HappyAccess

HappyAccess simplifies the process of granting temporary admin access to support engineers, developers, and agencies – securely, transparently, and GDPR-compliantly.

It removes the need for merchants to manually create/delete admin users or share passwords, while maintaining full control and audit visibility.

Key Features

Access & Authentication

• OTP-Based Authentication: Generate secure 6-digit codes instead of sharing passwords.
• Magic Link Authentication: One-click login links with short expiration (1-10 minutes), single-use.
• OTP Share Links: Generate secure single-view links to share OTP codes safely with auto-expiry.
• Reusable Access Codes: Support engineers can log in multiple times with the same code until it expires.
• One-Time Use Option: Generate codes that automatically revoke after first use for maximum security.
• Role Selection: Assign any WordPress role (Administrator, Editor, Shop Manager, or custom roles).
• Time-Limited Access: Automatically expires after the set duration (1 hour to 30 days).

Access Restrictions

• Admin Menu & Submenu Restrictions: Block temp users from specific admin pages with a visual picker. Supports top-level menus and individual sub-pages (WooCommerce tabs, EDD sections, BuddyPress, or any plugin).
• Direct URL Blocking: Restricted pages are inaccessible even when accessed by typing the URL directly.
• Hide Admin Bar: Option to hide the WordPress admin bar for temporary users.
• Main Admin Protection: Temp users cannot see, edit, or delete the site owner. Dangerous bulk actions are blocked.
• Plugin Self-Protection: HappyAccess is hidden from the plugins list for temp users.
• Activate/Deactivate Toggle: Suspend a temp user’s access without deleting them, and reactivate later with one click.

Security

• reCAPTCHA v3 Protection: Optional invisible bot protection for OTP login.
• IP Allowlist: Optionally restrict access codes to specific IP addresses.
• Rate Limiting: Failed attempt lockouts and IP tracking prevent brute force attacks.
• Emergency Lock: One-click admin bar button to instantly revoke all active tokens.
• Session Management: Logout all temp sessions without revoking tokens.

Monitoring & Compliance

• Full Audit Log: Track all access, logins, restrictions, and actions with filterable event log and CSV export.
• Live Countdown Timer: Real-time expiry countdown in the admin bar with auto-logout.
• Login Count Tracking: See first login vs re-logins in the audit log.
• Active Token Management: View all active codes, see usage status, generate magic links, and revoke anytime.
• Email Notifications: Send access codes and magic links to admin or support email.
• Automatic Cleanup: Temporary users and old logs are deleted automatically when access expires.
• GDPR Compliant: Built-in consent workflow, privacy policy integration, and data export/erasure support.
• Native WordPress UI: Clean interface matching WordPress and WooCommerce admin styles.

How It Works

1. Go to Users → HappyAccess in your WordPress admin.
2. Click Generate Access tab.
3. Choose duration (1 hour to 30 days) and role.
4. Optionally enable email notification.
5. Accept GDPR terms and click Generate Access Code.
6. Share the 6-digit code with your support engineer.
7. They enter the code at your login page – no username/password needed.
8. Access automatically expires and user is deleted.

Perfect For

• Support Engineers – Quick access without password hassles.
• Agencies – Manage client access professionally.
• Store Owners – Maintain security while getting help.
• Developers – Troubleshoot without credential sharing.

GDPR & Security

• All access must be disclosed in your Terms & Conditions.
• Complete audit trail of all actions.
• Data stored locally on your WordPress site.
• Automatic data cleanup after 30 days.
• Rate limiting prevents brute force attacks.

Third-Party Services

This plugin optionally connects to the following third-party service:

Google reCAPTCHA v3 (optional)

When enabled in Settings, HappyAccess loads Google reCAPTCHA v3 on the WordPress login page to protect the OTP field from automated attacks. This sends the user’s IP address, browser information, and interaction data to Google for bot detection.

• Service URL: https://www.google.com/recaptcha/
• Terms of Service: https://policies.google.com/terms
• Privacy Policy: https://policies.google.com/privacy

reCAPTCHA is disabled by default and must be explicitly enabled by an administrator. When disabled, no data is sent to Google.

Privacy Policy

HappyAccess stores access logs locally on your WordPress site. No data is sent to external services unless you enable optional integrations (see Third-Party Services above).

The plugin collects: * IP addresses of users accessing with temporary codes. * Browser information (user agent). * Access times and durations. * Actions performed (audit log).

This data is automatically deleted after 30 days unless configured otherwise.

When Google reCAPTCHA v3 is enabled, the user’s IP address, browser fingerprint, and interaction data are sent to Google for bot detection. See Google’s Privacy Policy for details.

You must disclose in your Terms & Conditions that you may grant admin access to third parties for support purposes.