{"id":314636,"date":"2026-06-09T15:43:19","date_gmt":"2026-06-09T15:43:19","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/easyauth\/"},"modified":"2026-06-09T15:42:55","modified_gmt":"2026-06-09T15:42:55","slug":"authdock","status":"publish","type":"plugin","link":"https:\/\/ru.wordpress.org\/plugins\/authdock\/","author":17211928,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.0","stable_tag":"1.0.0","tested":"7.0","requires":"6.0","requires_php":"7.4","requires_plugins":null,"header_name":"AuthDock","header_author":"Degird","header_description":"A comprehensive authentication and user access management plugin for WordPress. Social login, magic link login, two-factor authentication, login attempt limiting, dynamic redirects, audit logging, wp-admin access restriction, and core security hardening \u2014 all with a native WordPress UI and REST API integration.","assets_banners_color":"9e9f9f","last_updated":"2026-06-09 15:42:55","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/degird.com","header_plugin_uri":"https:\/\/degird.com\/","header_author_uri":"https:\/\/degird.com\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":24,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"rakibantor","date":"2026-06-09 15:42:55"}},"upgrade_notice":{"1.0.0":"<p>Initial release of AuthDock. 
Install to replace multiple security plugins with a single, comprehensive authentication solution.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3566239,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3566239,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3566239,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3566239,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":{"authdock\/login-form":{"$schema":"https:\/\/schemas.wp.org\/trunk\/block.json","apiVersion":3,"name":"authdock\/login-form","version":"1.0.0","title":"AuthDock Login Form","category":"widgets","description":"Display a complete login form with social login buttons, magic link, and 2FA support.","keywords":["login","authentication","social login","magic 
link","2fa"],"textdomain":"authdock","attributes":{"redirect":{"type":"string","default":""},"labelColor":{"type":"string","default":""},"buttonBgColor":{"type":"string","default":""},"buttonTextColor":{"type":"string","default":""},"buttonFontSize":{"type":"string","default":""},"placeholderColor":{"type":"string","default":""},"socialBtnBgColor":{"type":"string","default":""},"socialBtnTextColor":{"type":"string","default":""}},"supports":{"align":["wide","full","center"],"html":false,"color":{"background":true,"text":true,"link":false,"gradients":false},"spacing":{"margin":true,"padding":true},"typography":{"fontSize":true,"lineHeight":false},"__experimentalBorder":{"radius":true,"width":false,"color":false,"style":false}},"editorScript":"file:.\/index.js","style":"authdock-public"}},"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3566239,"resolution":"1","location":"assets","locale":"","width":1280,"height":720},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3566239,"resolution":"2","location":"assets","locale":"","width":1280,"height":720},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3566239,"resolution":"3","location":"assets","locale":"","width":1280,"height":720},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3566239,"resolution":"4","location":"assets","locale":"","width":1280,"height":720},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3566239,"resolution":"5","location":"assets","locale":"","width":1280,"height":720},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3566239,"resolution":"6","location":"assets","locale":"","width":1280,"height":720},"screenshot-7.png":{"filename":"screenshot-7.png","revision":3566239,"resolution":"7","location":"assets","locale":"","width":1280,"height":720}},"screenshots":{"1":"<strong>Dashboard<\/strong> \u2014 Overview of authentication activity with live stats and quick 
feature toggles.","2":"<strong>Social Login Settings<\/strong> \u2014 Configure Google, Facebook, GitHub, and X OAuth providers with button style options.","3":"<strong>Magic Link Settings<\/strong> \u2014 Configure link expiry, rate limiting, allowed roles, and force-magic mode.","4":"<strong>Two-Factor Authentication<\/strong> \u2014 TOTP and email-based 2FA setup with QR code provisioning and backup codes.","5":"<strong>Login Protection<\/strong> \u2014 Brute force settings with progressive lockout, IP whitelist\/blacklist, and notification options.","6":"<strong>Dynamic Redirects<\/strong> \u2014 Role-based login and logout redirect rules with first-login redirect.","7":"<strong>Audit Logs<\/strong> \u2014 Searchable, filterable log of all authentication events with CSV\/JSON export.","8":"<strong>Security Hardening<\/strong> \u2014 Custom login URL, XML-RPC control, security headers, password policies, and user enumeration prevention.","9":"<strong>Email Notifications<\/strong> \u2014 Admin and user notification settings with throttle control and test email.","10":"<strong>Access Control<\/strong> \u2014 wp-admin restriction by role and IP with emergency bypass and admin bar hiding.","11":"<strong>Session Management<\/strong> \u2014 Concurrent limits, idle timeout, per-role session duration, and remote termination.","12":"<strong>Social Login Buttons<\/strong> \u2014 Clean social login buttons on the WordPress login 
page."}},"plugin_section":[],"plugin_tags":[1912,46125,1229,2056,1909],"plugin_category":[],"plugin_contributors":[262317],"plugin_business_model":[],"class_list":["post-314636","plugin","type-plugin","status-publish","hentry","plugin_tags-access-control","plugin_tags-brute-force-protection","plugin_tags-login-security","plugin_tags-social-login","plugin_tags-two-factor-authentication","plugin_contributors-rakibantor","plugin_committers-rakibantor"],"banners":{"banner":"https:\/\/ps.w.org\/authdock\/assets\/banner-772x250.png?rev=3566239","banner_2x":"https:\/\/ps.w.org\/authdock\/assets\/banner-1544x500.png?rev=3566239","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/authdock\/assets\/icon-128x128.png?rev=3566239","icon_2x":"https:\/\/ps.w.org\/authdock\/assets\/icon-256x256.png?rev=3566239","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-1.png?rev=3566239","caption":"<strong>Dashboard<\/strong> \u2014 Overview of authentication activity with live stats and quick feature toggles."},{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-2.png?rev=3566239","caption":"<strong>Social Login Settings<\/strong> \u2014 Configure Google, Facebook, GitHub, and X OAuth providers with button style options."},{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-3.png?rev=3566239","caption":"<strong>Magic Link Settings<\/strong> \u2014 Configure link expiry, rate limiting, allowed roles, and force-magic mode."},{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-4.png?rev=3566239","caption":"<strong>Two-Factor Authentication<\/strong> \u2014 TOTP and email-based 2FA setup with QR code provisioning and backup codes."},{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-5.png?rev=3566239","caption":"<strong>Login Protection<\/strong> \u2014 Brute force settings with progressive lockout, IP whitelist\/blacklist, and notification 
options."},{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-6.png?rev=3566239","caption":"<strong>Dynamic Redirects<\/strong> \u2014 Role-based login and logout redirect rules with first-login redirect."},{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-7.png?rev=3566239","caption":"<strong>Audit Logs<\/strong> \u2014 Searchable, filterable log of all authentication events with CSV\/JSON export."}],"raw_content":"<!--section=description-->\n<p><strong>AuthDock<\/strong> is a professional-grade WordPress authentication and user access management plugin that replaces 5\u20137 separate security plugins with a single, unified solution. Built with WordPress-native UI, REST API integration, and zero bloat.<\/p>\n\n<p>Whether you run a membership site, WooCommerce store, multi-author blog, or corporate intranet \u2014 AuthDock gives you full control over how users log in, stay safe, and interact with your site.<\/p>\n\n<h4>\ud83d\udd11 Social Login<\/h4>\n\n<p>Let users sign in with one click using their existing accounts. 
No more forgotten passwords.<\/p>\n\n<ul>\n<li><strong>Google OAuth 2.0<\/strong> \u2014 Sign in with Google using OAuth 2.0 authorization<\/li>\n<li><strong>Facebook Login<\/strong> \u2014 Authenticate via the Facebook Graph API<\/li>\n<li><strong>GitHub OAuth<\/strong> \u2014 Developer-friendly sign in with GitHub<\/li>\n<li><strong>X (Twitter) OAuth 2.0<\/strong> \u2014 Uses OAuth 2.0 with PKCE (S256) for maximum security<\/li>\n<li><strong>Button Style<\/strong> \u2014 Choose between icon + text, icon only, or text only button styles<\/li>\n<li><strong>Button Layout<\/strong> \u2014 Display buttons vertically or horizontally<\/li>\n<li><strong>Button Order<\/strong> \u2014 Drag and drop to reorder provider buttons<\/li>\n<li><strong>Default Role<\/strong> \u2014 Assign a specific WordPress role to new social registrations (e.g., Subscriber, Customer)<\/li>\n<li><strong>Auto-Registration<\/strong> \u2014 Automatically create WordPress accounts from social profiles<\/li>\n<li><strong>Domain Restriction<\/strong> \u2014 Restrict social login to specific email domains (e.g., <code>company.com<\/code>, <code>university.edu<\/code>)<\/li>\n<li><strong>Avatar Integration<\/strong> \u2014 Automatically set user profile pictures from social account avatars<\/li>\n<li><strong>Account Linking<\/strong> \u2014 Users can link\/unlink social accounts from their WordPress profile page<\/li>\n<li><strong>Shortcode<\/strong> \u2014 Place social login buttons anywhere using <code>[authdock_social_login]<\/code><\/li>\n<li><strong>Developer Filters<\/strong> \u2014 <code>authdock_allow_social_account_linking<\/code> and <code>authdock_allow_social_registration<\/code> for custom control<\/li>\n<\/ul>\n\n<h4>\u2709\ufe0f Magic Link Login<\/h4>\n\n<p>Passwordless authentication \u2014 users receive a one-time login link via email. 
No passwords to remember or leak.<\/p>\n\n<ul>\n<li><strong>Enable\/Disable<\/strong> \u2014 Master toggle for passwordless login<\/li>\n<li><strong>Link Expiry<\/strong> \u2014 Set how long each magic link stays valid (in minutes, default: 10 minutes)<\/li>\n<li><strong>Rate Limiting<\/strong> \u2014 Maximum magic link requests per email per hour (default: 5\/hour) to prevent abuse<\/li>\n<li><strong>Allowed Roles<\/strong> \u2014 Restrict magic login to specific user roles (e.g., Subscribers, Editors)<\/li>\n<li><strong>Force Magic Login Mode<\/strong> \u2014 Hide the standard WordPress password form entirely and show only the magic link form<\/li>\n<li><strong>Custom Email Subject<\/strong> \u2014 Personalize the magic link email subject line<\/li>\n<li><strong>Custom Email Body<\/strong> \u2014 Customize the email body using merge tags: <code>{user_name}<\/code>, <code>{magic_link}<\/code>, <code>{expiry_time}<\/code>, <code>{site_name}<\/code>, <code>{ip_address}<\/code><\/li>\n<li><strong>One-Time Use<\/strong> \u2014 Each magic link is cryptographically random and can only be used once<\/li>\n<li><strong>Token Invalidation<\/strong> \u2014 Magic links are automatically invalidated when a user changes their password<\/li>\n<li><strong>Anti-Enumeration<\/strong> \u2014 Generic success messages prevent attackers from discovering valid email addresses<\/li>\n<li><strong>Shortcode<\/strong> \u2014 Display the form anywhere with <code>[authdock_magic_login]<\/code> and optional <code>redirect<\/code> attribute<\/li>\n<\/ul>\n\n<h4>\ud83d\udd10 Two-Factor Authentication (2FA)<\/h4>\n\n<p>Add a second layer of security to every login. 
Supports TOTP authenticator apps and email-based verification codes.<\/p>\n\n<ul>\n<li><strong>Enable\/Disable<\/strong> \u2014 Master toggle for two-factor authentication<\/li>\n<li><strong>TOTP Method<\/strong> \u2014 Time-based One-Time Passwords (RFC 6238) with QR code provisioning via Google Authenticator, Authy, Microsoft Authenticator, etc.<\/li>\n<li><strong>Email Method<\/strong> \u2014 Receive a 6-digit numeric verification code via email<\/li>\n<li><strong>Enforced Roles<\/strong> \u2014 Force specific WordPress roles (e.g., Administrator, Editor) to enable 2FA<\/li>\n<li><strong>Grace Period<\/strong> \u2014 Give users a configurable number of days to set up 2FA before enforcement kicks in (default: 3 days)<\/li>\n<li><strong>Trusted Devices<\/strong> \u2014 Allow users to skip 2FA on recognized devices for a configurable number of days (default: 30 days)<\/li>\n<li><strong>Trust Duration<\/strong> \u2014 Set how long a device stays trusted (in days)<\/li>\n<li><strong>Backup Recovery Codes<\/strong> \u2014 Generate 10 one-time-use backup codes for account recovery if the authenticator device is lost<\/li>\n<li><strong>Brute-Force Protection<\/strong> \u2014 Rate-limited to 5 verification attempts per session to prevent code guessing<\/li>\n<li><strong>Encrypted Secret Storage<\/strong> \u2014 TOTP secrets are encrypted with AES-256-CBC before storing in the database<\/li>\n<li><strong>Replay Protection<\/strong> \u2014 Each TOTP code can only be used once per time window (RFC 6238 \u00a75.2)<\/li>\n<li><strong>Clock Drift Tolerance<\/strong> \u2014 Accepts codes from \u00b11 time step (30 seconds) to handle minor clock differences<\/li>\n<li><strong>Interstitial Challenge Screen<\/strong> \u2014 Clean, WordPress-native verification screen shown after primary authentication<\/li>\n<li><strong>Admin Management<\/strong> \u2014 Administrators can view and disable 2FA for any user from the user profile page<\/li>\n<\/ul>\n\n<h4>\ud83d\udee1\ufe0f Brute 
Force Protection (Login Limiter)<\/h4>\n\n<p>Stop brute-force attacks with intelligent lockout rules that escalate automatically.<\/p>\n\n<ul>\n<li><strong>Enable\/Disable<\/strong> \u2014 Master toggle for login attempt limiting<\/li>\n<li><strong>Max Attempts<\/strong> \u2014 Set the number of failed login attempts before triggering a lockout (default: 5)<\/li>\n<li><strong>Lockout Duration<\/strong> \u2014 Time for the initial lockout period in minutes (default: 15 minutes)<\/li>\n<li><strong>Progressive Lockout<\/strong> \u2014 Lockouts automatically escalate: 15 minutes \u2192 1 hour \u2192 24 hours for repeat offenders<\/li>\n<li><strong>Auto-Blacklist<\/strong> \u2014 Permanently ban an IP after a configurable number of lockouts (e.g., after 5 lockouts)<\/li>\n<li><strong>IP Whitelist<\/strong> \u2014 Allow trusted IP addresses to bypass login limits (supports exact match, CIDR ranges like <code>192.168.1.0\/24<\/code>, and wildcards like <code>10.0.0.*<\/code>)<\/li>\n<li><strong>IP Blacklist<\/strong> \u2014 Permanently block specific IP addresses, CIDR ranges, or wildcard patterns<\/li>\n<li><strong>Notify Admin on Lockout<\/strong> \u2014 Send email alerts to the site administrator when an IP gets locked out<\/li>\n<li><strong>Notify Threshold<\/strong> \u2014 Configure after how many lockouts the notification triggers (default: 1)<\/li>\n<li><strong>XML-RPC Integration<\/strong> \u2014 Automatically block XML-RPC authentication from locked-out IPs<\/li>\n<li><strong>Login Page Warnings<\/strong> \u2014 Display remaining attempt count and lockout timers directly on the login page<\/li>\n<li><strong>Log Retention<\/strong> \u2014 Configure how long failed login attempt data is retained (default: 30 days)<\/li>\n<li><strong>Trusted Proxies<\/strong> \u2014 Specify trusted reverse proxy IPs for accurate client IP detection behind load balancers<\/li>\n<\/ul>\n\n<h4>\ud83d\udd04 Dynamic Login &amp; Logout Redirects<\/h4>\n\n<p>Send users exactly where they 
need to go \u2014 based on their role, or if it is their first login.<\/p>\n\n<ul>\n<li><strong>Role-Based Login Redirects<\/strong> \u2014 Set a custom URL for each WordPress role after login (e.g., Editors \u2192 <code>\/editorial-dashboard<\/code>, Subscribers \u2192 <code>\/members-area<\/code>)<\/li>\n<li><strong>Role-Based Logout Redirects<\/strong> \u2014 Set a custom URL for each WordPress role after logout<\/li>\n<li><strong>First-Login Redirect<\/strong> \u2014 Redirect brand new users to a welcome page, onboarding wizard, or setup screen on their very first login<\/li>\n<li><strong>Relative &amp; Absolute URLs<\/strong> \u2014 Supports both relative paths (<code>\/dashboard<\/code>) and full URLs (<code>https:\/\/example.com\/welcome<\/code>)<\/li>\n<li><strong>Open Redirect Prevention<\/strong> \u2014 All redirects are validated via <code>wp_safe_redirect()<\/code> and <code>wp_validate_redirect()<\/code> to prevent open redirect attacks<\/li>\n<\/ul>\n\n<h4>\ud83d\udccb Audit Logging<\/h4>\n\n<p>Keep a complete, searchable record of every authentication event happening on your site.<\/p>\n\n<ul>\n<li><strong>Enable\/Disable<\/strong> \u2014 Master toggle for audit logging<\/li>\n<li><strong>Tracked Events<\/strong> \u2014 Login success, login failure, logout, password reset, password change, user registration, profile updates (email\/role changes), social login, social linking\/unlinking, magic link requests, magic link usage, 2FA enabled\/disabled, session termination, access blocked, lockout events<\/li>\n<li><strong>Event Details<\/strong> \u2014 Each log entry records: user ID, event type, IP address, user agent, JSON context data, and precise timestamp<\/li>\n<li><strong>Retention Period<\/strong> \u2014 Choose how long to keep logs: 30, 60, 90, 180, 365 days, or unlimited (0 = forever)<\/li>\n<li><strong>Auto-Cleanup<\/strong> \u2014 Daily WP-Cron job automatically removes expired log entries in batches of 1,000 to avoid database 
locks<\/li>\n<li><strong>Filter by Event Type<\/strong> \u2014 View only specific event categories (e.g., show only failed logins)<\/li>\n<li><strong>Filter by Date Range<\/strong> \u2014 Narrow results by <code>date_from<\/code> and <code>date_to<\/code> parameters<\/li>\n<li><strong>Filter by User<\/strong> \u2014 View all events for a specific user ID<\/li>\n<li><strong>Search by IP<\/strong> \u2014 Find all events from a particular IP address<\/li>\n<li><strong>Full-Text Search<\/strong> \u2014 Search across event types, IPs, and context data<\/li>\n<li><strong>CSV Export<\/strong> \u2014 Download your complete audit log as a CSV file with formula injection protection<\/li>\n<li><strong>JSON Export<\/strong> \u2014 Export logs in JSON format for integration with external tools<\/li>\n<li><strong>Purge All Logs<\/strong> \u2014 One-click purge to clear all historical log data<\/li>\n<li><strong>Admin UI Viewer<\/strong> \u2014 Built-in admin page with paginated table, filters, and export buttons<\/li>\n<li><strong>Custom Database Table<\/strong> \u2014 Logs are stored in a dedicated <code>authdock_audit_logs<\/code> table with proper indexes for fast queries<\/li>\n<\/ul>\n\n<h4>\ud83c\udff0 Security Hardening<\/h4>\n\n<p>Close common WordPress security holes without installing another plugin.<\/p>\n\n<p><strong>Custom Login URL<\/strong>\n* <strong>Custom Slug<\/strong> \u2014 Replace <code>wp-login.php<\/code> with your own secret URL (e.g., <code>\/my-secure-login<\/code>)\n* <strong>Block Action<\/strong> \u2014 Choose what happens when someone visits the default <code>wp-login.php<\/code>: return a 404 error or redirect to the homepage\n* <strong>Recovery Key<\/strong> \u2014 Access the login page in emergencies via a secret query parameter even when the custom URL is active<\/p>\n\n<p><strong>XML-RPC Control<\/strong>\n* <strong>Disable XML-RPC<\/strong> \u2014 Completely disable the XML-RPC interface to block remote brute-force attacks\n* <strong>Partial 
Disable<\/strong> \u2014 Remove only authentication methods while keeping pingbacks functional<\/p>\n\n<p><strong>REST API Restriction<\/strong>\n* <strong>Restrict to Authenticated Users<\/strong> \u2014 Block all REST API access for unauthenticated visitors\n* <strong>Namespace Whitelist<\/strong> \u2014 Allow specific third-party REST namespaces (e.g., WooCommerce, Jetpack) to remain accessible<\/p>\n\n<p><strong>User Enumeration Prevention<\/strong>\n* <strong>Block Author Archives<\/strong> \u2014 Redirect <code>?author=N<\/code> enumeration queries to the homepage\n* <strong>Restrict User REST Endpoint<\/strong> \u2014 Block <code>\/wp-json\/wp\/v2\/users<\/code> for non-logged-in users\n* <strong>Generic Login Errors<\/strong> \u2014 Replace specific \"username not found\" or \"wrong password\" messages with a generic error<\/p>\n\n<p><strong>Password Strength Enforcement<\/strong>\n* <strong>Force Strong Passwords<\/strong> \u2014 Master toggle for password policy enforcement\n* <strong>Minimum Length<\/strong> \u2014 Set the minimum password length (default: 8 characters)\n* <strong>Require Uppercase<\/strong> \u2014 Mandate at least one uppercase letter\n* <strong>Require Lowercase<\/strong> \u2014 Mandate at least one lowercase letter\n* <strong>Require Number<\/strong> \u2014 Mandate at least one numeric digit\n* <strong>Require Special Character<\/strong> \u2014 Mandate at least one special character (e.g., <code>!@#$%<\/code>)\n* <strong>Enforced Roles<\/strong> \u2014 Apply password rules only to specific roles<\/p>\n\n<p><strong>Security HTTP Headers<\/strong>\n* <strong>X-Content-Type-Options<\/strong> \u2014 Prevents MIME-type sniffing (<code>nosniff<\/code>)\n* <strong>X-Frame-Options<\/strong> \u2014 Blocks clickjacking by restricting iframe embedding (<code>SAMEORIGIN<\/code>)\n* <strong>X-XSS-Protection<\/strong> \u2014 Legacy XSS filter for older browsers (<code>1; mode=block<\/code>)\n* <strong>Referrer-Policy<\/strong> \u2014 Controls 
referrer information sent with requests (<code>strict-origin-when-cross-origin<\/code>)\n* <strong>Strict-Transport-Security (HSTS)<\/strong> \u2014 Enforces HTTPS connections for 1 year (<code>max-age=31536000; includeSubDomains<\/code>)\n* <strong>Permissions-Policy<\/strong> \u2014 Restricts access to camera, microphone, and geolocation APIs<\/p>\n\n<p><strong>Role-Based Session Duration<\/strong>\n* <strong>Per-Role Cookie Lifetime<\/strong> \u2014 Set different authentication cookie durations per WordPress role (in hours)<\/p>\n\n<h4>\ud83d\udce7 Email Notifications<\/h4>\n\n<p>Stay informed about critical security events with real-time email alerts \u2014 for admins and users.<\/p>\n\n<p><strong>Admin Notifications<\/strong>\n* <strong>Multiple Failed Logins<\/strong> \u2014 Alert every N failed attempts from the same IP (default: every 3)\n* <strong>IP Lockout<\/strong> \u2014 Alert when an IP address gets locked out\n* <strong>Admin Login Alert<\/strong> \u2014 Notify when an administrator account logs in\n* <strong>New User Registration<\/strong> \u2014 Alert on every new user registration\n* <strong>User Promoted to Admin<\/strong> \u2014 Alert when any user is promoted to the Administrator role\n* <strong>Admin Password Changed<\/strong> \u2014 Alert when an administrator's password is changed or reset\n* <strong>2FA Disabled<\/strong> \u2014 Alert when any user disables their two-factor authentication\n* <strong>Login from New IP<\/strong> \u2014 Alert when a user logs in from a previously unseen IP address<\/p>\n\n<p><strong>User Self-Notifications<\/strong>\n* <strong>Password Changed<\/strong> \u2014 Notify the user when their password is changed\n* <strong>Email Changed<\/strong> \u2014 Notify at the OLD email address when a user's email is updated (security measure)\n* <strong>2FA Status Changed<\/strong> \u2014 Notify the user when 2FA is enabled or disabled on their account\n* <strong>Social Account Linked<\/strong> \u2014 Notify when a social 
provider is connected to their account\n* <strong>New Device Login<\/strong> \u2014 Notify the user when a login is detected from a new IP address\n* <strong>Account Locked<\/strong> \u2014 Notify the user when their account is locked due to failed attempts<\/p>\n\n<p><strong>Notification Settings<\/strong>\n* <strong>Custom Recipients<\/strong> \u2014 Set custom email addresses for admin notifications (defaults to the site admin email)\n* <strong>Throttle Period<\/strong> \u2014 Configurable cooldown in minutes to prevent notification flooding (default: 60 minutes)\n* <strong>Digest Mode<\/strong> \u2014 Option to batch notifications instead of sending them individually\n* <strong>Test Email<\/strong> \u2014 Send a test notification to verify your email configuration is working<\/p>\n\n<h4>\ud83d\udeaa wp-admin Access Control<\/h4>\n\n<p>Restrict who can access the WordPress dashboard \u2014 by role, by IP, or both.<\/p>\n\n<ul>\n<li><strong>Enable\/Disable<\/strong> \u2014 Master toggle for access control<\/li>\n<li><strong>Blocked Roles<\/strong> \u2014 Select which WordPress roles are blocked from accessing <code>\/wp-admin<\/code> (e.g., Subscriber, Customer)<\/li>\n<li><strong>IP Restriction Mode<\/strong> \u2014 Enable IP-based restrictions so only whitelisted IPs can access wp-admin<\/li>\n<li><strong>IP Whitelist<\/strong> \u2014 Specify allowed IP addresses and CIDR ranges (e.g., <code>203.0.113.5<\/code>, <code>192.168.1.0\/24<\/code>)<\/li>\n<li><strong>Hide Admin Bar<\/strong> \u2014 Remove the WordPress admin bar from the frontend for blocked roles<\/li>\n<li><strong>Redirect Action<\/strong> \u2014 Choose what happens when access is denied: redirect to homepage, redirect to a custom URL, or show a 403 Forbidden page<\/li>\n<li><strong>Custom Redirect URL<\/strong> \u2014 Set a specific URL for the access-denied redirect<\/li>\n<li><strong>Emergency Bypass Key<\/strong> \u2014 A secret query parameter (<code>?authdock_bypass=YOUR_KEY<\/code>) to 
regain access if you get locked out<\/li>\n<li><strong>Smart Exceptions<\/strong> \u2014 AJAX requests, WP-Cron, and <code>admin-post.php<\/code> are always allowed through<\/li>\n<li><strong>Administrator Immunity<\/strong> \u2014 Administrators are never blocked, regardless of settings<\/li>\n<\/ul>\n\n<h4>\u23f1\ufe0f Session Management<\/h4>\n\n<p>Take control of user sessions \u2014 limit concurrent logins, enforce idle timeouts, and terminate sessions remotely.<\/p>\n\n<ul>\n<li><strong>Enable\/Disable<\/strong> \u2014 Master toggle for session management<\/li>\n<li><strong>Concurrent Session Limit<\/strong> \u2014 Set the maximum number of simultaneous active sessions per user (0 = unlimited). Oldest sessions are destroyed when the limit is exceeded<\/li>\n<li><strong>Idle Session Timeout<\/strong> \u2014 Automatically log out users after a configurable period of inactivity (in minutes, 0 = disabled)<\/li>\n<li><strong>Per-Role Session Duration<\/strong> \u2014 Set different session lifetimes for each WordPress role (in hours)<\/li>\n<li><strong>Admin Session Viewer<\/strong> \u2014 View all active user sessions via the REST API, including user details and last activity timestamps<\/li>\n<li><strong>Remote Session Termination<\/strong> \u2014 Administrators can terminate all sessions for any user with a single API call<\/li>\n<li><strong>Throttled Activity Tracking<\/strong> \u2014 Last-activity timestamps are updated at most once per 5 minutes to minimize database writes<\/li>\n<\/ul>\n\n<h4>\u26a1 Performance &amp; Infrastructure<\/h4>\n\n<p>AuthDock is built for speed and follows WordPress best practices from top to bottom.<\/p>\n\n<ul>\n<li><strong>Conditional Asset Loading<\/strong> \u2014 CSS and JavaScript files load only on pages where they are needed<\/li>\n<li><strong>Indexed Database Tables<\/strong> \u2014 Custom tables use proper indexes for fast lookups<\/li>\n<li><strong>WP-Cron Maintenance<\/strong> \u2014 Audit log cleanup runs via 
non-blocking WP-Cron<\/li>\n<li><strong>Transient-Based Tracking<\/strong> \u2014 Brute force attempt tracking uses transients (no additional DB queries per login attempt)<\/li>\n<li><strong>REST API Powered<\/strong> \u2014 All admin data operations go through the <code>authdock\/v1<\/code> REST API namespace with 15+ endpoints<\/li>\n<li><strong>Hook-Based Architecture<\/strong> \u2014 Centralized Loader class registers all hooks for clean dependency management<\/li>\n<li><strong>Custom Capabilities<\/strong> \u2014 <code>authdock_manage_settings<\/code>, <code>authdock_view_audit_logs<\/code>, <code>authdock_export_audit_logs<\/code>, <code>authdock_manage_sessions<\/code>, <code>authdock_manage_lockouts<\/code><\/li>\n<li><strong>Clean Activation<\/strong> \u2014 Creates database tables, sets default options, registers capabilities, and schedules cron<\/li>\n<li><strong>Clean Deactivation<\/strong> \u2014 Clears cron events but preserves all settings for reactivation<\/li>\n<li><strong>Full Uninstall<\/strong> \u2014 Removes everything: options, user meta, database tables, capabilities, and transients<\/li>\n<li><strong>Full i18n<\/strong> \u2014 All user-facing strings use proper WordPress internationalization functions with the <code>authdock<\/code> text domain<\/li>\n<\/ul>\n\n<h4>\ud83e\udd14 Why Choose AuthDock?<\/h4>\n\n<ul>\n<li><strong>Replace 5\u20137 plugins<\/strong> \u2014 Social login + magic links + 2FA + brute force + audit logs + session management + access control \u2014 all in one<\/li>\n<li><strong>WordPress-native UI<\/strong> \u2014 Looks and feels like core WordPress, not a foreign dashboard<\/li>\n<li><strong>REST API powered<\/strong> \u2014 Modern, secure data handling for all admin operations<\/li>\n<li><strong>Lightweight &amp; fast<\/strong> \u2014  &hellip;<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>authdock<\/code> folder to <code>\/wp-content\/plugins\/<\/code><\/li>\n<li>Activate the plugin through 
the 'Plugins' menu in WordPress<\/li>\n<li>Go to <strong>AuthDock<\/strong> in the admin menu to configure settings<\/li>\n<li>Enable the features you want to use<\/li>\n<\/ol>\n\n<p>Or install directly from the WordPress plugin repository:<\/p>\n\n<ol>\n<li>Go to <strong>Plugins \u2192 Add New<\/strong> in your WordPress admin<\/li>\n<li>Search for \"AuthDock\"<\/li>\n<li>Click <strong>Install Now<\/strong>, then <strong>Activate<\/strong><\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20authdock%20work%20with%20woocommerce%3F\"><h3>Does AuthDock work with WooCommerce?<\/h3><\/dt>\n<dd><p>Yes. Social login buttons can be displayed on WooCommerce login and checkout pages when WooCommerce is active. Role-based redirects also work with WooCommerce customer roles.<\/p><\/dd>\n<dt id=\"is%20authdock%20multisite%20compatible%3F\"><h3>Is AuthDock multisite compatible?<\/h3><\/dt>\n<dd><p>Yes. Each subsite in a WordPress multisite network has independent settings and its own audit log table.<\/p><\/dd>\n<dt id=\"will%20authdock%20slow%20down%20my%20site%3F\"><h3>Will AuthDock slow down my site?<\/h3><\/dt>\n<dd><p>No. AuthDock uses conditional asset loading \u2014 CSS and JavaScript are only loaded on pages where they are needed. 
Database queries use proper indexing, and brute force tracking uses lightweight transients instead of database writes.<\/p><\/dd>\n<dt id=\"what%20happens%20when%20i%20deactivate%20the%20plugin%3F\"><h3>What happens when I deactivate the plugin?<\/h3><\/dt>\n<dd><p>Cron events are cleaned up, but your settings, database tables, and user data are preserved so you can reactivate later without losing configuration.<\/p><\/dd>\n<dt id=\"what%20happens%20when%20i%20delete%20the%20plugin%3F\"><h3>What happens when I delete the plugin?<\/h3><\/dt>\n<dd><p>All plugin data is completely removed: options, user meta (social IDs, 2FA secrets, trusted devices), custom database tables, custom capabilities, and transients.<\/p><\/dd>\n<dt id=\"can%20i%20use%20social%20login%20and%202fa%20together%3F\"><h3>Can I use social login and 2FA together?<\/h3><\/dt>\n<dd><p>Absolutely. When a user logs in via social login, they are still required to complete the 2FA challenge if 2FA is enabled for their account or role. AuthDock ensures 2FA cannot be bypassed regardless of the login method.<\/p><\/dd>\n<dt id=\"what%20authenticator%20apps%20work%20with%20authdock%202fa%3F\"><h3>What authenticator apps work with AuthDock 2FA?<\/h3><\/dt>\n<dd><p>Any TOTP-compatible authenticator app works, including Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and FreeOTP.<\/p><\/dd>\n<dt id=\"what%20if%20i%20get%20locked%20out%20by%20the%20custom%20login%20url%3F\"><h3>What if I get locked out by the custom login URL?<\/h3><\/dt>\n<dd><p>AuthDock includes a recovery key parameter. Access your login page via <code>?authdock_recover=YOUR_KEY<\/code> to bypass the custom login URL block. The recovery key is set in your security settings.<\/p><\/dd>\n<dt id=\"does%20the%20brute%20force%20protection%20work%20with%20cloudflare%20or%20reverse%20proxies%3F\"><h3>Does the brute force protection work with Cloudflare or reverse proxies?<\/h3><\/dt>\n<dd><p>Yes. 
You can configure trusted proxy IPs in the login limiter settings, and AuthDock will correctly read the real client IP from <code>X-Forwarded-For<\/code> headers. Add only the proxies that actually sit in front of your site, because <code>X-Forwarded-For<\/code> is set by the sender and is reliable only when it comes from a proxy you trust.<\/p><\/dd>\n<dt id=\"can%20i%20export%20my%20audit%20logs%3F\"><h3>Can I export my audit logs?<\/h3><\/dt>\n<dd><p>Yes. Audit logs can be exported in both CSV and JSON formats via the REST API or the admin UI. CSV exports include formula injection protection for safe spreadsheet use.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<li>Social Login with Google, Facebook, GitHub, and X (Twitter) via OAuth 2.0<\/li>\n<li>Magic Link passwordless login with configurable expiry, rate limiting, and force-magic mode<\/li>\n<li>Two-Factor Authentication \u2014 TOTP (RFC 6238) and email-based 2FA with encrypted secret storage, backup codes, trusted devices, and per-role enforcement<\/li>\n<li>Brute force protection with configurable attempts, progressive lockout escalation, IP whitelist\/blacklist with CIDR and wildcard support, and auto-blacklist<\/li>\n<li>Dynamic login\/logout redirects with per-role configuration and first-login redirect<\/li>\n<li>Comprehensive audit logging to custom database table with retention, filters, CSV\/JSON export, and auto-cleanup<\/li>\n<li>Security hardening \u2014 custom login URL with recovery key, XML-RPC control, REST API restriction, user enumeration prevention, password strength enforcement, and 6 security HTTP headers<\/li>\n<li>wp-admin access control with role-based and IP-based restrictions, admin bar hiding, emergency bypass key, and smart AJAX\/cron exceptions<\/li>\n<li>Session management \u2014 concurrent session limiting, idle timeout, per-role session duration, admin session viewer, and remote termination<\/li>\n<li>Email notification system with 8 admin triggers, 6 user self-notification triggers, configurable throttling, custom recipients, and test email<\/li>\n<li>REST API namespace <code>authdock\/v1<\/code> 
with 15+ endpoints for all data operations<\/li>\n<li>5 custom capabilities for granular permission control<\/li>\n<li>Full i18n support with <code>.pot<\/code> file<\/li>\n<li>WordPress.org compliance \u2014 GPL-2.0+, no tracking, no encoded code, third-party service disclosure<\/li>\n<\/ul>","raw_excerpt":"All-in-one WordPress authentication plugin with social login, magic links, 2FA, brute force protection, custom login URL, session management, and secu &hellip;","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/314636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=314636"}],"author":[{"embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/rakibantor"}],"wp:attachment":[{"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=314636"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=314636"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=314636"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=314636"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=314636"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ru.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=314636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}