{"id":314636,"date":"2026-06-09T15:43:19","date_gmt":"2026-06-09T15:43:19","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/easyauth\/"},"modified":"2026-06-10T09:19:41","modified_gmt":"2026-06-10T09:19:41","slug":"authdock","status":"publish","type":"plugin","link":"https:\/\/es-do.wordpress.org\/plugins\/authdock\/","author":17211928,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.2","stable_tag":"1.0.2","tested":"7.0","requires":"6.0","requires_php":"7.4","requires_plugins":null,"header_name":"AuthDock","header_author":"Degird","header_description":"A comprehensive authentication and user access management plugin for WordPress. Social login, magic link login, two-factor authentication, login attempt limiting, dynamic redirects, audit logging, wp-admin access restriction, and core security hardening \u2014 all with a native WordPress UI and REST API integration.","assets_banners_color":"9e9f9f","last_updated":"2026-06-10 09:19:41","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/degird.com","header_plugin_uri":"https:\/\/degird.com\/","header_author_uri":"https:\/\/degird.com\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":73,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"rakibantor","date":"2026-06-09 15:42:55"},"1.0.1":{"tag":"1.0.1","author":"rakibantor","date":"2026-06-10 09:05:56"},"1.0.2":{"tag":"1.0.2","author":"rakibantor","date":"2026-06-10 09:19:41"}},"upgrade_notice":{"1.0.0":"<p>Initial release of AuthDock. 
Install to replace multiple security plugins with a single, comprehensive authentication solution.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3566239,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3566239,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3566239,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3566239,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":{"authdock\/login-form":{"$schema":"https:\/\/schemas.wp.org\/trunk\/block.json","apiVersion":3,"name":"authdock\/login-form","version":"1.0.0","title":"AuthDock Login Form","category":"widgets","description":"Display a complete login form with social login buttons, magic link, and 2FA support.","keywords":["login","authentication","social login","magic 
link","2fa"],"textdomain":"authdock","attributes":{"redirect":{"type":"string","default":""},"labelColor":{"type":"string","default":""},"buttonBgColor":{"type":"string","default":""},"buttonTextColor":{"type":"string","default":""},"buttonFontSize":{"type":"string","default":""},"placeholderColor":{"type":"string","default":""},"socialBtnBgColor":{"type":"string","default":""},"socialBtnTextColor":{"type":"string","default":""}},"supports":{"align":["wide","full","center"],"html":false,"color":{"background":true,"text":true,"link":false,"gradients":false},"spacing":{"margin":true,"padding":true},"typography":{"fontSize":true,"lineHeight":false},"__experimentalBorder":{"radius":true,"width":false,"color":false,"style":false}},"editorScript":"file:.\/index.js","style":"authdock-public"}},"tagged_versions":["1.0.0","1.0.1","1.0.2"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3566239,"resolution":"1","location":"assets","locale":"","width":1280,"height":720},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3566239,"resolution":"2","location":"assets","locale":"","width":1280,"height":720},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3566239,"resolution":"3","location":"assets","locale":"","width":1280,"height":720},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3566239,"resolution":"4","location":"assets","locale":"","width":1280,"height":720},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3566239,"resolution":"5","location":"assets","locale":"","width":1280,"height":720},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3566239,"resolution":"6","location":"assets","locale":"","width":1280,"height":720},"screenshot-7.png":{"filename":"screenshot-7.png","revision":3566239,"resolution":"7","location":"assets","locale":"","width":1280,"height":720}},"screenshots":{"1":"<strong>Dashboard<\/strong> \u2014 Overview of authentication activity with live 
stats and quick feature toggles.","2":"<strong>Social Login Settings<\/strong> \u2014 Configure Google, Facebook, GitHub, and X OAuth providers with button style options.","3":"<strong>Magic Link Settings<\/strong> \u2014 Configure link expiry, rate limiting, allowed roles, and force-magic mode.","4":"<strong>Two-Factor Authentication<\/strong> \u2014 TOTP and email-based 2FA setup with QR code provisioning and backup codes.","5":"<strong>Login Protection<\/strong> \u2014 Brute force settings with progressive lockout, IP whitelist\/blacklist, and notification options.","6":"<strong>Dynamic Redirects<\/strong> \u2014 Role-based login and logout redirect rules with first-login redirect.","7":"<strong>Audit Logs<\/strong> \u2014 Searchable, filterable log of all authentication events with CSV\/JSON export.","8":"<strong>Security Hardening<\/strong> \u2014 Custom login URL, XML-RPC control, security headers, password policies, and user enumeration prevention.","9":"<strong>Email Notifications<\/strong> \u2014 Admin and user notification settings with throttle control and test email.","10":"<strong>Access Control<\/strong> \u2014 wp-admin restriction by role and IP with emergency bypass and admin bar hiding.","11":"<strong>Session Management<\/strong> \u2014 Concurrent limits, idle timeout, per-role session duration, and remote termination.","12":"<strong>Social Login Buttons<\/strong> \u2014 Clean social login buttons on the WordPress login 
page."}},"plugin_section":[],"plugin_tags":[1912,46125,1229,2056,1909],"plugin_category":[],"plugin_contributors":[262317],"plugin_business_model":[],"class_list":["post-314636","plugin","type-plugin","status-publish","hentry","plugin_tags-access-control","plugin_tags-brute-force-protection","plugin_tags-login-security","plugin_tags-social-login","plugin_tags-two-factor-authentication","plugin_contributors-rakibantor","plugin_committers-rakibantor"],"banners":{"banner":"https:\/\/ps.w.org\/authdock\/assets\/banner-772x250.png?rev=3566239","banner_2x":"https:\/\/ps.w.org\/authdock\/assets\/banner-1544x500.png?rev=3566239","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/authdock\/assets\/icon-128x128.png?rev=3566239","icon_2x":"https:\/\/ps.w.org\/authdock\/assets\/icon-256x256.png?rev=3566239","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-1.png?rev=3566239","caption":"<strong>Dashboard<\/strong> \u2014 Overview of authentication activity with live stats and quick feature toggles."},{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-2.png?rev=3566239","caption":"<strong>Social Login Settings<\/strong> \u2014 Configure Google, Facebook, GitHub, and X OAuth providers with button style options."},{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-3.png?rev=3566239","caption":"<strong>Magic Link Settings<\/strong> \u2014 Configure link expiry, rate limiting, allowed roles, and force-magic mode."},{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-4.png?rev=3566239","caption":"<strong>Two-Factor Authentication<\/strong> \u2014 TOTP and email-based 2FA setup with QR code provisioning and backup codes."},{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-5.png?rev=3566239","caption":"<strong>Login Protection<\/strong> \u2014 Brute force settings with progressive lockout, IP whitelist\/blacklist, and notification 
options."},{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-6.png?rev=3566239","caption":"<strong>Dynamic Redirects<\/strong> \u2014 Role-based login and logout redirect rules with first-login redirect."},{"src":"https:\/\/ps.w.org\/authdock\/assets\/screenshot-7.png?rev=3566239","caption":"<strong>Audit Logs<\/strong> \u2014 Searchable, filterable log of all authentication events with CSV\/JSON export."}],"raw_content":"<!--section=description-->\n<p><strong>AuthDock<\/strong> is a professional-grade WordPress authentication and user access management plugin that replaces 5\u20137 separate security plugins with a single, unified solution. Built with WordPress-native UI, REST API, and zero bloat.<\/p>\n\n<p>Whether you run a membership site, WooCommerce store, multi-author blog, or corporate intranet \u2014 AuthDock gives you full control over how users log in, stay safe, and interact with your site.<\/p>\n\n<h4>\ud83d\udd11 Social Login<\/h4>\n\n<p>Let users sign in with one click using their existing accounts. 
No more forgotten passwords.<\/p>\n\n<ul>\n<li><strong>Google OAuth 2.0<\/strong> \u2014 Sign in with Google using OAuth 2.0 authorization<\/li>\n<li><strong>Facebook Login<\/strong> \u2014 Authenticate via the Facebook Graph API<\/li>\n<li><strong>GitHub OAuth<\/strong> \u2014 Developer-friendly sign in with GitHub<\/li>\n<li><strong>X (Twitter) OAuth 2.0<\/strong> \u2014 Uses OAuth 2.0 with PKCE (S256) for maximum security<\/li>\n<li><strong>Button Style<\/strong> \u2014 Choose between icon + text, icon only, or text only button styles<\/li>\n<li><strong>Button Layout<\/strong> \u2014 Display buttons vertically or horizontally<\/li>\n<li><strong>Button Order<\/strong> \u2014 Drag and drop to reorder provider buttons<\/li>\n<li><strong>Default Role<\/strong> \u2014 Assign a specific WordPress role to new social registrations (e.g., Subscriber, Customer)<\/li>\n<li><strong>Auto-Registration<\/strong> \u2014 Automatically create WordPress accounts from social profiles<\/li>\n<li><strong>Domain Restriction<\/strong> \u2014 Restrict social login to specific email domains (e.g., <code>company.com<\/code>, <code>university.edu<\/code>)<\/li>\n<li><strong>Avatar Integration<\/strong> \u2014 Automatically set user profile pictures from social account avatars<\/li>\n<li><strong>Account Linking<\/strong> \u2014 Users can link\/unlink social accounts from their WordPress profile page<\/li>\n<li><strong>Shortcode<\/strong> \u2014 Place social login buttons anywhere using <code>[authdock_social_login]<\/code><\/li>\n<li><strong>Developer Filters<\/strong> \u2014 <code>authdock_allow_social_account_linking<\/code> and <code>authdock_allow_social_registration<\/code> for custom control<\/li>\n<\/ul>\n\n<h4>\u2709\ufe0f Magic Link Login<\/h4>\n\n<p>Passwordless authentication \u2014 users receive a one-time login link via email. 
No passwords to remember or leak.<\/p>\n\n<ul>\n<li><strong>Enable\/Disable<\/strong> \u2014 Master toggle for passwordless login<\/li>\n<li><strong>Link Expiry<\/strong> \u2014 Set how long each magic link stays valid (default: 10 minutes)<\/li>\n<li><strong>Rate Limiting<\/strong> \u2014 Max magic link requests per email per hour (default: 5\/hour) to prevent abuse<\/li>\n<li><strong>Allowed Roles<\/strong> \u2014 Restrict magic login to specific user roles (e.g., Subscribers, Editors)<\/li>\n<li><strong>Force Magic Login Mode<\/strong> \u2014 Hide the standard WordPress password form and show only the magic link form<\/li>\n<li><strong>Custom Email Subject<\/strong> \u2014 Personalize the magic link email subject line<\/li>\n<li><strong>Custom Email Body<\/strong> \u2014 Customize using merge tags: <code>{user_name}<\/code>, <code>{magic_link}<\/code>, <code>{expiry_time}<\/code>, <code>{site_name}<\/code>, <code>{ip_address}<\/code><\/li>\n<li><strong>One-Time Use<\/strong> \u2014 Each magic link is cryptographically random and single-use<\/li>\n<li><strong>Token Invalidation<\/strong> \u2014 Magic links are automatically invalidated when a user changes their password<\/li>\n<li><strong>Anti-Enumeration<\/strong> \u2014 Generic success messages prevent attackers from discovering valid email addresses<\/li>\n<li><strong>Shortcode<\/strong> \u2014 Display the form anywhere with <code>[authdock_magic_login]<\/code> and optional <code>redirect<\/code> attribute<\/li>\n<\/ul>\n\n<h4>\ud83d\udd10 Two-Factor Authentication (2FA)<\/h4>\n\n<p>Add a second layer of security to every login. 
Supports TOTP authenticator apps and email-based verification codes.<\/p>\n\n<ul>\n<li><strong>Enable\/Disable<\/strong> \u2014 Master toggle for two-factor authentication<\/li>\n<li><strong>TOTP Method<\/strong> \u2014 Time-based One-Time Passwords (RFC 6238) with QR code provisioning via Google Authenticator, Authy, Microsoft Authenticator, etc.<\/li>\n<li><strong>Email Method<\/strong> \u2014 Receive a 6-digit numeric verification code via email<\/li>\n<li><strong>Enforced Roles<\/strong> \u2014 Force specific WordPress roles (e.g., Administrator, Editor) to enable 2FA<\/li>\n<li><strong>Grace Period<\/strong> \u2014 Give users configurable days to set up 2FA before enforcement kicks in (default: 3 days)<\/li>\n<li><strong>Trusted Devices<\/strong> \u2014 Allow users to skip 2FA on recognized devices for configurable days (default: 30 days)<\/li>\n<li><strong>Backup Recovery Codes<\/strong> \u2014 Generate 10 one-time-use backup codes for account recovery if the authenticator is lost<\/li>\n<li><strong>Brute-Force Protection<\/strong> \u2014 Rate-limited to 5 verification attempts per session to prevent code guessing<\/li>\n<li><strong>Encrypted Secret Storage<\/strong> \u2014 TOTP secrets encrypted with AES-256-CBC before storing in the database<\/li>\n<li><strong>Replay Protection<\/strong> \u2014 Each TOTP code can only be used once per time window (RFC 6238 \u00a75.2)<\/li>\n<li><strong>Clock Drift Tolerance<\/strong> \u2014 Accepts codes from \u00b11 time step (30 seconds) to handle minor clock differences<\/li>\n<li><strong>Interstitial Challenge Screen<\/strong> \u2014 Clean, WordPress-native verification screen after primary authentication<\/li>\n<li><strong>Admin Management<\/strong> \u2014 Administrators can view and disable 2FA for any user from the profile page<\/li>\n<\/ul>\n\n<h4>\ud83d\udee1\ufe0f Brute Force Protection (Login Limiter)<\/h4>\n\n<p>Stop brute-force attacks with intelligent lockout rules that escalate 
automatically.<\/p>\n\n<ul>\n<li><strong>Enable\/Disable<\/strong> \u2014 Master toggle for login attempt limiting<\/li>\n<li><strong>Max Attempts<\/strong> \u2014 Set the number of failed login attempts before lockout (default: 5)<\/li>\n<li><strong>Lockout Duration<\/strong> \u2014 Initial lockout period in minutes (default: 15 minutes)<\/li>\n<li><strong>Progressive Lockout<\/strong> \u2014 Lockouts escalate: 15 min \u2192 1 hour \u2192 24 hours for repeat offenders<\/li>\n<li><strong>Auto-Blacklist<\/strong> \u2014 Permanently ban an IP after a configurable number of lockouts (e.g., after 5)<\/li>\n<li><strong>IP Whitelist<\/strong> \u2014 Allow trusted IPs to bypass login limits (supports exact match, CIDR ranges like <code>192.168.1.0\/24<\/code>, and wildcards like <code>10.0.0.*<\/code>)<\/li>\n<li><strong>IP Blacklist<\/strong> \u2014 Permanently block specific IP addresses, CIDR ranges, or wildcard patterns<\/li>\n<li><strong>Notify Admin on Lockout<\/strong> \u2014 Email alerts when an IP gets locked out<\/li>\n<li><strong>Notify Threshold<\/strong> \u2014 Configure after how many lockouts the notification triggers (default: 1)<\/li>\n<li><strong>XML-RPC Integration<\/strong> \u2014 Automatically block XML-RPC authentication from locked-out IPs<\/li>\n<li><strong>Login Page Warnings<\/strong> \u2014 Display remaining attempt count and lockout timers on the login page<\/li>\n<li><strong>Log Retention<\/strong> \u2014 Configure how long failed login data is retained (default: 30 days)<\/li>\n<li><strong>Trusted Proxies<\/strong> \u2014 Specify trusted reverse proxy IPs for accurate client IP detection behind load balancers<\/li>\n<\/ul>\n\n<h4>\ud83d\udd04 Dynamic Login &amp; Logout Redirects<\/h4>\n\n<p>Send users exactly where they need to go \u2014 based on their role, or if it is their first login.<\/p>\n\n<ul>\n<li><strong>Role-Based Login Redirects<\/strong> \u2014 Set a custom URL per WordPress role after login (e.g., Editors \u2192 
<code>\/editorial-dashboard<\/code>, Subscribers \u2192 <code>\/members-area<\/code>)<\/li>\n<li><strong>Role-Based Logout Redirects<\/strong> \u2014 Set a custom URL per WordPress role after logout<\/li>\n<li><strong>First-Login Redirect<\/strong> \u2014 Redirect new users to a welcome page, onboarding wizard, or setup screen on their first login<\/li>\n<li><strong>Relative &amp; Absolute URLs<\/strong> \u2014 Supports both relative paths (<code>\/dashboard<\/code>) and full URLs (<code>https:\/\/example.com\/welcome<\/code>)<\/li>\n<li><strong>Open Redirect Prevention<\/strong> \u2014 Redirects validated via <code>wp_safe_redirect()<\/code> and <code>wp_validate_redirect()<\/code> to prevent open redirect attacks<\/li>\n<\/ul>\n\n<h4>\ud83d\udccb Audit Logging<\/h4>\n\n<p>Keep a complete, searchable record of every authentication event happening on your site.<\/p>\n\n<ul>\n<li><strong>Enable\/Disable<\/strong> \u2014 Master toggle for audit logging<\/li>\n<li><strong>Tracked Events<\/strong> \u2014 Login success\/failure, logout, password reset\/change, user registration, profile updates, social login\/linking, magic link requests\/usage, 2FA changes, session termination, access blocked, lockout events<\/li>\n<li><strong>Event Details<\/strong> \u2014 Each entry records: user ID, event type, IP, user agent, JSON context, and timestamp<\/li>\n<li><strong>Retention Period<\/strong> \u2014 Choose how long to keep logs: 30, 60, 90, 180, 365 days, or unlimited<\/li>\n<li><strong>Auto-Cleanup<\/strong> \u2014 Daily WP-Cron job removes expired entries in batches of 1,000 to prevent database locks<\/li>\n<li><strong>Filter by Event Type<\/strong> \u2014 View specific event categories (e.g., only failed logins)<\/li>\n<li><strong>Filter by Date Range<\/strong> \u2014 Narrow results by <code>date_from<\/code> and <code>date_to<\/code><\/li>\n<li><strong>Filter by User<\/strong> \u2014 View all events for a specific user ID<\/li>\n<li><strong>Search by IP<\/strong> \u2014 
Find all events from a particular IP address<\/li>\n<li><strong>Full-Text Search<\/strong> \u2014 Search across event types, IPs, and context data<\/li>\n<li><strong>CSV Export<\/strong> \u2014 Download audit logs as a CSV file with formula injection protection<\/li>\n<li><strong>JSON Export<\/strong> \u2014 Export logs in JSON format for integration with external tools<\/li>\n<li><strong>Purge All Logs<\/strong> \u2014 One-click purge to clear all historical log data<\/li>\n<li><strong>Admin UI Viewer<\/strong> \u2014 Built-in admin page with paginated table, filters, and export buttons<\/li>\n<li><strong>Custom Database Table<\/strong> \u2014 Logs stored in a dedicated <code>authdock_audit_logs<\/code> table with proper indexes for fast queries<\/li>\n<\/ul>\n\n<h4>\ud83c\udff0 Security Hardening<\/h4>\n\n<p>Close common WordPress security holes without installing another plugin.<\/p>\n\n<p><strong>Custom Login URL<\/strong>\n* <strong>Custom Slug<\/strong> \u2014 Replace <code>wp-login.php<\/code> with your own secret URL (e.g., <code>\/my-secure-login<\/code>)\n* <strong>Block Action<\/strong> \u2014 Choose what happens when someone visits <code>wp-login.php<\/code>: return a 404 error or redirect to the homepage\n* <strong>Recovery Key<\/strong> \u2014 Access the login page via a secret query parameter even when the custom URL is active<\/p>\n\n<p><strong>XML-RPC Control<\/strong>\n* <strong>Disable XML-RPC<\/strong> \u2014 Completely disable XML-RPC to block remote brute-force attacks\n* <strong>Partial Disable<\/strong> \u2014 Remove only authentication methods while keeping pingbacks functional<\/p>\n\n<p><strong>REST API Restriction<\/strong>\n* <strong>Restrict to Authenticated Users<\/strong> \u2014 Block all REST API access for unauthenticated visitors\n* <strong>Namespace Whitelist<\/strong> \u2014 Allow specific third-party REST namespaces (e.g., WooCommerce, Jetpack) to remain public<\/p>\n\n<p><strong>User Enumeration Prevention<\/strong>\n* 
<strong>Block Author Archives<\/strong> \u2014 Redirect <code>?author=N<\/code> enumeration queries to the homepage\n* <strong>Restrict User REST Endpoint<\/strong> \u2014 Block <code>\/wp-json\/wp\/v2\/users<\/code> for non-logged-in users\n* <strong>Generic Login Errors<\/strong> \u2014 Replace \"username not found\" or \"wrong password\" messages with a generic error<\/p>\n\n<p><strong>Password Strength Enforcement<\/strong>\n* <strong>Force Strong Passwords<\/strong> \u2014 Master toggle for password policy enforcement\n* <strong>Minimum Length<\/strong> \u2014 Set the minimum password length (default: 8 characters)\n* <strong>Require Uppercase<\/strong> \u2014 Mandate at least one uppercase letter\n* <strong>Require Lowercase<\/strong> \u2014 Mandate at least one lowercase letter\n* <strong>Require Number<\/strong> \u2014 Mandate at least one numeric digit\n* <strong>Require Special Character<\/strong> \u2014 Mandate at least one special character (e.g., <code>!@#$%<\/code>)\n* <strong>Enforced Roles<\/strong> \u2014 Apply password rules only to specific roles<\/p>\n\n<p><strong>Security HTTP Headers<\/strong>\n* <strong>X-Content-Type-Options<\/strong> \u2014 Prevents MIME-type sniffing (<code>nosniff<\/code>)\n* <strong>X-Frame-Options<\/strong> \u2014 Blocks clickjacking by restricting iframe embedding (<code>SAMEORIGIN<\/code>)\n* <strong>X-XSS-Protection<\/strong> \u2014 Legacy XSS filter for older browsers (<code>1; mode=block<\/code>)\n* <strong>Referrer-Policy<\/strong> \u2014 Controls referrer information sent with requests (<code>strict-origin-when-cross-origin<\/code>)\n* <strong>Strict-Transport-Security (HSTS)<\/strong> \u2014 Enforces HTTPS connections for 1 year (<code>max-age=31536000; includeSubDomains<\/code>)\n* <strong>Permissions-Policy<\/strong> \u2014 Restricts access to camera, microphone, and geolocation APIs<\/p>\n\n<p><strong>Role-Based Session Duration<\/strong>\n* <strong>Per-Role Cookie Lifetime<\/strong> \u2014 Set different 
authentication cookie durations per WordPress role (in hours)<\/p>\n\n<h4>\ud83d\udce7 Email Notifications<\/h4>\n\n<p>Stay informed about critical security events with real-time email alerts \u2014 for admins and users.<\/p>\n\n<p><strong>Admin Notifications<\/strong>\n* <strong>Multiple Failed Logins<\/strong> \u2014 Alert every N failed attempts from the same IP (default: every 3)\n* <strong>IP Lockout<\/strong> \u2014 Alert when an IP gets locked out\n* <strong>Admin Login Alert<\/strong> \u2014 Notify when an administrator account logs in\n* <strong>New User Registration<\/strong> \u2014 Alert on every new user registration\n* <strong>User Promoted to Admin<\/strong> \u2014 Alert when any user is promoted to the Administrator role\n* <strong>Admin Password Changed<\/strong> \u2014 Alert when an administrator's password is changed or reset\n* <strong>2FA Disabled<\/strong> \u2014 Alert when any user disables two-factor authentication\n* <strong>Login from New IP<\/strong> \u2014 Alert when a user logs in from a previously unseen IP address<\/p>\n\n<p><strong>User Self-Notifications<\/strong>\n* <strong>Password Changed<\/strong> \u2014 Notify the user when their password is changed\n* <strong>Email Changed<\/strong> \u2014 Notify at the OLD email address when a user's email is updated (security measure)\n* <strong>2FA Status Changed<\/strong> \u2014 Notify the user when 2FA is enabled or disabled on their account\n* <strong>Social Account Linked<\/strong> \u2014 Notify when a social provider is connected to their account\n* <strong>New Device Login<\/strong> \u2014 Notify the user when a login is detected from a new IP address\n* <strong>Account Locked<\/strong> \u2014 Notify the user when their account is locked due to failed attempts<\/p>\n\n<p><strong>Notification Settings<\/strong>\n* <strong>Custom Recipients<\/strong> \u2014 Set custom email addresses for admin notifications (defaults to site admin email)\n* <strong>Throttle Period<\/strong> \u2014 
Configurable cooldown in minutes to prevent notification flooding (default: 60 minutes)\n* <strong>Digest Mode<\/strong> \u2014 Option to batch notifications instead of sending them individually\n* <strong>Test Email<\/strong> \u2014 Send a test notification to verify email configuration is working<\/p>\n\n<h4>\ud83d\udeaa wp-admin Access Control<\/h4>\n\n<p>Restrict who can access the WordPress dashboard \u2014 by role, by IP, or both.<\/p>\n\n<ul>\n<li><strong>Enable\/Disable<\/strong> \u2014 Master toggle for access control<\/li>\n<li><strong>Blocked Roles<\/strong> \u2014 Select which roles are blocked from accessing <code>\/wp-admin<\/code> (e.g., Subscriber, Customer)<\/li>\n<li><strong>IP Restriction Mode<\/strong> \u2014 Enable IP-based restrictions so only whitelisted IPs can access wp-admin<\/li>\n<li><strong>IP Whitelist<\/strong> \u2014 Specify allowed IP addresses and CIDR ranges (e.g., <code>203.0.113.5<\/code>, <code>192.168.1.0\/24<\/code>)<\/li>\n<li><strong>Hide Admin Bar<\/strong> \u2014 Remove the WordPress admin bar from the frontend for blocked roles<\/li>\n<li><strong>Redirect Action<\/strong> \u2014 Choose what happens when access is denied: redirect to homepage, custom URL, or show a 403 Forbidden page<\/li>\n<li><strong>Custom Redirect URL<\/strong> \u2014 Set a specific URL for the access-denied redirect<\/li>\n<li><strong>Emergency Bypass Key<\/strong> \u2014 Secret query parameter (<code>?authdock_bypass=YOUR_KEY<\/code>) to regain access if locked out<\/li>\n<li><strong>Smart Exceptions<\/strong> \u2014 AJAX requests, WP-Cron, and <code>admin-post.php<\/code> always allowed through<\/li>\n<li><strong>Administrator Immunity<\/strong> \u2014 Administrators are never blocked, regardless of settings<\/li>\n<\/ul>\n\n<h4>\u23f1\ufe0f Session Management<\/h4>\n\n<p>Take control of user sessions \u2014 limit concurrent logins, enforce idle timeouts, and terminate sessions remotely.<\/p>\n\n<ul>\n<li><strong>Enable\/Disable<\/strong> \u2014 
Master toggle for session management<\/li>\n<li><strong>Concurrent Session Limit<\/strong> \u2014 Maximum simultaneous sessions per user (0 = unlimited). Oldest sessions are destroyed when the limit is exceeded<\/li>\n<li><strong>Idle Session Timeout<\/strong> \u2014 Auto-logout after configurable inactivity period (in minutes, 0 = disabled)<\/li>\n<li><strong>Per-Role Session Duration<\/strong> \u2014 Different session lifetimes for each WordPress role (in hours)<\/li>\n<li><strong>Admin Session Viewer<\/strong> \u2014 View all active sessions via the REST API, including user details and last activity timestamps<\/li>\n<li><strong>Remote Session Termination<\/strong> \u2014 Administrators can terminate all sessions for any user via a single API call<\/li>\n<li><strong>Throttled Activity Tracking<\/strong> \u2014 Last-activity timestamps updated at most once per 5 minutes to minimize database writes<\/li>\n<\/ul>\n\n<h4>\u26a1 Performance &amp; Infrastructure<\/h4>\n\n<p>AuthDock is built for speed and follows WordPress best practices from top to bottom.<\/p>\n\n<ul>\n<li><strong>Conditional Asset Loading<\/strong> \u2014 CSS and JavaScript files load only on pages where they are needed<\/li>\n<li><strong>Indexed Database Tables<\/strong> \u2014 Custom tables use proper indexes for fast lookups<\/li>\n<li><strong>WP-Cron Maintenance<\/strong> \u2014 Audit log cleanup runs via non-blocking WP-Cron<\/li>\n<li><strong>Transient-Based Tracking<\/strong> \u2014 Brute force tracking uses transients (no additional DB queries per login attempt)<\/li>\n<li><strong>REST API Powered<\/strong> \u2014 All admin data operations go through the <code>authdock\/v1<\/code> namespace with 15+ endpoints<\/li>\n<li><strong>Hook-Based Architecture<\/strong> \u2014 Centralized Loader class registers all hooks for clean dependency management<\/li>\n<li><strong>Custom Capabilities<\/strong> \u2014 <code>authdock_manage_settings<\/code>, <code>authdock_view_audit_logs<\/code>, 
<code>authdock_export_audit_logs<\/code>, <code>authdock_manage_sessions<\/code>, <code>authdock_manage_lockouts<\/code><\/li>\n<li><strong>Clean Activation<\/strong> \u2014 Creates database tables, sets defaults, registers capabilities, and schedules cron<\/li>\n<li><strong>Clean Deactivation<\/strong> \u2014 Clears cron events but preserves all settings for reactivation<\/li>\n<li><strong>Full Uninstall<\/strong> \u2014 Removes everything: options, user meta, database tables, capabilities, and transients<\/li>\n<li><strong>Full i18n<\/strong> \u2014 All user-facing strings use WordPress internationalization functions with the <code>authdock<\/code> text domain<\/li>\n<\/ul>\n\n<h4>\ud83e\udd14 Why Choose AuthDock?<\/h4>\n\n<ul>\n<li><strong>Replace 5\u20137 plugins<\/strong> \u2014 Social login + magic links + 2FA + brute force + audit logs + session management + access control \u2014 all in one<\/li>\n<li><strong>WordPress-native UI<\/strong> \u2014 Looks and feels like core WordPress, not a foreign dashboard<\/li>\n<li><strong>REST API powered<\/strong> \u2014 Modern, secure data handling for all admin operations<\/li>\n<li><strong>Lightweight &amp; fast<\/strong> \u2014 Conditional loading, object caching, zero external frameworks in admin<\/li>\n<li><strong>Developer-friendly<\/strong> \u2014 Extensive hooks, filters, and custom capabilities for extensibility<\/li>\n<li><strong>WordPress.org compliant<\/strong> \u2014 No tracking, no encoded code, no forced upsells, full GPL-2.0+<\/li>\n<\/ul>\n\n<h4>\ud83d\udd17 Shortcodes<\/h4>\n\n<ul>\n<li><code>[authdock_social_login]<\/code> \u2014 Display social login buttons (attributes: <code>layout<\/code>, <code>style<\/code>)<\/li>\n<li><code>[authdock_magic_login]<\/code> \u2014 Display magic link login form (attributes: <code>redirect<\/code>)<\/li>\n<li><code>[authdock_login_form]<\/code> \u2014 Display login form with 2FA support<\/li>\n<\/ul>\n\n<h3>External services<\/h3>\n\n<ul>\n<li><strong>Google 
OAuth<\/strong> \u2014 <a href=\"https:\/\/policies.google.com\/terms\">Terms<\/a> | <a href=\"https:\/\/policies.google.com\/privacy\">Privacy<\/a><\/li>\n<li><strong>Facebook Login<\/strong> \u2014 <a href=\"https:\/\/www.facebook.com\/legal\/terms\">Terms<\/a> | <a href=\"https:\/\/www.facebook.com\/privacy\/policy\/\">Privacy<\/a><\/li>\n<li><strong>GitHub OAuth<\/strong> \u2014 <a href=\"https:\/\/docs.github.com\/en\/site-policy\/github-terms\/github-terms-of-service\">Terms<\/a> | <a href=\"https:\/\/docs.github.com\/en\/site-policy\/privacy-policies\/github-general-privacy-statement\">Privacy<\/a><\/li>\n<li><strong>X (Twitter) OAuth<\/strong> \u2014 <a href=\"https:\/\/x.com\/en\/tos\">Terms<\/a> | <a href=\"https:\/\/x.com\/en\/privacy\">Privacy<\/a><\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>authdock<\/code> folder to <code>\/wp-content\/plugins\/<\/code><\/li>\n<li>Activate the plugin through the 'Plugins' menu in WordPress<\/li>\n<li>Go to <strong>AuthDock<\/strong> in the admin menu to configure settings<\/li>\n<li>Enable the features you want to use<\/li>\n<\/ol>\n\n<p>Or install directly from the WordPress plugin repository:<\/p>\n\n<ol>\n<li>Go to <strong>Plugins \u2192 Add New<\/strong> in your WordPress admin<\/li>\n<li>Search for \"AuthDock\"<\/li>\n<li>Click <strong>Install Now<\/strong>, then <strong>Activate<\/strong><\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20authdock%20work%20with%20woocommerce%3F\"><h3>Does AuthDock work with WooCommerce?<\/h3><\/dt>\n<dd><p>Yes. Social login buttons appear on WooCommerce login and checkout pages when WooCommerce is active. Role-based redirects also work with WooCommerce customer roles.<\/p><\/dd>\n<dt id=\"is%20authdock%20multisite%20compatible%3F\"><h3>Is AuthDock multisite compatible?<\/h3><\/dt>\n<dd><p>Yes. 
Each subsite in a WordPress multisite network has independent settings and its own audit log table.<\/p><\/dd>\n<dt id=\"will%20authdock%20slow%20down%20my%20site%3F\"><h3>Will AuthDock slow down my site?<\/h3><\/dt>\n<dd><p>No. AuthDock uses conditional asset loading \u2014 CSS and JavaScript load only where needed. Database queries use proper indexing, and brute force tracking uses lightweight transients instead of database writes.<\/p><\/dd>\n<dt id=\"what%20happens%20when%20i%20deactivate%20the%20plugin%3F\"><h3>What happens when I deactivate the plugin?<\/h3><\/dt>\n<dd><p>Cron events are cleaned up, but your settings, database tables, and user data are preserved so you can reactivate later without losing configuration.<\/p><\/dd>\n<dt id=\"what%20happens%20when%20i%20delete%20the%20plugin%3F\"><h3>What happens when I delete the plugin?<\/h3><\/dt>\n<dd><p>All plugin data is completely removed: options, user meta (social IDs, 2FA secrets, trusted devices), custom database tables, capabilities, and transients.<\/p><\/dd>\n<dt id=\"can%20i%20use%20social%20login%20and%202fa%20together%3F\"><h3>Can I use social login and 2FA together?<\/h3><\/dt>\n<dd><p>Yes. When a user logs in via social login, they must still complete the 2FA challenge if enabled for their account or role. AuthDock ensures 2FA cannot be bypassed regardless of login method.<\/p><\/dd>\n<dt id=\"what%20authenticator%20apps%20work%20with%20authdock%202fa%3F\"><h3>What authenticator apps work with AuthDock 2FA?<\/h3><\/dt>\n<dd><p>Any TOTP-compatible app works, including Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and FreeOTP.<\/p><\/dd>\n<dt id=\"what%20if%20i%20get%20locked%20out%20by%20the%20custom%20login%20url%3F\"><h3>What if I get locked out by the custom login URL?<\/h3><\/dt>\n<dd><p>AuthDock includes a recovery key parameter. Access your login page via <code>?authdock_recover=YOUR_KEY<\/code> to bypass the custom login URL block. 
The recovery key is set in your security settings. Because the key is sent in the URL, it can be recorded in server access logs and browser history, so treat it like a password and change it after you have used it.<\/p><\/dd>\n<dt id=\"does%20brute%20force%20protection%20work%20with%20cloudflare%20or%20reverse%20proxies%3F\"><h3>Does brute force protection work with Cloudflare or reverse proxies?<\/h3><\/dt>\n<dd><p>Yes. Configure trusted proxy IPs in the login limiter settings, and AuthDock will correctly read the real client IP from <code>X-Forwarded-For<\/code> headers. List only the proxies that actually sit in front of your site, because the header is supplied by the sender and is only reliable when the request arrives from a proxy you trust.<\/p><\/dd>\n<dt id=\"can%20i%20export%20my%20audit%20logs%3F\"><h3>Can I export my audit logs?<\/h3><\/dt>\n<dd><p>Yes. Audit logs can be exported in CSV and JSON formats via the REST API or admin UI. CSV exports include formula injection protection for safe spreadsheet use.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<li>Social Login with Google, Facebook, GitHub, and X (Twitter) via OAuth 2.0<\/li>\n<li>Magic Link passwordless login with configurable expiry, rate limiting, and force-magic mode<\/li>\n<li>Two-Factor Authentication \u2014 TOTP (RFC 6238) and email-based 2FA with encrypted secret storage, backup codes, trusted devices, and per-role enforcement<\/li>\n<li>Brute force protection with configurable attempts, progressive lockout escalation, IP whitelist\/blacklist with CIDR and wildcard support, and auto-blacklist<\/li>\n<li>Dynamic login\/logout redirects with per-role configuration and first-login redirect<\/li>\n<li>Comprehensive audit logging to custom database table with retention, filters, CSV\/JSON export, and auto-cleanup<\/li>\n<li>Security hardening \u2014 custom login URL with recovery key, XML-RPC control, REST API restriction, user enumeration prevention, password strength enforcement, and 6 security HTTP headers<\/li>\n<li>wp-admin access control with role-based and IP-based restrictions, admin bar hiding, emergency bypass key, and smart AJAX\/cron exceptions<\/li>\n<li>Session management \u2014 concurrent session limiting, idle timeout, per-role session duration, admin 
session viewer, and remote termination<\/li>\n<li>Email notification system with 8 admin triggers, 6 user self-notification triggers, configurable throttling, custom recipients, and test email<\/li>\n<li>REST API namespace <code>authdock\/v1<\/code> with 15+ endpoints for all data operations<\/li>\n<li>5 custom capabilities for granular permission control<\/li>\n<li>Full i18n support with <code>.pot<\/code> file<\/li>\n<li>WordPress.org compliance \u2014 GPL-2.0+, no tracking, no encoded code, third-party service disclosure<\/li>\n<\/ul>","raw_excerpt":"All-in-one WordPress authentication: social login, magic links, 2FA, brute force protection, session management &amp; security hardening.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/es-do.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/314636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/es-do.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/es-do.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/es-do.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=314636"}],"author":[{"embeddable":true,"href":"https:\/\/es-do.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/rakibantor"}],"wp:attachment":[{"href":"https:\/\/es-do.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=314636"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/es-do.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=314636"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/es-do.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=314636"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/es-do.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=314636"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/es-do.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=314636"},{"taxonomy":"plugin_business_m
odel","embeddable":true,"href":"https:\/\/es-do.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=314636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}