Major feature release with CAPTCHA providers, Hide Admin, and social login improvements. Review the new security settings after updating.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3558755,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3558755,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3558755,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3558755,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{"blueprint.json":{"filename":"blueprint.json","revision":3558764,"resolution":false,"location":"assets","locale":"","contents":"{\"$schema\":\"https:\\\/\\\/playground.wordpress.net\\\/blueprint-schema.json\",\"landingPage\":\"\\\/access-preview\\\/\",\"preferredVersions\":{\"php\":\"8.3\",\"wp\":\"latest\"},\"phpExtensionBundles\":[\"kitchen-sink\"],\"steps\":[{\"step\":\"installPlugin\",\"options\":{\"activate\":true},\"pluginData\":{\"resource\":\"wordpress.org\\\/plugins\",\"slug\":\"oomf-access\"}},{\"step\":\"setSiteOptions\",\"options\":{\"blogname\":\"oOMF! Access Preview\",\"blogdescription\":\"A temporary WordPress Playground demo for oOMF! Access.\",\"permalink_structure\":\"\\\/%postname%\\\/\",\"users_can_register\":\"1\",\"default_role\":\"subscriber\"}},{\"step\":\"runPHP\",\"code\":\" 'dark',\\n 'color_primary' => '#4353ff',\\n 'headline' => 'oOMF! Access',\\n 'subheadline' => 'Temporary Playground demo',\\n 'footer_note' => 'Demo credentials: admin \\\/ password.',\\n 'redirect_after_login' => admin_url( 'options-general.php?page=oomf_access_settings' ),\\n 'redirect_after_logout' => home_url( '\\\/access-preview\\\/' ),\\n 'show_site_link' => 1,\\n 'magiclink_enabled' => 0,\\n 'enable_captcha' => 0,\\n 'hide_admin_enabled' => 1,\\n 'hide_admin_slug' => 'access-preview',\\n 'hide_admin_obscure_mode' => '404',\\n 'hide_admin_hide_login_links' => 1,\\n 'honeypot_enable' => 0,\\n 'throttle_enabled' => 0,\\n 'social_enabled' => 0,\\n )\\n);\\nupdate_option( 'oomf_access_options', $options );\\n\\n$page_id = (int) get_option( 'oomf_access_page_id', 0 );\\nif ( $page_id > 0 ) {\\n wp_update_post(\\n array(\\n 'ID' => $page_id,\\n 'post_title' => 'oOMF! Access Demo',\\n 'post_name' => 'oomf-access',\\n 'post_status' => 'publish',\\n 'post_content' => '[oomf_access_form]',\\n )\\n );\\n}\\n\\nadd_rewrite_rule( '^access-preview\\\/?$', 'index.php?oomf_access_secret_login=1&lf_secret_login=1', 'top' );\\nflush_rewrite_rules( false );\\n\"}]}"}},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3557361,"resolution":"1","location":"assets","locale":"","width":1440,"height":1000},"screenshot-10.png":{"filename":"screenshot-10.png","revision":3557361,"resolution":"10","location":"assets","locale":"","width":1440,"height":1100},"screenshot-11.png":{"filename":"screenshot-11.png","revision":3557361,"resolution":"11","location":"assets","locale":"","width":1440,"height":1100},"screenshot-12.png":{"filename":"screenshot-12.png","revision":3557361,"resolution":"12","location":"assets","locale":"","width":1440,"height":1100},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3557361,"resolution":"2","location":"assets","locale":"","width":1440,"height":1000},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3557361,"resolution":"3","location":"assets","locale":"","width":1440,"height":1000},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3557361,"resolution":"4","location":"assets","locale":"","width":1440,"height":1000},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3557361,"resolution":"5","location":"assets","locale":"","width":1440,"height":1100},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3557361,"resolution":"6","location":"assets","locale":"","width":390,"height":844},"screenshot-7.png":{"filename":"screenshot-7.png","revision":3557361,"resolution":"7","location":"assets","locale":"","width":1440,"height":1100},"screenshot-8.png":{"filename":"screenshot-8.png","revision":3557361,"resolution":"8","location":"assets","locale":"","width":1440,"height":1100},"screenshot-9.png":{"filename":"screenshot-9.png","revision":3557361,"resolution":"9","location":"assets","locale":"","width":1440,"height":1100}},"screenshots":{"1":"Branded login screen with social sign-in, remember-me, magic link, and recovery links.","2":"Magic link request screen for passwordless email sign-in.","3":"Password reset screen with reset link request and alternate login paths.","4":"Registration screen with social sign-in and username\/email account creation.","5":"Logged-in account card with dashboard, logout, profile, and site links.","6":"Mobile login layout with stacked social buttons and responsive form controls.","7":"Settings home with Hide Admin notice, navigation tabs, and live login preview.","8":"Appearance and spacing controls with live preview updates.","9":"Social login provider options for OAuth credentials, redirect URIs, roles, and scopes.","10":"Behavior settings for login redirects, logout redirects, and site link visibility.","11":"Security settings for CAPTCHA, honeypot, time trap, throttling, and lockout controls.","12":"Hide Admin and emergency access controls with secret login path settings."}},"plugin_section":[],"plugin_tags":[710,2604,602,726,600],"plugin_category":[38,54],"plugin_contributors":[262849],"plugin_business_model":[],"class_list":["post-260508","plugin","type-plugin","status-publish","hentry","plugin_tags-authentication","plugin_tags-branding","plugin_tags-login","plugin_tags-redirects","plugin_tags-security","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-oomf","plugin_committers-oomf"],"banners":{"banner":"https:\/\/ps.w.org\/oomf-access\/assets\/banner-772x250.png?rev=3558755","banner_2x":"https:\/\/ps.w.org\/oomf-access\/assets\/banner-1544x500.png?rev=3558755","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/oomf-access\/assets\/icon-128x128.png?rev=3558755","icon_2x":"https:\/\/ps.w.org\/oomf-access\/assets\/icon-256x256.png?rev=3558755","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/oomf-access\/assets\/screenshot-1.png?rev=3557361","caption":"Branded login screen with social sign-in, remember-me, magic link, and recovery links."},{"src":"https:\/\/ps.w.org\/oomf-access\/assets\/screenshot-2.png?rev=3557361","caption":"Magic link request screen for passwordless email sign-in."},{"src":"https:\/\/ps.w.org\/oomf-access\/assets\/screenshot-3.png?rev=3557361","caption":"Password reset screen with reset link request and alternate login paths."},{"src":"https:\/\/ps.w.org\/oomf-access\/assets\/screenshot-4.png?rev=3557361","caption":"Registration screen with social sign-in and username\/email account creation."},{"src":"https:\/\/ps.w.org\/oomf-access\/assets\/screenshot-5.png?rev=3557361","caption":"Logged-in account card with dashboard, logout, profile, and site links."},{"src":"https:\/\/ps.w.org\/oomf-access\/assets\/screenshot-6.png?rev=3557361","caption":"Mobile login layout with stacked social buttons and responsive form controls."},{"src":"https:\/\/ps.w.org\/oomf-access\/assets\/screenshot-7.png?rev=3557361","caption":"Settings home with Hide Admin notice, navigation tabs, and live login preview."},{"src":"https:\/\/ps.w.org\/oomf-access\/assets\/screenshot-8.png?rev=3557361","caption":"Appearance and spacing controls with live preview updates."},{"src":"https:\/\/ps.w.org\/oomf-access\/assets\/screenshot-9.png?rev=3557361","caption":"Social login provider options for OAuth credentials, redirect URIs, roles, and scopes."},{"src":"https:\/\/ps.w.org\/oomf-access\/assets\/screenshot-10.png?rev=3557361","caption":"Behavior settings for login redirects, logout redirects, and site link visibility."},{"src":"https:\/\/ps.w.org\/oomf-access\/assets\/screenshot-11.png?rev=3557361","caption":"Security settings for CAPTCHA, honeypot, time trap, throttling, and lockout controls."},{"src":"https:\/\/ps.w.org\/oomf-access\/assets\/screenshot-12.png?rev=3557361","caption":"Hide Admin and emergency access controls with secret login path settings."}],"raw_content":"\n
oOMF! Access gives WordPress sites a better front door: a polished login page, guided account flows, passwordless magic links, social sign-in, safe redirects, CAPTCHA, hide-admin controls, honeypots, throttling, and lockout protection.<\/p>\n\n
It is built for agencies, membership sites, product teams, and site owners who want a professional sign-in experience without hand-rolling templates, OAuth plumbing, redirect rules, and abuse controls for every project.<\/p>\n\n
[oomf_access_form]<\/code>, theme-aware styling, logo controls, custom copy, gradients, and live admin previews.<\/li>\n- One flow for every access moment<\/strong> - keep login, registration, lost password, password reset, logged-in states, and magic-link requests inside the same consistent interface.<\/li>\n
- Passwordless and social sign-in<\/strong> - offer email magic links plus Google, Apple, GitHub, Microsoft, and Facebook providers with provider-specific setup hints.<\/li>\n
- Redirects you can trust<\/strong> - send people to the right page after login\/logout while validating
redirect_to<\/code> values and exposing filters for approved external hosts.<\/li>\n- Layered anti-abuse controls<\/strong> - enable reCAPTCHA, hCaptcha, honeypots, soft throttling, lockouts, secret login paths, and emergency bypass flows from wp-admin.<\/li>\n
- Developer-friendly internals<\/strong> - focused hooks and filters let you customize destinations, CAPTCHA behavior, provider handling, inline CSS, and allowed redirect hosts.<\/li>\n<\/ul>\n\n
Built for the real WordPress admin<\/h4>\n\n
The settings screen includes a live preview, grouped controls for content\/appearance\/behavior\/security, provider previews, and setup copy for external services. Frontend and admin assets load only where needed and are versioned with filemtime()<\/code>.<\/p>\n\nPrivacy<\/h3>\n\n
oOMF! Access does not send data to oOMF! services. CAPTCHA and social login features connect only when you enable them and provide your own third-party credentials. Removing the plugin deletes its settings, and the generated login page can also be removed via the oomf_access\/delete_page_on_uninstall<\/code> filter.<\/p>\n\nExternal services<\/h3>\n\n
oOMF! Access connects to outside services only when the related feature is enabled.<\/p>\n\n
Google reCAPTCHA (v2\/v3)<\/h4>\n\n\n- Purpose: spam and abuse protection for access forms.<\/li>\n
- Endpoints:
https:\/\/www.google.com\/recaptcha\/api.js<\/code> and https:\/\/www.google.com\/recaptcha\/api\/siteverify<\/code>.<\/li>\n- Data sent: site key\/secret, visitor response token, action name, and optionally visitor IP.<\/li>\n
- Terms: https:\/\/policies.google.com\/terms<\/li>\n
- Privacy: https:\/\/policies.google.com\/privacy<\/li>\n<\/ul>\n\n
hCaptcha<\/h4>\n\n\n- Purpose: CAPTCHA validation.<\/li>\n
- Endpoints:
https:\/\/js.hcaptcha.com<\/code> and https:\/\/hcaptcha.com\/siteverify<\/code>.<\/li>\n- Data sent: site key\/secret, response token, action name, and optionally visitor IP.<\/li>\n
- Terms: https:\/\/www.hcaptcha.com\/terms<\/li>\n
- Privacy: https:\/\/www.hcaptcha.com\/privacy<\/li>\n<\/ul>\n\n
Google OAuth<\/h4>\n\n\n- Purpose: sign in with Google.<\/li>\n
- Endpoints:
accounts.google.com\/o\/oauth2\/v2\/auth<\/code>, oauth2.googleapis.com\/token<\/code>, and openidconnect.googleapis.com\/v1\/userinfo<\/code>.<\/li>\n- Data sent: authorization code, code verifier, redirect URI, client credentials, and selected scopes. Returned data can include name, verified email, avatar, and locale.<\/li>\n
- Terms: https:\/\/policies.google.com\/terms<\/li>\n
- Privacy: https:\/\/policies.google.com\/privacy<\/li>\n<\/ul>\n\n
Apple Sign In<\/h4>\n\n\n- Purpose: sign in with Apple.<\/li>\n
- Endpoints:
appleid.apple.com\/auth\/authorize<\/code> and appleid.apple.com\/auth\/token<\/code>.<\/li>\n- Data sent: authorization code, client ID, redirect URI, and signed JWT assertions generated from your Apple key. Returned data can include name and email.<\/li>\n
- Terms: https:\/\/www.apple.com\/legal\/internet-services\/terms\/site.html<\/li>\n
- Privacy: https:\/\/www.apple.com\/legal\/privacy\/<\/li>\n<\/ul>\n\n
GitHub OAuth<\/h4>\n\n\n- Purpose: sign in with GitHub.<\/li>\n
- Endpoints:
github.com\/login\/oauth\/authorize<\/code>, github.com\/login\/oauth\/access_token<\/code>, api.github.com\/user<\/code>, and api.github.com\/user\/emails<\/code>.<\/li>\n- Data sent: authorization code, client credentials, redirect URI, and scopes. Returned data can include ID, email, name, and avatar.<\/li>\n
- Terms: https:\/\/docs.github.com\/en\/site-policy\/github-terms\/github-terms-of-service<\/li>\n
- Privacy: https:\/\/docs.github.com\/en\/site-policy\/privacy-policies\/github-privacy-statement<\/li>\n<\/ul>\n\n
Microsoft OAuth<\/h4>\n\n\n- Purpose: sign in with Microsoft.<\/li>\n
- Endpoints:
login.microsoftonline.com\/common\/oauth2\/v2.0\/authorize<\/code>, login.microsoftonline.com\/common\/oauth2\/v2.0\/token<\/code>, and graph.microsoft.com\/v1.0\/me<\/code>.<\/li>\n- Data sent: authorization code, client credentials, redirect URI, and scopes. Returned data can include ID, email, name, and locale.<\/li>\n
- Terms: https:\/\/www.microsoft.com\/licensing\/terms\/productoffering\/MicrosoftOnlineServices\/MOSPT<\/li>\n
- Privacy: https:\/\/privacy.microsoft.com\/privacystatement<\/li>\n<\/ul>\n\n
Facebook Login<\/h4>\n\n\n- Purpose: sign in with Facebook.<\/li>\n
- Endpoints:
facebook.com\/v18.0\/dialog\/oauth<\/code>, graph.facebook.com\/v18.0\/oauth\/access_token<\/code>, and graph.facebook.com\/v18.0\/me<\/code>.<\/li>\n- Data sent: authorization code, app credentials, redirect URI, and scopes. Returned data can include ID, email, name, and avatar.<\/li>\n
- Terms: https:\/\/www.facebook.com\/legal\/terms<\/li>\n
- Privacy: https:\/\/www.facebook.com\/policy.php<\/li>\n<\/ul>\n\n
Hooks & Extension Points<\/h3>\n\n\noomf_access_redirect_destination<\/code> - override the final destination after login.<\/li>\noomf-access\/allowed_redirect_hosts<\/code> - allow approved external redirect hosts.<\/li>\noomf-access\/captcha\/allow_external<\/code> - control whether CAPTCHA network calls are allowed.<\/li>\noomf_access_captcha_is_required<\/code> - decide whether CAPTCHA is required for a request.<\/li>\noomf_access_captcha_validate_result<\/code> - customize CAPTCHA validation results.<\/li>\noomf-access\/inline_css<\/code> - inject extra CSS into the admin preview and frontend.<\/li>\n<\/ul>\n\n\n\n- Upload the plugin folder to
\/wp-content\/plugins\/<\/code> or install the ZIP from Plugins → Add New.<\/li>\n- Activate oOMF! Access. Activation creates a public \"Login\" page and stores its ID in
oomf_access_page_id<\/code>.<\/li>\n- Open Settings → oOMF! Access to configure branding, text, redirects, magic links, social providers, CAPTCHA, and hide-admin options.<\/li>\n
- Share the generated login URL, usually
\/oomf-access\/<\/code>.<\/li>\n<\/ol>\n\n\n\nWhere is the login page?<\/h3><\/dt>\nActivation creates a WordPress page containing [oomf_access_form]<\/code>. You can edit or move that page. If it is deleted, \/oomf-access\/<\/code> still renders the bundled login template so people are not stranded.<\/p><\/dd>\nDoes it replace my theme template?<\/h3><\/dt>\nThe shortcode inherits your theme when embedded anywhere. The generated login page uses the bundled minimal template at templates\/oomf-access-page-template.php<\/code> so the dedicated access page stays consistent.<\/p><\/dd>\nWhat can I customize?<\/h3><\/dt>\nYou can adjust logos, appearance mode, accent color, spacing, headings, helper text, form labels, button text, magic-link copy, redirect destinations, social providers, CAPTCHA settings, hide-admin behavior, honeypot and throttle settings, and lockout thresholds.<\/p><\/dd>\n
How do redirects work?<\/h3><\/dt>\nIf a safe redirect_to<\/code> value is supplied, it wins. Otherwise oOMF! Access uses the configured post-login destination, then falls back to the WordPress admin. Developers can use oomf-access\/allowed_redirect_hosts<\/code> and oomf_access_redirect_destination<\/code> for custom routing.<\/p><\/dd>\nWhat CAPTCHA providers are supported?<\/h3><\/dt>\noOMF! Access supports reCAPTCHA v2 checkbox, reCAPTCHA v2 invisible, reCAPTCHA v3, and hCaptcha. Scripts load only on access pages and verification happens server-side.<\/p><\/dd>\n
How does Hide Admin work?<\/h3><\/dt>\nWhen enabled, direct access to \/wp-login.php<\/code> and \/wp-admin<\/code> can be obscured for anonymous visitors while a secret login slug remains available. Emergency bypasses are retained for break-glass access.<\/p><\/dd>\n