Documentation
Everything you need to know about Magic Login – the passwordless authentication plugin for WordPress.
Introduction
Magic Login replaces traditional password-based authentication with secure magic links and cryptographically verified passkeys. Users simply enter their email, click a link, and they're logged in. No passwords to remember, reset, or compromise.
Magic Links
Secure, one-time login links sent via email. Users click and authenticate instantly.
Passkeys
Biometric authentication using Touch ID, Face ID, or Windows Hello.
WP-CLI
Generate magic links from the command line for automation workflows.
Full Branding
Customize every aspect of the login experience to match your brand.
One Session
Enforce a single active session per user across all devices.
Installation
Install Magic Login just like any other WordPress plugin. Choose your preferred method below.
Method 1: WordPress Admin
- Go to Plugins → Add New
  Navigate to your WordPress admin dashboard and click "Plugins" then "Add New".
- Search for "Magic Login"
  Type "Magic Login" in the search box and find the plugin in results.
- Install and Activate
  Click "Install Now" then "Activate" to enable the plugin.
Method 2: Manual Upload
```bash
# Unpack the plugin archive inside the plugins directory
cd /wp-content/plugins/
unzip magic-login.zip
```
Requirements
- WordPress 5.0 or higher
- PHP 7.4 or higher
- HTTPS required for Passkeys feature
Quick Start
Get up and running in minutes. Magic Login works out of the box with sensible defaults.
- Activate the Plugin
  Once activated, Magic Login automatically replaces the default WordPress login form.
- Visit the Login Page
  Navigate to `/wp-login.php` to see your new passwordless login form.
- Enter Email
  Users enter their email address and receive a magic link instantly.
- Click the Link
  Users click the link in their email, confirm their identity, and they're logged in.
Configure settings at Settings → Magic Login to customize branding, expiration times, and security options.
Magic Links
Magic links are secure, one-time-use URLs that authenticate users without passwords. Each link contains a cryptographically secure token that expires after use or after a configured time period.
How Magic Links Work
- User enters their email on the login form
- Plugin generates a unique, hashed token
- Magic link is sent to the user's email
- User clicks link and sees confirmation screen
- After confirmation, user is authenticated
- Token is marked as "used" and cannot be reused
Admin-Generated Links
Administrators can generate magic links for users directly from the admin dashboard:
- Go to Magic Login → Create Link
  Access the link creation interface from the admin menu.
- Select User
  Choose a user from the dropdown or enter username/email manually.
- Configure Options
  Set expiration time, enable IP lock, or configure auto-logout.
- Generate & Share
  Send via email or copy the link manually.
Passkeys
Passkeys enable passwordless authentication using biometrics (Touch ID, Face ID, Windows Hello) or hardware security keys. This feature uses the WebAuthn protocol with strict cryptographic verification for maximum security.
Passkeys require HTTPS and a compatible browser. Available in the Pro version.
Supported Authenticators
- Touch ID (macOS, iOS)
- Face ID (iOS)
- Windows Hello (Windows 10+)
- Hardware security keys (YubiKey, Titan, etc.)
- Android biometrics
User Registration Flow
After logging in with a magic link, users are prompted to register a passkey. They can register multiple passkeys for different devices.
WP-CLI Commands
Generate magic links from the command line. Perfect for automation scripts, cron jobs, and development workflows.
Create a Magic Link
```bash
# The user can be given as a login name, an email address, or a numeric value
wp magic-login create admin
wp magic-login create user@example.com
wp magic-login create 123
```
Set Custom Expiration
```bash
# Expire in 60 minutes
wp magic-login create admin --expires=60
# Expire in 24 hours (1440 minutes)
wp magic-login create admin --expires=1440
```
Script-Friendly Output
```bash
wp magic-login create admin --porcelain
# Use in scripts
LINK=$(wp magic-login create admin --porcelain)
echo "Login link: $LINK"
```
Branding & Customization
Customize every aspect of the login experience to match your brand. Access settings at Settings → Magic Login.
Login Form Customization
| Setting | Description |
|---|---|
| Logo | Upload custom logo image |
| Logo Width | Adjust logo size (20-400px) |
| Page Title | Custom title text |
| Button Text | Customize submit button |
| Button Color | Primary button color |
| Background | Page background color or image |
Email Template Variables
Use these variables in your custom email templates:
| Variable | Description |
|---|---|
| {site_name} | Your website title |
| {user_email} | Recipient's email address |
| {magic_link} | The login URL |
| {expiry} | Link expiration time |
| {ip_address} | Requester's IP (if IP locked) |
Security Features
Magic Login is built with security as the top priority. Here's how we protect your users.
SHA-256 Hashing
All tokens are cryptographically hashed before storage. Database breaches cannot expose valid tokens.
Auto-Expiration
Every link expires after a configured time period. Default: 60 minutes.
One-Time Use
Tokens are invalidated immediately after successful authentication.
Nonce Verification
All admin actions and forms are protected by WordPress nonces.
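The token lifecycle described under "How Magic Links Work" and the hashing, expiration and one-time-use properties listed above can be sketched as follows. This is an added illustration, not Magic Login's own code; the function names and the in-memory `$store` array (standing in for a database table) are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. $store stands in for a DB table.

function issue_token(array &$store, int $userId, int $ttlMinutes, int $now): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the system CSPRNG
    $store[hash('sha256', $token)] = [       // only the SHA-256 digest is persisted
        'user_id' => $userId,
        'expires' => $now + $ttlMinutes * 60,
        'used'    => false,
    ];
    return $token;                           // raw token exists only in the emailed link
}

function redeem_token(array &$store, string $token, int $now): ?int
{
    $key = hash('sha256', $token);           // look up by digest, never by raw token
    if (!isset($store[$key])) {
        return null;                         // unknown or forged token
    }
    $row = &$store[$key];
    if ($row['used'] || $now >= $row['expires']) {
        return null;                         // replayed or expired link
    }
    $row['used'] = true;                     // burn the token before opening a session
    return $row['user_id'];
}

// Constructed walk-through with a fixed clock so the outcome is reproducible.
$store = [];
$t0    = 1700000000;

$link = issue_token($store, 42, 60, $t0);
var_dump(redeem_token($store, $link, $t0 + 300));    // first click, inside the window
var_dump(redeem_token($store, $link, $t0 + 301));    // same link clicked a second time

$late = issue_token($store, 42, 60, $t0);
var_dump(redeem_token($store, $late, $t0 + 3600));   // clicked exactly at expiry

// A dump of the store contains digests only, so a leaked copy cannot be replayed.
var_dump(array_key_exists($link, $store));
```

With a real database, the "check unused, then mark used" step should be a single conditional update so that two simultaneous clicks cannot both succeed.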
One Session
Enforce single active session limits across all browsers and devices for enhanced security and account sharing prevention.
- Optional feature, easily toggled from Settings
- Immediately invalidates old sessions upon new login
- Protects against unauthorized account sharing
- No impact on active legitimate users
Enable the Single Session option under Settings → Magic Login → Advanced Auth.
Rate Limiting
Built-in rate limiting protects against abuse and brute-force attacks.
- Configurable attempt limits per 30-minute window
- Tracked via browser session (not IP)
- User-friendly error messages
- Prevents magic link spam
Adjust rate limiting settings at Settings → Magic Login → Security.
IP Locking
Restrict magic links to specific IP addresses for enhanced security. If enabled, the link can only be used from the IP address that requested it.
When to Use IP Locking
- Admin accounts with elevated privileges
- Corporate/intranet environments
- High-security applications
- Compliance requirements (HIPAA, PCI-DSS)
IP locking can cause issues for users on mobile networks or VPNs. Use sparingly.
Email Variables Reference
Complete reference for email template customization.
| Variable | Type | Example Output |
|---|---|---|
| {site_name} | String | My WordPress Site |
| {user_email} | String | user@example.com |
| {magic_link} | URL | https://site.com/magic-login?token=... |
| {expiry} | String | 60 minutes |
| {ip_address} | String | 192.168.1.1 |
Hooks & Filters
Extend Magic Login with WordPress hooks.
Actions
```php
// Fires when a user is logged in
do_action('magic_login_user_logged_in', $user_id);
// Fires when a magic link is created
do_action('magic_login_link_created', $token, $user_id);
```
Filters
```php
// Customize token expiry (minutes)
$expiry = apply_filters('magic_login_token_expiry', $minutes);
// Customize email subject
$subject = apply_filters('magic_login_email_subject', $subject, $user);
```
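One way to use these hooks for audit logging and a lifetime cap, as an added example that is not shipped with Magic Login. It assumes the hook names and argument order shown above; the file name, the `mla_audit` helper and the 15-minute cap are hypothetical choices.

```php
<?php
/**
 * Added example, not part of Magic Login. Drop into a must-use plugin file,
 * e.g. wp-content/mu-plugins/magic-login-audit.php (hypothetical name).
 * Assumes the hook names and argument order documented on this page.
 */

// Write one structured line per event to the PHP error log.
function mla_audit(string $event, array $fields): void
{
    $fields = ['event' => $event, 'time' => gmdate('c')] + $fields;
    error_log('magic-login-audit ' . wp_json_encode($fields));
}

// Link creation: record who the link is for, never the token itself.
add_action('magic_login_link_created', function ($token, $user_id) {
    mla_audit('link_created', [
        'user_id'   => (int) $user_id,
        // A short digest prefix correlates events without logging a usable secret.
        'token_fp'  => substr(hash('sha256', (string) $token), 0, 12),
        'actor'     => get_current_user_id(),   // 0 when nobody is logged in
        'remote_ip' => $_SERVER['REMOTE_ADDR'] ?? 'cli',
    ]);
}, 10, 2);

// Successful login: mark privileged accounts so they stand out in review.
add_action('magic_login_user_logged_in', function ($user_id) {
    $user = get_userdata((int) $user_id);
    mla_audit('login', [
        'user_id'   => (int) $user_id,
        'is_admin'  => $user ? user_can($user, 'manage_options') : false,
        'remote_ip' => $_SERVER['REMOTE_ADDR'] ?? 'cli',
    ]);
});

// Example policy: whatever lifetime is configured, cap it at 15 minutes.
add_filter('magic_login_token_expiry', function ($minutes) {
    return min((int) $minutes, 15);
});
```

Logging the raw `$token` argument would put a login credential into log files, which is why only a digest prefix is recorded.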