Easy Secure Login - Google One Tap & Sign-In
| 开发者 | hardtoskip |
|---|---|
| 更新时间 | 2025年10月28日 01:39 |
| 捐献地址: | 去捐款 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 6.8 |
| 版权: | GPL v2 or later |
| 版权网址: | 版权信息 |
详情介绍:
- Optional Passwordless Security: Ability to completely disable standard password logins, forcing all users to authenticate via Google's secure OAuth 2.0.
- Google Sign-In Button: A clean, modern "Continue with Google" button on your login page.
- Google One Tap: Allows logged-in Google users to sign in instantly with a single click via a non-intrusive pop-up.
- Complete User Management: Whitelist specific Google accounts and assign roles, or allow open registration for any Google user.
- Google Profile Picture Sync: Automatically syncs and displays Google profile pictures as user avatars in WordPress.
- Built-in Security Hardening:
- Disable XML-RPC to prevent common attacks.
- Disable the plugin and theme file editor.
- Hide your WordPress version number.
- Restrict REST API access to logged-in users.
- Block direct access to sensitive core files.
- User-Friendly Setup Wizard: A clean, multi-step guide to get your Google Cloud credentials configured in minutes.
- Actively Maintained for the latest WordPress versions. This plugin provides maximum login security while dramatically improving the user experience.
安装:
- Upload the plugin folder to
/wp-content/plugins/or install via Plugins → Add New in WordPress. - Activate the plugin through the Plugins menu.
- Go to Easy Secure Login in the WordPress admin sidebar to launch the setup wizard.
- Follow the setup wizard:
- Create a Google Cloud project and configure OAuth credentials.
- Add the "Authorized redirect URIs" and "Authorized JavaScript origins" provided by the wizard to your Google project.
- Enter your Google Client ID and Client Secret into the plugin settings.
- Configure authorized users or enable public sign-ups with a default role.
- Enable optional Google One Tap on your homepage.
- Review and enable additional security enhancements.
- Test the login flow on your WordPress login page.
常见问题:
Does this completely replace WordPress password login?
You can choose. By default, the plugin adds Google Sign-In as an alternative to the standard password login. For maximum security, you can enable the "Disable Password Login" option in the plugin's security settings. When enabled, all password-related functionality is disabled, including the login form, password reset, and standard registration forms. This protects you from brute-force and password-guessing attacks.
Can I allow only specific users?
Yes. In the "Users" step of the wizard, you can build a whitelist of authorized Google email addresses and assign a specific WordPress role to each.
What if I want to allow any Google user to register?
You can enable the "Allow New User Sign-Ups" option. Any user who authenticates with a Google account will have an account created for them with your chosen default role (Subscriber is recommended for safety).
How does Google One Tap work?
Google One Tap is automatically enabled on the login page. If a user is already signed into their Google account in their browser, a small pop-up will appear, allowing them to log in to your site with a single click, without ever leaving the page. You can also choose to enable this on your homepage.
What happens to existing WordPress users?
They can log in seamlessly using the Google account that matches their existing WordPress user email address. Their account will be linked automatically.
Is this plugin compatible with other login or security plugins?
Because it can completely replace the core WordPress authentication flow, it may conflict with other plugins that modify the login process (like other social logins, 2FA, or login page customizers) if you enable the "Disable Password Login" option. It is designed to be an all-in-one solution for login security.
How secure is this?
Extremely secure. The entire authentication process is handled by Google's OAuth 2.0 servers. The plugin uses recommended security practices like state tokens for CSRF protection and server-side token verification to ensure all logins are legitimate.
更新日志:
- Fatal Error Fix: Resolved a fatal error (
Call to undefined function is_user_logged_in()) caused by the plugin loading before the WordPress core was fully initialized. - "Headers Already Sent" Fix: Eliminated PHP warnings by moving all cookie-setting operations to appropriate early-loading hooks (
template_redirectandlogin_init), preventing conflicts with themes and other plugins. - Code Refactoring: Improved the reliability of the authentication flow by refactoring how the CSRF and OAuth state tokens are generated and handled.
- Feature: Added an option to disable standard WordPress password-based authentication, allowing administrators to enforce a Google-only login policy for enhanced security.
- Enhancement: The login page UI now adapts based on whether password login is disabled, ensuring a seamless user experience.
- Enhancement: Updated plugin description and FAQ to reflect the new optional passwordless functionality.
- Security: Hardened security by adding nonce verification to the login error display and One Tap callback handlers to prevent Cross-Site Request Forgery (CSRF) vulnerabilities.
- Security: Implemented the recommended OAuth 2.0
stateparameter validation during the standard Google Sign-In flow to protect against CSRF attacks. - Security: Improved data sanitization on the admin settings page to ensure redirect URLs are handled securely.
- Fix: Corrected a bug where the "Please configure your Google OAuth credentials" admin notice would persist even after the plugin was fully configured.
- Enhancement: Updated the readme.txt to include a comprehensive "External Services" section, clearly documenting the use of Google APIs as required by WordPress plugin guidelines.