外掛說明
Tanur Social Login is a lightweight WordPress social login plugin that allows users to sign in or register using Google, Facebook, and LinkedIn. The plugin integrates seamlessly with WordPress and WooCommerce, supporting login, registration, My Account, and checkout pages.
Designed for performance and simplicity, Tanur Social Login helps reduce registration friction, improve user experience, and increase conversions by enabling one-click social authentication without relying on third-party SaaS services.
Features
- Google, Facebook, and LinkedIn OAuth login.
- WooCommerce My Account, checkout, login, and registration integration.
- Default WordPress login page integration.
- Existing users are linked by verified provider ID or email address.
- New users are created with a generated secure password.
- One-time OAuth state tokens using WordPress transients.
- Same-site redirect validation with WordPress redirect helpers.
- Setup guide inside the WordPress admin.
- Copy-ready redirect URI fields for each provider.
User account creation and login
This plugin creates and logs in WordPress users because that is the primary function of a social login plugin. A visitor who successfully completes OAuth with an enabled provider can be matched to an existing WordPress user or created as a new WordPress user.
Existing accounts are linked by provider ID first. Email-based linking is only used when the provider email is trusted. Google and LinkedIn email verification signals are checked when available, and Facebook email is treated as trusted because Facebook Login returns account email through the email permission. The plugin does not create administrator users; new users receive the WooCommerce customer role when WooCommerce is active, otherwise the site’s configured default WordPress role is used.
Built by Tanur Graphics
Tanur Social Login is built by Tanur Graphics, a WordPress, WooCommerce, SEO, automation, and design team.
Website: https://tanur.graphics
If you need help with OAuth setup, WooCommerce customization, SEO systems, or custom WordPress development, visit Tanur Graphics for support and services.
Setup Tutorial
- Open Google Cloud Console > APIs & Services > Credentials.
- Create an OAuth Client ID.
- Choose Web application.
- Add the Authorized Redirect URI shown by this plugin.
- Configure the OAuth consent screen.
- Copy the Client ID and Client Secret into the plugin settings.
- Enable Google in the plugin settings and save.
- Open Facebook Developers and create or select an app.
- Add the Facebook Login product.
- In Facebook Login settings, add the Valid OAuth Redirect URI shown by this plugin.
- Copy the App ID and App Secret into the plugin settings.
- Make sure the app is in Live mode before public users log in.
- Open LinkedIn Developers and create or select an app.
- Request the Sign In with LinkedIn using OpenID Connect product.
- Add the OAuth redirect URI shown by this plugin.
- Copy the Client ID and Client Secret into the plugin settings.
- Enable LinkedIn in the plugin settings and save.
Security Tips
- Use HTTPS on every site that enables social login.
- Keep WordPress, WooCommerce, and all plugins updated.
- Restrict access to OAuth client secrets.
- Do not paste client secrets into screenshots or public support threads.
- Regenerate provider client secrets if they are exposed.
- Test social login after changing domains, SSL, permalinks, or caching settings.
- Use a separate OAuth app for staging and production sites.
External services
This plugin connects directly from the WordPress site to OAuth providers selected and configured by the site administrator. These services are required only when the related provider is enabled in the plugin settings.
This plugin uses Google OAuth and Google userinfo endpoints to let users sign in with Google.
Data sent: when a visitor clicks “Sign in with Google”, the visitor is sent to Google for OAuth authorization. During the callback, the site sends the OAuth authorization code, the configured Client ID, Client Secret, and redirect URI to Google’s token endpoint. The site then sends the returned access token to Google’s userinfo endpoint to request the user’s Google account ID, email address, email verification status, name, first name, last name, and profile image URL when available. This data is used only to create or link a WordPress user account and log the user in.
Service provider: Google LLC.
Terms: https://policies.google.com/terms
Privacy: https://policies.google.com/privacy
Facebook / Meta
This plugin uses Facebook Login and Meta Graph API endpoints to let users sign in with Facebook.
Data sent: when a visitor clicks “Sign in with Facebook”, the visitor is sent to Facebook for OAuth authorization. During the callback, the site sends the OAuth authorization code, the configured App ID, App Secret, and redirect URI to Meta’s token endpoint. The site then sends the returned access token to the Meta Graph API /me endpoint to request the user’s Facebook ID, name, email address, first name, last name, and profile picture URL when available. This data is used only to create or link a WordPress user account and log the user in.
Service provider: Meta Platforms, Inc.
Terms: https://www.facebook.com/legal/terms
Privacy: https://www.facebook.com/privacy/policy/
This plugin uses LinkedIn OAuth and LinkedIn OpenID Connect userinfo endpoints to let users sign in with LinkedIn.
Data sent: when a visitor clicks “Sign in with LinkedIn”, the visitor is sent to LinkedIn for OAuth authorization. During the callback, the site sends the OAuth authorization code, the configured Client ID, Client Secret, and redirect URI to LinkedIn’s token endpoint. The site then sends the returned access token to LinkedIn’s userinfo endpoint to request the user’s LinkedIn subject ID, email address, email verification status when available, name, first name, last name, and profile image URL when available. This data is used only to create or link a WordPress user account and log the user in.
Service provider: LinkedIn Corporation.
Terms: https://www.linkedin.com/legal/user-agreement
Privacy: https://www.linkedin.com/legal/privacy-policy
螢幕擷圖
安裝方式
- Upload the plugin zip using Plugins > Add New > Upload Plugin.
- Activate Tanur Social Login.
- Go to Settings > Tanur Social Login.
- Enable the providers you want to use.
- Copy the Authorized Redirect URI shown in each provider card.
- Paste the exact URI into the provider developer console.
- Add your Client ID and Client Secret, then save settings.
- Test login in a private/incognito browser window.
常見問題集
-
Is this plugin secure?
-
The plugin uses standard WordPress security practices: sanitized settings, escaped output, one-time OAuth state tokens, provider allowlists, REST route validation, and WordPress redirect validation. No software can guarantee that no attacker in the world will ever find a vulnerability, so keep WordPress, themes, plugins, and provider credentials updated.
-
No. The plugin never receives or stores Google, Facebook, or LinkedIn passwords. Authentication happens through OAuth provider redirects and access tokens.
-
Does this plugin send data to Tanur Graphics?
-
No. The plugin connects your site directly to the enabled OAuth providers. It does not send login data to Tanur Graphics.
-
Why do I see redirect_uri_mismatch?
-
The redirect URI in the provider console does not exactly match the URI shown by the plugin. Copy it again from Settings > Tanur Social Login and paste it exactly, including https and without an extra trailing slash.
-
Why is the callback URL using ?rest_route=?
-
Pretty permalinks are disabled. Go to Settings > Permalinks and choose a structure such as Post name, then save.
-
Can I use this with WooCommerce?
-
Yes. The plugin displays social login buttons on WooCommerce login, registration, My Account, and checkout screens.
-
Does it work with WooCommerce?
-
Yes. The plugin integrates with WooCommerce login, registration, My Account, and checkout pages.
-
Does it create new users automatically?
-
Yes. New users can be created automatically after successful social authentication.
-
Can existing accounts be linked?
-
Yes. Existing WordPress users are linked securely using verified email addresses.
-
Is it GDPR friendly?
-
The plugin only processes authentication data returned by the selected OAuth provider.
使用者評論
這個外掛目前沒有任何使用者評論。
參與者及開發者
變更記錄
1.0.9
- Fixed: replaced direct non-prefixed wp_login hook invocation with a plugin-prefixed login action.
1.0.8
- Fixed: moved admin JavaScript to an enqueued asset file.
- Fixed: expanded internal prefixes for classes, constants, options, transients, hooks, and metadata.
- Fixed: documented Google, Facebook/Meta, and LinkedIn external services in the readme.
- Security: existing WordPress accounts are linked by email only when the provider email is trusted.
1.0.7
- Fixed: resolved Plugin Check escaping, safe redirect, nonce verification, and user-meta lookup findings.
1.0.6
- Fixed: plugin header now uses a plugin-specific Plugin URI that differs from the Author URI for WordPress.org submission checks.
1.0.5
- Fixed: social login from the WordPress login/register screen no longer returns users back to wp-login.php after successful OAuth.
1.0.4
- Improved: social login buttons now appear on the default WordPress registration page.
- Improved: removed the always-visible redirect URI dashboard notice for a cleaner customer settings screen.
1.0.3
- Security: improved redirect validation using WordPress redirect helpers.
- Security: OAuth provider responses now reject non-2xx and invalid JSON responses.
- Security: social account creation now requires a valid email address and provider user ID.
- Improved: added in-plugin setup tutorial, security tips, and Tanur Graphics information.
- Improved: prepared readme metadata for WordPress.org submission.
1.0.2
- Fixed: post-login redirects now preserve safe redirect_to values and normalize malformed wp-admin redirects.
1.0.1
- Fixed: redirect_uri_mismatch by generating callback URIs dynamically.
- Fixed: state token now stores redirect URL internally, removing session_id() dependency.
- Fixed: REST handler uses WP_REST_Request params instead of raw $_GET.
- Fixed: WooCommerce role fallback if WooCommerce is not active.
- Fixed: open redirect guard on post-login redirect.
- Fixed: suppress random-password new user notification emails.
- Improved: error pages now use a styled back-to-login button.
1.0.0
- Initial release.