Magic Link Authentication

Implement secure, passwordless authentication for WordPress admin access using our Magic Link system. Eliminate password-related security risks while maintaining convenient access.

How Magic Link Works

Authentication Flow

Request Access: User enters email address
Generate Token: System creates secure, time-limited token
Send Email: Token sent via email with secure link
Verify Access: User clicks link to gain admin access
Auto-Expiry: Token expires after short time period

Security Benefits

No Password Storage: Eliminates password database risks
Time-Limited Access: Tokens expire automatically
Single-Use Tokens: Each link can only be used once
IP-Based Security: Optional IP restrictions
Audit Trail: Complete access logging

Setup and Configuration

Enable Magic Link Authentication

Access Settings
- Go to Settings → Magic Link
- Enable Magic Link Authentication

Configure Options

// Magic Link settings
define('MAGIC_LINK_ENABLED', true);
define('MAGIC_LINK_EXPIRY', 900); // 15 minutes
define('MAGIC_LINK_MAX_ATTEMPTS', 3);

Email Configuration

// Email settings
define('MAGIC_LINK_FROM_EMAIL', 'admin@yoursite.com');
define('MAGIC_LINK_FROM_NAME', 'WordPress Admin');

User Permissions

Administrator Access

Full Admin Access: Complete WordPress administration
Plugin Management: Install, activate, deactivate plugins
Theme Management: Upload and manage themes
User Management: Add, edit, remove users

Editor Access

Content Management: Create, edit, publish posts/pages
Media Library: Upload and manage media files
Comments: Moderate and manage comments
Categories/Tags: Manage taxonomy terms

Custom Roles

// Define custom magic link roles
$magic_roles = array(
    'content_editor' => array(
        'capabilities' => array('edit_posts', 'edit_pages'),
        'expiry' => 3600 // 1 hour
    ),
    'plugin_manager' => array(
        'capabilities' => array('activate_plugins', 'deactivate_plugins'),
        'expiry' => 1800 // 30 minutes
    )
);

Magic Link Generation

Manual Link Generation

// Generate magic link programmatically
function generate_magic_link($user_id, $role = 'administrator', $expiry = 900) {
    $token = wp_generate_password(32, false);
    $link_id = wp_insert_post(array(
        'post_title' => 'Magic Link: ' . $user_id,
        'post_content' => '',
        'post_status' => 'publish',
        'post_type' => 'magic_link'
    ));

    update_post_meta($link_id, '_magic_token', $token);
    update_post_meta($link_id, '_magic_user_id', $user_id);
    update_post_meta($link_id, '_magic_role', $role);
    update_post_meta($link_id, '_magic_expiry', time() + $expiry);

    return home_url('/magic-login/?token=' . $token . '&id=' . $link_id);
}

Admin Interface

Generate Link
- Go to Users → Magic Links
- Select user and desired permissions
- Set expiry time
- Generate and copy link
Bulk Generation
- Create multiple links at once
- Set different permission levels
- Schedule link generation

Link Verification and Access

Token Validation

function validate_magic_token($token, $link_id) {
    $stored_token = get_post_meta($link_id, '_magic_token', true);
    $expiry = get_post_meta($link_id, '_magic_expiry', true);
    $used = get_post_meta($link_id, '_magic_used', true);

    if ($token !== $stored_token) {
        return new WP_Error('invalid_token', 'Invalid magic link token');
    }

    if (time() > $expiry) {
        return new WP_Error('expired_token', 'Magic link has expired');
    }

    if ($used) {
        return new WP_Error('used_token', 'Magic link has already been used');
    }

    return true;
}

User Authentication

function authenticate_magic_user($link_id) {
    $user_id = get_post_meta($link_id, '_magic_user_id', true);
    $role = get_post_meta($link_id, '_magic_role', true);

    // Set user role temporarily
    $user = get_user_by('id', $user_id);
    $user->set_role($role);

    // Log the access
    magic_link_log_access($user_id, $link_id);

    // Mark link as used
    update_post_meta($link_id, '_magic_used', true);

    return $user;
}

Email Templates

Default Magic Link Email

Subject: Your WordPress Admin Access Link

Hi {user_name},

You have requested access to {site_name} WordPress admin.

Click the link below to access the admin panel:
{magic_link}

This link will expire in {expiry_time} minutes and can only be used once.

If you didn't request this access, please ignore this email.

Best regards,
{site_name} Team

Custom Email Templates

function custom_magic_link_email($user_id, $magic_link, $expiry) {
    $user = get_user_by('id', $user_id);
    $site_name = get_bloginfo('name');

    $subject = "🔐 Secure Admin Access - {$site_name}";
    $message = "
    <h2>WordPress Admin Access</h2>
    <p>Hello {$user->display_name},</p>
    <p>You have requested secure access to {$site_name}.</p>
    <p><strong>Your magic link:</strong></p>
    <p><a href='{$magic_link}' style='background:#007cba;color:white;padding:10px 20px;text-decoration:none;border-radius:5px;'>Access Admin Panel</a></p>
    <p><small>This link expires in {$expiry} minutes and can only be used once.</small></p>
    ";

    return array('subject' => $subject, 'message' => $message);
}

Security Features

Access Control

IP Whitelisting: Restrict access to specific IP addresses
Device Fingerprinting: Track device information
Geographic Restrictions: Limit access by country/region
Time-Based Access: Restrict access to business hours

Monitoring and Logging

function magic_link_log_access($user_id, $link_id, $ip_address, $user_agent) {
    global $wpdb;

    $wpdb->insert(
        $wpdb->prefix . 'magic_link_logs',
        array(
            'user_id' => $user_id,
            'link_id' => $link_id,
            'ip_address' => $ip_address,
            'user_agent' => $user_agent,
            'access_time' => current_time('mysql'),
            'action' => 'login'
        )
    );
}

Rate Limiting

Request Limits: Maximum requests per hour per IP
Failed Attempts: Lockout after multiple failed attempts
Cooldown Periods: Waiting time between requests

Advanced Configuration

Multi-Site Support

// Multi-site magic link configuration
define('MAGIC_LINK_MULTISITE', true);
define('MAGIC_LINK_SITE_SPECIFIC', true);

// Site-specific tokens
function generate_site_magic_link($user_id, $site_id, $role) {
    // Generate site-specific magic link
    $site_url = get_site_url($site_id);
    $token = generate_magic_token($user_id, $site_id);

    return $site_url . '/magic-login/?token=' . $token;
}

API Integration

// REST API endpoint for magic links
add_action('rest_api_init', function() {
    register_rest_route('magic-link/v1', '/generate', array(
        'methods' => 'POST',
        'callback' => 'api_generate_magic_link',
        'permission_callback' => function() {
            return current_user_can('manage_options');
        }
    ));
});

function api_generate_magic_link($request) {
    $user_id = $request->get_param('user_id');
    $role = $request->get_param('role');
    $expiry = $request->get_param('expiry') ?: 900;

    $magic_link = generate_magic_link($user_id, $role, $expiry);

    return new WP_REST_Response(array(
        'success' => true,
        'magic_link' => $magic_link,
        'expires_at' => time() + $expiry
    ), 200);
}

User Experience

Enter Email: User enters email address
Receive Email: Magic link sent instantly
Click Link: One-click access to admin
Automatic Login: No password required
Session Management: Proper session handling

Mobile Optimization

Responsive Design: Works on all devices
Touch-Friendly: Easy mobile interaction
Quick Access: Fast mobile login process
Offline Support: Basic offline functionality

Troubleshooting

Common Issues

Links Not Working

Check Expiry: Ensure link hasn't expired
Single Use: Links can only be used once
Browser Issues: Try different browser or incognito mode
Email Filters: Check spam/junk folders

Email Delivery Problems

SMTP Configuration: Verify email settings
SPF/DKIM: Check email authentication
Blacklists: Ensure domain not blacklisted
Rate Limits: Check email sending limits

Permission Issues

Role Assignment: Verify correct role assignment
Capability Conflicts: Check for plugin conflicts
User Status: Ensure user account is active
Site Access: Verify multi-site permissions

Debug Mode

// Enable magic link debugging
define('MAGIC_LINK_DEBUG', true);

// Log all magic link activities
add_action('magic_link_generated', function($link_id, $user_id) {
    error_log("Magic link generated: {$link_id} for user: {$user_id}");
});

add_action('magic_link_used', function($link_id, $user_id) {
    error_log("Magic link used: {$link_id} by user: {$user_id}");
});

Best Practices

Security Best Practices

Short Expiry Times: Use short token lifetimes (5-15 minutes)
Single-Use Tokens: Each link should be usable only once
IP Logging: Log all access attempts and IP addresses
Regular Audits: Review access logs regularly

User Experience Best Practices

Clear Instructions: Provide clear email instructions
Branded Emails: Use branded email templates
Mobile Friendly: Ensure mobile compatibility
Fallback Options: Provide alternative login methods

Performance Best Practices

Database Optimization: Clean up expired tokens regularly
Caching: Cache user and role information
Email Queuing: Use email queuing for better performance
CDN Integration: Use CDN for email template assets

Secure, passwordless WordPress authentication made simple with Magic Link.

Magic Link

On this page