外掛標籤
開發者團隊
原文外掛簡介
oOMF! Access gives WordPress sites a better front door: a polished login page, guided account flows, passwordless magic links, social sign-in, safe redirects, CAPTCHA, hide-admin controls, honeypots, throttling, and lockout protection.
It is built for agencies, membership sites, product teams, and site owners who want a professional sign-in experience without hand-rolling templates, OAuth plumbing, redirect rules, and abuse controls for every project.
Why teams use it
A login page worth sharing – replace the default WordPress screen with a branded page powered by [oomf_access_form], theme-aware styling, logo controls, custom copy, gradients, and live admin previews.
One flow for every access moment – keep login, registration, lost password, password reset, logged-in states, and magic-link requests inside the same consistent interface.
Passwordless and social sign-in – offer email magic links plus Google, Apple, GitHub, Microsoft, and Facebook providers with provider-specific setup hints.
Redirects you can trust – send people to the right page after login/logout while validating redirect_to values and exposing filters for approved external hosts.
Layered anti-abuse controls – enable reCAPTCHA, hCaptcha, honeypots, soft throttling, lockouts, secret login paths, and emergency bypass flows from wp-admin.
Developer-friendly internals – focused hooks and filters let you customize destinations, CAPTCHA behavior, provider handling, inline CSS, and allowed redirect hosts.
Built for the real WordPress admin
The settings screen includes a live preview, grouped controls for content/appearance/behavior/security, provider previews, and setup copy for external services. Frontend and admin assets load only where needed and are versioned with filemtime().
Privacy
oOMF! Access does not send data to oOMF! services. CAPTCHA and social login features connect only when you enable them and provide your own third-party credentials. Removing the plugin deletes its settings, and the generated login page can also be removed via the oomf_access/delete_page_on_uninstall filter.
External services
oOMF! Access connects to outside services only when the related feature is enabled.
Google reCAPTCHA (v2/v3)
Purpose: spam and abuse protection for access forms.
Endpoints: https://www.google.com/recaptcha/api.js and https://www.google.com/recaptcha/api/siteverify.
Data sent: site key/secret, visitor response token, action name, and optionally visitor IP.
Terms: https://policies.google.com/terms
Privacy: https://policies.google.com/privacy
hCaptcha
Purpose: CAPTCHA validation.
Endpoints: https://js.hcaptcha.com and https://hcaptcha.com/siteverify.
Data sent: site key/secret, response token, action name, and optionally visitor IP.
Terms: https://www.hcaptcha.com/terms
Privacy: https://www.hcaptcha.com/privacy
Google OAuth
Purpose: sign in with Google.
Endpoints: accounts.google.com/o/oauth2/v2/auth, oauth2.googleapis.com/token, and openidconnect.googleapis.com/v1/userinfo.
Data sent: authorization code, code verifier, redirect URI, client credentials, and selected scopes. Returned data can include name, verified email, avatar, and locale.
Terms: https://policies.google.com/terms
Privacy: https://policies.google.com/privacy
Apple Sign In
Purpose: sign in with Apple.
Endpoints: appleid.apple.com/auth/authorize and appleid.apple.com/auth/token.
Data sent: authorization code, client ID, redirect URI, and signed JWT assertions generated from your Apple key. Returned data can include name and email.
Terms: https://www.apple.com/legal/internet-services/terms/site.html
Privacy: https://www.apple.com/legal/privacy/
GitHub OAuth
Purpose: sign in with GitHub.
Endpoints: github.com/login/oauth/authorize, github.com/login/oauth/access_token, api.github.com/user, and api.github.com/user/emails.
Data sent: authorization code, client credentials, redirect URI, and scopes. Returned data can include ID, email, name, and avatar.
Terms: https://docs.github.com/en/site-policy/github-terms/github-terms-of-service
Privacy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement
Microsoft OAuth
Purpose: sign in with Microsoft.
Endpoints: login.microsoftonline.com/common/oauth2/v2.0/authorize, login.microsoftonline.com/common/oauth2/v2.0/token, and graph.microsoft.com/v1.0/me.
Data sent: authorization code, client credentials, redirect URI, and scopes. Returned data can include ID, email, name, and locale.
Terms: https://www.microsoft.com/licensing/terms/productoffering/MicrosoftOnlineServices/MOSPT
Privacy: https://privacy.microsoft.com/privacystatement
Facebook Login
Purpose: sign in with Facebook.
Endpoints: facebook.com/v18.0/dialog/oauth, graph.facebook.com/v18.0/oauth/access_token, and graph.facebook.com/v18.0/me.
Data sent: authorization code, app credentials, redirect URI, and scopes. Returned data can include ID, email, name, and avatar.
Terms: https://www.facebook.com/legal/terms
Privacy: https://www.facebook.com/policy.php
Hooks & Extension Points
oomf_access_redirect_destination – override the final destination after login.
oomf-access/allowed_redirect_hosts – allow approved external redirect hosts.
oomf-access/captcha/allow_external – control whether CAPTCHA network calls are allowed.
oomf_access_captcha_is_required – decide whether CAPTCHA is required for a request.
oomf_access_captcha_validate_result – customize CAPTCHA validation results.
oomf-access/inline_css – inject extra CSS into the admin preview and frontend.
