Wondering how you can create those cool WordPress auto-login links where you don’t need to enter your username/password combination? This article explains how and it is really simple by the way. Keep in mind also that this implementation is ready for WordPress Multisite installs.
But before we start, a quick heads up about security. If you decide to use the method described below, please make sure that you implement it properly and add extra security layers that may be needed in your particular situation.
Here’s what we are going to do:
- Add a new user and include a custom field that contains a secret login key. If the user already exists, then all we need to do is add the custom field
- Add a WordPress custom endpoint to handle the custom auto-login link
- Send an e-mail to our user with the auto-login link
Adding a new user with a secret key field
The code below shows how to do this. The secret key field is going to be used on the auto-login link. It is basically an extra layer of security, because if we implement this script without that secret key, anyone would access the WordPress admin area as long as they knew the e-mail that is associated with a specific user. Here’s the PHP code that you can add to the theme functions.php file:
Adding a WordPress custom endpoint with validation
The idea here is to create a special route/link to handle the auto-login request. When someone opens this type of link, a special handler/function checks if the username and secret key match. If yes the user logs into his dashboard (once again this is multisite ready). If not an error message is returned. Here’s the PHP code that you can add to the theme functions.php file:
Send an e-mail with the auto-login link
This is the final step. Read info from user and send an e-mail with the auto-login link using the endpoint we create on the previous step. Once again, here’s the PHP code that you can add to the theme functions.php file:
As always, if you have any feedback on this tutorial or got stuck somewhere, please send me a message using the contact form below. I would love to hear from you.
But how can the user know that secret key?
The secret key is not the login password. That is why we send an email with the auto-login link. After logging in the user can change his password.
He can also ask for a password recovery using WordPress’ default functionalities.