OneCode Login


By oaron

Description

OneCode Login provides a modern, passwordless authentication experience for your WordPress site. Instead of traditional passwords, users receive a secure 6-digit verification code via email.

Key Features

  • Passwordless Authentication – Users log in with just their email address
  • 6-Digit Verification Codes – Secure, time-limited codes sent via email
  • Rate Limiting – Built-in protection against brute force attacks
  • Request ID Binding – Each code is bound to a specific login session for enhanced security
  • Neutral Feedback – Prevents user enumeration attacks by not revealing if an email exists
  • Customizable – Configure expiry times, cooldowns, and email templates
  • Accessible – Full keyboard navigation and screen reader support
  • Gutenberg Block – Easy to add login forms to any page
  • Shortcode Support – Use [onecode_login] anywhere
  • wp-login.php Integration – Optionally replace the default WordPress login
  • Developer API – Other plugins can use OneCode Login as an email one-time-code (OTP) service to verify a visitor’s email — see the Developer information section

Security Features

  • Cryptographically secure code generation
  • Codes and magic-link tokens are stored HMAC-hashed, never in plain text
  • Configurable code expiry (default: 10 minutes)
  • Resend cooldown to prevent spam
  • IP-based and email-based rate limiting
  • Automatic lockout after failed attempts
  • Codes are single-use and invalidated after successful login
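
How the storage properties listed above can fit together, as an added illustration that is not OneCode Login's source code. A 6-digit code has only 1,000,000 possible values, so an unkeyed hash read from the database is reversed by simple enumeration; a keyed HMAC is not, as long as the key stays outside the database. The `demo_*` names, the in-memory store, the key handling and the failure limit of 5 are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The array store stands in for a
// database table; the key stands in for a server-side secret kept outside it.

function demo_issue_code( array &$store, string $key, string $email, int $ttl = 600 ): array {
	$code       = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT ); // CSPRNG.
	$request_id = bin2hex( random_bytes( 16 ) );
	// Only the keyed hash is stored. It covers the request id and the email, so a
	// code is useless outside the login session it was issued for.
	$store[ $request_id ] = array(
		'mac'      => hash_hmac( 'sha256', $request_id . '|' . strtolower( $email ) . '|' . $code, $key ),
		'expires'  => time() + $ttl, // 600 s matches the 10-minute default expiry.
		'failures' => 0,
	);
	return array( $request_id, $code ); // The code itself leaves only by email.
}

function demo_verify_code( array &$store, string $key, string $request_id, string $email, string $code, int $max_failures = 5 ): bool {
	if ( ! isset( $store[ $request_id ] ) ) {
		return false;
	}
	$row = $store[ $request_id ];
	if ( $row['expires'] < time() || $row['failures'] >= $max_failures ) {
		unset( $store[ $request_id ] ); // Expired or locked out: the code is dead.
		return false;
	}
	$mac = hash_hmac( 'sha256', $request_id . '|' . strtolower( $email ) . '|' . $code, $key );
	if ( ! hash_equals( $row['mac'], $mac ) ) { // Constant-time comparison.
		$store[ $request_id ]['failures']++;
		return false;
	}
	unset( $store[ $request_id ] ); // Single use: consumed on success.
	return true;
}

// Constructed demo run: wrong code, correct code, then a replay of the correct code.
$store = array();
$key   = random_bytes( 32 ); // Constructed demo key.
list( $rid, $code ) = demo_issue_code( $store, $key, 'user@example.com' );
var_dump( demo_verify_code( $store, $key, $rid, 'user@example.com', 'abcdef' ) );
var_dump( demo_verify_code( $store, $key, $rid, 'user@example.com', $code ) );
var_dump( demo_verify_code( $store, $key, $rid, 'user@example.com', $code ) );
```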

Use Cases

  • Membership sites where password fatigue is an issue
  • Customer portals requiring simple authentication
  • Internal tools where security without complexity is needed
  • Any site wanting to improve user experience

Developer information

Other plugins on the same site can use OneCode Login as a generic email
one-time-code (OTP) service — for example to verify a guest’s email before
letting them act. OneCode emails the code and verifies it; your plugin keeps
full control of its own login/session (OneCode only asserts that the code is
valid for the email — it never logs anyone in). It works for any email
address; the address does not need a WordPress account.

All entry points are plain functions (and matching filters), so you do not need
a hard dependency on any class. The API is gated by the Settings → Advanced →
Enable developer API toggle.

Detect support (side-effect free — never call the request hook just to probe):

    if ( function_exists( 'onecode_login_request_otp' ) && onecode_login_supports( 'otp' ) ) { ... }

  1. Start authentication — email a code and receive a handle:

    $handle = onecode_login_request_otp( $email, array( 'consumer' => 'my_plugin' ) );
    // $handle = array( 'request_id', 'auth_secret', 'expires_in' (seconds), 'expires_at' (UTC), 'sent' )
    // On failure: a WP_Error (codes: disabled, invalid_request, rate_limited, cooldown).

Keep request_id and auth_secret server-side (e.g. in a transient tied to the
visitor). The auth_secret is NEVER shown to the customer — it is what stops an
outsider who only knows the email from completing verification by guessing codes.

  2. Complete authentication — the customer gives your plugin the code from the email:

    $result = onecode_login_verify_otp( array(
        'email'       => $email,
        'request_id'  => $handle['request_id'],
        'code'        => $code_from_customer,
        'auth_secret' => $handle['auth_secret'],
        'consumer'    => 'my_plugin',
    ) );
    // Success: array( 'valid' => true, 'email' => … ). Failure: WP_Error.

On failure show a generic message to the user (the API intentionally returns a
single verify_failed code so it can’t be used as an oracle).
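
The two steps wired into a consumer plugin, as an added example that is not part of OneCode Login or its documentation. It uses the documented functions and return shapes above plus WordPress core functions; the `my_plugin_*` names, the cookie name and the transient key scheme are assumptions. The visitor's browser only ever holds an opaque token, while `request_id` and `auth_secret` stay in a server-side transient.

```php
<?php
// Added example: hypothetical consumer plugin. Call my_plugin_start() before any
// output is sent, because it sets a cookie.
const MY_PLUGIN_COOKIE = 'my_plugin_otp'; // Assumed cookie name.

// Step 1: request a code and keep the handle server-side.
function my_plugin_start( $email ) {
	$email = sanitize_email( $email );
	$ready = function_exists( 'onecode_login_request_otp' ) && onecode_login_supports( 'otp' );
	if ( ! $ready || ! is_email( $email ) ) {
		return new WP_Error( 'my_plugin_unavailable', 'Email verification is unavailable.' );
	}
	$handle = onecode_login_request_otp( $email, array( 'consumer' => 'my_plugin' ) );
	if ( is_wp_error( $handle ) ) {
		return $handle; // disabled, invalid_request, rate_limited or cooldown.
	}
	$token = wp_generate_password( 32, false ); // Opaque visitor token, not the auth_secret.
	set_transient(
		'my_plugin_otp_' . hash( 'sha256', $token ),
		array(
			'email'       => $email,
			'request_id'  => $handle['request_id'],
			'auth_secret' => $handle['auth_secret'],
		),
		(int) $handle['expires_in']
	);
	setcookie( MY_PLUGIN_COOKIE, $token, array(
		'expires' => time() + (int) $handle['expires_in'], 'path' => '/',
		'secure'  => is_ssl(), 'httponly' => true, 'samesite' => 'Lax',
	) );
	return true;
}

// Step 2: verify the code the visitor typed against the stored handle.
function my_plugin_finish( $code ) {
	$token  = isset( $_COOKIE[ MY_PLUGIN_COOKIE ] ) ? (string) $_COOKIE[ MY_PLUGIN_COOKIE ] : '';
	$key    = 'my_plugin_otp_' . hash( 'sha256', $token );
	$stored = $token ? get_transient( $key ) : false;
	$result = is_array( $stored )
		? onecode_login_verify_otp( array_merge( $stored, array( 'code' => (string) $code, 'consumer' => 'my_plugin' ) ) )
		: new WP_Error( 'verify_failed', 'No pending verification.' );
	if ( is_wp_error( $result ) ) {
		// One generic message for every failure, so the response is not an oracle.
		return new WP_Error( 'my_plugin_verify_failed', 'That code did not work. Try again or request a new one.' );
	}
	delete_transient( $key ); // The handle is spent once verification succeeds.
	return $result['email']; // Verified address; the session stays this plugin's job.
}
```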

Filters are also available for loose coupling: onecode_login_request_otp
($pre, $email, $args) and onecode_login_verify_otp ($pre, $args).

Discovery and capabilities:

  • onecode_login_supports( $feature ) — returns true for 'otp',
    'identity_assertion' and 'any_email'.
  • onecode_login_api() — returns the OneCode_Login_API service instance.
  • OneCode_Login_API::VERSION — the API contract version (independent of the
    plugin version), so you can feature-gate against the API surface.
  • do_action( 'onecode_login_api_init', $api ) — fires once the API is ready;
    bind to it if you want to wire up as soon as OneCode Login loads.

Reference: $args['consumer'] (a short [a-z0-9_-] label identifying your
integration) is required on both calls — it isolates your codes and rate limits
from the built-in login and from other consumers. Both request and verify are
rate-limited by OneCode, returning rate_limited / cooldown WP_Errors you can
surface to the user.

Screenshots

Admin settings page with all configuration options
Email input form for passwordless login
6-digit verification code entry screen

Blocks

This plugin provides 1 block for use with Gutenberg/the block editor.

  • OneCode Login

Installation

  1. Upload the onecode-login folder to /wp-content/plugins/
  2. Activate the plugin through the Plugins menu in WordPress
  3. Go to Settings > OneCode Login to configure options
  4. Add the login form using the [onecode_login] shortcode or Gutenberg block

Shortcode Options

  • redirect_to – URL to redirect after successful login
  • button_text – Custom text for the send code button
  • verify_text – Custom text for the verify button

Example: [onecode_login redirect_to="/dashboard" button_text="Get Code"]

FAQ

Does this replace password login completely?

By default, no. OneCode Login works alongside traditional password login. However, you can enable the “Replace wp-login.php” option to use OneCode Login as the primary login method.

What happens if the email does not arrive?

Users can request a new code after the cooldown period (default: 60 seconds). Check your server email configuration if emails consistently fail to deliver.

Is this secure?

Yes. The plugin uses cryptographically secure random number generation, time-limited codes, rate limiting, and request binding to prevent various attack vectors.

Can I customize the email template?

Yes. Go to Settings > OneCode Login > Email tab to customize the subject and body of verification emails. You can use placeholders like {code}, {expires}, {site_name}, and {user_email}.

Does it work with multisite?

The plugin is designed for single-site installations. Multisite compatibility may be added in future versions.

What if a user does not have an account?

The plugin only allows existing users to log in. For security reasons, it does not reveal whether an email address has an account – users always see the same “check your email” message.

Reviews

Good product

alex049 May 14, 2026 3 replies
Good product. Do the job. Many thanks. Just I found 2 bugs: when logout, data remain in the database login_codes that make when want to connect again, it remain on the login page and code is not sent, and finish by blocking over 7000s the next connection. I don’t try with automatic exit after no usage, perhaps we have same result. Problem in login_code where expire at is before created at. Perhaps linked to the fact one use time with jetlag and the other one the UTC.

I really like this plugin. It has a lot of potential.

painlessseo March 2, 2026
The developer clearly understands real-world needs and built something that actually solves practical problems. Looking forward to the developer adding even more features in future updates. Thank you for making this plugin!

Contributors & Developers

“OneCode Login” is open source software. The following people have contributed to this plugin.

Contributors
  • oaron


Changelog

1.1

  • New: developer API — other plugins on the same site can use OneCode Login as a generic email one-time-code (OTP) service. They request a code for any email address, then verify the code together with a server-side secret. Identity assertion only: OneCode confirms the code is valid for the email but never logs anyone in, so the integrating plugin keeps full control of its own session. See the “Developer information” section for the code-level integration.
  • New: api_enabled setting (Advanced tab) to turn the developer API on or off.
  • Security: verification codes and magic-link tokens are now stored HMAC-hashed instead of in plain text.
  • Security: client IP detection no longer trusts spoofable proxy headers by default (opt in via the onecode_login_trust_proxy_headers filter when behind a trusted proxy).
  • Security: magic-link verification is now rate-limited per IP as well as per email.
  • Privacy: debug logging no longer records verification codes or full email addresses (emails are masked).
  • Privacy: added WordPress personal-data exporter and eraser, plus a suggested Privacy Policy snippet.
  • Internal: codes are scoped per channel so the developer API and the built-in login never interfere with each other; verification uses an atomic single-use claim.
  • Note: upgrading from 1.0.2 or earlier clears any pending codes/tokens once (storage-format change); users simply request a new code.

1.0.2

  • Fix: assets are now loaded reliably when the shortcode/block is present on the page (prevents first-submit failure under aggressive page caching or JS optimization).
  • Fix: clear leftover code/rate-limit rows from earlier versions whose timestamps were stored in the local PHP timezone instead of UTC.

1.0.1

  • Small bug fixes

1.0.0

  • Initial release
  • Passwordless login with 6-digit verification codes
  • Rate limiting and brute force protection
  • Customizable email templates
  • Gutenberg block and shortcode support
  • wp-login.php integration option
  • Full accessibility support

Meta

  • Version: 1.1
  • Last updated: 2 weeks ago
  • Active installations: 70+
  • Requires WordPress: 5.8 or higher
  • Tested up to WordPress: 7.0
  • Requires PHP: 7.4 or higher
  • Language: English (US)
  • Tags: authentication, email, login, otp, passwordless

Ratings

5 out of 5 stars
  • 5 stars: 2
  • 4 stars: 0
  • 3 stars: 0
  • 2 stars: 0
  • 1 star: 0
