Title: Authyo Passwordless Login
Author: Konceptwise Digital Media Pvt Ltd
Published: January 1, 2026
Last modified: June 8, 2026

---


![](https://ps.w.org/authyo-passwordless-login/assets/banner-772x250.png?rev=3520880)

![](https://ps.w.org/authyo-passwordless-login/assets/icon-256x256.png?rev=3430366)

# Authyo Passwordless Login

 By [Konceptwise Digital Media Pvt Ltd](https://profiles.wordpress.org/konceptwise/)

[Download](https://downloads.wordpress.org/plugin/authyo-passwordless-login.1.0.8.zip)


## Description

Authyo Passwordless Login is a WordPress login security plugin that protects your
site with brute-force protection, IP blacklisting, security activity logs, XML-RPC
blocking, REST API protection, and a custom login URL. All security features work
immediately after activation — no API keys or account registration needed.

Optionally, add Authyo API credentials to enable passwordless OTP login where users
log in with a one-time password sent to their email instead of a traditional password.

**Security features that work without API keys:**

 * **Brute-force protection** — Limit login attempts per IP and username with progressive
   lockout durations. Repeat offenders are automatically blacklisted.
 * **IP Manager** — Whitelist trusted IPs and blacklist attackers. Includes search,
   filter, pagination, and per-page selector for large lists.
 * **Security activity logs** — Track every login, logout, failed attempt, lockout,
   and blocked access. Includes request URL tracking, date filters, search, and 
   CSV export.
 * **Disable XML-RPC** — Block xmlrpc.php requests at the server level using .htaccess
   rules. Removes X-Pingback headers and XML-RPC discovery links. Falls back to 
   PHP blocking on Nginx.
 * **REST API Protection** — Restrict access to WordPress REST API endpoints for
   unauthenticated users. Prevents data enumeration and unauthorized access while
   keeping essential endpoints functional.
 * **Custom login URL** — Hide wp-login.php behind a custom URL slug to prevent 
   automated attacks.
 * **Blocked IP logging** — Every access attempt from blacklisted or locked-out 
   IPs is logged with IP address, user agent, and request URL.

**Passwordless login features (requires free Authyo API keys):**

 * **Email OTP login** — Users receive a one-time password via email and log in 
   without a traditional password.
 * **Google Authenticator fallback** — Server-side verified 2FA as a backup method
   after multiple OTP attempts.
 * **Secure login tokens** — Cryptographically generated, single-use, browser-bound
   tokens that expire after 5 minutes.
 * **AJAX-powered login** — Smooth login experience with no page reloads.

### How It Works

**Security (works immediately after activation):**

 1. Activate the plugin — brute-force protection and security logs start automatically
 2. Go to Settings > Authyo Passwordless Login > Security tab
 3. Enable XML-RPC Protection, REST API Protection, and Custom Login URL as needed
 4. Visit Authyo Logs to monitor activity and manage IPs

**Passwordless login (requires API keys):**

 1. User enters their email on the WordPress login page
 2. A one-time password (OTP) is sent to their email
 3. User enters the OTP code
 4. WordPress logs the user in automatically — no password required

### External Services

This plugin connects to Authyo’s external API only for passwordless login and Google
Authenticator features. All security features (brute-force protection, IP manager,
security logs, XML-RPC protection, REST API protection, custom login URL) work locally
without any external service.

**OTP Authentication:**

 * User email address is sent to Authyo API when requesting an OTP
 * OTP code and Mask ID are sent to Authyo API for verification

**Google Authenticator Verification:**

 * Verification token is sent to Authyo API for server-side validation
 * The Authyo 2FA SDK script is loaded from [https://app.authyo.io/js/v1/auth-2fasdk.js](https://app.authyo.io/js/v1/auth-2fasdk.js)

**Usage Tracking (Opt-In Only):**

If the user explicitly opts in, plugin version, WordPress version, and site URL 
are sent when settings are saved. Deactivation feedback is sent when the plugin 
is deactivated. No tracking data is sent without user consent.

**Authentication Flow:**

 * After OTP verification, the plugin generates a secure single-use token using 
   WordPress core functions
 * Token is browser-bound using a hashed User-Agent signature to prevent session
   hijacking
 * Token is stored temporarily in WordPress transients (5-minute expiry) and deleted
   immediately after use
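The flow in the list above can be sketched with WordPress core functions as follows. This is an added example, not the plugin's own code; every `example_*` name and the transient prefix are hypothetical.

```php
<?php
// Added illustration, not the plugin's source. All example_* names are hypothetical.

const EXAMPLE_TOKEN_TTL = 300; // 5-minute expiry, as stated above

// Keyed hash of the User-Agent, so the stored value is useless without the site salt.
function example_ua_signature() {
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? (string) $_SERVER['HTTP_USER_AGENT'] : '';
    return hash_hmac( 'sha256', $ua, wp_salt( 'auth' ) );
}

// Call after the OTP has been verified; returns the token to hand to the browser.
function example_issue_login_token( $user_id ) {
    $token  = wp_generate_password( 64, false ); // core helper backed by wp_rand()
    $record = array( 'user_id' => (int) $user_id, 'ua' => example_ua_signature() );
    // Key the transient by a hash of the token so the raw token is never stored.
    set_transient( 'example_login_' . hash( 'sha256', $token ), $record, EXAMPLE_TOKEN_TTL );
    return $token;
}

// Redeem a token: returns WP_User on success, WP_Error otherwise.
function example_redeem_login_token( $token ) {
    $key    = 'example_login_' . hash( 'sha256', (string) $token );
    $record = get_transient( $key );
    // Delete before any other check: a token gets one attempt, pass or fail.
    // Proceeding only when the delete succeeds narrows the window for parallel replays.
    if ( ! is_array( $record ) || ! delete_transient( $key ) ) {
        return new WP_Error( 'example_bad_token', 'Unknown, expired, or already used token.' );
    }
    if ( ! hash_equals( $record['ua'], example_ua_signature() ) ) {
        return new WP_Error( 'example_ua_mismatch', 'Token presented by a different browser.' );
    }
    $user = get_user_by( 'id', $record['user_id'] );
    if ( ! $user ) {
        return new WP_Error( 'example_no_user', 'Account no longer exists.' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID ); // session cookie; no "remember me"
    return $user;
}
```

The User-Agent header is not a secret, so the binding is defense in depth; the short expiry and single use carry most of the protection.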

**Data Storage:**

 * OTP session data stored temporarily in WordPress transients (10-minute expiry)
 * Login tokens stored temporarily in WordPress transients (5-minute expiry,
   single-use)
 * Security logs stored in a custom database table with configurable retention
 * IP whitelist and blacklist stored in a custom database table
 * No user data is permanently stored beyond security logs

**Service URLs:**

 * API: [https://app.authyo.io/api/v1/](https://app.authyo.io/api/v1/)
 * 2FA SDK: [https://app.authyo.io/js/v1/auth-2fasdk.js](https://app.authyo.io/js/v1/auth-2fasdk.js)

**Terms of Service:** [https://authyo.io/terms-service](https://authyo.io/terms-service)

**Privacy Policy:** [https://authyo.io/privacy-policy](https://authyo.io/privacy-policy)

## Screenshots

 * Authyo WordPress Passwordless Login
 * Authyo WordPress Passwordless Login Admin Panel

## Installation

 1. Upload the `authyo-passwordless-login` folder to `/wp-content/plugins/`
 2. Activate the plugin from the Plugins menu
 3. Security features start working immediately
 4. For passwordless login: go to Settings > Authyo Passwordless Login and enter your
    Authyo API credentials from [authyo.io](https://authyo.io)

## FAQ

### Do I need API keys to use the security features?

No. Brute-force protection, IP manager, security logs, XML-RPC protection, REST 
API protection, and custom login URL all work without any API keys. You only need
Authyo API keys for the passwordless OTP login feature.

### How does brute-force protection work?

The plugin tracks failed login attempts per IP address and per username. After exceeding
the configured threshold, the IP or username is temporarily locked out. Each subsequent
lockout lasts longer (progressive durations). Repeat offenders can be automatically
blacklisted permanently.
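A minimal version of this scheme, written as an added example and not taken from the plugin: the threshold, the lockout durations, and all `example_*` names are assumptions, and automatic blacklisting is left out.

```php
<?php
// Added illustration, not the plugin's source. Threshold and durations are assumed values.

const EXAMPLE_MAX_FAILS  = 5;                          // failures before a lockout
const EXAMPLE_LOCK_STEPS = array( 300, 1800, 86400 );  // 1st, 2nd, 3rd+ lockout (seconds)

// One counter per client IP and one per attempted username.
function example_bf_keys( $username ) {
    // REMOTE_ADDR is the proxy's address behind a reverse proxy; adjust for trusted proxies only.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return array(
        'example_bf_ip_' . md5( $ip ),
        'example_bf_user_' . md5( strtolower( (string) $username ) ),
    );
}

function example_bf_record_failure( $username ) {
    foreach ( example_bf_keys( $username ) as $key ) {
        $state = get_transient( $key );
        if ( ! is_array( $state ) ) {
            $state = array( 'fails' => 0, 'lockouts' => 0, 'until' => 0 );
        }
        $state['fails']++;
        if ( $state['fails'] >= EXAMPLE_MAX_FAILS ) {
            // Each new lockout uses the next, longer step; the last step repeats.
            $step           = min( $state['lockouts'], count( EXAMPLE_LOCK_STEPS ) - 1 );
            $state['until'] = time() + EXAMPLE_LOCK_STEPS[ $step ];
            $state['lockouts']++;
            $state['fails'] = 0;
        }
        set_transient( $key, $state, 2 * DAY_IN_SECONDS );
    }
}
add_action( 'wp_login_failed', 'example_bf_record_failure' );

// Priority 30 runs after core's password check (20), so a lockout overrides a correct password.
function example_bf_enforce( $user, $username ) {
    foreach ( example_bf_keys( $username ) as $key ) {
        $state = get_transient( $key );
        if ( is_array( $state ) && $state['until'] > time() ) {
            return new WP_Error( 'example_locked_out', 'Too many failed attempts. Try again later.' );
        }
    }
    return $user;
}
add_filter( 'authenticate', 'example_bf_enforce', 30, 2 );
```

Locking per username as well as per IP means a third party can lock a known account out on purpose, which is one reason to keep the early lockout steps short.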

### What does REST API Protection do?

It restricts access to WordPress REST API endpoints for unauthenticated users. By
default, WordPress exposes REST API endpoints like /wp-json/wp/v2/users that can
reveal usernames and other site data. When enabled, only logged-in users can access
the REST API while essential public endpoints continue to work normally.
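One way to implement this kind of restriction with the core `rest_authentication_errors` filter, as an added example rather than the plugin's code. The allowlist contents and the `example_*` names are assumptions; the page does not say which endpoints the plugin treats as essential.

```php
<?php
// Added illustration, not the plugin's source. Names and the allowlist are assumptions.

function example_public_rest_prefixes() {
    // Hypothetical "essential" namespaces that stay reachable without login.
    return array( '/oembed/1.0' );
}

function example_restrict_rest_api( $result ) {
    // Respect a decision already made by an earlier authentication handler.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( is_user_logged_in() ) {
        return $result;
    }
    // rest_route is set for both /wp-json/... and ?rest_route=... requests.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? untrailingslashit( (string) $GLOBALS['wp']->query_vars['rest_route'] )
        : '';
    foreach ( example_public_rest_prefixes() as $prefix ) {
        // Match the namespace itself or a path below it, never a look-alike prefix.
        if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
            return $result;
        }
    }
    return new WP_Error(
        'example_rest_login_required',
        'Authentication is required for this endpoint.',
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_authentication_errors', 'example_restrict_rest_api', 20 );
```

With this filter active, an anonymous request to `/wp-json/wp/v2/users` receives a 401 error response instead of the user list, which is a quick check that the restriction is in effect.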

### What does XML-RPC protection do?

It blocks all requests to xmlrpc.php at the server level using .htaccess rules on
Apache and LiteSpeed servers. On Nginx servers, a PHP-level fallback handles the
blocking. It also removes the X-Pingback header and XML-RPC discovery links. Whitelisted
IPs are exempt.

### How does passwordless login work?

Users enter their email address on the login page, receive a one-time password via
email, enter the OTP code, and are logged in automatically. No password is needed.
Requires Authyo API keys.

### How do I manage blocked IPs?

Go to Authyo Logs > IP Manager. You can search by IP or label, filter, and paginate
through whitelisted and blacklisted IPs. The page also shows active lockouts with
options to unlock or permanently blacklist IPs.

### Can I use this with custom login pages?

Yes. Use the shortcode `[authyo_login]` on any page, or call `authyo_passwordless_login_form()`
in your theme templates.

### Is this plugin secure?

Yes. The plugin implements multiple security layers including XML-RPC blocking at
server level, REST API protection, brute-force protection with progressive lockouts,
nonce verification for all AJAX requests, cryptographically secure token generation,
browser-bound single-use tokens, server-side Google Authenticator verification, 
open redirect prevention, and blocked IP logging.

## Reviews

There are no reviews for this widget.

## Contributors & Developers

“Authyo Passwordless Login” is open source software. The following people have
contributed to this plugin.

Contributors

 *   [ Konceptwise Digital Media Pvt Ltd ](https://profiles.wordpress.org/konceptwise/)

[Translate “Authyo Passwordless Login” into your language.](https://translate.wordpress.org/projects/wp-plugins/authyo-passwordless-login)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/authyo-passwordless-login/),
check out the [SVN repository](https://plugins.svn.wordpress.org/authyo-passwordless-login/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/authyo-passwordless-login/)
by [RSS](https://plugins.trac.wordpress.org/log/authyo-passwordless-login/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.8

 * Performance improvements

#### 1.0.7

 * Performance improvements and stability enhancements

#### 1.0.6

 * Added REST API Protection to restrict unauthorized access to WordPress REST API
   endpoints

#### 1.0.5

 * Added XML-RPC protection with server-level .htaccess blocking and PHP fallback
 * Added request URL tracking in security logs
 * Added blocked IP logging for blacklisted and locked-out access attempts
 * Added search and pagination to IP Manager with per-page selector (20, 50, 100)
 * Added whitelist and blacklist count summary in IP Manager
 * Added server-side verification for Google Authenticator
 * Migrated IP whitelist/blacklist data from wp_options to a dedicated database 
   table
 * Improved login token security and validation
 * Improved redirect security across login flows
 * Fixed “page not found” issue with custom login URL after OTP verification
 * Fixed database compatibility with MySQL strict mode
 * Fixed database upgrade reliability on various server environments
 * Multiple security hardening improvements
 * General bug fixes and performance improvements

#### 1.0.4

 * Added new security logs feature

#### 1.0.3

 * Added video tutorial to readme
 * Improved Google Authenticator fallback logic to hide on non-existent users
 * Minor bug fixes

#### 1.0.2

 * Added two factor authenticator as backup method
 * Performance improvements

#### 1.0.1

 * Performance improvements
 * Screenshot addon

#### 1.0.0

 * Initial release
 * Passwordless login with OTP verification
 * Secure token-based authentication
 * WordPress login page integration
 * Custom login shortcode
 * Admin settings page
 * AJAX-powered login flow

## Meta

 *  Version **1.0.8**
 *  Last updated **3 weeks ago**
 *  Active installations **Fewer than 10**
 *  WordPress version **5.0 or higher**
 *  Tested up to **7.0**
 *  PHP version **7.2 or higher**
 *  Language: [English (US)](https://wordpress.org/plugins/authyo-passwordless-login/)
 *  Tags: [brute force protection](https://da.wordpress.org/plugins/tags/brute-force-protection/),
    [disable xmlrpc](https://da.wordpress.org/plugins/tags/disable-xmlrpc/),
    [login security](https://da.wordpress.org/plugins/tags/login-security/),
    [passwordless login](https://da.wordpress.org/plugins/tags/passwordless-login/),
    [rest api security](https://da.wordpress.org/plugins/tags/rest-api-security/)
 *  [Advanced view](https://da.wordpress.org/plugins/authyo-passwordless-login/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/authyo-passwordless-login/reviews/#new-post)

[See all reviews.](https://wordpress.org/support/plugin/authyo-passwordless-login/reviews/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/authyo-passwordless-login/)