Authyo Passwordless Login is a WordPress login security plugin that protects your site with brute-force protection, IP blacklisting, security activity logs, XML-RPC blocking, REST API protection, and a custom login URL. All security features work immediately after activation — no API keys or account registration needed.
Optionally, add Authyo API credentials to enable passwordless OTP login where users log in with a one-time password sent to their email instead of a traditional password.
Security features that work without API keys:
- Brute-force protection — Limit login attempts per IP and username with progressive lockout durations. Repeat offenders are automatically blacklisted.
- IP Manager — Whitelist trusted IPs and blacklist attackers. Includes search, filter, pagination, and per-page selector for large lists.
- Security activity logs — Track every login, logout, failed attempt, lockout, and blocked access. Includes request URL tracking, date filters, search, and CSV export.
- Disable XML-RPC — Block xmlrpc.php requests at the server level using .htaccess rules. Removes X-Pingback headers and XML-RPC discovery links. Falls back to PHP blocking on Nginx.
- REST API Protection — Restrict access to WordPress REST API endpoints for unauthenticated users. Prevents data enumeration and unauthorized access while keeping essential endpoints functional.
- Custom login URL — Hide wp-login.php behind a custom URL slug to prevent automated attacks.
- Blocked IP logging — Every access attempt from blacklisted or locked-out IPs is logged with IP address, user agent, and request URL.
Passwordless login features (requires free Authyo API keys):
- Email OTP login — Users receive a one-time password via email and log in without a traditional password.
- Google Authenticator fallback — Server-side verified 2FA as a backup method after multiple OTP attempts.
- Secure login tokens — Cryptographically generated, single-use, browser-bound tokens that expire after 5 minutes.
- AJAX-powered login — Smooth login experience with no page reloads.
How It Works
Security (works immediately after activation):
- Activate the plugin — brute-force protection and security logs start automatically
- Go to Settings > Authyo Passwordless Login > Security tab
- Enable XML-RPC Protection, REST API Protection, and Custom Login URL as needed
- Visit Authyo Logs to monitor activity and manage IPs
Passwordless login (requires API keys):
- User enters their email on the WordPress login page
- A one-time password (OTP) is sent to their email
- User enters the OTP code
- WordPress logs the user in automatically — no password required
External Services
This plugin connects to Authyo’s external API only for passwordless login and Google Authenticator features. All security features (brute-force protection, IP manager, security logs, XML-RPC protection, REST API protection, custom login URL) work locally without any external service.
OTP Authentication:
- User email address is sent to Authyo API when requesting an OTP
- OTP code and Mask ID are sent to Authyo API for verification
Google Authenticator Verification:
Usage Tracking (Opt-In Only):
If the user explicitly opts in, plugin version, WordPress version, and site URL are sent when settings are saved. Deactivation feedback is sent when the plugin is deactivated. No tracking data is sent without user consent.
Authentication Flow:
- After OTP verification, the plugin generates a secure single-use token using WordPress core functions
- Token is browser-bound using a hashed User-Agent signature to prevent session hijacking
- Token is stored temporarily in WordPress transients (5-minute expiry) and deleted immediately after use
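The token flow just described, as an added PHP illustration that is not the plugin's own code: it assumes WordPress is loaded, and every authyo_demo_ name is a hypothetical helper. The User-Agent binding is only as strong as a client-supplied header, so the short expiry and single use carry the real weight.

```php
<?php
// Added illustration of the described login-token flow (not the plugin's code).
// Assumes WordPress core is loaded; all authyo_demo_ names are hypothetical.

const AUTHYO_DEMO_TOKEN_TTL = 5 * MINUTE_IN_SECONDS; // 5-minute expiry, as described

// Browser binding: a keyed hash of the User-Agent. The header is client-supplied,
// so this only stops replay from a different client string, not a spoofed one.
function authyo_demo_ua_fingerprint(): string {
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) : '';
    return wp_hash( $ua ); // wp_hash() mixes in the site's salts
}

// Called only after the OTP has been verified for $user_id.
function authyo_demo_issue_token( int $user_id ): string {
    $token = bin2hex( random_bytes( 32 ) );          // 256 bits from a CSPRNG
    $key   = 'authyo_demo_tok_' . wp_hash( $token ); // store under a hash, not the raw token
    set_transient(
        $key,
        array(
            'user_id' => $user_id,
            'ua'      => authyo_demo_ua_fingerprint(),
            'issued'  => time(),
        ),
        AUTHYO_DEMO_TOKEN_TTL
    );
    return $token; // handed to the browser once, e.g. in the AJAX response
}

// Redeem: single use, browser-bound, and gone once the transient expires.
function authyo_demo_redeem_token( string $token ) {
    $key  = 'authyo_demo_tok_' . wp_hash( $token );
    $data = get_transient( $key );
    delete_transient( $key ); // consume before checking so a replay finds nothing
    if ( ! is_array( $data ) ) {
        return new WP_Error( 'authyo_demo_invalid', 'Unknown, used, or expired token.' );
    }
    if ( ! hash_equals( $data['ua'], authyo_demo_ua_fingerprint() ) ) {
        return new WP_Error( 'authyo_demo_ua_mismatch', 'Token was issued to a different browser.' );
    }
    wp_set_auth_cookie( (int) $data['user_id'] ); // log the user in with no password
    return (int) $data['user_id'];
}
```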
Data Storage:
- OTP session data stored temporarily in WordPress transients (10-minute expiry)
- Login tokens stored temporarily in WordPress transients (5-minute expiry, single-use)
- Security logs stored in a custom database table with configurable retention
- IP whitelist and blacklist stored in a custom database table
- No user data is permanently stored beyond security logs
Service URLs:
Terms of Service: https://authyo.io/terms-service
Privacy Policy: https://authyo.io/privacy-policy