OAuth2 Account Login

WP OAuth2 adds "Login with WordPress.com" (OAuth2) to your WordPress login screen and a connect/disconnect widget on user profile pages. It's designed for agencies and teams managing multiple sites who want a consistent WordPress.com login without installing Jetpack.

External Service: WordPress.com OAuth2 API – Service purpose: Authenticate users with their WordPress.com accounts. – Data sent: Client ID, redirect URI, OAuth authorization code, and standard HTTP request metadata during the OAuth flow. – Data received: WordPress.com user ID, email, and display name to link or create WordPress users. – Service terms: https://wordpress.com/tos/ – Privacy policy: https://automattic.com/privacy/

Features:

• WordPress.com login (OAuth2 "auth" scope).
• Link or unlink WordPress users to WordPress.com accounts.
• Auto-create users when no matching email exists (optional).
• Allowlist by email domain or WordPress.com user ID (optional).
• Audit log of the last 20 OAuth attempts (optional).
• Stores only WordPress.com user ID in user meta (no access tokens stored).
• Short-lived OAuth state with HttpOnly cookie + transient for CSRF protection.

Setup requires creating a WordPress.com application and adding the redirect URI shown in the plugin settings. Feature toggles let you enable or disable the login button, profile widget, auto-create users, admin notices, allowlists, and the audit log.

Privacy

This plugin connects to WordPress.com to authenticate users. It stores the WordPress.com user ID in WordPress user meta to link accounts. OAuth access tokens are used during the login flow and are not stored. A short-lived HttpOnly cookie and transient are used for OAuth state validation and expire automatically. If the audit log is enabled, the last 20 OAuth attempts are stored (time, status, IP address, and basic details) in a non-autoloaded option. WordPress.com service terms: https://wordpress.com/tos/ and privacy policy: https://automattic.com/privacy/.