Easy Secure Login – Google One Tap & Sign-In


By ateeqdev

Description

Easy Secure Login enhances your site’s security by integrating two powerful Google authentication methods: Google Sign-In and Google One Tap. It can optionally replace the standard WordPress password system entirely, offering a modern, passwordless login experience.

Born out of necessity after a real-world brute-force attack, this plugin was designed with the option to enforce a Google-only login policy, ensuring that only verified Google accounts can access your site. It combines robust, Google-powered security with a beautiful user interface, automatic user management, and a step-by-step setup wizard.

Key Features

  • Optional Passwordless Security: Ability to completely disable standard password logins, forcing all users to authenticate via Google’s secure OAuth 2.0.
  • Role-Based Redirects: Define custom landing pages for different user roles. Redirect subscribers to your homepage or a custom dashboard while keeping admins in wp-admin.
  • Google Sign-In Button: A clean, modern “Continue with Google” button on your login page.
  • Google One Tap: Allows logged-in Google users to sign in instantly with a single click via a non-intrusive pop-up.
  • Complete User Management: Whitelist specific Google accounts and assign roles, or allow open registration for any Google user.
  • Google Profile Picture Sync: Automatically syncs and displays Google profile pictures as user avatars in WordPress.
  • Built-in Security Hardening:
    • Disable XML-RPC to prevent common attacks.
    • Disable the plugin and theme file editor.
    • Hide your WordPress version number.
    • Restrict REST API access to logged-in users.
    • Block direct access to sensitive core files.
  • User-Friendly Setup Wizard: A clean, multi-step guide to get your Google Cloud credentials configured in minutes.
  • Actively Maintained for the latest WordPress versions.

This plugin provides maximum login security while dramatically improving the user experience.

External services

This plugin uses Google’s Identity Services to provide a secure authentication method (Google Sign-In and Google One Tap). To function, it connects to several Google APIs.

  • Service: Google Identity Services (accounts.google.com)
  • Purpose: This service is used to display the “Sign in with Google” button and the Google One Tap prompt. It handles the user authentication process directly in the user’s browser.
  • Data Sent: This plugin initiates the authentication flow, but user data (like email and password) is entered directly on Google’s domain, not through this plugin. The plugin only receives a secure authentication token from Google after a successful login.
  • Terms and Policies:
    • Google Terms of Service: https://policies.google.com/terms
    • Google Privacy Policy: https://policies.google.com/privacy

  • Service: Google OAuth & People APIs (oauth2.googleapis.com, www.googleapis.com)
  • Purpose: After a user authenticates, the plugin’s server sends the received authentication token/code to these Google APIs to verify its authenticity and retrieve basic user profile information (email, name, profile picture).
  • Data Sent: An authentication token/code provided by Google is sent from your server to Google’s servers for validation.
  • Terms and Policies:
    • Google APIs Terms of Service: https://developers.google.com/terms

Installation

  1. Upload the plugin folder to /wp-content/plugins/ or install via Plugins → Add New in WordPress.
  2. Activate the plugin through the Plugins menu.
  3. Go to Easy Secure Login in the WordPress admin sidebar to launch the setup wizard.
  4. Follow the setup wizard:
    • Create a Google Cloud project and configure OAuth credentials.
    • Add the “Authorized redirect URIs” and “Authorized JavaScript origins” provided by the wizard to your Google project.
    • Enter your Google Client ID and Client Secret into the plugin settings.
    • Configure authorized users or enable public sign-ups with a default role.
    • Enable optional Google One Tap on your homepage.
    • Review and enable additional security enhancements.
  5. Test the login flow on your WordPress login page.

That’s it! Your site is now enhanced with Google’s secure authentication.

FAQ

Does this completely replace WordPress password login?

You can choose. By default, the plugin adds Google Sign-In as an alternative to the standard password login. For maximum security, you can enable the “Disable Password Login” option in the plugin’s security settings. When enabled, all password-related functionality is disabled, including the login form, password reset, and standard registration forms. This protects you from brute-force and password-guessing attacks.

Can I allow only specific users?

Yes. In the “Users” step of the wizard, you can build a whitelist of authorized Google email addresses and assign a specific WordPress role to each.

What if I want to allow any Google user to register?

You can enable the “Allow New User Sign-Ups” option. Any user who authenticates with a Google account will have an account created for them with your chosen default role (Subscriber is recommended for safety).

How does Google One Tap work?

Google One Tap is automatically enabled on the login page. If a user is already signed into their Google account in their browser, a small pop-up will appear, allowing them to log in to your site with a single click, without ever leaving the page. You can also choose to enable this on your homepage.

What happens to existing WordPress users?

They can log in seamlessly using the Google account that matches their existing WordPress user email address. Their account will be linked automatically.

Is this plugin compatible with other login or security plugins?

Because it can completely replace the core WordPress authentication flow, it may conflict with other plugins that modify the login process (like other social logins, 2FA, or login page customizers) if you enable the “Disable Password Login” option. It is designed to be an all-in-one solution for login security.

How secure is this?

Extremely secure. The entire authentication process is handled by Google’s OAuth 2.0 servers. The plugin uses recommended security practices like state tokens for CSRF protection and server-side token verification to ensure all logins are legitimate.
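
The state-token check mentioned above, as an added example in plain PHP. It is not the plugin's code; the function names, the `$session` array standing in for the server-side session, and the 10-minute lifetime are assumptions.

```php
<?php
// Added illustration, not taken from the plugin. issue_state(), verify_state(),
// STATE_TTL and the $session array (a stand-in for $_SESSION) are assumptions.

const STATE_TTL = 600; // assumed lifetime of a pending login, in seconds

// Called before redirecting to Google: bind an unguessable value to this browser session.
function issue_state(array &$session, int $now): string
{
    $state = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $session['oauth_state'] = ['value' => $state, 'expires' => $now + STATE_TTL];
    return $state; // sent as the `state` query parameter of the authorization request
}

// Called on the OAuth callback, before the authorization code is exchanged.
function verify_state(array &$session, ?string $returned, int $now): bool
{
    $pending = $session['oauth_state'] ?? null;
    unset($session['oauth_state']); // single use: consumed even when the check fails
    if (!is_array($pending) || !is_string($returned) || $returned === '') {
        return false; // no login was started from this session, or no state came back
    }
    if ($now > $pending['expires']) {
        return false; // stale flow
    }
    return hash_equals($pending['value'], $returned); // constant-time comparison
}

// Constructed walk-through with a fixed clock.
$session = [];
$t0 = 1700000000;

$state = issue_state($session, $t0);
var_dump(verify_state($session, $state, $t0 + 30)); // legitimate callback
var_dump(verify_state($session, $state, $t0 + 31)); // same value replayed

issue_state($session, $t0);
var_dump(verify_state($session, str_repeat('0', 64), $t0 + 5)); // value the session never issued

$late = issue_state($session, $t0);
var_dump(verify_state($session, $late, $t0 + STATE_TTL + 1)); // callback after expiry

var_dump(verify_state($session, null, $t0)); // callback with no state at all
```

Of the five calls only the first returns true; a failed check should end the login attempt before any authorization code is sent to Google.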

Reviews

adreee, December 28, 2025
Best plugin

Contributors & Developers

The following people have contributed to the development of the open source software “Easy Secure Login – Google One Tap & Sign-In”.

Contributors
  • ateeqdev
  • Ateeq

“Easy Secure Login – Google One Tap & Sign-In” has been translated into 4 locales. Thank you to the translators for their contributions.

Changelog

2.2.1

  • Fix: Resolved a persistent Google OAuth setup notice showing even when valid credentials were already configured.
  • Maintenance: Confirmed removal of development-only combined_contents.txt from distributable plugin files.

2.2.0

  • Improvement: Intermediary page for both the button and One Tap sign-up.

2.1.9

  • Improvement: Removed the “Login Expereince by HardToSkip” footer from public facing pages

2.1.8

  • Improvement: Made the “Login Expereince by HardToSkip” footer non-sticky

2.1.7

  • Improvement: Only show the Login Expereince by HardToSkip on homepage

2.1.6

  • Hotfix: Added subdomain/external host whitelisting for custom login redirects. This fixes the issue where redirects to subdomains (like app.example.com) were being blocked by WordPress security filters.

2.1.5

  • New Feature: Added Role-Based Login Redirects. You can now configure custom landing pages (like the homepage) for specific user roles instead of the default /wp-admin redirect.
  • Enhancement: Improved settings sanitization for URL fields to ensure security while maintaining query parameter integrity.
  • Security: Enforced wp_safe_redirect for all login flows to prevent Open Redirect vulnerabilities.

2.1.4

  • Fatal Error Fix: Resolved a fatal error (Call to undefined function is_user_logged_in()) caused by the plugin loading before the WordPress core was fully initialized.
  • “Headers Already Sent” Fix: Eliminated PHP warnings by moving all cookie-setting operations to appropriate early-loading hooks (template_redirect and login_init), preventing conflicts with themes and other plugins.
  • Code Refactoring: Improved the reliability of the authentication flow by refactoring how the CSRF and OAuth state tokens are generated and handled.

2.1.3

  • Feature: Added an option to disable standard WordPress password-based authentication, allowing administrators to enforce a Google-only login policy for enhanced security.
  • Enhancement: The login page UI now adapts based on whether password login is disabled, ensuring a seamless user experience.
  • Enhancement: Updated plugin description and FAQ to reflect the new optional passwordless functionality.

2.1.2

  • Security: Hardened security by adding nonce verification to the login error display and One Tap callback handlers to prevent Cross-Site Request Forgery (CSRF) vulnerabilities.
  • Security: Implemented the recommended OAuth 2.0 state parameter validation during the standard Google Sign-In flow to protect against CSRF attacks.
  • Security: Improved data sanitization on the admin settings page to ensure redirect URLs are handled securely.
  • Fix: Corrected a bug where the “Please configure your Google OAuth credentials” admin notice would persist even after the plugin was fully configured.
  • Enhancement: Updated the readme.txt to include a comprehensive “External Services” section, clearly documenting the use of Google APIs as required by WordPress plugin guidelines.

2.1.1

Initial Release

Meta

  • Version: 2.2.1
  • Last updated: 2 months ago
  • Active installations: 20+
  • WordPress version: 5.0 or higher
  • Tested up to: 6.9.4
  • PHP version: 7.4 or higher
  • Languages: Czech, Dutch, English (US), Korean, and Russian.
  • Tags: Google Login, google one tap, login redirect, passwordless

Ratings

5 out of 5 stars
  • 5 stars: 1
  • 4 stars: 0
  • 3 stars: 0
  • 2 stars: 0
  • 1 star: 0
