oOMF! Access

By oOMF!

oOMF! Access delivers a polished WordPress login experience with guided flows for login, registration, lost password, and password reset. Offer passwordless magic links, social sign-in, and smart redirect control while layering in hide-admin, CAPTCHA, honeypot, and soft throttling safeguards — all without writing custom code.

Key features
– Branded login page rendered via the [oomf_access_form] shortcode. Activation creates a dedicated page (stored in oomf_access_page_id), and the /oomf-access/ route continues to load the bundled template even if that page is removed.
– Smart and safe post-login redirects with Redirects::validate_safe_redirect() and pluggable filters.
– Passwordless magic link login plus social providers (Google, Apple, GitHub, Microsoft, Facebook) with admin previews.
– Multiple CAPTCHA providers (reCAPTCHA v2 checkbox, v2 invisible, v3, and hCaptcha) and honeypot/throttle helpers to slow abuse.
– Hide Admin / secret login path support to obscure /wp-login.php and /wp-admin from anonymous users while keeping emergency bypasses available.
– Minimal asset footprint: frontend/admin JS & CSS load only where needed and are versioned with filemtime().
– Developer hooks and filters to customize redirects, captcha behavior, allowed hosts, provider scopes, and more.

Privacy

oOMF! Access does not send data to oOMF! services. If you enable CAPTCHA or Social Login, your site sends authentication and verification requests to those third-party providers as described in the External services section below. Removing the plugin deletes its settings (and the generated login page if you opt in via the oomf_access/delete_page_on_uninstall filter).

External services

oOMF! Access only connects to outside services when you enable the related feature and provide your own credentials. Each integration below explains what is sent and links to the provider policies:

Google reCAPTCHA (v2/v3)

  • Purpose: spam/abuse protection for the login forms.
  • Endpoints: loads scripts from https://www.google.com/recaptcha/api.js and validates tokens via https://www.google.com/recaptcha/api/siteverify.
  • Data sent: your site key/secret, the visitor’s reCAPTCHA token, the page action name, and optionally the visitor IP if you enable the strict remote IP check.
  • Terms: https://policies.google.com/terms — Privacy: https://policies.google.com/privacy

hCaptcha

  • Purpose: CAPTCHA validation when you switch to the hCaptcha provider.
  • Endpoints: loads scripts from https://js.hcaptcha.com and validates tokens via https://hcaptcha.com/siteverify.
  • Data sent: your site key/secret, the response token, the page action, and optionally the visitor IP per hCaptcha requirements.
  • Terms: https://www.hcaptcha.com/terms — Privacy: https://www.hcaptcha.com/privacy

Google OAuth (Social Login)

  • Purpose: allow users to sign in with their Google account.
  • Endpoints: Google Accounts OAuth screen at https://accounts.google.com/o/oauth2/v2/auth, token exchange at https://oauth2.googleapis.com/token, and profile data from https://openidconnect.googleapis.com/v1/userinfo.
  • Data sent: OAuth authorization code, code verifier (for PKCE), redirect URI, and the scopes you configure. After exchanging the code we request the profile name, verified email, avatar, and locale.
  • Terms: https://policies.google.com/terms — Privacy: https://policies.google.com/privacy

Apple Sign In

  • Purpose: Sign in with Apple for Social Login.
  • Endpoints: OAuth screen at https://appleid.apple.com/auth/authorize and token exchange at https://appleid.apple.com/auth/token.
  • Data sent: OAuth authorization code, client ID, redirect URI, and signed JWT assertions generated from the private key you upload. Apple returns the user’s name and email (when available).
  • Terms: https://www.apple.com/legal/internet-services/terms/site.html — Privacy: https://www.apple.com/legal/privacy/

GitHub OAuth

  • Purpose: Social login via GitHub accounts.
  • Endpoints: OAuth screen at https://github.com/login/oauth/authorize, token exchange at https://github.com/login/oauth/access_token, and profile APIs at https://api.github.com/user and https://api.github.com/user/emails.
  • Data sent: OAuth authorization code, client ID/secret, redirect URI, and scope list. After exchanging the code GitHub returns the user’s numeric ID, primary email(s), display name, and avatar URL.
  • Terms: https://docs.github.com/en/site-policy/github-terms/github-terms-of-service — Privacy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement

Microsoft (Azure AD / Entra ID)

  • Purpose: allow sign-in with Microsoft accounts.
  • Endpoints: OAuth screen at https://login.microsoftonline.com/common/oauth2/v2.0/authorize and token exchange at https://login.microsoftonline.com/common/oauth2/v2.0/token. Profile data is requested from https://graph.microsoft.com/v1.0/me.
  • Data sent: client ID, redirect URI, and selected scopes when the visitor starts Microsoft sign-in; then (on callback) the returned OAuth authorization code plus the configured client secret for token exchange. Microsoft returns the profile ID, email, name, and locale when available.
  • Terms: https://www.microsoft.com/licensing/terms/productoffering/MicrosoftOnlineServices/MOSPT — Privacy: https://privacy.microsoft.com/privacystatement

Facebook Login

  • Purpose: Social login via Facebook accounts.
  • Endpoints: OAuth screen at https://www.facebook.com/v18.0/dialog/oauth and token/profile APIs at https://graph.facebook.com/v18.0/oauth/access_token and https://graph.facebook.com/v18.0/me.
  • Data sent: OAuth authorization code, app ID/secret, redirect URI, and scopes. Facebook returns the user ID, email (if available), and profile name/avatar.
  • Terms: https://www.facebook.com/legal/terms — Privacy: https://www.facebook.com/policy.php

Hooks & Extension Points

Notable filters/actions you can rely on when extending oOMF! Access:
– oomf_access_redirect_destination — override the final destination after login.
– oomf-access/allowed_redirect_hosts — allow specific external redirect hosts.
– oomf-access/captcha/allow_external — control whether provider network calls are allowed on privacy-restricted sites.
– oomf_access_captcha_is_required — decide if captcha is required for a particular request.
– oomf_access_captcha_validate_result — customize captcha validation results.
– oomf-access/inline_css — inject extra CSS into admin preview and frontend styles.

For developer notes on autoloading, templates, and class layout, see the repo README.md.

Details

Plugin code: oomf-access
Plugin version: 1.0.0
Author:
Outdated: No
WP version: 6.2 or higher
PHP version: 8.1 or higher
Test up to WP version: 6.9.4
Total installations: 0
Last updated: 2026-05-13
Rating:
Times rated: 0
Tags: authentication, branding, login, redirects, security