Описание

OneCode Login provides a modern, passwordless authentication experience for your WordPress site. Instead of traditional passwords, users receive a secure 6-digit verification code via email.

Key Features

Passwordless Authentication — Users log in with just their email address
6-Digit Verification Codes — Secure, time-limited codes sent via email
Rate Limiting — Built-in protection against brute force attacks
Request ID Binding — Each code is bound to a specific login session for enhanced security
Neutral Feedback — Prevents user enumeration attacks by not revealing if an email exists
Customizable — Configure expiry times, cooldowns, and email templates
Accessible — Full keyboard navigation and screen reader support
Gutenberg Block — Easy to add login forms to any page
Shortcode Support — Use [onecode_login] anywhere
wp-login.php Integration — Optionally replace the default WordPress login
Developer API — Other plugins can use OneCode Login as an email one-time-code (OTP) service to verify a visitor’s email — see the Developer information section

Security Features

Cryptographically secure code generation
Codes and magic-link tokens are stored HMAC-hashed, never in plain text
Configurable code expiry (default: 10 minutes)
Resend cooldown to prevent spam
IP-based and email-based rate limiting
Automatic lockout after failed attempts
Codes are single-use and invalidated after successful login

Use Cases

Membership sites where password fatigue is an issue
Customer portals requiring simple authentication
Internal tools where security without complexity is needed
Any site wanting to improve user experience

Developer information

Other plugins on the same site can use OneCode Login as a generic email
one-time-code (OTP) service — for example to verify a guest’s email before
letting them act. OneCode emails the code and verifies it; your plugin keeps
full control of its own login/session (OneCode only asserts that the code is
valid for the email — it never logs anyone in). It works for any email
address; the address does not need a WordPress account.

All entry points are plain functions (and matching filters), so you do not need
a hard dependency on any class. The API is gated by the Settings Advanced
Enable developer API toggle.

Detect support (side-effect free — never call the request hook just to probe):

if ( function_exists( 'onecode_login_request_otp' ) && onecode_login_supports( 'otp' ) ) { ... }

Start authentication — email a code and receive a handle:

$handle = onecode_login_request_otp( $email, array( ‘consumer’ => ‘my_plugin’ ) );
// $handle = array( ‘request_id’, ‘auth_secret’, ‘expires_in’ (seconds), ‘expires_at’ (UTC), ‘sent’ )
// On failure: a WP_Error (codes: disabled, invalid_request, rate_limited, cooldown).

Keep request_id and auth_secret server-side (e.g. in a transient tied to the
visitor). The auth_secret is NEVER shown to the customer — it is what stops an
outsider who only knows the email from completing verification by guessing codes.

Complete authentication — the customer gives your plugin the code from the email:

$result = onecode_login_verify_otp( array(
’email’ => $email,
‘request_id’ => $handle[‘request_id’],
‘code’ => $code_from_customer,
‘auth_secret’ => $handle[‘auth_secret’],
‘consumer’ => ‘my_plugin’,
) );
// Success: array( ‘valid’ => true, ’email’ => … ). Failure: WP_Error.

On failure show a generic message to the user (the API intentionally returns a
single verify_failed code so it can’t be used as an oracle).

Filters are also available for loose coupling: onecode_login_request_otp
($pre, $email, $args) and onecode_login_verify_otp ($pre, $args).

Discovery and capabilities:

onecode_login_supports( $feature ) — returns true for 'otp',
‘identity_assertion’ and 'any_email'.
onecode_login_api() — returns the OneCode_Login_API service instance.
OneCode_Login_API::VERSION — the API contract version (independent of the
plugin version), so you can feature-gate against the API surface.
do_action( 'onecode_login_api_init', $api ) — fires once the API is ready;
bind to it if you want to wire up as soon as OneCode Login loads.

Reference: $args['consumer'] (a short [a-z0-9_-] label identifying your
integration) is required on both calls — it isolates your codes and rate limits
from the built-in login and from other consumers. Both request and verify are
rate-limited by OneCode, returning rate_limited / cooldown WP_Errors you can
surface to the user.

Скриншоты

Admin settings page with all configuration options
Email input form for passwordless login
6-digit verification code entry screen

Блоки

Этот плагин предоставляет 1 блок.

OneCode Login

Установка

Upload the onecode-login folder to /wp-content/plugins/
Activate the plugin through the Plugins menu in WordPress
Go to Settings > OneCode Login to configure options
Add the login form using the [onecode_login] shortcode or Gutenberg block

Shortcode Options

redirect_to — URL to redirect after successful login
button_text — Custom text for the send code button
verify_text — Custom text for the verify button

Example: [onecode_login redirect_to="/dashboard" button_text="Get Code"]

Часто задаваемые вопросы

Does this replace password login completely?: By default, no. OneCode Login works alongside traditional password login. However, you can enable the «Replace wp-login.php» option to use OneCode Login as the primary login method.
What happens if the email does not arrive?: Users can request a new code after the cooldown period (default: 60 seconds). Check your server email configuration if emails consistently fail to deliver.
Is this secure?: Yes. The plugin uses cryptographically secure random number generation, time-limited codes, rate limiting, and request binding to prevent various attack vectors.
Can I customize the email template?: Yes. Go to Settings > OneCode Login > Email tab to customize the subject and body of verification emails. You can use placeholders like {code}, {expires}, {site_name}, and {user_email}.
Does it work with multisite?: The plugin is designed for single-site installations. Multisite compatibility may be added in future versions.
What if a user does not have an account?: The plugin only allows existing users to log in. For security reasons, it does not reveal whether an email address has an account — users always see the same «check your email» message.

Отзывы

alex049 14.05.2026 3 ответа

Good product. Do the job. Many thanks. Just I founded 2 bugs : when logout, data remain in the database login_codes that make when want to connect again, it remain on the login page and code is not sent, and finish by blocking over 7000s the next conexion. I don’t try with automatic exit after no usage, perhaps we have same result Problem in login_code where expire at is before created at. Perhaps linked to the fact one use time with jetlag and the other one the UTC

painlessseo 02.03.2026

The developer clearly understands real-world needs and built something that actually solves practical problems.Looking forward to the developer adding even more features in future updates.Thank you for making this plugin!

Посмотреть все 2 отзыва

Участники и разработчики

«OneCode Login» — проект с открытым исходным кодом. В развитие плагина внесли свой вклад следующие участники:

oaron

Перевести «OneCode Login» на ваш язык.

Заинтересованы в разработке?

Посмотрите код, проверьте SVN репозиторий, или подпишитесь на журнал разработки по RSS.

Журнал изменений

1.1

New: developer API — other plugins on the same site can use OneCode Login as a generic email one-time-code (OTP) service. They request a code for any email address, then verify the code together with a server-side secret. Identity assertion only: OneCode confirms the code is valid for the email but never logs anyone in, so the integrating plugin keeps full control of its own session. See the «Developer information» section for the code-level integration.
New: api_enabled setting (Advanced tab) to turn the developer API on or off.
Security: verification codes and magic-link tokens are now stored HMAC-hashed instead of in plain text.
Security: client IP detection no longer trusts spoofable proxy headers by default (opt in via the onecode_login_trust_proxy_headers filter when behind a trusted proxy).
Security: magic-link verification is now rate-limited per IP as well as per email.
Privacy: debug logging no longer records verification codes or full email addresses (emails are masked).
Privacy: added WordPress personal-data exporter and eraser, plus a suggested Privacy Policy snippet.
Internal: codes are scoped per channel so the developer API and the built-in login never interfere with each other; verification uses an atomic single-use claim.
Note: upgrading from 1.0.2 or earlier clears any pending codes/tokens once (storage-format change); users simply request a new code.

1.0.2

Fix: assets are now loaded reliably when the shortcode/block is present on the page (prevents first-submit failure under aggressive page caching or JS optimization).
Fix: clear leftover code/rate-limit rows from earlier versions whose timestamps were stored in the local PHP timezone instead of UTC.

1.0.1

Small bug fixes

1.0.0

Initial release
Passwordless login with 6-digit verification codes
Rate limiting and brute force protection
Customizable email templates
Gutenberg block and shortcode support
wp-login.php integration option
Full accessibility support

Описание

Key Features

Security Features

Use Cases

Developer information

Скриншоты

Блоки

Установка

Shortcode Options

Часто задаваемые вопросы

Does this replace password login completely?

What happens if the email does not arrive?

Is this secure?

Can I customize the email template?

Does it work with multisite?

What if a user does not have an account?

Отзывы

Участники и разработчики

Заинтересованы в разработке?

Журнал изменений

1.1

1.0.2

1.0.1

1.0.0

Мета

Оценки

Участники

Поддержка