
② In the WordPress admin dashboard, search for "AuthDock — Login Security, 2FA, Social Login & Brute Force Protection" → install it directly (recommended)
Original plugin description
AuthDock is a professional-grade WordPress authentication and user access management plugin that replaces 5–7 separate security plugins with a single, unified solution. Built with WordPress-native UI, REST API, and zero bloat.
Whether you run a membership site, WooCommerce store, multi-author blog, or corporate intranet — AuthDock gives you full control over how users log in, stay safe, and interact with your site.
🔑 Social Login
Let users sign in with one click using their existing accounts. No more forgotten passwords.
Google OAuth 2.0 — Sign in with Google using OAuth 2.0 authorization
Facebook Login — Authenticate via the Facebook Graph API
GitHub OAuth — Developer-friendly sign in with GitHub
X (Twitter) OAuth 2.0 — Uses OAuth 2.0 with PKCE (S256), so an intercepted authorization code cannot be exchanged without the code verifier
Button Style — Choose between icon + text, icon only, or text only button styles
Button Layout — Display buttons vertically or horizontally
Button Order — Drag and drop to reorder provider buttons
Default Role — Assign a specific WordPress role to new social registrations (e.g., Subscriber, Customer)
Auto-Registration — Automatically create WordPress accounts from social profiles
Domain Restriction — Restrict social login to specific email domains (e.g., company.com, university.edu)
Avatar Integration — Automatically set user profile pictures from social account avatars
Account Linking — Users can link/unlink social accounts from their WordPress profile page
Shortcode — Place social login buttons anywhere using [authdock_social_login]
Developer Filters — authdock_allow_social_account_linking and authdock_allow_social_registration for custom control
✉️ Magic Link Login
Passwordless authentication — users receive a one-time login link via email. No passwords to remember or leak.
Enable/Disable — Master toggle for passwordless login
Link Expiry — Set how long each magic link stays valid (default: 10 minutes)
Rate Limiting — Max magic link requests per email per hour (default: 5/hour) to prevent abuse
Allowed Roles — Restrict magic login to specific user roles (e.g., Subscribers, Editors)
Force Magic Login Mode — Hide the standard WordPress password form and show only the magic link form
Custom Email Subject — Personalize the magic link email subject line
Custom Email Body — Customize using merge tags: {user_name}, {magic_link}, {expiry_time}, {site_name}, {ip_address}
One-Time Use — Each magic link is cryptographically random and single-use
Token Invalidation — Magic links are automatically invalidated when a user changes their password
Anti-Enumeration — Generic success messages prevent attackers from discovering valid email addresses
Shortcode — Display the form anywhere with [authdock_magic_login] and optional redirect attribute
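The magic link features above (one-time, expiring tokens; a per-email hourly rate limit; a generic response that does not reveal whether the address exists; invalidation on password change) fit together as in the following reference implementation. This is an added example written for this page, not AuthDock's own code; the user table, the `MagicLinkService` class and the use of a per-user password version to invalidate outstanding links are assumptions about how such a service could be built, and the only thing stored server-side is a SHA-256 hash of the token so a database read cannot yield usable links.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

LINK_TTL = 10 * 60          # default link expiry from the listing: 10 minutes
MAX_PER_HOUR = 5            # default rate limit: 5 requests per email per hour
GENERIC_MSG = "If that address is registered, a login link has been sent."

# Constructed user table for the example: email -> [user_id, password_version].
# The version is bumped whenever the password changes (an assumed mechanism).
USERS = {"alice@example.com": [1, 1]}


class MagicLinkService:
    def __init__(self) -> None:
        # sha256(token) -> (email, expires_at, password_version at issue time)
        self._tokens: Dict[str, Tuple[str, int, int]] = {}
        self._requests: Dict[str, List[int]] = {}   # email -> request timestamps

    def request_link(self, email: str, now: int) -> Tuple[str, Optional[str]]:
        """Always return the same user-facing message (anti-enumeration).
        The second element is the raw token that would go into the email;
        None means no mail is sent, because the address is unknown or the
        per-email rate limit was reached. The caller must not expose which."""
        recent = [t for t in self._requests.get(email, []) if now - t < 3600]
        self._requests[email] = recent
        if email not in USERS or len(recent) >= MAX_PER_HOUR:
            return GENERIC_MSG, None
        recent.append(now)
        raw = secrets.token_urlsafe(32)                   # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self._tokens[digest] = (email, now + LINK_TTL, USERS[email][1])
        return GENERIC_MSG, raw

    def redeem(self, raw: str, now: int) -> Optional[int]:
        """Consume a token exactly once; return the user id or None."""
        digest = hashlib.sha256(raw.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)            # removed even if it then fails
        if entry is None:
            return None
        email, expires_at, version_at_issue = entry
        if now >= expires_at:
            return None
        user_id, current_version = USERS[email]
        if version_at_issue != current_version:           # password changed since issue
            return None
        return user_id


def change_password(email: str) -> None:
    """Bumping the version invalidates every outstanding link for the user."""
    USERS[email][1] += 1
```

Note that unknown addresses take the same code path up to the point where no token is issued, and the message returned is identical in every case; the only difference an attacker can observe is timing, which a real implementation would pad.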
🔐 Two-Factor Authentication (2FA)
Add a second layer of security to every login. Supports TOTP authenticator apps and email-based verification codes.
Enable/Disable — Master toggle for two-factor authentication
TOTP Method — Time-based One-Time Passwords (RFC 6238) with QR code provisioning via Google Authenticator, Authy, Microsoft Authenticator, etc.
Email Method — Receive a 6-digit numeric verification code via email
Enforced Roles — Force specific WordPress roles (e.g., Administrator, Editor) to enable 2FA
Grace Period — Give users configurable days to set up 2FA before enforcement kicks in (default: 3 days)
Trusted Devices — Allow users to skip 2FA on recognized devices for configurable days (default: 30 days)
Backup Recovery Codes — Generate 10 one-time-use backup codes for account recovery if the authenticator is lost
Brute-Force Protection — Rate-limited to 5 verification attempts per session to prevent code guessing
Encrypted Secret Storage — TOTP secrets encrypted with AES-256-CBC before storing in the database
Replay Protection — Each TOTP code can only be used once per time window (RFC 6238 §5.2)
Clock Drift Tolerance — Accepts codes from ±1 time step (30 seconds) to handle minor clock differences
Interstitial Challenge Screen — Clean, WordPress-native verification screen after primary authentication
Admin Management — Administrators can view and disable 2FA for any user from the profile page
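To make the TOTP items above concrete (RFC 6238 codes, a ±1 step drift window, replay protection per RFC 6238 §5.2, and a five-attempt limit per verification session), here is a small verifier. It is an added example for this page, not AuthDock's code; the `TotpVerifier` class, the Base32 secret helper and the `otpauth://` provisioning URI builder are assumptions about what a plugin in this space needs, and the replay rule implemented is the strict form: any step at or before the last accepted step is refused, which also blocks the older code in the drift window once a newer one has been used.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30          # RFC 6238 time step in seconds
DIGITS = 6
DRIFT = 1          # accept codes from one step before and after the current one
MAX_ATTEMPTS = 5   # verification attempts allowed per session


def new_secret() -> str:
    """160-bit secret, Base32-encoded as authenticator apps expect in a QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth URI that Google Authenticator, Authy, etc. scan from a QR code."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP)


class TotpVerifier:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_used_step = -1   # persisted per user in a real plugin
        self.attempts = 0          # per verification session

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        if self.attempts >= MAX_ATTEMPTS:
            return False                      # session exhausted, no more guesses
        now = int(time.time()) if now is None else now
        current = now // STEP
        for delta in range(-DRIFT, DRIFT + 1):
            step = current + delta
            if step <= self.last_used_step:
                continue                      # replay, or older than a code already used
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                self.attempts = 0
                return True
        self.attempts += 1
        return False
```

The constant-time comparison matters little for six-digit codes on their own, but costs nothing; the attempt counter is what actually defeats guessing, since three accepted codes out of a million leaves roughly a 1-in-66,000 chance of success per five-guess session.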
🛡️ Brute Force Protection (Login Limiter)
Stop brute-force attacks with intelligent lockout rules that escalate automatically.
Enable/Disable — Master toggle for login attempt limiting
Max Attempts — Set the number of failed login attempts before lockout (default: 5)
Lockout Duration — Initial lockout period in minutes (default: 15 minutes)
Progressive Lockout — Lockouts escalate: 15 min → 1 hour → 24 hours for repeat offenders
Auto-Blacklist — Permanently ban an IP after a configurable number of lockouts (e.g., after 5)
IP Whitelist — Allow trusted IPs to bypass login limits (supports exact match, CIDR ranges like 192.168.1.0/24, and wildcards like 10.0.0.*)
IP Blacklist — Permanently block specific IP addresses, CIDR ranges, or wildcard patterns
Notify Admin on Lockout — Email alerts when an IP gets locked out
Notify Threshold — Configure after how many lockouts the notification triggers (default: 1)
XML-RPC Integration — Automatically block XML-RPC authentication from locked-out IPs
Login Page Warnings — Display remaining attempt count and lockout timers on the login page
Log Retention — Configure how long failed login data is retained (default: 30 days)
Trusted Proxies — Specify trusted reverse proxy IPs for accurate client IP detection behind load balancers
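The login limiter items above describe three mechanisms that only work correctly together: resolving the real client address behind trusted proxies (otherwise an attacker sets X-Forwarded-For to a whitelisted address), matching IPs against exact, CIDR and wildcard entries, and escalating lockouts 15 min → 1 h → 24 h with an automatic blacklist after N lockouts. The following is an added example for this page, not AuthDock's code; the `Limiter` class, its return values and the in-memory dictionaries are assumptions, and the same `ip_matches` helper is what the wp-admin IP whitelist described later on this page needs as well.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ESCALATION_MINUTES = [15, 60, 24 * 60]   # 15 min -> 1 h -> 24 h, then 24 h again


def ip_matches(ip: str, patterns: List[str]) -> bool:
    """Exact (203.0.113.5), CIDR (192.168.1.0/24) or wildcard (10.0.0.*) match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for pat in patterns:
        if "*" in pat:
            if fnmatch.fnmatchcase(ip, pat):
                return True
        elif addr in ipaddress.ip_network(pat, strict=False):   # plain IPs become /32
            return True
    return False


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: List[str]) -> str:
    """Only honour X-Forwarded-For when the TCP peer is a trusted proxy, and walk
    the chain from the right, skipping trusted hops, so a client cannot forge it."""
    if not x_forwarded_for or not ip_matches(remote_addr, trusted_proxies):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        if not ip_matches(hop, trusted_proxies):
            return hop
    return hops[0]


@dataclass
class Limiter:
    max_attempts: int = 5
    auto_blacklist_after: int = 5
    whitelist: List[str] = field(default_factory=list)
    failures: Dict[str, int] = field(default_factory=dict)      # ip -> failures so far
    lockouts: Dict[str, int] = field(default_factory=dict)      # ip -> lockouts so far
    locked_until: Dict[str, int] = field(default_factory=dict)  # ip -> unix time
    blacklist: Set[str] = field(default_factory=set)

    def is_blocked(self, ip: str, now: int) -> bool:
        """Check this before even looking at the submitted credentials."""
        if ip_matches(ip, self.whitelist):
            return False
        return ip in self.blacklist or self.locked_until.get(ip, 0) > now

    def record_failure(self, ip: str, now: int) -> str:
        if ip_matches(ip, self.whitelist):
            return "whitelisted"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.max_attempts:
            return "ok"
        self.failures[ip] = 0
        n = self.lockouts.get(ip, 0) + 1
        self.lockouts[ip] = n
        if n >= self.auto_blacklist_after:
            self.blacklist.add(ip)
            return "blacklisted"
        minutes = ESCALATION_MINUTES[min(n, len(ESCALATION_MINUTES)) - 1]
        self.locked_until[ip] = now + minutes * 60
        return "locked"

    def record_success(self, ip: str) -> None:
        self.failures.pop(ip, None)
```

Usage: call `client_ip(...)` once per request with the site's configured proxy list, then `is_blocked` before authentication and `record_failure`/`record_success` after it. The lockout counter is intentionally not reset by a successful login, so a slow attacker who eventually guesses one account still reaches the blacklist threshold.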
🔄 Dynamic Login & Logout Redirects
Send users exactly where they need to go, based on their role or on whether it is their first login.
Role-Based Login Redirects — Set a custom URL per WordPress role after login (e.g., Editors → /editorial-dashboard, Subscribers → /members-area)
Role-Based Logout Redirects — Set a custom URL per WordPress role after logout
First-Login Redirect — Redirect new users to a welcome page, onboarding wizard, or setup screen on their first login
Relative & Absolute URLs — Supports both relative paths (/dashboard) and full URLs (https://example.com/welcome)
Open Redirect Prevention — Redirects validated via wp_safe_redirect() and wp_validate_redirect() to prevent open redirect attacks
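The open-redirect point above is worth seeing in code, because the tricky inputs are not the obvious ones. The block below is an added example for this page, not AuthDock's code and not a port of wp_validate_redirect(); it applies the same kind of checks (scheme must be http/https, host must be in an allow-list, protocol-relative and backslash forms are rejected, userinfo in the URL is rejected) and wraps them in a role-based rule lookup whose rule format is an assumption.

```python
from typing import Dict, List, Set
from urllib.parse import urlsplit


def safe_redirect(target: str, allowed_hosts: Set[str], fallback: str = "/") -> str:
    """Return `target` only if it stays on an allowed host; otherwise `fallback`."""
    # Strip CR/LF (header injection) and surrounding whitespace, and normalise
    # backslashes: browsers treat "/\evil.com" like "//evil.com".
    t = target.replace("\r", "").replace("\n", "").strip().replace("\\", "/")
    if t.startswith("//"):
        return fallback                      # protocol-relative: leaves the site
    if t.startswith("/"):
        return t                             # same-origin absolute path
    parts = urlsplit(t)
    if not parts.scheme and not parts.netloc:
        return "/" + t                       # bare relative path such as "dashboard"
    if parts.scheme.lower() not in ("http", "https"):
        return fallback                      # javascript:, data:, etc.
    if parts.username or parts.password or not parts.hostname:
        return fallback                      # https://example.com@evil.com/ tricks
    if parts.hostname not in allowed_hosts:  # urlsplit lower-cases the hostname
        return fallback
    return t


def login_redirect(user_roles: List[str], first_login: bool,
                   rules: Dict, allowed_hosts: Set[str]) -> str:
    """Pick a target by first-login flag, then by role order; validate the result."""
    target = ""
    if first_login and rules.get("first_login"):
        target = rules["first_login"]
    else:
        for role in user_roles:
            if role in rules.get("roles", {}):
                target = rules["roles"][role]
                break
    return safe_redirect(target, allowed_hosts, fallback="/wp-admin/") if target else "/wp-admin/"
```

Even admin-entered redirect targets go through the validator, so a compromised settings page cannot turn the login flow into a phishing hop to another domain.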
📋 Audit Logging
Keep a complete, searchable record of every authentication event happening on your site.
Enable/Disable — Master toggle for audit logging
Tracked Events — Login success/failure, logout, password reset/change, user registration, profile updates, social login/linking, magic link requests/usage, 2FA changes, session termination, access blocked, lockout events
Event Details — Each entry records: user ID, event type, IP, user agent, JSON context, and timestamp
Retention Period — Choose how long to keep logs: 30, 60, 90, 180, 365 days, or unlimited
Auto-Cleanup — Daily WP-Cron job removes expired entries in batches of 1,000 to prevent database locks
Filter by Event Type — View specific event categories (e.g., only failed logins)
Filter by Date Range — Narrow results by date_from and date_to
Filter by User — View all events for a specific user ID
Search by IP — Find all events from a particular IP address
Full-Text Search — Search across event types, IPs, and context data
CSV Export — Download audit logs as a CSV file with formula injection protection
JSON Export — Export logs in JSON format for integration with external tools
Purge All Logs — One-click purge to clear all historical log data
Admin UI Viewer — Built-in admin page with paginated table, filters, and export buttons
Custom Database Table — Logs stored in a dedicated authdock_audit_logs table with proper indexes for fast queries
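The CSV export line above mentions formula injection protection, which deserves a concrete illustration: audit logs contain attacker-controlled strings (user agents, attempted usernames), and a cell beginning with `=`, `+`, `-` or `@` is executed as a formula when an administrator opens the export in a spreadsheet. The block below is an added example for this page, not AuthDock's code; the column names and the sample rows are constructed for the demonstration.

```python
import csv
import io
import json
from typing import Any, Dict, List

FIELDS = ["id", "user_id", "event", "ip", "user_agent", "context", "created_at"]

# Constructed entries for the example, not real log data. The first user agent
# is the classic payload: a spreadsheet would render it as a clickable formula.
SAMPLE_ROWS: List[Dict[str, Any]] = [
    {"id": 1, "user_id": 0, "event": "login_failed", "ip": "203.0.113.7",
     "user_agent": '=HYPERLINK("http://attacker.example/","click")',
     "context": {"username": "admin"}, "created_at": "2024-05-01T10:00:00Z"},
    {"id": 2, "user_id": 5, "event": "login_success", "ip": "198.51.100.4",
     "user_agent": "Mozilla/5.0", "context": {"method": "totp"},
     "created_at": "2024-05-01T10:05:00Z"},
]


def neutralize_cell(value: Any) -> str:
    """Prefix a single quote so spreadsheet applications treat the cell as text.
    Leading whitespace is skipped first, since Excel ignores it before '='."""
    text = "" if value is None else str(value)
    stripped = text.lstrip(" \t\r\n")
    if stripped and stripped[0] in "=+-@":
        return "'" + text
    return text


def export_csv(rows: List[Dict[str, Any]]) -> str:
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(FIELDS)
    for row in rows:
        cells = []
        for name in FIELDS:
            value = row[name]
            if name == "context":
                value = json.dumps(value, sort_keys=True)   # keep structured data as JSON
            cells.append(neutralize_cell(value))
        writer.writerow(cells)
    return buf.getvalue()


def export_json(rows: List[Dict[str, Any]]) -> str:
    """JSON consumers are not spreadsheets, so values are exported unmodified."""
    return json.dumps(rows, indent=2, sort_keys=True)
```

Quoting every field (`QUOTE_ALL`) is deliberate: it keeps embedded commas and quotes in user agents from splitting rows, and the single-quote prefix survives a round trip through `csv.reader` so a SIEM importing the file sees exactly what the spreadsheet would.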
🏰 Security Hardening
Close common WordPress security holes without installing another plugin.
Custom Login URL
* Custom Slug — Replace wp-login.php with your own secret URL (e.g., /my-secure-login)
* Block Action — Choose what happens when someone visits wp-login.php: return a 404 error or redirect to the homepage
* Recovery Key — Access the login page via a secret query parameter even when the custom URL is active
XML-RPC Control
* Disable XML-RPC — Completely disable XML-RPC to block remote brute-force attacks
* Partial Disable — Remove only authentication methods while keeping pingbacks functional
REST API Restriction
* Restrict to Authenticated Users — Block all REST API access for unauthenticated visitors
* Namespace Whitelist — Allow specific third-party REST namespaces (e.g., WooCommerce, Jetpack) to remain public
User Enumeration Prevention
* Block Author Archives — Redirect ?author=N enumeration queries to the homepage
* Restrict User REST Endpoint — Block /wp-json/wp/v2/users for non-logged-in users
* Generic Login Errors — Replace “username not found” or “wrong password” messages with a generic error
Password Strength Enforcement
* Force Strong Passwords — Master toggle for password policy enforcement
* Minimum Length — Set the minimum password length (default: 8 characters)
* Require Uppercase — Mandate at least one uppercase letter
* Require Lowercase — Mandate at least one lowercase letter
* Require Number — Mandate at least one numeric digit
* Require Special Character — Mandate at least one special character (e.g., !@#$%)
* Enforced Roles — Apply password rules only to specific roles
Security HTTP Headers
* X-Content-Type-Options — Prevents MIME-type sniffing (nosniff)
* X-Frame-Options — Blocks clickjacking by restricting iframe embedding (SAMEORIGIN)
* X-XSS-Protection — Legacy XSS filter for older browsers (1; mode=block)
* Referrer-Policy — Controls referrer information sent with requests (strict-origin-when-cross-origin)
* Strict-Transport-Security (HSTS) — Enforces HTTPS connections for 1 year (max-age=31536000; includeSubDomains)
* Permissions-Policy — Restricts access to camera, microphone, and geolocation APIs
Role-Based Session Duration
* Per-Role Cookie Lifetime — Set different authentication cookie durations per WordPress role (in hours)
📧 Email Notifications
Stay informed about critical security events with real-time email alerts — for admins and users.
Admin Notifications
* Multiple Failed Logins — Alert every N failed attempts from the same IP (default: every 3)
* IP Lockout — Alert when an IP gets locked out
* Admin Login Alert — Notify when an administrator account logs in
* New User Registration — Alert on every new user registration
* User Promoted to Admin — Alert when any user is promoted to the Administrator role
* Admin Password Changed — Alert when an administrator’s password is changed or reset
* 2FA Disabled — Alert when any user disables two-factor authentication
* Login from New IP — Alert when a user logs in from a previously unseen IP address
User Self-Notifications
* Password Changed — Notify the user when their password is changed
* Email Changed — Notify at the OLD email address when a user’s email is updated (security measure)
* 2FA Status Changed — Notify the user when 2FA is enabled or disabled on their account
* Social Account Linked — Notify when a social provider is connected to their account
* New Device Login — Notify the user when a login is detected from a new IP address
* Account Locked — Notify the user when their account is locked due to failed attempts
Notification Settings
* Custom Recipients — Set custom email addresses for admin notifications (defaults to site admin email)
* Throttle Period — Configurable cooldown in minutes to prevent notification flooding (default: 60 minutes)
* Digest Mode — Option to batch notifications instead of sending them individually
* Test Email — Send a test notification to verify email configuration is working
🚪 wp-admin Access Control
Restrict who can access the WordPress dashboard — by role, by IP, or both.
Enable/Disable — Master toggle for access control
Blocked Roles — Select which roles are blocked from accessing /wp-admin (e.g., Subscriber, Customer)
IP Restriction Mode — Enable IP-based restrictions so only whitelisted IPs can access wp-admin
IP Whitelist — Specify allowed IP addresses and CIDR ranges (e.g., 203.0.113.5, 192.168.1.0/24)
Hide Admin Bar — Remove the WordPress admin bar from the frontend for blocked roles
Redirect Action — Choose what happens when access is denied: redirect to homepage, custom URL, or show a 403 Forbidden page
Custom Redirect URL — Set a specific URL for the access-denied redirect
Emergency Bypass Key — Secret query parameter (?authdock_bypass=YOUR_KEY) to regain access if locked out
Smart Exceptions — AJAX requests, WP-Cron, and admin-post.php always allowed through
Administrator Immunity — Administrators are never blocked, regardless of settings
⏱️ Session Management
Take control of user sessions — limit concurrent logins, enforce idle timeouts, and terminate sessions remotely.
Enable/Disable — Master toggle for session management
Concurrent Session Limit — Maximum simultaneous sessions per user (0 = unlimited). Oldest sessions are destroyed when the limit is exceeded
Idle Session Timeout — Auto-logout after configurable inactivity period (in minutes, 0 = disabled)
Per-Role Session Duration — Different session lifetimes for each WordPress role (in hours)
Admin Session Viewer — View all active sessions via the REST API, including user details and last activity timestamps
Remote Session Termination — Administrators can terminate all sessions for any user via a single API call
Throttled Activity Tracking — Last-activity timestamps updated at most once per 5 minutes to minimize database writes
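The session items above (a concurrent-session cap that evicts the oldest session, an idle timeout, per-role lifetimes, remote termination, and last-activity writes throttled to once per five minutes) can be shown in one small store. This is an added example for this page, not AuthDock's code; the `SessionStore` class and its record layout are assumptions. Note the interaction the throttle creates: because the stored last-activity time can lag real activity by up to five minutes, an idle timeout shorter than the throttle interval would log active users out.

```python
import secrets
from typing import Dict, List, Optional

ACTIVITY_THROTTLE = 5 * 60   # write last_activity at most once per 5 minutes


class SessionStore:
    def __init__(self, max_concurrent: int = 2, idle_timeout: int = 30 * 60,
                 role_lifetimes: Optional[Dict[str, int]] = None,
                 default_lifetime_hours: int = 48) -> None:
        self.max_concurrent = max_concurrent          # 0 = unlimited
        self.idle_timeout = idle_timeout              # seconds, 0 = disabled
        self.role_lifetimes = role_lifetimes or {}    # role -> hours
        self.default_lifetime_hours = default_lifetime_hours
        self.sessions: Dict[str, dict] = {}           # token -> record

    def login(self, user_id: int, role: str, now: int, ip: str) -> str:
        token = secrets.token_hex(16)
        hours = self.role_lifetimes.get(role, self.default_lifetime_hours)
        self.sessions[token] = {"user_id": user_id, "role": role, "login": now,
                                "last_activity": now, "expires": now + hours * 3600,
                                "ip": ip}
        self._enforce_limit(user_id)
        return token

    def _enforce_limit(self, user_id: int) -> None:
        if self.max_concurrent <= 0:
            return
        mine = sorted((t for t, s in self.sessions.items() if s["user_id"] == user_id),
                      key=lambda t: self.sessions[t]["login"])
        for token in mine[:-self.max_concurrent]:     # oldest sessions beyond the cap
            del self.sessions[token]

    def touch(self, token: str, now: int) -> Optional[dict]:
        """Validate a session on each request; returns the record or None."""
        s = self.sessions.get(token)
        if s is None:
            return None
        idle = self.idle_timeout and now - s["last_activity"] >= self.idle_timeout
        if now >= s["expires"] or idle:
            del self.sessions[token]
            return None
        if now - s["last_activity"] >= ACTIVITY_THROTTLE:
            s["last_activity"] = now                  # throttled write
        return s

    def list_sessions(self, user_id: int) -> List[dict]:
        return [s for s in self.sessions.values() if s["user_id"] == user_id]

    def terminate_all(self, user_id: int) -> int:
        """What a 'terminate all sessions for user' admin call would do."""
        doomed = [t for t, s in self.sessions.items() if s["user_id"] == user_id]
        for token in doomed:
            del self.sessions[token]
        return len(doomed)
```

In WordPress terms the per-role lifetime is what you would return from the `auth_cookie_expiration` filter, and the store would be the user's session tokens in user meta rather than an in-memory dictionary.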
⚡ Performance & Infrastructure
AuthDock is built for speed and follows WordPress best practices from top to bottom.
Conditional Asset Loading — CSS and JavaScript files load only on pages where they are needed
Indexed Database Tables — Custom tables use proper indexes for fast lookups
WP-Cron Maintenance — Audit log cleanup runs via non-blocking WP-Cron
Transient-Based Tracking — Brute force tracking uses transients; with a persistent object cache (Redis, Memcached) this adds no database queries per login attempt, while without one transients are read and written in the wp_options table
REST API Powered — All admin data operations go through the authdock/v1 namespace with 15+ endpoints
Hook-Based Architecture — Centralized Loader class registers all hooks for clean dependency management
Custom Capabilities — authdock_manage_settings, authdock_view_audit_logs, authdock_export_audit_logs, authdock_manage_sessions, authdock_manage_lockouts
Clean Activation — Creates database tables, sets defaults, registers capabilities, and schedules cron
Clean Deactivation — Clears cron events but preserves all settings for reactivation
Full Uninstall — Removes everything: options, user meta, database tables, capabilities, and transients
Full i18n — All user-facing strings use WordPress internationalization functions with the authdock text domain
🤔 Why Choose AuthDock?
Replace 5–7 plugins — Social login + magic links + 2FA + brute force + audit logs + session management + access control — all in one
WordPress-native UI — Looks and feels like core WordPress, not a foreign dashboard
REST API powered — Modern, secure data handling for all admin operations
Lightweight & fast — Conditional loading, object caching, zero external frameworks in admin
Developer-friendly — Extensive hooks, filters, and custom capabilities for extensibility
WordPress.org compliant — No tracking, no encoded code, no forced upsells, full GPL-2.0+
🔗 Shortcodes
[authdock_social_login] — Display social login buttons (attributes: layout, style)
[authdock_magic_login] — Display magic link login form (attributes: redirect)
[authdock_login_form] — Display login form with 2FA support
External services
Google OAuth — Terms | Privacy
Facebook Login — Terms | Privacy
GitHub OAuth — Terms | Privacy
X (Twitter) OAuth — Terms | Privacy
