Title: OneCode Login Author: oaron Published: 2026 年 1 月 5 日 Last modified: 2026 年 6 月 3 日 --- 搜索插件 ![](https://s.w.org/plugins/geopattern-icon/onecode-login.svg) # OneCode Login 作者:[oaron](https://profiles.wordpress.org/oaron/) [下载](https://downloads.wordpress.org/plugin/onecode-login.zip) * [详情](https://cn.wordpress.org/plugins/onecode-login/#description) * [评价](https://cn.wordpress.org/plugins/onecode-login/#reviews) * [安装](https://cn.wordpress.org/plugins/onecode-login/#installation) * [开发进展](https://cn.wordpress.org/plugins/onecode-login/#developers) [支持](https://wordpress.org/support/plugin/onecode-login/) ## 描述 OneCode Login provides a modern, passwordless authentication experience for your WordPress site. Instead of traditional passwords, users receive a secure 6-digit verification code via email. #### Key Features * **Passwordless Authentication** – Users log in with just their email address * **6-Digit Verification Codes** – Secure, time-limited codes sent via email * **Rate Limiting** – Built-in protection against brute force attacks * **Request ID Binding** – Each code is bound to a specific login session for enhanced security * **Neutral Feedback** – Prevents user enumeration attacks by not revealing if an email exists * **Customizable** – Configure expiry times, cooldowns, and email templates * **Accessible** – Full keyboard navigation and screen reader support * **Gutenberg Block** – Easy to add login forms to any page * **Shortcode Support** – Use [onecode_login] anywhere * **wp-login.php Integration** – Optionally replace the default WordPress login * **Developer API** – Other plugins can use OneCode Login as an email one-time- code (OTP) service to verify a visitor’s email — see the _Developer information_ section #### Security Features * Cryptographically secure code generation * Codes and magic-link tokens are stored HMAC-hashed, never in plain text * Configurable code expiry (default: 10 minutes) * Resend cooldown to prevent spam * IP-based and email-based rate limiting * Automatic lockout after failed attempts * Codes are single-use and invalidated after successful login #### Use Cases * Membership sites where password fatigue is an issue * Customer portals requiring simple authentication * Internal tools where security without complexity is needed * Any site wanting to improve user experience ### Developer information Other plugins on the same site can use OneCode Login as a generic email one-time- code (OTP) service — for example to verify a guest’s email before letting them act. OneCode emails the code and verifies it; your plugin keeps full control of its own login/session (OneCode only asserts that the code is valid for the email — it never logs anyone in). It works for **any** email address; the address does not need a WordPress account. All entry points are plain functions (and matching filters), so you do not need a hard dependency on any class. The API is gated by the _Settings Advanced Enable developer API toggle. Detect support (side-effect free — never call the request hook just to probe): ``` if ( function_exists( 'onecode_login_request_otp' ) && onecode_login_supports( 'otp' ) ) { ... } ``` 1. Start authentication — email a code and receive a handle: 2. $handle = onecode_login_request_otp( $email, array( ‘consumer’ => ‘my_plugin’ )); // $handle = array( ‘request_id’, ‘auth_secret’, ‘expires_in’ (seconds), ‘expires_at’( UTC), ‘sent’ ) // On failure: a WP_Error (codes: disabled, invalid_request, rate_limited, cooldown). Keep `request_id` and `auth_secret` server-side (e.g. in a transient tied to the visitor). The `auth_secret` is NEVER shown to the customer — it is what stops an outsider who only knows the email from completing verification by guessing codes. 1. Complete authentication — the customer gives your plugin the code from the email: 2. $result = onecode_login_verify_otp( array( ’email’ => $email, ‘request_id’ => $handle[‘request_id’], ‘code’ => $code_from_customer, ‘auth_secret’ => $handle[‘ auth_secret’], ‘consumer’ => ‘my_plugin’, ) ); // Success: array( ‘valid’ => true,’ email’ => … ). Failure: WP_Error. On failure show a generic message to the user (the API intentionally returns a single `verify_failed` code so it can’t be used as an oracle). Filters are also available for loose coupling: `onecode_login_request_otp` (`$pre, $email, $args`) and `onecode_login_verify_otp` (`$pre, $args`). Discovery and capabilities: * `onecode_login_supports( $feature )` — returns true for `'otp'`, ‘identity_assertion’ and `'any_email'`. * `onecode_login_api()` — returns the `OneCode_Login_API` service instance. * `OneCode_Login_API::VERSION` — the API contract version (independent of the plugin version), so you can feature-gate against the API surface. * `do_action( 'onecode_login_api_init', $api )` — fires once the API is ready; bind to it if you want to wire up as soon as OneCode Login loads. Reference: `$args['consumer']` (a short `[a-z0-9_-]` label identifying your integration) is required on both calls — it isolates your codes and rate limits from the built- in login and from other consumers. Both request and verify are rate-limited by OneCode, returning `rate_limited` / `cooldown` WP_Errors you can surface to the user. ## 屏幕截图 [⌊Admin settings page with all configuration options⌉⌊Admin settings page with all configuration options⌉[ Admin settings page with all configuration options [⌊Email input form for passwordless login⌉⌊Email input form for passwordless login⌉[ Email input form for passwordless login [⌊6-digit verification code entry screen⌉⌊6-digit verification code entry screen⌉[ 6-digit verification code entry screen ## 区块 该插件提供了 1 个区块. * OneCode Login ## 安装 1. Upload the `onecode-login` folder to `/wp-content/plugins/` 2. Activate the plugin through the Plugins menu in WordPress 3. Go to Settings > OneCode Login to configure options 4. Add the login form using the [onecode_login] shortcode or Gutenberg block #### Shortcode Options * `redirect_to` – URL to redirect after successful login * `button_text` – Custom text for the send code button * `verify_text` – Custom text for the verify button Example: `[onecode_login redirect_to="/dashboard" button_text="Get Code"]` ## 常见问题 ### Does this replace password login completely? By default, no. OneCode Login works alongside traditional password login. However, you can enable the “Replace wp-login.php” option to use OneCode Login as the primary login method. ### What happens if the email does not arrive? Users can request a new code after the cooldown period (default: 60 seconds). Check your server email configuration if emails consistently fail to deliver. ### Is this secure? Yes. The plugin uses cryptographically secure random number generation, time-limited codes, rate limiting, and request binding to prevent various attack vectors. ### Can I customize the email template? Yes. Go to Settings > OneCode Login > Email tab to customize the subject and body of verification emails. You can use placeholders like {code}, {expires}, {site_name}, and {user_email}. ### Does it work with multisite? The plugin is designed for single-site installations. Multisite compatibility may be added in future versions. ### What if a user does not have an account? The plugin only allows existing users to log in. For security reasons, it does not reveal whether an email address has an account – users always see the same “check your email” message. ## 评价 ![](https://secure.gravatar.com/avatar/04e4e3cafb60914b122969d49c740a3023c6fc6f3ab760d3cb73726b06303f17? s=60&d=retro&r=g) ### 󠀁[Good product](https://wordpress.org/support/topic/good-product-210/)󠁿 [alex049](https://profiles.wordpress.org/alex049/) 2026 年 5 月 14 日 3 回复 Good product. Do the job. Many thanks. Just I founded 2 bugs : when logout, data remain in the database login_codes that make when want to connect again, it remain on the login page and code is not sent, and finish by blocking over 7000s the next conexion. I don’t try with automatic exit after no usage, perhaps we have same result Problem in login_code where expire at is before created at. Perhaps linked to the fact one use time with jetlag and the other one the UTC ![](https://secure.gravatar.com/avatar/649d8bddb6156460ecb0ee0150168ee9d0d8573065bb564894c943d47a542501? s=60&d=retro&r=g) ### 󠀁[I really like this plugin. It has a lot of potential.](https://wordpress.org/support/topic/i-really-like-this-plugin-it-has-a-lot-of-potential/)󠁿 [painlessseo](https://profiles.wordpress.org/painlessseo/) 2026 年 3 月 2 日 The developer clearly understands real-world needs and built something that actually solves practical problems.Looking forward to the developer adding even more features in future updates.Thank you for making this plugin! [ 阅读所有2条评价 ](https://wordpress.org/support/plugin/onecode-login/reviews/) ## 贡献者及开发者 「OneCode Login」是开源软件。 以下人员对此插件做出了贡献。 贡献者 * [ oaron ](https://profiles.wordpress.org/oaron/) [帮助将「OneCode Login」翻译成简体中文。](https://translate.wordpress.org/projects/wp-plugins/onecode-login) ### 对开发感兴趣吗? 您可以[浏览代码](https://plugins.trac.wordpress.org/browser/onecode-login/),查看 [SVN仓库](https://plugins.svn.wordpress.org/onecode-login/),或通过[RSS](https://plugins.trac.wordpress.org/log/onecode-login/?limit=100&mode=stop_on_copy&format=rss) 订阅[开发日志](https://plugins.trac.wordpress.org/log/onecode-login/)。 ## 更新日志 #### 1.1 * New: developer API — other plugins on the same site can use OneCode Login as a generic email one-time-code (OTP) service. They request a code for any email address, then verify the code together with a server-side secret. Identity assertion only: OneCode confirms the code is valid for the email but never logs anyone in, so the integrating plugin keeps full control of its own session. See the “ Developer information” section for the code-level integration. * New: `api_enabled` setting (Advanced tab) to turn the developer API on or off. * Security: verification codes and magic-link tokens are now stored HMAC-hashed instead of in plain text. * Security: client IP detection no longer trusts spoofable proxy headers by default( opt in via the `onecode_login_trust_proxy_headers` filter when behind a trusted proxy). * Security: magic-link verification is now rate-limited per IP as well as per email. * Privacy: debug logging no longer records verification codes or full email addresses( emails are masked). * Privacy: added WordPress personal-data exporter and eraser, plus a suggested Privacy Policy snippet. * Internal: codes are scoped per channel so the developer API and the built-in login never interfere with each other; verification uses an atomic single-use claim. * Note: upgrading from 1.0.2 or earlier clears any pending codes/tokens once (storage- format change); users simply request a new code. #### 1.0.2 * Fix: assets are now loaded reliably when the shortcode/block is present on the page (prevents first-submit failure under aggressive page caching or JS optimization). * Fix: clear leftover code/rate-limit rows from earlier versions whose timestamps were stored in the local PHP timezone instead of UTC. #### 1.0.1 * Small bug fixes #### 1.0.0 * Initial release * Passwordless login with 6-digit verification codes * Rate limiting and brute force protection * Customizable email templates * Gutenberg block and shortcode support * wp-login.php integration option * Full accessibility support ## 额外信息 * 版本 **1.1** * 最后更新:**5 天前** * 活跃安装数量 **10+** * WordPress 版本 ** 5.8 或更高版本 ** * 已测试的最高版本为 **7.0** * PHP 版本 ** 7.4 或更高版本 ** * 语言 * [English (US)](https://wordpress.org/plugins/onecode-login/) * 标签 * [authentication](https://cn.wordpress.org/plugins/tags/authentication/)[email](https://cn.wordpress.org/plugins/tags/email/) [login](https://cn.wordpress.org/plugins/tags/login/)[otp](https://cn.wordpress.org/plugins/tags/otp/) [passwordless](https://cn.wordpress.org/plugins/tags/passwordless/) * [高级视图](https://cn.wordpress.org/plugins/onecode-login/advanced/) ## 评级 5 星(最高 5 星)。 * [ 2 条 5 星评价 ](https://wordpress.org/support/plugin/onecode-login/reviews/?filter=5) * [ 0 条 4 星评价 ](https://wordpress.org/support/plugin/onecode-login/reviews/?filter=4) * [ 0 条 3 星评价 ](https://wordpress.org/support/plugin/onecode-login/reviews/?filter=3) * [ 0 条 2 星评价 ](https://wordpress.org/support/plugin/onecode-login/reviews/?filter=2) * [ 0 条 1 星评价 ](https://wordpress.org/support/plugin/onecode-login/reviews/?filter=1) [Your review](https://wordpress.org/support/plugin/onecode-login/reviews/#new-post) [查看全部评论](https://wordpress.org/support/plugin/onecode-login/reviews/) ## 贡献者 * [ oaron ](https://profiles.wordpress.org/oaron/) ## 支持 有话要说吗?是否需要帮助? [查看支持论坛](https://wordpress.org/support/plugin/onecode-login/)