
Description
The Authyo Passwordless Login plugin provides secure OTP login: a one-time password sent by email replaces the traditional password, improving login security and simplifying the user experience.
Main features:
• Passwordless login using an email OTP
• No passwords are stored or used
• Secure single-use token verification
• OTPs are sent through Authyo's secure email service
• Optional authenticator app (2FA) as a fallback
• AJAX-driven login flow with no page reloads
Original plugin description
Authyo Passwordless Login is a WordPress login security plugin that protects your site with brute-force protection, IP blacklisting, security activity logs, XML-RPC blocking, REST API protection, and a custom login URL. All security features work immediately after activation — no API keys or account registration needed.
Optionally, add Authyo API credentials to enable passwordless OTP login where users log in with a one-time password sent to their email instead of a traditional password.
Security features that work without API keys:
Brute-force protection — Limit login attempts per IP and username with progressive lockout durations. Repeat offenders are automatically blacklisted.
IP Manager — Whitelist trusted IPs and blacklist attackers. Includes search, filter, pagination, and per-page selector for large lists.
Security activity logs — Track every login, logout, failed attempt, lockout, and blocked access. Includes request URL tracking, date filters, search, and CSV export.
Disable XML-RPC — Block xmlrpc.php requests at the server level using .htaccess rules. Removes X-Pingback headers and XML-RPC discovery links. Falls back to PHP blocking on Nginx.
REST API Protection — Restrict access to WordPress REST API endpoints for unauthenticated users. Prevents data enumeration and unauthorized access while keeping essential endpoints functional.
Custom login URL — Hide wp-login.php behind a custom URL slug to prevent automated attacks.
Blocked IP logging — Every access attempt from blacklisted or locked-out IPs is logged with IP address, user agent, and request URL.
Passwordless login features (requires free Authyo API keys):
Email OTP login — Users receive a one-time password via email and log in without a traditional password.
Google Authenticator fallback — Server-side verified 2FA as a backup method after multiple OTP attempts.
Secure login tokens — Cryptographically generated, single-use, browser-bound tokens that expire after 5 minutes.
AJAX-powered login — Smooth login experience with no page reloads.
How It Works
Security (works immediately after activation):
Activate the plugin — brute-force protection and security logs start automatically
Go to Settings > Authyo Passwordless Login > Security tab
Enable XML-RPC Protection, REST API Protection, and Custom Login URL as needed
Visit Authyo Logs to monitor activity and manage IPs
Passwordless login (requires API keys):
User enters their email on the WordPress login page
A one-time password (OTP) is sent to their email
User enters the OTP code
WordPress logs the user in automatically — no password required
External Services
This plugin connects to Authyo’s external API only for passwordless login and Google Authenticator features. All security features (brute-force protection, IP manager, security logs, XML-RPC protection, REST API protection, custom login URL) work locally without any external service.
OTP Authentication:
User email address is sent to Authyo API when requesting an OTP
OTP code and Mask ID are sent to Authyo API for verification
Google Authenticator Verification:
Verification token is sent to Authyo API for server-side validation
The Authyo 2FA SDK script is loaded from https://app.authyo.io/js/v1/auth-2fasdk.js
Usage Tracking (Opt-In Only):
If the user explicitly opts in, plugin version, WordPress version, and site URL are sent when settings are saved. Deactivation feedback is sent when the plugin is deactivated. No tracking data is sent without user consent.
Authentication Flow:
After OTP verification, the plugin generates a secure single-use token using WordPress core functions
Token is browser-bound using a hashed User-Agent signature to prevent session hijacking
Token is stored temporarily in WordPress transients (5-minute expiry) and deleted immediately after use
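The token flow just described, written out as an added illustration using WordPress core functions. This is not the plugin's own code; the `authyo_demo_*` function names, the transient key prefix and the `redeem` return convention are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code): single-use, browser-bound login token kept in a
// WordPress transient for 5 minutes and deleted on first use. Assumes a WordPress runtime.

const AUTHYO_DEMO_TOKEN_TTL = 5 * MINUTE_IN_SECONDS; // 5-minute expiry as described above

function authyo_demo_ua_signature( string $user_agent ): string {
    // wp_hash() is an HMAC keyed with the site's AUTH_KEY/AUTH_SALT, so the signature
    // cannot be recomputed by anyone who only reads the database.
    return wp_hash( $user_agent, 'auth' );
}

// Called only after the OTP has been verified. Returns the raw token to hand to the browser.
function authyo_demo_issue_login_token( int $user_id, string $user_agent ): string {
    // 64 random characters from WordPress core's CSPRNG-backed helper.
    $token = wp_generate_password( 64, false, false );
    // Store under a keyed hash of the token, so a DB read alone does not yield a usable token.
    set_transient(
        'authyo_demo_login_' . wp_hash( $token, 'auth' ),
        array(
            'user_id' => $user_id,
            'ua_sig'  => authyo_demo_ua_signature( $user_agent ),
        ),
        AUTHYO_DEMO_TOKEN_TTL
    );
    return $token;
}

// Redeem a token once. Returns the user ID on success or a WP_Error on any failure.
function authyo_demo_redeem_login_token( string $token, string $user_agent ) {
    $key  = 'authyo_demo_login_' . wp_hash( $token, 'auth' );
    $data = get_transient( $key );
    if ( false === $data ) {
        return new WP_Error( 'invalid_token', 'Token missing, expired or already used.' );
    }
    // Single use: delete before the remaining checks so a rejected attempt still burns the token.
    delete_transient( $key );
    // Constant-time compare of the stored browser signature. Note for defenders: a User-Agent
    // binding is a secondary check only; expiry and single use carry most of the weight.
    if ( ! hash_equals( $data['ua_sig'], authyo_demo_ua_signature( $user_agent ) ) ) {
        return new WP_Error( 'ua_mismatch', 'Token was issued to a different browser.' );
    }
    return (int) $data['user_id'];
}

// Typical use in a login handler (user agent taken from the request):
//   $user_id = authyo_demo_redeem_login_token( $token, $_SERVER['HTTP_USER_AGENT'] ?? '' );
//   if ( ! is_wp_error( $user_id ) ) { wp_set_auth_cookie( $user_id ); }
```

A second call with the same token returns the `invalid_token` error because the transient was deleted on the first redemption.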
Data Storage:
OTP session data stored temporarily in WordPress transients (10-minute expiry)
Login tokens stored temporarily in WordPress transients (5-minute expiry, single-use)
Security logs stored in a custom database table with configurable retention
IP whitelist and blacklist stored in a custom database table
No user data is permanently stored beyond security logs
Service URLs:
API: https://app.authyo.io/api/v1/
2FA SDK: https://app.authyo.io/js/v1/auth-2fasdk.js
Tracking: https://app.authyo.io/api/v1/user/WordpressWebhook
Terms of Service: https://authyo.io/terms-service
Privacy Policy: https://authyo.io/privacy-policy
