AuthDock — Login Security, 2FA, Social Login & Brute Force Protection

AuthDock is a professional-grade WordPress authentication and user access management plugin that replaces 5–7 separate security plugins with a single, unified solution. Built with WordPress-native UI, REST API integration, and zero bloat.

Whether you run a membership site, WooCommerce store, multi-author blog, or corporate intranet — AuthDock gives you full control over how users log in, stay safe, and interact with your site.

🔑 Social Login

Let users sign in with one click using their existing accounts. No more forgotten passwords.

  • Google OAuth 2.0 — Sign in with Google using OAuth 2.0 authorization
  • Facebook Login — Authenticate via the Facebook Graph API
  • GitHub OAuth — Developer-friendly sign in with GitHub
  • X (Twitter) OAuth 2.0 — Uses OAuth 2.0 with PKCE (S256) for maximum security
  • Button Style — Choose between icon + text, icon only, or text only button styles
  • Button Layout — Display buttons vertically or horizontally
  • Button Order — Drag and drop to reorder provider buttons
  • Default Role — Assign a specific WordPress role to new social registrations (e.g., Subscriber, Customer)
  • Auto-Registration — Automatically create WordPress accounts from social profiles
  • Domain Restriction — Restrict social login to specific email domains (e.g., company.com, university.edu)
  • Avatar Integration — Automatically set user profile pictures from social account avatars
  • Account Linking — Users can link/unlink social accounts from their WordPress profile page
  • Shortcode — Place social login buttons anywhere using [authdock_social_login]
  • Developer Filters — authdock_allow_social_account_linking and authdock_allow_social_registration for custom control

✉️ Magic Link Login

Passwordless authentication — users receive a one-time login link via email. No passwords to remember or leak.

  • Enable/Disable — Master toggle for passwordless login
  • Link Expiry — Set how long each magic link stays valid (in minutes, default: 10 minutes)
  • Rate Limiting — Maximum magic link requests per email per hour (default: 5/hour) to prevent abuse
  • Allowed Roles — Restrict magic login to specific user roles (e.g., Subscribers, Editors)
  • Force Magic Login Mode — Hide the standard WordPress password form entirely and show only the magic link form
  • Custom Email Subject — Personalize the magic link email subject line
  • Custom Email Body — Customize the email body using merge tags: {user_name}, {magic_link}, {expiry_time}, {site_name}, {ip_address}
  • One-Time Use — Each magic link is cryptographically random and can only be used once
  • Token Invalidation — Magic links are automatically invalidated when a user changes their password
  • Anti-Enumeration — Generic success messages prevent attackers from discovering valid email addresses
  • Shortcode — Display the form anywhere with [authdock_magic_login] and optional redirect attribute
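The magic link properties listed above (cryptographically random one-time token, configurable expiry, per-email rate limit, invalidation on password change, generic response regardless of whether the email exists) as an added example built on WordPress transients. This is not AuthDock's code; the function and transient names are assumptions.

```php
<?php
// Added example (not AuthDock's code): one-time magic link tokens backed by
// WordPress transients. Helper names are assumptions; the expiry and rate
// limit follow the defaults listed above (10 minutes, 5 requests/email/hour).

function example_magic_link_create( string $email, int $expiry_minutes = 10 ): ?string {
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        return null; // caller shows the same generic "check your inbox" message either way
    }
    // Per-email rate limit. Re-setting the transient restarts the hour, which is
    // stricter than a true sliding window but needs no extra table.
    $rate_key = 'example_ml_rate_' . md5( strtolower( $email ) );
    $count    = (int) get_transient( $rate_key );
    if ( $count >= 5 ) {
        return null;
    }
    set_transient( $rate_key, $count + 1, HOUR_IN_SECONDS );

    $token = bin2hex( random_bytes( 32 ) ); // 256 bits from the CSPRNG
    // Store only a hash of the token, bound to the current password hash so that
    // a password change invalidates every outstanding link for this user.
    set_transient(
        'example_ml_' . hash( 'sha256', $token ),
        [ 'user_id' => $user->ID, 'pw' => hash( 'sha256', $user->user_pass ) ],
        $expiry_minutes * MINUTE_IN_SECONDS
    );
    return add_query_arg( 'example_ml', $token, wp_login_url() );
}

function example_magic_link_consume( string $token ): bool {
    if ( ! preg_match( '/^[a-f0-9]{64}$/', $token ) ) {
        return false;
    }
    $key  = 'example_ml_' . hash( 'sha256', $token );
    $data = get_transient( $key );
    if ( ! is_array( $data ) ) {
        return false; // unknown, expired, or already used
    }
    delete_transient( $key ); // one-time use: burn the token before any further check
    $user = get_user_by( 'id', $data['user_id'] );
    if ( ! $user || ! hash_equals( $data['pw'], hash( 'sha256', $user->user_pass ) ) ) {
        return false; // password changed since the link was issued
    }
    wp_set_auth_cookie( $user->ID, false );
    return true;
}
```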

🔐 Two-Factor Authentication (2FA)

Add a second layer of security to every login. Supports TOTP authenticator apps and email-based verification codes.

  • Enable/Disable — Master toggle for two-factor authentication
  • TOTP Method — Time-based One-Time Passwords (RFC 6238) with QR code provisioning via Google Authenticator, Authy, Microsoft Authenticator, etc.
  • Email Method — Receive a 6-digit numeric verification code via email
  • Enforced Roles — Force specific WordPress roles (e.g., Administrator, Editor) to enable 2FA
  • Grace Period — Give users a configurable number of days to set up 2FA before enforcement kicks in (default: 3 days)
  • Trusted Devices — Allow users to skip 2FA on recognized devices for a configurable number of days (default: 30 days)
  • Trust Duration — Set how long a device stays trusted (in days)
  • Backup Recovery Codes — Generate 10 one-time-use backup codes for account recovery if the authenticator device is lost
  • Brute-Force Protection — Rate-limited to 5 verification attempts per session to prevent code guessing
  • Encrypted Secret Storage — TOTP secrets are encrypted with AES-256-CBC before storing in the database
  • Replay Protection — Each TOTP code can only be used once per time window (RFC 6238 §5.2)
  • Clock Drift Tolerance — Accepts codes from ±1 time step (30 seconds) to handle minor clock differences
  • Interstitial Challenge Screen — Clean, WordPress-native verification screen shown after primary authentication
  • Admin Management — Administrators can view and disable 2FA for any user from the user profile page
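The TOTP behaviour described above (RFC 6238, six digits, 30-second step, ±1 step drift tolerance, one use per time window) as an added example. It is not AuthDock's code: the helper names and the user meta keys are assumptions, and the secret is assumed to be stored base32-encoded (in a real deployment it would be decrypted first, as the plugin describes).

```php
<?php
// Added example (not AuthDock's code): RFC 6238 TOTP check with a ±1 step
// window and per-user replay protection. Assumes the base32 secret lives in
// user meta; both meta key names here are assumptions.

function example_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $ch ) {
        $bits .= str_pad( decbin( (int) strpos( $alphabet, $ch ) ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

function example_totp_at( string $secret, int $step_counter, int $digits = 6 ): string {
    $msg  = pack( 'J', $step_counter );                  // 8-byte big-endian counter
    $hmac = hash_hmac( 'sha1', $msg, $secret, true );     // HMAC-SHA1 per RFC 4226
    $off  = ord( $hmac[19] ) & 0x0F;                      // dynamic truncation offset
    $bin  = ( ( ord( $hmac[ $off ] ) & 0x7F ) << 24 )
          | ( ord( $hmac[ $off + 1 ] ) << 16 )
          | ( ord( $hmac[ $off + 2 ] ) << 8 )
          | ord( $hmac[ $off + 3 ] );
    return str_pad( (string) ( $bin % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

function example_totp_verify( int $user_id, string $code, int $now = 0, int $period = 30 ): bool {
    $now     = $now ?: time();
    $secret  = example_base32_decode( (string) get_user_meta( $user_id, 'example_totp_secret', true ) );
    $current = intdiv( $now, $period );
    $last    = (int) get_user_meta( $user_id, 'example_totp_last_step', true );
    foreach ( [ -1, 0, 1 ] as $delta ) {                  // ±1 step clock-drift tolerance
        $step = $current + $delta;
        if ( $step <= $last ) {
            continue;                                     // replay protection (RFC 6238 §5.2)
        }
        if ( hash_equals( example_totp_at( $secret, $step ), $code ) ) {
            update_user_meta( $user_id, 'example_totp_last_step', $step );
            return true;
        }
    }
    return false;
}
```

Recording the highest accepted step, rather than the last code, also rejects a code from the previous window once a newer one has been accepted.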

🛡️ Brute Force Protection (Login Limiter)

Stop brute-force attacks with intelligent lockout rules that escalate automatically.

  • Enable/Disable — Master toggle for login attempt limiting
  • Max Attempts — Set the number of failed login attempts before triggering a lockout (default: 5)
  • Lockout Duration — Time for the initial lockout period in minutes (default: 15 minutes)
  • Progressive Lockout — Lockouts automatically escalate: 15 minutes → 1 hour → 24 hours for repeat offenders
  • Auto-Blacklist — Permanently ban an IP after a configurable number of lockouts (e.g., after 5 lockouts)
  • IP Whitelist — Allow trusted IP addresses to bypass login limits (supports exact match, CIDR ranges like 192.168.1.0/24, and wildcards like 10.0.0.*)
  • IP Blacklist — Permanently block specific IP addresses, CIDR ranges, or wildcard patterns
  • Notify Admin on Lockout — Send email alerts to the site administrator when an IP gets locked out
  • Notify Threshold — Configure after how many lockouts the notification triggers (default: 1)
  • XML-RPC Integration — Automatically block XML-RPC authentication from locked-out IPs
  • Login Page Warnings — Display remaining attempt count and lockout timers directly on the login page
  • Log Retention — Configure how long failed login attempt data is retained (default: 30 days)
  • Trusted Proxies — Specify trusted reverse proxy IPs for accurate client IP detection behind load balancers
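The whitelist/blacklist pattern forms listed above (exact IP, CIDR range, trailing wildcard) and the 15 minutes → 1 hour → 24 hours lockout ladder, as an added example that is not AuthDock's code. Function names are assumptions; the matcher handles IPv4 only.

```php
<?php
// Added example (not AuthDock's code): match a client IPv4 address against the
// three pattern forms the limiter accepts, and compute the escalating lockout.
// Function names are assumptions.

function example_ip_matches( string $ip, string $pattern ): bool {
    $pattern = trim( $pattern );
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) === false ) {
        return false; // IPv4 only in this example
    }
    if ( strpos( $pattern, '/' ) !== false ) {            // CIDR, e.g. 192.168.1.0/24
        [ $net, $bits ] = explode( '/', $pattern, 2 );
        $bits = (int) $bits;
        if ( $bits < 0 || $bits > 32 || ! filter_var( $net, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
            return false;
        }
        $mask = $bits === 0 ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
        return ( ip2long( $ip ) & $mask ) === ( ip2long( $net ) & $mask );
    }
    if ( strpos( $pattern, '*' ) !== false ) {            // wildcard, e.g. 10.0.0.*
        $regex = '/^' . str_replace( '\*', '\d{1,3}', preg_quote( $pattern, '/' ) ) . '$/';
        return preg_match( $regex, $ip ) === 1;
    }
    return $ip === $pattern;                               // exact match
}

function example_ip_in_list( string $ip, array $patterns ): bool {
    foreach ( $patterns as $p ) {
        if ( example_ip_matches( $ip, $p ) ) {
            return true;
        }
    }
    return false;
}

// Lockout length in seconds for the Nth lockout of an IP: 15 min, 1 h, then
// 24 h for every further lockout until the auto-blacklist threshold is reached.
function example_lockout_seconds( int $lockout_count ): int {
    $ladder = [ 900, 3600, 86400 ];
    return $ladder[ min( max( $lockout_count, 1 ), count( $ladder ) ) - 1 ];
}

// Constructed check: the whitelist is consulted before any lockout is applied.
$whitelist = [ '203.0.113.5', '192.168.1.0/24', '10.0.0.*' ];
var_dump( example_ip_in_list( '192.168.1.77', $whitelist ) ); // bool(true)
var_dump( example_ip_in_list( '10.0.1.9', $whitelist ) );     // bool(false)
var_dump( example_lockout_seconds( 4 ) );                     // int(86400)
```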

🔄 Dynamic Login & Logout Redirects

Send users exactly where they need to go — based on their role, or if it is their first login.

  • Role-Based Login Redirects — Set a custom URL for each WordPress role after login (e.g., Editors → /editorial-dashboard, Subscribers → /members-area)
  • Role-Based Logout Redirects — Set a custom URL for each WordPress role after logout
  • First-Login Redirect — Redirect brand new users to a welcome page, onboarding wizard, or setup screen on their very first login
  • Relative & Absolute URLs — Supports both relative paths (/dashboard) and full URLs (https://example.com/welcome)
  • Open Redirect Prevention — All redirects are validated via wp_safe_redirect() and wp_validate_redirect() to prevent open redirect attacks

📋 Audit Logging

Keep a complete, searchable record of every authentication event happening on your site.

  • Enable/Disable — Master toggle for audit logging
  • Tracked Events — Login success, login failure, logout, password reset, password change, user registration, profile updates (email/role changes), social login, social linking/unlinking, magic link requests, magic link usage, 2FA enabled/disabled, session termination, access blocked, lockout events
  • Event Details — Each log entry records: user ID, event type, IP address, user agent, JSON context data, and precise timestamp
  • Retention Period — Choose how long to keep logs: 30, 60, 90, 180, 365 days, or unlimited (0 = forever)
  • Auto-Cleanup — Daily WP-Cron job automatically removes expired log entries in batches of 1,000 to avoid database locks
  • Filter by Event Type — View only specific event categories (e.g., show only failed logins)
  • Filter by Date Range — Narrow results by date_from and date_to parameters
  • Filter by User — View all events for a specific user ID
  • Search by IP — Find all events from a particular IP address
  • Full-Text Search — Search across event types, IPs, and context data
  • CSV Export — Download your complete audit log as a CSV file with formula injection protection
  • JSON Export — Export logs in JSON format for integration with external tools
  • Purge All Logs — One-click purge to clear all historical log data
  • Admin UI Viewer — Built-in admin page with paginated table, filters, and export buttons
  • Custom Database Table — Logs are stored in a dedicated authdock_audit_logs table with proper indexes for fast queries
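The "formula injection protection" mentioned for the CSV export, as an added example that is not AuthDock's code. Audit log fields such as the user agent are attacker-controlled, so any cell that a spreadsheet would evaluate as a formula is neutralised before it is written; helper names and the row layout are assumptions.

```php
<?php
// Added example (not AuthDock's code): neutralise spreadsheet formula injection
// when exporting audit log rows to CSV. A cell beginning with = + - @ or a
// tab/CR is prefixed with a single quote so Excel/LibreOffice treat it as text.

function example_csv_safe_cell( $value ): string {
    $value = (string) $value;
    if ( $value !== '' && strpos( "=+-@\t\r", $value[0] ) !== false ) {
        return "'" . $value;
    }
    return $value;
}

function example_audit_rows_to_csv( array $rows ): string {
    $fh = fopen( 'php://temp', 'r+' );
    fputcsv( $fh, [ 'timestamp', 'event', 'user_id', 'ip', 'user_agent', 'context' ] );
    foreach ( $rows as $row ) {
        fputcsv( $fh, array_map( 'example_csv_safe_cell', [
            $row['created_at'], $row['event'], $row['user_id'], $row['ip'],
            $row['user_agent'], wp_json_encode( $row['context'] ),
        ] ) );
    }
    rewind( $fh );
    $csv = stream_get_contents( $fh );
    fclose( $fh );
    return $csv;
}

// Constructed sample row: a user agent that starts with "=" would otherwise be
// evaluated as a formula when the export is opened in a spreadsheet.
$sample = [ [
    'created_at' => '2026-01-01 00:00:00', 'event' => 'login_failure', 'user_id' => 0,
    'ip' => '203.0.113.7', 'user_agent' => '=1+1',
    'context' => [ 'username' => 'admin' ],
] ];
echo example_audit_rows_to_csv( $sample ); // user_agent column reads '=1+1
```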

🏰 Security Hardening

Close common WordPress security holes without installing another plugin.

Custom Login URL
* Custom Slug — Replace wp-login.php with your own secret URL (e.g., /my-secure-login)
* Block Action — Choose what happens when someone visits the default wp-login.php: return a 404 error or redirect to the homepage
* Recovery Key — Access the login page in emergencies via a secret query parameter even when the custom URL is active

XML-RPC Control
* Disable XML-RPC — Completely disable the XML-RPC interface to block remote brute-force attacks
* Partial Disable — Remove only authentication methods while keeping pingbacks functional

REST API Restriction
* Restrict to Authenticated Users — Block all REST API access for unauthenticated visitors
* Namespace Whitelist — Allow specific third-party REST namespaces (e.g., WooCommerce, Jetpack) to remain accessible

User Enumeration Prevention
* Block Author Archives — Redirect ?author=N enumeration queries to the homepage
* Restrict User REST Endpoint — Block /wp-json/wp/v2/users for non-logged-in users
* Generic Login Errors — Replace specific “username not found” or “wrong password” messages with a generic error

Password Strength Enforcement
* Force Strong Passwords — Master toggle for password policy enforcement
* Minimum Length — Set the minimum password length (default: 8 characters)
* Require Uppercase — Mandate at least one uppercase letter
* Require Lowercase — Mandate at least one lowercase letter
* Require Number — Mandate at least one numeric digit
* Require Special Character — Mandate at least one special character (e.g., !@#$%)
* Enforced Roles — Apply password rules only to specific roles

Security HTTP Headers
* X-Content-Type-Options — Prevents MIME-type sniffing (nosniff)
* X-Frame-Options — Blocks clickjacking by restricting iframe embedding (SAMEORIGIN)
* X-XSS-Protection — Legacy XSS filter for older browsers (1; mode=block)
* Referrer-Policy — Controls referrer information sent with requests (strict-origin-when-cross-origin)
* Strict-Transport-Security (HSTS) — Enforces HTTPS connections for 1 year (max-age=31536000; includeSubDomains)
* Permissions-Policy — Restricts access to camera, microphone, and geolocation APIs

Role-Based Session Duration
* Per-Role Cookie Lifetime — Set different authentication cookie durations per WordPress role (in hours)

📧 Email Notifications

Stay informed about critical security events with real-time email alerts — for admins and users.

Admin Notifications
* Multiple Failed Logins — Alert every N failed attempts from the same IP (default: every 3)
* IP Lockout — Alert when an IP address gets locked out
* Admin Login Alert — Notify when an administrator account logs in
* New User Registration — Alert on every new user registration
* User Promoted to Admin — Alert when any user is promoted to the Administrator role
* Admin Password Changed — Alert when an administrator’s password is changed or reset
* 2FA Disabled — Alert when any user disables their two-factor authentication
* Login from New IP — Alert when a user logs in from a previously unseen IP address

User Self-Notifications
* Password Changed — Notify the user when their password is changed
* Email Changed — Notify at the OLD email address when a user’s email is updated (security measure)
* 2FA Status Changed — Notify the user when 2FA is enabled or disabled on their account
* Social Account Linked — Notify when a social provider is connected to their account
* New Device Login — Notify the user when a login is detected from a new IP address
* Account Locked — Notify the user when their account is locked due to failed attempts

Notification Settings
* Custom Recipients — Set custom email addresses for admin notifications (defaults to the site admin email)
* Throttle Period — Configurable cooldown in minutes to prevent notification flooding (default: 60 minutes)
* Digest Mode — Option to batch notifications instead of sending them individually
* Test Email — Send a test notification to verify your email configuration is working

🚪 wp-admin Access Control

Restrict who can access the WordPress dashboard — by role, by IP, or both.

  • Enable/Disable — Master toggle for access control
  • Blocked Roles — Select which WordPress roles are blocked from accessing /wp-admin (e.g., Subscriber, Customer)
  • IP Restriction Mode — Enable IP-based restrictions so only whitelisted IPs can access wp-admin
  • IP Whitelist — Specify allowed IP addresses and CIDR ranges (e.g., 203.0.113.5, 192.168.1.0/24)
  • Hide Admin Bar — Remove the WordPress admin bar from the frontend for blocked roles
  • Redirect Action — Choose what happens when access is denied: redirect to homepage, redirect to a custom URL, or show a 403 Forbidden page
  • Custom Redirect URL — Set a specific URL for the access-denied redirect
  • Emergency Bypass Key — A secret query parameter (?authdock_bypass=YOUR_KEY) to regain access if you get locked out
  • Smart Exceptions — AJAX requests, WP-Cron, and admin-post.php are always allowed through
  • Administrator Immunity — Administrators are never blocked, regardless of settings

⏱️ Session Management

Take control of user sessions — limit concurrent logins, enforce idle timeouts, and terminate sessions remotely.

  • Enable/Disable — Master toggle for session management
  • Concurrent Session Limit — Set the maximum number of simultaneous active sessions per user (0 = unlimited). Oldest sessions are destroyed when the limit is exceeded
  • Idle Session Timeout — Automatically log out users after a configurable period of inactivity (in minutes, 0 = disabled)
  • Per-Role Session Duration — Set different session lifetimes for each WordPress role (in hours)
  • Admin Session Viewer — View all active user sessions via the REST API, including user details and last activity timestamps
  • Remote Session Termination — Administrators can terminate all sessions for any user with a single API call
  • Throttled Activity Tracking — Last-activity timestamps are updated at most once per 5 minutes to minimize database writes

⚡ Performance & Infrastructure

AuthDock is built for speed and follows WordPress best practices from top to bottom.

  • Conditional Asset Loading — CSS and JavaScript files load only on pages where they are needed
  • Indexed Database Tables — Custom tables use proper indexes for fast lookups
  • WP-Cron Maintenance — Audit log cleanup runs via non-blocking WP-Cron
  • Transient-Based Tracking — Brute force attempt tracking uses transients (no additional DB queries per login attempt)
  • REST API Powered — All admin data operations go through the authdock/v1 REST API namespace with 15+ endpoints
  • Hook-Based Architecture — Centralized Loader class registers all hooks for clean dependency management
  • Custom Capabilities — authdock_manage_settings, authdock_view_audit_logs, authdock_export_audit_logs, authdock_manage_sessions, authdock_manage_lockouts
  • Clean Activation — Creates database tables, sets default options, registers capabilities, and schedules cron
  • Clean Deactivation — Clears cron events but preserves all settings for reactivation
  • Full Uninstall — Removes everything: options, user meta, database tables, capabilities, and transients
  • Full i18n — All user-facing strings use proper WordPress internationalization functions with the authdock text domain

🤔 Why Choose AuthDock?

  • Replace 5–7 plugins — Social login + magic links + 2FA + brute force + audit logs + session management + access control — all in one
  • WordPress-native UI — Looks and feels like core WordPress, not a foreign dashboard
  • REST API powered — Modern, secure data handling for all admin operations
  • Lightweight & fast — …

Details

  • Plugin code: authdock
  • Plugin version: 1.0.0
  • Outdated: No
  • WP version: 6.0 or higher
  • PHP version: 7.4 or higher
  • Tested up to WP version: 7.0
  • Total installations: 0
  • Last updated: 2026-06-09
  • Rating: not yet rated (times rated: 0)
  • Tags: access-control, brute-force-protection, login-security, social-login, two-factor-authentication