Are you sure you really want to auto-login new users? It’s very close to allowing anyone to login without a password. The reason for the email validation is to demonstrate to you the user at least provided a functioning email address that they control. Well, it’s your site, but I strongly recommend against this sort of thing.
I take it you want to redirect a new user validation and actually log in, yes? The problem with that is determining the “condition” that shaniji suggests. There is not any special “activation” action. When the user registers, they are already a fully active user, they just don’t know their password so they can log in. The “activation” link sent by email is merely a password reset link. The process is no different for a new user than a user who has been registered for many years.
I suppose you can pick a period of time since registration to consider a password reset as an activation. The nonce provided in the reset link is good for 24 hours, so that would be a good time frame. However, what is the difference between a new activation and an already activated user who is very forgetful and resets their password within that same 24 hour period? There is no difference.
It often happens new users initially accept the crazy, long, convoluted password first suggested by WP, then realize that it’s too cumbersome and change their password through the reset process instead of going to their profile. If you’re OK with erroneously redirecting such users once in a while, then you can use the ‘validate_password_reset’ action to do your own reset. Then check the user’s registration date. If it’s recent, do your auto login thing (if you must), then use wp_redirect() to go where you intend new activations to go.
If the registration is not recent, continue with the normal password reset process, then exit; when complete. The normal reset process includes verifying there are no errors and that a non-empty password was provided. If that does not check out, return without doing anything. For your convenience, here is the relevant code from wp-login.php you need to in part replicate to do your own reset. This includes the do_action() call that you hook into, so your callback is executed right at that line.
* @param object $errors WP Error object.
* @param WP_User|WP_Error $user WP_User object if the login and reset key match. WP_Error object otherwise.
*/
do_action( 'validate_password_reset', $errors, $user );
if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) {
reset_password($user, $_POST['pass1']);
setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
login_header( __( 'Password Reset' ), '<p class="message reset-pass">' . __( 'Your password has been reset.' ) . ' <a href="' . esc_url( wp_login_url() ) . '">' . __( 'Log in' ) . '</a></p>' );
login_footer();
exit;
}
