Description
OneCode Login provides a modern, passwordless authentication experience for your WordPress site. Instead of traditional passwords, users receive a secure 6-digit verification code via email.
Key Features
- Passwordless Authentication – Users log in with just their email address
- 6-Digit Verification Codes – Secure, time-limited codes sent via email
- Rate Limiting – Built-in protection against brute force attacks
- Request ID Binding – Each code is bound to a specific login session for enhanced security
- Neutral Feedback – Prevents user enumeration attacks by not revealing if an email exists
- Customizable – Configure expiry times, cooldowns, and email templates
- Accessible – Full keyboard navigation and screen reader support
- Gutenberg Block – Easy to add login forms to any page
- Shortcode Support – Use [onecode_login] anywhere
- wp-login.php Integration – Optionally replace the default WordPress login
Security Features
- Cryptographically secure code generation
- Configurable code expiry (default: 10 minutes)
- Resend cooldown to prevent spam
- IP-based and email-based rate limiting
- Automatic lockout after failed attempts
- Codes are single-use and invalidated after successful login
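How the properties listed above (CSPRNG code, expiry, request ID binding, attempt lockout, single use) can fit together, sketched in PHP. This is an added example, not OneCode Login's source: the function names, the in-memory `$store` standing in for persistent storage, the keyed-hash storage, and the 5-attempt threshold are all assumptions.

```php
<?php
// Added illustration, not OneCode Login's source. All names are hypothetical.
const CODE_TTL = 600;   // 10-minute expiry, the default the page states
const MAX_ATTEMPTS = 5; // assumed lockout threshold; the page gives no number

function issue_code(array &$store, string $email, string $secret, int $now): array
{
    $requestId = bin2hex(random_bytes(16)); // identifies this login attempt
    // random_int() draws from the CSPRNG; padding keeps leading zeros.
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $store[$requestId] = [
        'email'    => strtolower($email),
        // Store a keyed hash bound to the request ID, never the raw code.
        'mac'      => hash_hmac('sha256', $requestId . ':' . $code, $secret),
        'expires'  => $now + CODE_TTL,
        'attempts' => 0,
    ];
    return [$requestId, $code]; // ID goes to the form, code only to the mailbox
}

function verify_code(array &$store, string $requestId, string $email,
                     string $code, string $secret, int $now): bool
{
    $rec = $store[$requestId] ?? null;
    if ($rec === null) {
        return false; // unknown, already used, or discarded request
    }
    if ($now > $rec['expires'] || $rec['attempts'] >= MAX_ATTEMPTS) {
        unset($store[$requestId]); // expired or locked out: the code is dead
        return false;
    }
    $store[$requestId]['attempts']++; // count the guess before comparing
    $mac = hash_hmac('sha256', $requestId . ':' . $code, $secret);
    // hash_equals() compares in constant time.
    $ok = hash_equals($rec['mac'], $mac)
        && hash_equals($rec['email'], strtolower($email));
    if ($ok) {
        unset($store[$requestId]); // single use
    }
    return $ok;
}

// Constructed demo: two login attempts for the same (made-up) address.
$store = []; $secret = random_bytes(32); $now = 1700000000;
[$ridA, $codeA] = issue_code($store, 'user@example.test', $secret, $now);
[$ridB] = issue_code($store, 'user@example.test', $secret, $now);
var_dump(verify_code($store, $ridB, 'user@example.test', $codeA, $secret, $now)); // A's code against B's request
var_dump(verify_code($store, $ridA, 'user@example.test', $codeA, $secret, $now)); // matching request and code
var_dump(verify_code($store, $ridA, 'user@example.test', $codeA, $secret, $now)); // replay of the same code
```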
Use Cases
- Membership sites where password fatigue is an issue
- Customer portals requiring simple authentication
- Internal tools where security without complexity is needed
- Any site wanting to improve user experience
Blocks
This plugin provides 1 block.
- OneCode Login
Installation
- Upload the onecode-login folder to /wp-content/plugins/
- Activate the plugin through the Plugins menu in WordPress
- Go to Settings > OneCode Login to configure options
- Add the login form using the [onecode_login] shortcode or Gutenberg block
Shortcode Options
- redirect_to – URL to redirect after successful login
- button_text – Custom text for the send code button
- verify_text – Custom text for the verify button
Example: [onecode_login redirect_to="/dashboard" button_text="Get Code"]
FAQ
Does this replace password login completely?
By default, no. OneCode Login works alongside traditional password login. However, you can enable the «Replace wp-login.php» option to use OneCode Login as the primary login method.

What happens if the email does not arrive?
Users can request a new code after the cooldown period (default: 60 seconds). Check your server email configuration if emails consistently fail to deliver.

Is this secure?
Yes. The plugin uses cryptographically secure random number generation, time-limited codes, rate limiting, and request binding to prevent various attack vectors.

Can I customize the email template?
Yes. Go to Settings > OneCode Login > Email tab to customize the subject and body of verification emails. You can use placeholders like {code}, {expires}, {site_name}, and {user_email}.

Does it work with multisite?
The plugin is designed for single-site installations. Multisite compatibility may be added in future versions.

What if a user does not have an account?
The plugin only allows existing users to log in. For security reasons, it does not reveal whether an email address has an account – users always see the same «check your email» message.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“OneCode Login” is open source software. The following people have contributed to this plugin.
Changelog
1.0.0
- Initial release
- Passwordless login with 6-digit verification codes
- Rate limiting and brute force protection
- Customizable email templates
- Gutenberg block and shortcode support
- wp-login.php integration option
- Full accessibility support


