$username = sanitize_text_field($_POST['username']);
$password = sanitize_text_field($_POST['password']);
$user = validatedata( $username, $password );
if ( is_wp_error( $user )) { wp_die( $user->get_error_message );}
// User checks out -- log them in

function validatedata( $user, $pwd ) {
  // validate passed values
  // if data validates, try to get WP_User
  // return either WP_User on success or WP_Error on fail
}

Globals should be seen as a last ditch crutch for when you’ve coded yourself into a corner. (However, WP makes extensive use of globals) Another way to pass values when using function parameters is out is via class static properties combined with static getter methods. Then you can get or set values with something like My_Class::get_my_value() and My_Class::set_my_value('bcworkz')

It can be argued these class methods are merely elaborate globals. Perhaps, but it’s far more structured and better avoids name collisions, avoiding the drawbacks of simple globals.

Are you aware that there are WP functions that do all of this checking and logging in for you? (wp_signon() for one) If you are avoiding these built in functions for the sake of learning, that’s fine, but review the source code of the WP functions to be sure your code is doing all the same checks. You don’t want to compromise on security ??

Oh BTW, the “init” action fires right after WP is fully loaded, but before the request is processed. Trying to use WP functions before “init” fires is unreliable.

Thanks for the Response