
AuthDock — Login Security, 2FA, Social Login & Brute Force Protection

Author: RAKIBUZZAMAN
All-in-one WordPress authentication: social login, magic links, 2FA, brute force protection, session management & security hardening.
Version
1.0.2
Last updated
Jun 10, 2026

AuthDock is a professional-grade WordPress authentication and user access management plugin that replaces 5–7 separate security plugins with a single, unified solution. Built with WordPress-native UI, REST API, and zero bloat.

Whether you run a membership site, WooCommerce store, multi-author blog, or corporate intranet — AuthDock gives you full control over how users log in, stay safe, and interact with your site.

🔑 Social Login

Let users sign in with one click using their existing accounts. No more forgotten passwords.

  • Google OAuth 2.0 — Sign in with Google using OAuth 2.0 authorization
  • Facebook Login — Authenticate via the Facebook Graph API
  • GitHub OAuth — Developer-friendly sign in with GitHub
  • X (Twitter) OAuth 2.0 — Uses OAuth 2.0 with PKCE (S256), so an authorization code intercepted on the redirect cannot be exchanged for tokens without the code verifier
  • Button Style — Choose between icon + text, icon only, or text only button styles
  • Button Layout — Display buttons vertically or horizontally
  • Button Order — Drag and drop to reorder provider buttons
  • Default Role — Assign a specific WordPress role to new social registrations (e.g., Subscriber, Customer)
  • Auto-Registration — Automatically create WordPress accounts from social profiles
  • Domain Restriction — Restrict social login to specific email domains (e.g., company.com, university.edu)
  • Avatar Integration — Automatically set user profile pictures from social account avatars
  • Account Linking — Users can link/unlink social accounts from their WordPress profile page
  • Shortcode — Place social login buttons anywhere using [authdock_social_login]
  • Developer Filters — authdock_allow_social_account_linking and authdock_allow_social_registration for custom control

✉️ Magic Link Login

Passwordless authentication — users receive a one-time login link via email. No passwords to remember or leak.

  • Enable/Disable — Master toggle for passwordless login
  • Link Expiry — Set how long each magic link stays valid (default: 10 minutes)
  • Rate Limiting — Max magic link requests per email per hour (default: 5/hour) to prevent abuse
  • Allowed Roles — Restrict magic login to specific user roles (e.g., Subscribers, Editors)
  • Force Magic Login Mode — Hide the standard WordPress password form and show only the magic link form
  • Custom Email Subject — Personalize the magic link email subject line
  • Custom Email Body — Customize using merge tags: {user_name}, {magic_link}, {expiry_time}, {site_name}, {ip_address}
  • One-Time Use — Each magic link is cryptographically random and single-use
  • Token Invalidation — Magic links are automatically invalidated when a user changes their password
  • Anti-Enumeration — Generic success messages prevent attackers from discovering valid email addresses
  • Shortcode — Display the form anywhere with [authdock_magic_login] and optional redirect attribute
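The magic link properties listed above (cryptographically random single-use token, fixed expiry, per-email hourly rate limit, one generic reply for known and unknown addresses, invalidation on password change) combine into a small protocol. The following is an added, stand-alone Python model of that protocol, not AuthDock's code; the in-memory stores, the sample user, and the password-version stamp used to invalidate links on password change are assumptions for illustration (the plugin does not document its mechanism).

```python
import hashlib
import secrets

LINK_TTL_SECONDS = 10 * 60    # page default: 10 minutes
MAX_REQUESTS_PER_HOUR = 5     # page default: 5 per email per hour
GENERIC_REPLY = "If that address has an account, a login link has been sent."

# Constructed in-memory stores standing in for the plugin's user meta / transients.
USERS = {"alice@example.com": {"id": 7, "password_version": 1}}   # constructed sample user
TOKENS = {}          # sha256(token) -> {"user_id", "expires", "password_version"}
REQUEST_LOG = {}     # email -> [request timestamps]


def _hash(token: str) -> str:
    # Store only a hash: a database read of the token table must not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_magic_link(email: str, now: float):
    """Returns (message, token_or_None). The message is identical for unknown
    addresses and throttled requests, so the response leaks nothing about accounts."""
    recent = [t for t in REQUEST_LOG.get(email, []) if now - t < 3600]
    REQUEST_LOG[email] = recent
    if email not in USERS or len(recent) >= MAX_REQUESTS_PER_HOUR:
        return GENERIC_REPLY, None
    recent.append(now)
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; goes into the emailed URL
    TOKENS[_hash(token)] = {
        "user_id": USERS[email]["id"],
        "expires": now + LINK_TTL_SECONDS,
        "password_version": USERS[email]["password_version"],   # assumption: stamped for invalidation
    }
    return GENERIC_REPLY, token


def consume_magic_link(token: str, now: float):
    """Single-use: the record is removed on first lookup whether or not login succeeds.
    Returns the user ID on success, None otherwise."""
    rec = TOKENS.pop(_hash(token), None)
    if rec is None or now > rec["expires"]:
        return None
    user = next(u for u in USERS.values() if u["id"] == rec["user_id"])
    if user["password_version"] != rec["password_version"]:
        return None   # password changed after the link was issued
    return rec["user_id"]


def change_password(email: str) -> None:
    # Bumping the version invalidates every outstanding link for this user.
    USERS[email]["password_version"] += 1
```

The token itself is never written to storage, only its hash, so a leaked token table cannot be replayed; and the lookup deletes the record before any check, which is what makes the link genuinely single-use even when the first attempt fails.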

🔐 Two-Factor Authentication (2FA)

Add a second layer of security to every login. Supports TOTP authenticator apps and email-based verification codes.

  • Enable/Disable — Master toggle for two-factor authentication
  • TOTP Method — Time-based One-Time Passwords (RFC 6238) with QR code provisioning for Google Authenticator, Authy, Microsoft Authenticator and other authenticator apps
  • Email Method — Receive a 6-digit numeric verification code via email
  • Enforced Roles — Force specific WordPress roles (e.g., Administrator, Editor) to enable 2FA
  • Grace Period — Give users configurable days to set up 2FA before enforcement kicks in (default: 3 days)
  • Trusted Devices — Allow users to skip 2FA on recognized devices for configurable days (default: 30 days)
  • Backup Recovery Codes — Generate 10 one-time-use backup codes for account recovery if the authenticator is lost
  • Brute-Force Protection — Rate-limited to 5 verification attempts per session to prevent code guessing
  • Encrypted Secret Storage — TOTP secrets encrypted with AES-256-CBC before storing in the database
  • Replay Protection — Each TOTP code can only be used once per time window (RFC 6238 §5.2)
  • Clock Drift Tolerance — Accepts codes from ±1 time step (30 seconds) to handle minor clock differences
  • Interstitial Challenge Screen — Clean, WordPress-native verification screen after primary authentication
  • Admin Management — Administrators can view and disable 2FA for any user from the profile page
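To make the TOTP claims above concrete (RFC 6238 codes, a ±1 step drift window, one-time acceptance of each code, a five-attempt limit per challenge, hashed one-time backup codes), here is an added Python model written for this page; it is not AuthDock's implementation. It uses only the standard library; the RFC 4226/6238 test secret "12345678901234567890" and the otpauth URI layout are from those specifications, while the verifier class and backup-code format are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30      # RFC 6238 default, as on the page
DRIFT_STEPS = 1     # accept +/-1 step, as on the page
MAX_ATTEMPTS = 5    # per challenge session, as on the page


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % 10 ** digits
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from time."""
    return hotp(secret, unix_time // TIME_STEP)


def provisioning_uri(secret: bytes, account: str, issuer: str = "AuthDock") -> str:
    """otpauth:// URI that authenticator apps read from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period={TIME_STEP}")


class TotpVerifier:
    """One per user (assumption): remembers accepted counters so a code is
    accepted once per time window (RFC 6238 section 5.2) and counts failures."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_counters = set()
        self.failures = 0

    def verify(self, code: str, unix_time: int) -> bool:
        if self.failures >= MAX_ATTEMPTS:
            return False   # challenge session exhausted; the user must log in again
        current = unix_time // TIME_STEP
        # Forget counters that have fallen out of the window; the set stays tiny.
        self.used_counters = {c for c in self.used_counters if c >= current - DRIFT_STEPS}
        for counter in range(max(0, current - DRIFT_STEPS), current + DRIFT_STEPS + 1):
            if counter in self.used_counters:
                continue   # replay of a code already accepted in this window
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                self.failures = 0
                return True
        self.failures += 1
        return False


def generate_backup_codes(n: int = 10):
    """Returns (plaintext codes to show once, hashes to store). Format is an assumption."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_backup_code(code: str, stored_hashes: set) -> bool:
    h = hashlib.sha256(code.encode()).hexdigest()
    if h in stored_hashes:
        stored_hashes.discard(h)   # one-time use
        return True
    return False
```

Two details worth checking in any TOTP verifier: the comparison is constant-time (`hmac.compare_digest`), and the replay check runs before the comparison, so a valid code captured over the shoulder is useless for the rest of its window. Generating the window from `max(0, ...)` avoids a negative counter in the first 30 seconds of the epoch, which only matters in tests but would crash `struct.pack`.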

🛡️ Brute Force Protection (Login Limiter)

Stop brute-force attacks with intelligent lockout rules that escalate automatically.

  • Enable/Disable — Master toggle for login attempt limiting
  • Max Attempts — Set the number of failed login attempts before lockout (default: 5)
  • Lockout Duration — Initial lockout period in minutes (default: 15 minutes)
  • Progressive Lockout — Lockouts escalate: 15 min → 1 hour → 24 hours for repeat offenders
  • Auto-Blacklist — Permanently ban an IP after a configurable number of lockouts (e.g., after 5)
  • IP Whitelist — Allow trusted IPs to bypass login limits (supports exact match, CIDR ranges like 192.168.1.0/24, and wildcards like 10.0.0.*)
  • IP Blacklist — Permanently block specific IP addresses, CIDR ranges, or wildcard patterns
  • Notify Admin on Lockout — Email alerts when an IP gets locked out
  • Notify Threshold — Configure after how many lockouts the notification triggers (default: 1)
  • XML-RPC Integration — Automatically block XML-RPC authentication from locked-out IPs
  • Login Page Warnings — Display remaining attempt count and lockout timers on the login page
  • Log Retention — Configure how long failed login data is retained (default: 30 days)
  • Trusted Proxies — Specify trusted reverse proxy IPs for accurate client IP detection behind load balancers
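The limiter described above is only as good as the IP it keys on: behind a load balancer, the peer address is the proxy and the real client address arrives in X-Forwarded-For, which any client can also forge. The following is an added Python model, not AuthDock's code, of the pieces listed in this section: trusted-proxy resolution of the client IP, whitelist/blacklist matching for exact, CIDR and wildcard entries, the 5-attempt / 15 min → 1 h → 24 h ladder, and auto-blacklisting after five lockouts. The proxy range, the in-memory state and the sample addresses are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

MAX_ATTEMPTS = 5                                   # page default
LOCKOUT_LADDER = (15 * 60, 60 * 60, 24 * 60 * 60)  # 15 min -> 1 h -> 24 h (page's ladder)
BLACKLIST_AFTER_LOCKOUTS = 5                       # page example
TRUSTED_PROXIES = ["10.0.0.0/8"]                   # constructed: internal load-balancer range


def ip_matches_any(ip: str, patterns) -> bool:
    """Exact (203.0.113.5), CIDR (192.168.1.0/24) or wildcard (10.0.0.*) entries."""
    addr = ipaddress.ip_address(ip)
    for p in patterns:
        if "*" in p:
            regex = "^" + re.escape(p).replace(r"\*", r"\d{1,3}") + "$"
            if re.match(regex, ip):
                return True
        elif addr in ipaddress.ip_network(p, strict=False):
            return True
    return False


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, then walk
    the chain right to left and take the first hop that is not a trusted proxy.
    Anything further left was appended by the client and is attacker-controlled."""
    if not x_forwarded_for or not ip_matches_any(remote_addr, TRUSTED_PROXIES):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr   # malformed header: fall back to the peer address
        if not ip_matches_any(hop, TRUSTED_PROXIES):
            return hop
    return remote_addr


@dataclass
class LoginLimiter:
    failures: dict = field(default_factory=dict)      # ip -> failures since last lockout
    lockouts: dict = field(default_factory=dict)      # ip -> lockouts so far
    locked_until: dict = field(default_factory=dict)  # ip -> unix time
    blacklist: set = field(default_factory=set)
    whitelist: list = field(default_factory=list)

    def is_blocked(self, ip: str, now: float) -> bool:
        if ip_matches_any(ip, self.whitelist):
            return False
        return ip in self.blacklist or self.locked_until.get(ip, 0) > now

    def record_failure(self, ip: str, now: float) -> Optional[int]:
        """Returns the lockout length in seconds when this failure triggers one."""
        if ip_matches_any(ip, self.whitelist):
            return None
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < MAX_ATTEMPTS:
            return None
        self.failures[ip] = 0
        n = self.lockouts.get(ip, 0)           # lockouts before this one
        self.lockouts[ip] = n + 1
        if n + 1 >= BLACKLIST_AFTER_LOCKOUTS:
            self.blacklist.add(ip)             # permanent from here on
        duration = LOCKOUT_LADDER[min(n, len(LOCKOUT_LADDER) - 1)]
        self.locked_until[ip] = now + duration
        return duration
```

The check to run after deploying such a limiter: send a login attempt with a forged `X-Forwarded-For: 127.0.0.1` from outside the proxy range and confirm it is counted against your real address, not the forged one. If the trusted-proxy list is empty or too wide (for example `0.0.0.0/0`), every attacker can pick the IP they are throttled under and the whitelist becomes a bypass.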

🔄 Dynamic Login & Logout Redirects

Send users exactly where they need to go — based on their role, or if it is their first login.

  • Role-Based Login Redirects — Set a custom URL per WordPress role after login (e.g., Editors → /editorial-dashboard, Subscribers → /members-area)
  • Role-Based Logout Redirects — Set a custom URL per WordPress role after logout
  • First-Login Redirect — Redirect new users to a welcome page, onboarding wizard, or setup screen on their first login
  • Relative & Absolute URLs — Supports both relative paths (/dashboard) and full URLs (https://example.com/welcome)
  • Open Redirect Prevention — Redirects validated via wp_safe_redirect() and wp_validate_redirect() to prevent open redirect attacks
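Accepting both relative paths and absolute URLs for redirects is exactly where open-redirect bugs live, so the validation step deserves a worked check. The function below is an added Python example of the checks such a validator must make; it is modelled on the intent of wp_validate_redirect() but is not WordPress's or AuthDock's code, and the site host allowlist is a constructed assumption.

```python
from urllib.parse import urlsplit

SITE_HOSTS = {"example.com", "www.example.com"}   # constructed: hosts this site may redirect to
FALLBACK = "/"


def safe_redirect_target(raw: str, fallback: str = FALLBACK) -> str:
    """Return `raw` if it can only lead to this site, otherwise `fallback`."""
    location = raw.strip()
    # Control characters and backslashes are browser-normalisation tricks
    # ("/\evil.com" is treated as "//evil.com"); refuse rather than sanitise.
    if not location or any(ord(c) < 0x20 or c == "\\" for c in location):
        return fallback
    if location.startswith("//"):
        location = "https:" + location   # protocol-relative: make the host explicit so it gets checked
    parts = urlsplit(location)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback                  # javascript:, data:, and friends
    if parts.username or parts.password:
        return fallback                  # http://example.com@evil.com reads as our host, lands on theirs
    if parts.netloc:
        if (parts.hostname or "").lower() not in SITE_HOSTS:
            return fallback              # exact host match, so example.com.evil.com fails
        return location
    if not location.startswith("/"):
        return fallback                  # "https:/evil.com" and bare "dashboard" both end here
    return location                      # plain site-relative path, query string included
```

The exact-host comparison is the point: a prefix or substring check (`startswith("https://example.com")`) is defeated by `https://example.com.evil.com`, and a suffix check by `https://evil-example.com`.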

📋 Audit Logging

Keep a complete, searchable record of every authentication event happening on your site.

  • Enable/Disable — Master toggle for audit logging
  • Tracked Events — Login success/failure, logout, password reset/change, user registration, profile updates, social login/linking, magic link requests/usage, 2FA changes, session termination, access blocked, lockout events
  • Event Details — Each entry records: user ID, event type, IP, user agent, JSON context, and timestamp
  • Retention Period — Choose how long to keep logs: 30, 60, 90, 180, 365 days, or unlimited
  • Auto-Cleanup — Daily WP-Cron job removes expired entries in batches of 1,000 to prevent database locks
  • Filter by Event Type — View specific event categories (e.g., only failed logins)
  • Filter by Date Range — Narrow results by date_from and date_to
  • Filter by User — View all events for a specific user ID
  • Search by IP — Find all events from a particular IP address
  • Full-Text Search — Search across event types, IPs, and context data
  • CSV Export — Download audit logs as a CSV file with formula injection protection
  • JSON Export — Export logs in JSON format for integration with external tools
  • Purge All Logs — One-click purge to clear all historical log data
  • Admin UI Viewer — Built-in admin page with paginated table, filters, and export buttons
  • Custom Database Table — Logs stored in a dedicated authdock_audit_logs table with proper indexes for fast queries

🏰 Security Hardening

Close common WordPress security holes without installing another plugin.

Custom Login URL

  • Custom Slug — Replace wp-login.php with your own secret URL (e.g., /my-secure-login)
  • Block Action — Choose what happens when someone visits wp-login.php: return a 404 error or redirect to the homepage
  • Recovery Key — Access the login page via a secret query parameter even when the custom URL is active

XML-RPC Control

  • Disable XML-RPC — Completely disable XML-RPC to block remote brute-force attacks
  • Partial Disable — Remove only authentication methods while keeping pingbacks functional

REST API Restriction

  • Restrict to Authenticated Users — Block all REST API access for unauthenticated visitors
  • Namespace Whitelist — Allow specific third-party REST namespaces (e.g., WooCommerce, Jetpack) to remain public

User Enumeration Prevention

  • Block Author Archives — Redirect ?author=N enumeration queries to the homepage
  • Restrict User REST Endpoint — Block /wp-json/wp/v2/users for non-logged-in users
  • Generic Login Errors — Replace “username not found” or “wrong password” messages with a generic error

Password Strength Enforcement

  • Force Strong Passwords — Master toggle for password policy enforcement
  • Minimum Length — Set the minimum password length (default: 8 characters)
  • Require Uppercase — Mandate at least one uppercase letter
  • Require Lowercase — Mandate at least one lowercase letter
  • Require Number — Mandate at least one numeric digit
  • Require Special Character — Mandate at least one special character (e.g., !@#$%)
  • Enforced Roles — Apply password rules only to specific roles

Security HTTP Headers

  • X-Content-Type-Options — Prevents MIME-type sniffing (nosniff)
  • X-Frame-Options — Blocks clickjacking by restricting iframe embedding (SAMEORIGIN)
  • X-XSS-Protection — Legacy XSS filter for older browsers (1; mode=block)
  • Referrer-Policy — Controls referrer information sent with requests (strict-origin-when-cross-origin)
  • Strict-Transport-Security (HSTS) — Enforces HTTPS connections for 1 year (max-age=31536000; includeSubDomains)
  • Permissions-Policy — Restricts access to camera, microphone, and geolocation APIs

Role-Based Session Duration

  • Per-Role Cookie Lifetime — Set different authentication cookie durations per WordPress role (in hours)

📧 Email Notifications

Stay informed about critical security events with real-time email alerts — for admins and users.

Admin Notifications

  • Multiple Failed Logins — Alert every N failed attempts from the same IP (default: every 3)
  • IP Lockout — Alert when an IP gets locked out
  • Admin Login Alert — Notify when an administrator account logs in
  • New User Registration — Alert on every new user registration
  • User Promoted to Admin — Alert when any user is promoted to the Administrator role
  • Admin Password Changed — Alert when an administrator’s password is changed or reset
  • 2FA Disabled — Alert when any user disables two-factor authentication
  • Login from New IP — Alert when a user logs in from a previously unseen IP address

User Self-Notifications

  • Password Changed — Notify the user when their password is changed
  • Email Changed — Notify at the OLD email address when a user’s email is updated (security measure)
  • 2FA Status Changed — Notify the user when 2FA is enabled or disabled on their account
  • Social Account Linked — Notify when a social provider is connected to their account
  • New Device Login — Notify the user when a login is detected from a new IP address
  • Account Locked — Notify the user when their account is locked due to failed attempts

Notification Settings

  • Custom Recipients — Set custom email addresses for admin notifications (defaults to site admin email)
  • Throttle Period — Configurable cooldown in minutes to prevent notification flooding (default: 60 minutes)
  • Digest Mode — Option to batch notifications instead of sending them individually
  • Test Email — Send a test notification to verify email configuration is working

🚪 wp-admin Access Control

Restrict who can access the WordPress dashboard — by role, by IP, or both.

  • Enable/Disable — Master toggle for access control
  • Blocked Roles — Select which roles are blocked from accessing /wp-admin (e.g., Subscriber, Customer)
  • IP Restriction Mode — Enable IP-based restrictions so only whitelisted IPs can access wp-admin
  • IP Whitelist — Specify allowed IP addresses and CIDR ranges (e.g., 203.0.113.5, 192.168.1.0/24)
  • Hide Admin Bar — Remove the WordPress admin bar from the frontend for blocked roles
  • Redirect Action — Choose what happens when access is denied: redirect to homepage, custom URL, or show a 403 Forbidden page
  • Custom Redirect URL — Set a specific URL for the access-denied redirect
  • Emergency Bypass Key — Secret query parameter (?authdock_bypass=YOUR_KEY) to regain access if locked out
  • Smart Exceptions — AJAX requests, WP-Cron, and admin-post.php always allowed through. Because admin-ajax.php and admin-post.php remain reachable, this control restricts the dashboard UI only: a blocked role keeps every capability it already has, so it is not a substitute for least-privilege role assignment
  • Administrator Immunity — Administrators are never blocked, regardless of settings

⏱️ Session Management

Take control of user sessions — limit concurrent logins, enforce idle timeouts, and terminate sessions remotely.

  • Enable/Disable — Master toggle for session management
  • Concurrent Session Limit — Maximum simultaneous sessions per user (0 = unlimited). Oldest sessions are destroyed when the limit is exceeded
  • Idle Session Timeout — Auto-logout after configurable inactivity period (in minutes, 0 = disabled)
  • Per-Role Session Duration — Different session lifetimes for each WordPress role (in hours)
  • Admin Session Viewer — View all active sessions via the REST API, including user details and last activity timestamps
  • Remote Session Termination — Administrators can terminate all sessions for any user via a single API call
  • Throttled Activity Tracking — Last-activity timestamps updated at most once per 5 minutes to minimize database writes

⚡ Performance & Infrastructure

AuthDock is built for speed and follows WordPress best practices from top to bottom.

  • Conditional Asset Loading — CSS and JavaScript files load only on pages where they are needed
  • Indexed Database Tables — Custom tables use proper indexes for fast lookups
  • WP-Cron Maintenance — Audit log cleanup runs via non-blocking WP-Cron
  • Transient-Based Tracking — Brute force tracking uses transients, which are served from memory when a persistent object cache (Redis, Memcached) is configured; without one, WordPress stores transients in the wp_options table, so each login attempt still costs a database query
  • REST API Powered — All admin data operations go through the authdock/v1 namespace with 15+ endpoints
  • Hook-Based Architecture — Centralized Loader class registers all hooks for clean dependency management
  • Custom Capabilities — authdock_manage_settings, authdock_view_audit_logs, authdock_export_audit_logs, authdock_manage_sessions, authdock_manage_lockouts
  • Clean Activation — Creates database tables, sets defaults, registers capabilities, and schedules cron
  • Clean Deactivation — Clears cron events but preserves all settings for reactivation
  • Full Uninstall — Removes everything: options, user meta, database tables, capabilities, and transients
  • Full i18n — All user-facing strings use WordPress internationalization functions with the authdock text domain

🤔 Why Choose AuthDock?

  • Replace 5–7 plugins — Social login + magic links + 2FA + brute force + audit logs + session management + access control — all in one
  • WordPress-native UI — Looks and feels like core WordPress, not a foreign dashboard
  • REST API powered — Modern, secure data handling for all admin operations
  • Lightweight & fast — Conditional loading, object caching, zero external frameworks in admin
  • Developer-friendly — Extensive hooks, filters, and custom capabilities for extensibility
  • WordPress.org compliant — No tracking, no encoded code, no forced upsells, full GPL-2.0+

🔗 Shortcodes

  • [authdock_social_login] — Display social login buttons (attributes: layout, style)
  • [authdock_magic_login] — Display magic link login form (attributes: redirect)
  • [authdock_login_form] — Display login form with 2FA support

External services

Free on paid plans
By installing, you agree to the WordPress.com Terms of Service and Third-Party Plugin Terms.
Tested up to
WordPress 7.0