
OneCode Login

5/5 (2 ratings) 80 active installs Updated Jun 3, 2026
Admin settings page with all configuration options

OneCode Login provides a modern, passwordless authentication experience for your WordPress site. Instead of traditional passwords, users receive a secure 6-digit verification code via email.

Key Features

  • Passwordless Authentication – Users log in with just their email address
  • 6-Digit Verification Codes – Secure, time-limited codes sent via email
  • Rate Limiting – Built-in protection against brute force attacks
  • Request ID Binding – Each code is bound to a specific login session for enhanced security
  • Neutral Feedback – Prevents user enumeration attacks by not revealing if an email exists
  • Customizable – Configure expiry times, cooldowns, and email templates
  • Accessible – Full keyboard navigation and screen reader support
  • Gutenberg Block – Easy to add login forms to any page
  • Shortcode Support – Use [onecode_login] anywhere
  • wp-login.php Integration – Optionally replace the default WordPress login
  • Developer API – Other plugins can use OneCode Login as an email one-time-code (OTP) service to verify a visitor’s email — see the Developer information section

Security Features

  • Cryptographically secure code generation
  • Codes and magic-link tokens are stored HMAC-hashed, never in plain text
  • Configurable code expiry (default: 10 minutes)
  • Resend cooldown to prevent spam
  • IP-based and email-based rate limiting
  • Automatic lockout after failed attempts
  • Codes are single-use and invalidated after successful login

Use Cases

  • Membership sites where password fatigue is an issue
  • Customer portals requiring simple authentication
  • Internal tools where security without complexity is needed
  • Any site wanting to improve user experience

Developer information

Other plugins on the same site can use OneCode Login as a generic email
one-time-code (OTP) service — for example to verify a guest’s email before
letting them act. OneCode emails the code and verifies it; your plugin keeps
full control of its own login/session (OneCode only asserts that the code is
valid for the email — it never logs anyone in). It works for any email
address; the address does not need a WordPress account.

All entry points are plain functions (and matching filters), so you do not need
a hard dependency on any class. The API is off by default and gated by the
"Enable developer API" toggle under Settings, Advanced.

Detect support (side-effect free — never call the request hook just to probe):

    if ( function_exists( 'onecode_login_request_otp' ) && onecode_login_supports( 'otp' ) ) { ... }

  1. Start authentication — email a code and receive a handle:

    $handle = onecode_login_request_otp( $email, array( 'consumer' => 'my_plugin' ) );
    // $handle = array( 'request_id', 'auth_secret', 'expires_in' (seconds), 'expires_at' (UTC), 'sent' )
    // On failure: a WP_Error (codes: disabled, invalid_request, rate_limited, cooldown).

Keep request_id and auth_secret server-side (e.g. in a transient tied to the
visitor). The auth_secret is NEVER shown to the customer — it is what stops an
outsider who only knows the email from completing verification by guessing codes.

  2. Complete authentication — the customer gives your plugin the code from the email:

    $result = onecode_login_verify_otp( array(
        'email'       => $email,
        'request_id'  => $handle['request_id'],
        'code'        => $code_from_customer,
        'auth_secret' => $handle['auth_secret'],
        'consumer'    => 'my_plugin',
    ) );
    // Success: array( 'valid' => true, 'email' => ... ). Failure: WP_Error.

On failure show a generic message to the user (the API intentionally returns a
single verify_failed code so it can’t be used as an oracle).

Filters are also available for loose coupling: onecode_login_request_otp
($pre, $email, $args) and onecode_login_verify_otp ($pre, $args).

Discovery and capabilities:

  • onecode_login_supports( $feature ) — returns true for 'otp',
    'identity_assertion' and 'any_email'.
  • onecode_login_api() — returns the OneCode_Login_API service instance.
  • OneCode_Login_API::VERSION — the API contract version (independent of the
    plugin version), so you can feature-gate against the API surface.
  • do_action( 'onecode_login_api_init', $api ) — fires once the API is ready;
    bind to it if you want to wire up as soon as OneCode Login loads.

Reference: $args['consumer'] (a short [a-z0-9_-] label identifying your
integration) is required on both calls — it isolates your codes and rate limits
from the built-in login and from other consumers. Both request and verify are
rate-limited by OneCode, returning rate_limited / cooldown WP_Errors you can
surface to the user.
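The two-step flow above, put together as one consumer plugin. This is an added illustration, not code from OneCode Login itself: it relies only on the functions documented on this page (onecode_login_supports, onecode_login_request_otp, onecode_login_verify_otp) plus standard WordPress transient and cookie helpers. The consumer label, the transient prefix, the cookie name and the generic error message are this example's own choices, and the cookie-options form of setcookie() assumes PHP 7.3 or later. The point it shows that the prose only states: request_id and auth_secret stay server-side, keyed by an opaque random id the visitor holds in a cookie, so the visitor never sees the secret that protects against code guessing.

```php
<?php
// Example consumer of the OneCode Login developer API (illustration, not the plugin's own code).
// Assumed names: MYPLUGIN_CONSUMER, MYPLUGIN_COOKIE and the myplugin_* functions are this example's.

const MYPLUGIN_CONSUMER = 'my_plugin';            // [a-z0-9_-] label, required on both API calls
const MYPLUGIN_COOKIE   = 'myplugin_otp_session'; // holds an opaque visitor id, never the auth_secret

/** True only when the developer API is present and enabled; probes without side effects. */
function myplugin_otp_available() {
    return function_exists( 'onecode_login_request_otp' )
        && function_exists( 'onecode_login_supports' )
        && onecode_login_supports( 'otp' );
}

/**
 * Step 1: ask OneCode to email a code to $email and park the handle server-side.
 * Returns true, or a WP_Error (disabled, invalid_request, rate_limited, cooldown).
 */
function myplugin_start_email_verification( $email ) {
    if ( ! myplugin_otp_available() ) {
        return new WP_Error( 'disabled', 'Email verification is not available.' );
    }

    $handle = onecode_login_request_otp( $email, array( 'consumer' => MYPLUGIN_CONSUMER ) );
    if ( is_wp_error( $handle ) ) {
        return $handle; // rate_limited / cooldown can be surfaced to the visitor as-is
    }

    // Bind the handle to this visitor with a random opaque id. The transient lives
    // exactly as long as the code does; request_id and auth_secret never leave the server.
    $session_id = bin2hex( random_bytes( 16 ) );
    $ttl        = max( 1, (int) $handle['expires_in'] );

    set_transient(
        'myplugin_otp_' . $session_id,
        array(
            'email'       => $email,
            'request_id'  => $handle['request_id'],
            'auth_secret' => $handle['auth_secret'],
        ),
        $ttl
    );

    setcookie( MYPLUGIN_COOKIE, $session_id, array(
        'expires'  => time() + $ttl,
        'path'     => COOKIEPATH,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ) );

    return true;
}

/**
 * Step 2: verify the code the visitor typed. Returns the verified email on success,
 * otherwise a WP_Error carrying one generic code, mirroring OneCode's single verify_failed.
 */
function myplugin_finish_email_verification( $code_from_customer ) {
    $generic = new WP_Error( 'verify_failed', 'The code is invalid or has expired.' );

    // bin2hex() output is lowercase hex, so sanitize_key() leaves a genuine id unchanged.
    $session_id = isset( $_COOKIE[ MYPLUGIN_COOKIE ] ) ? sanitize_key( $_COOKIE[ MYPLUGIN_COOKIE ] ) : '';
    $state      = $session_id ? get_transient( 'myplugin_otp_' . $session_id ) : false;
    if ( ! $state || ! myplugin_otp_available() ) {
        return $generic; // no session, expired, or API switched off: same answer every time
    }

    $result = onecode_login_verify_otp( array(
        'email'       => $state['email'],
        'request_id'  => $state['request_id'],
        'code'        => preg_replace( '/\D/', '', (string) $code_from_customer ),
        'auth_secret' => $state['auth_secret'],
        'consumer'    => MYPLUGIN_CONSUMER,
    ) );

    if ( is_wp_error( $result ) || empty( $result['valid'] ) ) {
        return $generic; // do not echo OneCode's reason; it is deliberately not an oracle
    }

    // OneCode already makes the code single-use; dropping our own state keeps the
    // cookie from being replayed against a handle that no longer means anything.
    delete_transient( 'myplugin_otp_' . $session_id );

    return $result['email'];
}
```

A typical use is to call myplugin_start_email_verification() from the form handler that collects the address, and myplugin_finish_email_verification() from the handler that collects the code; on a non-WP_Error return the caller then creates whatever session or record its own feature needs, since OneCode only asserts that the email was verified.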