plugin-icon

Zen Login & Authentication

Frontend login, registration, and password recovery for WordPress and Elementor, with rate limiting, honeypot, and AJAX forms.
Évaluations
Version
2.2.3
Mis à jour récemment
Jul 11, 2026
Zen Login & Authentication

Zen Login & Authentication replaces the default wp-login.php experience with clean, accessible, theme-integrated forms that live on your actual site. It works out of the box on any WordPress theme and ships with first-class Elementor support: five drag-and-drop widgets that fit any page-builder layout, with full Theme Builder compatibility.

The plugin works with no configuration and adds no tracking or « phone home » behaviour. Every feature that contacts an external service is opt-in — Google sign-in, breached-password checking (Have I Been Pwned), and Cloudflare Turnstile — so out of the box the plugin makes no external calls at all. See External services below.

What it does

  • Login with username, email, or either (configurable).
  • Registration with optional user-chosen passwords and auto-login.
  • Lost Password / Reset Password with the full WordPress email flow.
  • Account page — logged-in users edit their first/last name, public display name, email, and password from the frontend, without ever seeing wp-admin. Guests visiting the account page are sent to the login form and return after signing in.
  • Sign in with Google (optional) — a server-side OpenID Connect flow with no Google JavaScript on your pages. New accounts can be auto-created (toggleable) and existing accounts are linked by verified email.
  • Two-factor authentication (optional, opt-in per user) — app-based TOTP with local QR enrollment and one-time recovery codes, managed from the Account page. Once a user turns it on, a second-factor step is required at login.
  • Sign out of other devices — from the Account page, a logged-in user can end every other active session for their account in one click; the current device stays signed in.
  • Passkeys (WebAuthn) (optional, opt-in per user) — users add passkeys from the Account page and sign in with no password using Face ID, a fingerprint, Windows Hello, or a security key. Passwordless sign-ins are phishing-resistant and count as multi-factor, so they skip both the password and any two-factor step. Verified locally; requires HTTPS.
  • New-device login alerts — emails the account owner the first time their account is signed in from an unrecognised device or browser, using your site’s normal email. On by default.
  • URL rewriting so every site-wide wp-login.php link is transparently redirected to your frontend pages.
  • Multisite support — network-activated, per-site settings, signup/activation flow handled.
  • Smart redirects?redirect_to= is honoured everywhere. Subscribers are kept out of wp-admin and sent to a destination you set in Settings → Zen Login & Authentication → Subscriber redirect (a page slug or URL; empty = site home). Privileged users always land where they intended.
  • Login activity dashboard — a « Login Activity » widget on your WordPress dashboard summarising successful logins, failed attempts, and rate-limit lockouts over the past week, with the top failed usernames, the most-blocked IPs, and a recent-events feed. IP addresses are stored anonymised, history is auto-pruned, and the data is removed on uninstall.
  • Cache exclusion — auth pages are automatically excluded from LiteSpeed Cache, Super Page Cache, WP Rocket, W3 Total Cache, and WP Super Cache.

Security

  • Nonce verification on every form submission.
  • Rate limiting — configurable max attempts per IP with a lockout window, per form (login, register, lost-password, reset-password), with optional per-form thresholds.
  • Honeypot spam protection — rotating hidden field (hourly key rotation via HMAC) catches bots; trapped submissions get a fake success response.
  • Spoof-resistant IP detection — rate-limit keys use the real socket address (REMOTE_ADDR) by default; forwarded headers are opt-in via a filter for sites genuinely behind Cloudflare.
  • No password pre-population, bcrypt-compatible (wp_set_password() / wp_signon()), and an 8-character minimum on new passwords.
  • Username-enumeration hardening (on by default) — blocks ?author=N author scans and the REST /wp/v2/users listing for logged-out visitors, and collapses login errors to one neutral message so a valid username is never confirmed. Author archives at /author/name/ and logged-in editors are unaffected.
  • Breached-password blocking (optional) — reject passwords found in the Have I Been Pwned corpus at registration, reset, and account update, using k-anonymity: only the first 5 characters of the password’s SHA-1 hash are sent, never the password. Fails open if the service is unreachable.
  • Cloudflare Turnstile (optional) — a privacy-friendly bot challenge on the login, registration, and lost-password forms, on the plugin’s forms and wp-login.php alike.
  • XML-RPC lockdown (optional) — disable XML-RPC to close the system.multicall brute-force amplifier and pingback abuse.
  • Two-factor authentication (TOTP) — opt-in per user; the shared secret is stored encrypted, recovery codes are hashed and single-use, and the login challenge sets no auth cookie until the second factor verifies.

External services

This plugin contacts an external service only when you enable one of the optional features below. Out of the box it makes no external calls.

  • Google OAuth / OpenID Connect (accounts.google.com and oauth2.googleapis.com). When a user clicks « Continue with Google », they are redirected to Google’s consent screen, and the plugin’s server then exchanges the one-time authorization code for an ID token. The data involved: the OAuth client credentials you configured, the single-use authorization code, and — returned by Google — the user’s verified email address, name, and Google account ID, which are used solely to log the user in or create their account on your site. This service is provided by Google LLC: Terms of Service, Privacy Policy.
  • Have I Been Pwned — Pwned Passwords (api.pwnedpasswords.com). Enabled only when « Block breached passwords » is turned on. When a user sets or changes a password (registration, password reset, or account update), the plugin sends the first 5 characters of the password’s SHA-1 hash to the range API and checks the returned list locally. The password itself, the full hash, and any user identity are never transmitted (k-anonymity model), and the request is cached. This service is provided by Have I Been Pwned: Terms of Use, Privacy Policy, Pwned Passwords.
  • Cloudflare Turnstile (challenges.cloudflare.com). Enabled only when Turnstile is configured. The challenge script is loaded on the protected forms, and on submission the resulting challenge token and the visitor’s IP address are sent to Cloudflare’s siteverify endpoint to confirm the visitor is not a bot. This service is provided by Cloudflare, Inc.: Terms of Service, Privacy Policy.

If none of these features are enabled (the default), the plugin makes no external calls whatsoever.

Elementor integration

Five native widgets registered under a « Zen Login & Authentication » category:

  • Login Form — custom labels, placeholders, toggle text, and link overrides; hidden when logged in (unless reauth=1); picks up ?redirect_to= from the URL.
  • Registration Form — password + confirm fields when user-chosen passwords are enabled, with a live strength meter.
  • Lost Password Form — password-recovery request form.
  • Reset Password Form — reads ?key=&login= from the URL and shows a friendly message when the link is missing or expired.
  • Account Form — frontend profile editing (first/last name, public display name, email, optional password change) for the logged-in user, with the same label/placeholder/style controls as the other widgets.

Every widget has a full style panel (container, title, labels, fields with focus glow, button normal/hover, links, messages, password toggle, strength meter).

Classic widgets

Five WP_Widget subclasses are also registered for classic / block-based widget areas: Login, Register, Lost Password, Reset Password, and Account.

Pages

On activation the plugin sets up a real WordPress page for each auth action so Elementor Theme Builder targeting works. For each default slug it reuses an existing page if one is there (never modifying or deleting it), otherwise creates one. The process is idempotent, so activate/deactivate cycles never duplicate pages, and the plugin also works with no real pages via its virtual URL-rewrite fallback.

Gratuitsur les plans payants
En procédant à l’installation, vous acceptez les Conditions d’utilisation de WordPress.com ainsi que les Conditions de l’extension tierce.
Testé jusqu’à version
WordPress 7.0.1
Cette extension est disponible en téléchargement pour votre site .