Description
Employee Verification & Document Authentication is a complete HR document management system for WordPress. Issue tamper-proof internship completion letters and experience letters with unique verification IDs and QR codes, then let anyone verify authenticity through a simple public-facing page.
Key Features
Employee Management
* Add, edit, and delete employee profiles with photos
* Track Active, Intern, and Former Employee statuses
* Store joining date, leaving date, internship period, CNIC, father name, and tasks completed
* Bulk import employees via CSV
* Custom fields system — define global fields and fill per employee
Document Generation
* Issue Internship Completion Letters and Experience Letters
* One letter per type per employee — enforced at database level
* Letters render live on every view, always reflecting your current settings
* Print / Save as PDF from the browser (A4 size, printer-ready)
Verification System
* Every letter gets a unique 16-character cryptographically random Verification ID
* QR code on each letter links directly to the document verification page
* Public shortcodes for employee and document verification
* [evda_employee_verification] — search employees by ID, Name, or CNIC
* [evda_document_verification] — verify letters by ID or QR scan
Letter Customization (Settings)
* Company logo on all letters
* Full typography control: font, size, line height, colors
* Editable letter body templates with placeholders
* Optional signature block: name, title, and uploaded signature image
* Custom footer message (office address, phone, website)
* Toggle: QR code, border/shadow, title underline
* All styling changes apply instantly to existing letters — no regeneration needed
Email Notifications
* Auto-email employees when a letter is issued
* Configurable subject and body templates with placeholders
* Email logs with last 100 send attempts
* Test email button
Admin Search Flexibility
* Choose which fields visitors can search on: Employee ID, Full Name, and/or CNIC
Shortcodes
[evda_employee_verification] — Public employee lookup form.
[evda_document_verification] — Public document verification form. Also works via URL: `?id=VERIFICATION_ID`
Privacy
This plugin stores employee data entered by the site administrator. No data is sent to external services except for QR code generation (uses a public QR API or falls back to a local generator). No tracking or analytics are included.
External Services
This plugin optionally connects to two external QR code generation APIs when generating QR codes for employee letters. These APIs are only called server-side (never from the visitor’s browser) when WordPress is generating a letter or verification page.
1. goQR.me API
- What it does: Generates a QR code PNG image for a verification URL.
- When it is called: When a new letter is generated and the PHP GD extension is unavailable.
- Data sent: The public verification URL (e.g. https://yoursite.com/?evda_verify_doc=XXXX). No personal data is transmitted.
- Service provider: goQR.me — https://goqr.me
- Terms of use: https://goqr.me/terms-of-use/
- Privacy policy: https://goqr.me/privacy-policy/
2. Google Charts API
- What it does: Fallback QR code PNG generation if the goQR.me API is unavailable.
- When it is called: Only if the goQR.me API call fails and the PHP GD extension is unavailable.
- Data sent: The public verification URL only. No personal data is transmitted.
- Service provider: Google LLC — https://developers.google.com/chart
- Terms of use: https://developers.google.com/terms
- Privacy policy: https://policies.google.com/privacy
If both external APIs are unavailable (e.g. the server has no outbound internet access), the plugin automatically falls back to a locally-generated QR code using the PHP GD library — no external request is made.
License
This plugin is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or any later version.
Installation
- Upload the `employee-verification` folder to `/wp-content/plugins/`, or install via Plugins → Add New → Upload Plugin.
- Activate the plugin. Database tables are created automatically.
- Create two WordPress pages and add shortcodes:
  - A page with [evda_employee_verification]
  - A page with [evda_document_verification]
- Go to Employee Verify → Settings → General and assign those pages.
- Upload your company logo and configure styling as desired.
- Add employees under Employee Verify → Employees and start generating letters.
FAQ
Do I need any extra libraries or Composer?
No. The plugin works out of the box with no dependencies. Letters are rendered as printer-friendly HTML pages which users can save as PDF using Ctrl+P → Save as PDF.

Are generated letters affected by settings changes?
Yes. Letters are rendered live on every view, so any change to typography, colors, signature, footer message, or other settings is immediately reflected on all existing letters without needing to regenerate them.

Is the verification system secure?
Verification IDs are 16-character uppercase hex strings generated using PHP’s `random_bytes()` (cryptographically secure). All inputs are sanitized and validated. All admin actions are protected by WordPress nonces. Database queries use `$wpdb->prepare()`.

Can I search employees by CNIC on the public page?
Yes. Go to Settings → General → Employee Search Fields and enable the CNIC option (along with Employee ID and/or Full Name).

What happens to data when I deactivate the plugin?
Deactivating the plugin removes the plugin’s database version marker but leaves all employee and document data intact. Data is only removed if you uninstall the plugin.

Can I bulk-import employees?
Yes. Go to Employee Verify → Employees and use the CSV Import section. A downloadable template is provided.
Changelog
1.3.2
- Security: Complete nonce & permissions audit — all AJAX handlers verified to use both check_ajax_referer() and current_user_can(); nonce never used alone for authorization.
- Security: Full output escaping audit — all echo statements use esc_html(), esc_attr(), esc_url(), wp_kses(), or wp_kses_post() at point of output; no raw variables echoed.
- Security: DB error messages no longer exposed to browser in AJAX responses.
- Fixed: QR code not displaying on document verification page — wp_kses() was stripping data: URI from img src; fixed with direct echo + esc_attr().
- Fixed: QR API timeout reduced from 5s to 3s for faster offline fallback on localhost.
- Fixed: Added guaranteed base64 fallback so QR code area never renders as broken image.
1.3.1
- Fixed: wp_enqueue compliance — removed all inline `<script>` / `<style>` tags; CSS/JS for standalone letter page served via WordPress AJAX endpoints; all color picker event handlers moved to admin.js using data attributes.
- Fixed: Nonces & permissions — added current_user_can() + wp_verify_nonce() to page_employees(); public nopriv endpoints use HMAC token (wp_hash) with inline phpcs:ignore and full explanation.
- Fixed: Escaping — all echo statements now use esc_html(), esc_attr(), esc_url(), wp_kses(), or phpcs:ignore with justification; replaced direct echo of build_letter() with dedicated output_letter() method.
- Fixed: Unsafe SQL — all table name variables wrapped with esc_sql(validate_table()); dbDelta() used for schema management; all queries use inline phpcs:ignore; fixed evda_patch_old_letters(), class-ev-import.php, and uninstall.php.
- Fixed: QR code not showing on letters — corrected domain validation in evda_serve_qr_image() to check against site home_url() instead of QR API domains.
- Fixed: Removed empty unused folders (templates/, public/, libs/).
- Fixed: All global variables in uninstall.php prefixed with evda_.
1.3.0
- wp_enqueue compliance: Removed all inline `<script>` and `<style>` tags. CSS served via `evda_letter_css` AJAX endpoint (Content-Type: text/css). JS served via `evda_letter_js` AJAX endpoint. Print button onclick moved to enqueued JS. All color picker oninput/onchange handlers moved to admin.js using data attributes.
- Nonces & permissions: Added `current_user_can()` + `wp_verify_nonce()` to `page_employees()`. Public endpoints (QR image, letter CSS/JS) use HMAC token (wp_hash) with detailed code comments explaining why session nonces cannot be used for public/nopriv endpoints.
- Escaping: Replaced `echo build_letter()` with dedicated `EVDA_PDF::output_letter()` method that sets Content-Type headers and outputs pre-escaped HTML. All dynamic values inside `build_letter()` are escaped via `esc_html()`, `esc_attr()`, `esc_url()` at point of construction.
- Unsafe SQL: Replaced raw `$wpdb->query("CREATE TABLE...")` and `ALTER TABLE` loops with `dbDelta()` — the WordPress-standard method for schema management. Added `EVDA_Database::validate_table()` whitelist validator applied to all table name variables before SQL interpolation across all query files.
- Prefixing: All `ev_`/`EV_` identifiers renamed to `evda_`/`EVDA_` (classes, functions, defines, AJAX actions, options, nonces, shortcodes, form fields).
- Inline CSS removed: All `style=""` attributes moved to CSS classes in `admin.css` and `public.css`. Added `evda-` prefixed utility classes throughout.
- Added `saqibabbasi` to Contributors in readme.txt.
1.2.7
- Added `saqibabbasi` to Contributors list in readme.txt.
- Replaced inline `<style>` block in letter renderer with a PHP variable to satisfy wp_enqueue requirements.
- Added server-side hash token validation to the QR image AJAX endpoint to prevent open proxy abuse.
- Wrapped `paginate_links()` output with `wp_kses_post()` for proper escaping.
- Added detailed code comments on `build_letter()` echo explaining why wp_kses_post() cannot be used.
- Renamed all classes, functions, defines, AJAX actions, option names, nonces, shortcodes, and form fields from `ev_`/`EV_` to `evda_`/`EVDA_` prefix (4+ character unique prefix as required by WordPress.org).
- Fixed unsafe SQL in database upgrade path: applied `esc_sql()` to table names, `sanitize_key()` + `esc_sql()` to column names, and `$wpdb->prepare()` to SHOW COLUMNS queries.
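The HMAC token for public (nopriv) endpoints noted under 1.3.0 and 1.3.1, the QR endpoint token validation against open proxy abuse noted under 1.2.7, and the same-site URL check noted under 1.3.1 can be sketched together. This is an added example, not the plugin's own code: it runs as standalone PHP, every function name, the secret and the site URL are hypothetical, and `hash_hmac()` with a fixed key stands in for `wp_hash()`.

```php
<?php
// Added example, standalone PHP (no WordPress loaded); all names are hypothetical.
// EXAMPLE_SECRET is a constructed value standing in for the salt that keys wp_hash().
const EXAMPLE_SECRET = 'constructed-demo-secret-not-a-real-salt';
const EXAMPLE_HOME   = 'https://hr.example.test';

// Token the server embeds in the QR image URL when it renders a letter.
function example_qr_token(string $url): string {
    return hash_hmac('sha256', 'qr|' . $url, EXAMPLE_SECRET);
}

// True only when the URL's scheme and host match this site.
function example_is_same_site(string $url): bool {
    $u = parse_url($url);
    $h = parse_url(EXAMPLE_HOME);
    return is_array($u) && isset($u['scheme'], $u['host'])
        && strtolower($u['scheme']) === $h['scheme']
        && strtolower($u['host']) === $h['host'];
}

// Gate for the public QR endpoint; returns the HTTP status to send.
function example_qr_gate(array $query): int {
    $url   = $query['url'] ?? '';
    $token = $query['token'] ?? '';
    if (!is_string($url) || !is_string($token) || $url === '' || $token === '') {
        return 400; // missing or array-typed parameters
    }
    if (!example_is_same_site($url)) {
        return 403; // only this site's verification URLs are ever encoded
    }
    if (!hash_equals(example_qr_token($url), $token)) { // constant-time compare
        return 403; // this exact URL was not issued by the server
    }
    return 200; // safe to generate the QR image
}

// Constructed requests; the parameter name evda_verify_doc is the one shown on this page.
$good    = EXAMPLE_HOME . '/?evda_verify_doc=XXXX';
$other   = EXAMPLE_HOME . '/?evda_verify_doc=YYYY';
$foreign = 'https://other.example.test/x';
$cases = [
    'issued by server' => ['url' => $good,    'token' => example_qr_token($good)],
    'token reused'     => ['url' => $other,   'token' => example_qr_token($good)],
    'foreign host'     => ['url' => $foreign, 'token' => example_qr_token($foreign)],
    'array parameter'  => ['url' => [$good],  'token' => 'x'],
];
foreach ($cases as $name => $q) {
    printf("%-17s => %d\n", $name, example_qr_gate($q));
}
```

The foreign-host case is rejected even with a correctly keyed token, so the host check and the token check each hold on their own.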
1.2.6
- Fixed last Plugin Check warning: added phpcs:ignore on is_uploaded_file() line in class-ev-import.php to suppress InputNotSanitized on $_FILES tmp_name validation check.
1.2.5
- Fixed all remaining Plugin Check warnings: wp_unslash() on email color fields, phpcs:disable/enable blocks on multi-line DB queries, phpcs:ignore on insert/update/delete calls, and input sanitization suppressions for array_map patterns.
1.2.4
- Fixed admin Settings page tabs not working after JS refactor — rewrote admin.js as a single clean IIFE so all code including tab navigation runs correctly.
1.2.3
- Added proper `ev_` prefix to shortcodes ([evda_employee_verification], [evda_document_verification]).
- Moved all inline `<script>` and `<style>` blocks to enqueued `admin.js` and `admin.css` files.
- Removed external CDN dependency (qrcodejs); QR codes now generated server-side only.
- Added External Services documentation in readme.txt for QR API usage disclosure.
1.2.2
- Fixed all Plugin Check warnings: added missing wp_unslash(), esc_html/attr/url output escaping, isset() validation for $_POST/$_FILES, and phpcs:ignore suppressions for accepted custom-table DB patterns.
1.1.7
- Centered footer text on letters
- Updated plugin header to WordPress repository standards
- Author updated to SKFreelancers
1.1.6
- Tasks/responsibilities now display in a 3-column grid layout on letters
1.1.5
- Fixed live letter URL containing dynamic: prefix causing Document not found error
1.1.4
- Major: Letters now render live on every view — settings changes apply instantly to all existing letters
- No more static HTML files stored on disk
- Added one-click migration tool for existing static letters
1.1.3
- Fixed document delete not removing the file from disk
- Fixed patch counter reporting wrong number
1.1.2
- Footer now always pinned to the bottom of the A4 page using flexbox
- Added custom footer message field (office address, phone, website)
1.1.1
- Fixed fatal error on plugin deactivation (missing EVDA_Database::deactivate method)
1.1.0
- Fixed WordPress admin footer appearing inside settings panel (extra closing div)
- Letters now fixed at A4 size (794px × 1123px screen, 210mm × 297mm print)
1.0.9
- Added signature block setting: enable/disable, name, title, and uploaded image
- Added one-click tool to remove old Authorized Signatory block from existing letters
1.0.8
- Added configurable employee search fields (Employee ID, Full Name, CNIC)
- [evda_employee_verification] shortcode dynamically adapts to enabled search fields
1.0.7
- Added Father Name, CNIC, Tasks Completed, and Leaving Date fields
- Added custom fields system with per-employee values and show-in-letter toggle
- Editable letter templates with full placeholder support
- Letter preview in settings
- Styling settings: colors, typography, layout, QR toggle
- Settings page redesigned with tabbed layout





