oOMF! Access

Author: oOMF!
Turn the default WordPress login into a branded, passwordless, social-ready access hub with redirects and layered anti-abuse controls.
Version
1.0.0
Last updated
Jun 2, 2026
oOMF! Access gives WordPress sites a better front door: a polished login page, guided account flows, passwordless magic links, social sign-in, safe redirects, CAPTCHA, hide-admin controls, honeypots, throttling, and lockout protection.

It is built for agencies, membership sites, product teams, and site owners who want a professional sign-in experience without hand-rolling templates, OAuth plumbing, redirect rules, and abuse controls for every project.

Why teams use it

  • A login page worth sharing — replace the default WordPress screen with a branded page powered by [oomf_access_form], theme-aware styling, logo controls, custom copy, gradients, and live admin previews.
  • One flow for every access moment — keep login, registration, lost password, password reset, logged-in states, and magic-link requests inside the same consistent interface.
  • Passwordless and social sign-in — offer email magic links plus Google, Apple, GitHub, Microsoft, and Facebook providers with provider-specific setup hints.
  • Redirects you can trust — send people to the right page after login/logout while validating redirect_to values and exposing filters for approved external hosts.
  • Layered anti-abuse controls — enable reCAPTCHA, hCaptcha, honeypots, soft throttling, lockouts, secret login paths, and emergency bypass flows from wp-admin.
  • Developer-friendly internals — focused hooks and filters let you customize destinations, CAPTCHA behavior, provider handling, inline CSS, and allowed redirect hosts.

Built for the real WordPress admin

The settings screen includes a live preview, grouped controls for content/appearance/behavior/security, provider previews, and setup copy for external services. Frontend and admin assets load only where needed and are versioned with filemtime().

Privacy

oOMF! Access does not send data to oOMF! services. CAPTCHA and social login features connect only when you enable them and provide your own third-party credentials. Removing the plugin deletes its settings, and the generated login page can also be removed via the oomf_access/delete_page_on_uninstall filter.

External services

oOMF! Access connects to outside services only when the related feature is enabled.

Google reCAPTCHA (v2/v3)

  • Purpose: spam and abuse protection for access forms.
  • Endpoints: https://www.google.com/recaptcha/api.js and https://www.google.com/recaptcha/api/siteverify.
  • Data sent: site key/secret, visitor response token, action name, and optionally visitor IP.
  • Terms: https://policies.google.com/terms
  • Privacy: https://policies.google.com/privacy

hCaptcha

  • Purpose: CAPTCHA validation.
  • Endpoints: https://js.hcaptcha.com and https://hcaptcha.com/siteverify.
  • Data sent: site key/secret, response token, action name, and optionally visitor IP.
  • Terms: https://www.hcaptcha.com/terms
  • Privacy: https://www.hcaptcha.com/privacy

Google OAuth

  • Purpose: sign in with Google.
  • Endpoints: accounts.google.com/o/oauth2/v2/auth, oauth2.googleapis.com/token, and openidconnect.googleapis.com/v1/userinfo.
  • Data sent: authorization code, code verifier, redirect URI, client credentials, and selected scopes. Returned data can include name, verified email, avatar, and locale.
  • Terms: https://policies.google.com/terms
  • Privacy: https://policies.google.com/privacy

Apple Sign In

  • Purpose: sign in with Apple.
  • Endpoints: appleid.apple.com/auth/authorize and appleid.apple.com/auth/token.
  • Data sent: authorization code, client ID, redirect URI, and signed JWT assertions generated from your Apple key. Returned data can include name and email.
  • Terms: https://www.apple.com/legal/internet-services/terms/site.html
  • Privacy: https://www.apple.com/legal/privacy/

GitHub OAuth

  • Purpose: sign in with GitHub.
  • Endpoints: github.com/login/oauth/authorize, github.com/login/oauth/access_token, api.github.com/user, and api.github.com/user/emails.
  • Data sent: authorization code, client credentials, redirect URI, and scopes. Returned data can include ID, email, name, and avatar.
  • Terms: https://docs.github.com/en/site-policy/github-terms/github-terms-of-service
  • Privacy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement

Microsoft OAuth

  • Purpose: sign in with Microsoft.
  • Endpoints: login.microsoftonline.com/common/oauth2/v2.0/authorize, login.microsoftonline.com/common/oauth2/v2.0/token, and graph.microsoft.com/v1.0/me.
  • Data sent: authorization code, client credentials, redirect URI, and scopes. Returned data can include ID, email, name, and locale.
  • Terms: https://www.microsoft.com/licensing/terms/productoffering/MicrosoftOnlineServices/MOSPT
  • Privacy: https://privacy.microsoft.com/privacystatement

Facebook Login

  • Purpose: sign in with Facebook.
  • Endpoints: facebook.com/v18.0/dialog/oauth, graph.facebook.com/v18.0/oauth/access_token, and graph.facebook.com/v18.0/me.
  • Data sent: authorization code, app credentials, redirect URI, and scopes. Returned data can include ID, email, name, and avatar.
  • Terms: https://www.facebook.com/legal/terms
  • Privacy: https://www.facebook.com/policy.php

Hooks & Extension Points

  • oomf_access_redirect_destination — override the final destination after login.
  • oomf-access/allowed_redirect_hosts — allow approved external redirect hosts.
  • oomf-access/captcha/allow_external — control whether CAPTCHA network calls are allowed.
  • oomf_access_captcha_is_required — decide whether CAPTCHA is required for a request.
  • oomf_access_captcha_validate_result — customize CAPTCHA validation results.
  • oomf-access/inline_css — inject extra CSS into the admin preview and frontend.
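
The redirect_to validation and approved-host allowlist mentioned above come down to a check like the following. This is an added example, not the plugin's own code: the function name, its parameters and the sample hosts are hypothetical, and because the page does not document the signature of oomf-access/allowed_redirect_hosts, the allowlist is passed in as a plain array.

```php
<?php
// Added example, not plugin code. $allowed_hosts stands in for the hosts a site
// approves through the oomf-access/allowed_redirect_hosts filter (assumption:
// the page does not show that filter's signature).
function example_validate_redirect(string $redirect_to, string $site_host, array $allowed_hosts, string $fallback): string
{
    $target = trim($redirect_to);

    // Control characters and backslashes have no place in a redirect target;
    // some browsers normalise "\" to "/", turning "/\host" into "//host".
    if ($target === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $target)) {
        return $fallback;
    }

    // Same-site path: exactly one leading slash ("//host" is protocol-relative).
    if ($target[0] === '/' && substr($target, 0, 2) !== '//') {
        return $target;
    }

    // Everything else must be an absolute http(s) URL without userinfo.
    $parts = parse_url($target);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host']) || isset($parts['user'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }

    // Exact, case-insensitive host match; no suffix or substring matching.
    $approved = array_map('strtolower', array_merge([$site_host], $allowed_hosts));
    return in_array(strtolower($parts['host']), $approved, true) ? $target : $fallback;
}

// Constructed sample inputs.
$samples = [
    '/account/orders',
    'https://shop.example.com/cart',
    'https://partner.example.net/welcome',
    '//unapproved.example.org/',
    'https://shop.example.com@unapproved.example.org/',
    'https://shop.example.com.unapproved.example.org/',
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    echo str_pad($s, 52), ' => ',
        example_validate_redirect($s, 'shop.example.com', ['partner.example.net'], '/'), PHP_EOL;
}
```

Only the first three samples keep their destination; every other value falls back to `/`.
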
Tested up to
WordPress 7.0
This plugin can be downloaded and used with .