user_by( 'email', get_option( 'admin_email' ) );
$switched_locale = switch_to_user_locale( $admin_user->ID );
$switched_locale = switch_to_locale( get_locale() );
/* translators: %s: Site title. */
$message = sprintf( __( 'New user registration on your site %s:' ), $blogname ) . "\r\n\r\n";
/* translators: %s: User login. */
$message .= sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n";
/* translators: %s: User email address. */
$message .= sprintf( __( 'Email: %s' ), $user->user_email ) . "\r\n";
$wp_new_user_notification_email_admin = array(
'to' => get_option( 'admin_email' ),
/* translators: New user registration notification email subject. %s: Site title. */
'subject' => __( '[%s] New User Registration' ),
* Filters the contents of the new user notification email sent to the site admin.
* @param array $wp_new_user_notification_email_admin {
* Used to build wp_mail().
* @type string $to The intended recipient - site admin email address.
* @type string $subject The subject of the email.
* @type string $message The body of the email.
* @type string $headers The headers of the email.
* @param WP_User $user User object for new user.
* @param string $blogname The site title.
$wp_new_user_notification_email_admin = apply_filters( 'wp_new_user_notification_email_admin', $wp_new_user_notification_email_admin, $user, $blogname );
$wp_new_user_notification_email_admin['to'],
wp_specialchars_decode( sprintf( $wp_new_user_notification_email_admin['subject'], $blogname ) ),
$wp_new_user_notification_email_admin['message'],
$wp_new_user_notification_email_admin['headers']
if ( $switched_locale ) {
restore_previous_locale();
* Filters whether the user is notified of their new user registration.
* @param bool $send Whether to send the email. Default true.
* @param WP_User $user User object for new user.
$send_notification_to_user = apply_filters( 'wp_send_new_user_notification_to_user', true, $user );
// `$deprecated` was pre-4.3 `$plaintext_pass`. An empty `$plaintext_pass` didn't sent a user notification.
if ( 'admin' === $notify || true !== $send_notification_to_user || ( empty( $deprecated ) && empty( $notify ) ) ) {
$key = get_password_reset_key( $user );
if ( is_wp_error( $key ) ) {
$switched_locale = switch_to_user_locale( $user_id );
/* translators: %s: User login. */
$message = sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n";
$message .= __( 'To set your password, visit the following address:' ) . "\r\n\r\n";
* Since some user login names end in a period, this could produce ambiguous URLs that
* end in a period. To avoid the ambiguity, ensure that the login is not the last query
* arg in the URL. If moving it to the end, a trailing period will need to be escaped.
* @see https://core.trac.wordpress.org/tickets/42957
$message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user->user_login ) . "&key=$key&action=rp", 'login' ) . "\r\n\r\n";
$message .= wp_login_url() . "\r\n";
$wp_new_user_notification_email = array(
'to' => $user->user_email,
/* translators: Login details notification email subject. %s: Site title. */
'subject' => __( '[%s] Login Details' ),
* Filters the contents of the new user notification email sent to the new user.
* @param array $wp_new_user_notification_email {
* Used to build wp_mail().
* @type string $to The intended recipient - New user email address.
* @type string $subject The subject of the email.
* @type string $message The body of the email.
* @type string $headers The headers of the email.
* @param WP_User $user User object for new user.
* @param string $blogname The site title.
$wp_new_user_notification_email = apply_filters( 'wp_new_user_notification_email', $wp_new_user_notification_email, $user, $blogname );
$wp_new_user_notification_email['to'],
wp_specialchars_decode( sprintf( $wp_new_user_notification_email['subject'], $blogname ) ),
$wp_new_user_notification_email['message'],
$wp_new_user_notification_email['headers']
if ( $switched_locale ) {
restore_previous_locale();
if ( ! function_exists( 'wp_nonce_tick' ) ) :
* Returns the time-dependent variable for nonce creation.
* A nonce has a lifespan of two ticks. Nonces in their second tick may be
* updated, e.g. by autosave.
* @since 6.1.0 Added `$action` argument.
* @param string|int $action Optional. The nonce action. Default -1.
* @return float Float value rounded up to the next highest integer.
function wp_nonce_tick( $action = -1 ) {
* Filters the lifespan of nonces in seconds.
* @since 6.1.0 Added `$action` argument to allow for more targeted filters.
* @param int $lifespan Lifespan of nonces in seconds. Default 86,400 seconds, or one day.
* @param string|int $action The nonce action, or -1 if none was provided.
$nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS, $action );
return ceil( time() / ( $nonce_life / 2 ) );
if ( ! function_exists( 'wp_verify_nonce' ) ) :
* Verifies that a correct security nonce was used with time limit.
* A nonce is valid for between 12 and 24 hours (by default).
* @param string $nonce Nonce value that was used for verification, usually via a form field.
* @param string|int $action Should give context to what is taking place and be the same when nonce was created.
* @return int|false 1 if the nonce is valid and generated between 0-12 hours ago,
* 2 if the nonce is valid and generated between 12-24 hours ago.
* False if the nonce is invalid.
function wp_verify_nonce( $nonce, $action = -1 ) {
$nonce = (string) $nonce;
$user = wp_get_current_user();
* Filters whether the user who generated the nonce is logged out.
* @param int $uid ID of the nonce-owning user.
* @param string|int $action The nonce action, or -1 if none was provided.
$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
$token = wp_get_session_token();
$i = wp_nonce_tick( $action );
// Nonce generated 0-12 hours ago.
$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
if ( hash_equals( $expected, $nonce ) ) {
// Nonce generated 12-24 hours ago.
$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
if ( hash_equals( $expected, $nonce ) ) {
* Fires when nonce verification fails.
* @param string $nonce The invalid nonce.
* @param string|int $action The nonce action.
* @param WP_User $user The current user object.
* @param string $token The user's session token.
do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );
if ( ! function_exists( 'wp_create_nonce' ) ) :
* Creates a cryptographic token tied to a specific action, user, user session,
* @since 4.0.0 Session tokens were integrated with nonce creation.
* @param string|int $action Scalar value to add context to the nonce.
* @return string The token.
function wp_create_nonce( $action = -1 ) {
$user = wp_get_current_user();
/** This filter is documented in wp-includes/pluggable.php */
$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
$token = wp_get_session_token();
$i = wp_nonce_tick( $action );
return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
if ( ! function_exists( 'wp_salt' ) ) :
* Returns a salt to add to hashes.
* Salts are created using secret keys. Secret keys are located in two places:
* in the database and in the wp-config.php file. The secret key in the database
* is randomly generated and will be appended to the secret keys in wp-config.php.
* The secret keys in wp-config.php should be updated to strong, random keys to maximize
* security. Below is an example of how the secret key constants are defined.
* Do not paste this example directly into wp-config.php. Instead, have a
* {@link https://api.wordpress.org/secret-key/1.1/salt/ secret key created} just
* define('AUTH_KEY', ' Xakm<o xQy rw4EMsLKM-?!T+,PFF})H4lzcW57AF0U@N@< >M%G4Yt>f`z]MON');
* define('SECURE_AUTH_KEY', 'LzJ}op]mr|6+![P}Ak:uNdJCJZd>(Hx.-Mh#Tz)pCIU#uGEnfFz|f ;;eU%/U^O~');
* define('LOGGED_IN_KEY', '|i|Ux`9<p-h$aFf(qnT:sDO:D1P^wZ$$/Ra@miTJi9G;ddp_<q}6H1)o|a +&JCM');
* define('NONCE_KEY', '%:R{[P|,s.KuMltH5}cI;/k<Gx~j!f0I)m_sIyu+&NJZ)-iO>z7X>QYR0Z_XnZ@|');
* define('AUTH_SALT', 'eZyT)-Naw]F8CwA*VaW#q*|.)g@o}||wf~@C-YSt}(dh_r6EbI#A,y|nU2{B#JBW');
* define('SECURE_AUTH_SALT', '!=oLUTXh,QW=H `}`L|9/^4-3 STz},T(w}W<I`.JjPi)<Bmf1v,HpGe}T1:Xt7n');
* define('LOGGED_IN_SALT', '+XSqHc;@Q*K_b|Z?NC[3H!!EONbh.n<+=uKR:>*c(u`g~EJBf#8u#R{mUEZrozmm');
* define('NONCE_SALT', 'h`GXHhD>SLWVfg1(1(N{;.V!MoE(SfbA_ksP@&`+AycHcAV$+?@3q+rxV{%^VyKT');
* Salting passwords helps against tools which has stored hashed values of
* common dictionary strings. The added values makes it harder to crack.
* @link https://api.wordpress.org/secret-key/1.1/salt/ Create secrets for wp-config.php
* @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce).
* @return string Salt value
function wp_salt( $scheme = 'auth' ) {
static $cached_salts = array();
if ( isset( $cached_salts[ $scheme ] ) ) {
* Filters the WordPress salt.
* @param string $cached_salt Cached salt for the given scheme.
* @param string $scheme Authentication scheme. Values include 'auth',
* 'secure_auth', 'logged_in', and 'nonce'.
return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme );
if ( null === $duplicated_keys ) {
$duplicated_keys = array();
foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) {
foreach ( array( 'KEY', 'SALT' ) as $second ) {
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
