Description
WP OAuth2 adds “Login with WordPress.com” (OAuth2) to your WordPress login screen and a connect/disconnect widget on user profile pages. It’s designed for agencies and teams managing multiple sites who want a consistent WordPress.com login without installing Jetpack.
External Service: WordPress.com OAuth2 API
– Service purpose: Authenticate users with their WordPress.com accounts.
– Data sent: Client ID, redirect URI, OAuth authorization code, and standard HTTP request metadata during the OAuth flow.
– Data received: WordPress.com user ID, email, and display name to link or create WordPress users.
– Service terms: https://wordpress.com/tos/
– Privacy policy: https://automattic.com/privacy/
Features:
- WordPress.com login (OAuth2 “auth” scope).
- Link or unlink WordPress users to WordPress.com accounts.
- Auto-create users when no matching email exists (optional).
- Allowlist by email domain or WordPress.com user ID (optional).
- Audit log of the last 20 OAuth attempts (optional).
- Stores only WordPress.com user ID in user meta (no access tokens stored).
- Short-lived OAuth state with HttpOnly cookie + transient for CSRF protection.
Setup requires creating a WordPress.com application and adding the redirect URI shown in the plugin settings. Feature toggles let you enable or disable the login button, profile widget, auto-create users, admin notices, allowlists, and the audit log.
Privacy
This plugin connects to WordPress.com to authenticate users. It stores the WordPress.com user ID in WordPress user meta to link accounts. OAuth access tokens are used during the login flow and are not stored. A short-lived HttpOnly cookie and transient are used for OAuth state validation and expire automatically. If the audit log is enabled, the last 20 OAuth attempts are stored (time, status, IP address, and basic details) in a non-autoloaded option. WordPress.com service terms: https://wordpress.com/tos/ and privacy policy: https://automattic.com/privacy/.
Installation
- Upload the plugin folder to
/wp-content/plugins/or install via the WordPress plugin uploader. - Activate the plugin through the Plugins menu.
- Go to WP OAuth2 in the WordPress admin menu and enter your WordPress.com App Client ID and Client Secret.
- Copy the Redirect URI shown on the settings page into your WordPress.com app configuration.
- Use the login button on the WordPress login screen or link accounts from profile screens.
FAQ
-
Do I need Jetpack?
-
No. This plugin uses WordPress.com OAuth2 directly and does not require Jetpack.
-
What permissions are requested?
-
The OAuth request uses the WordPress.com “auth” scope to authenticate the user.
-
What data is stored?
-
The plugin stores the WordPress.com user ID in user meta to link accounts. It does not store OAuth access tokens. A short-lived state cookie and transient are used during the OAuth flow and expire automatically.
-
How do allowlists work?
-
You can restrict login to specific email domains and/or WordPress.com user IDs from the settings page. When enabled, an empty list blocks all logins.
-
What does the audit log store?
-
When enabled, the plugin stores the last 20 OAuth attempts (time, status, and basic details) in a non-autoloaded option for debugging.
-
Can it auto-create users?
-
Yes. If a WordPress.com user has no linked account and no matching email, a new user is created.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“OAuth2 Account Login” is open source software. The following people have contributed to this plugin.
Contributors
Translate “OAuth2 Account Login” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.0.0
- Initial release with WordPress.com OAuth2 login, account linking, feature toggles, allowlists, and audit log.