WordPress MU plugin: Secure invites

One a couple of the WordPress MU websites I’ve built I’ve needed to only allow signups for people who have been invited. I’ve taken the solution I built, and mixing it with the invitation plugin by kt (Gord) from http://www.ikazoku.com I’ve created this secure invite plugin.

This plugin stops access to your signup page, except where the visitor has been invited and clicked the link in their invitation email. Your users invite people, and you can see who has sent the most invitations, and how many resulting signups have occurred. Other features:

  • Restrict the ability to invite people to users who have been registered only for a certain number of days or more
  • View the number of invites sent and resulting signups per month
  • View the users who have sent the most invites, and the number of resulting signups
  • Browse all invitations sent (auto paginated)
  • Change the default email text
  • Set after how many days an invitation will expire
  • Works with different locations of signup page (default: /wp-signup.php)
  • Set the message to show if someone tries to sign up with no valid invitation


Put the plugin file into /wp-content/mu-plugins/. The plugin will try to automatically create the invitation database table. If this fails, because of a user permissions error for example, you will need to create the table manually. Here’s the code:

CREATE TABLE wp_invitations ( 
id mediumint(9) NOT NULL AUTO_INCREMENT, 
user_id mediumint(9), 
invited_email varchar(255), 
datestamp datetime, 

Remember to change the “wp_” but if you’re using a non-standard database prefix.

The plugin is available for download from my page in the official WordPress plugin repository. If you have any suggestions please feel free to put them in the comments here.


0.5: June 9, 2009: Added the __() function to the rest of the text bits to allow for translation. Changed the site admin functions to only have one menu item. Moved the plugin to the official WordPress repository.

0.4: May 8, 2009: Modified the create table script so it’s more robust. It should create the table every time now.

0.3: March 17, 2009: Added “Open signup” option which disables security on the signup page, allowing anyone to sign up. This of course leaves the invitation feature alone. Also fixed a bug with user levels. Users of level 0 and above (anyone with a Dashboard login) will now be able to use the invitation feature.

0.2: March 11, 2009: Made wp-signup.php more secure – there is a bug in WP that allows paths such as /category/uncategorized/wp-signup.php to load the signup page. Also added email error report feature on failure of an invite database insertion. And changed email function to wp_mail() from the standard PHP mail() function.

Thanks to the commenters at my website for reporting these errors.

0.1: February 25, 2009: Fixed a bug with the invitation expiry time. Moved the plugin to version 0.1 from Please let me know if you have any problems or queries here. January 2009: This is a BETA version, so any comments or problems should be reported on the blog post announcing the release: https://www.stillbreathing.co.uk/blog/2009/01/14/wordpress-mu-plugin-secure-invites/

Leave a Reply