Autologin Links

WARNING: THIS PLUGIN CAN BE INSECURE IF NOT USED CAUTIOUSLY. Allows selected users to autologin to your WordPress website via autologin links.

This plugin allows administrators to generate autologin links for their WordPress website, logging in visitors under a certain user name. Administrators can edit (generate and delete) autologin links for users; users can only view their autologin links. Note that this plugin bypasses the standard WordPress authentication method of login and password and should only be used if you understand the security issues mentioned below and on the plugin website.

Usage

Once this plugin is activated, administrators can generate autologin links on the edit profile administration pages for different users. Users can view their autologin links on their profile pages. Autologin links are of the form:

http://yourwebsite/[subdirectory/]?autologin_code=ABC123

For more convenience, since version 1.05 it is possible to generate login links directly using the WordPress site-preview functionality. When viewing a page while logged in as an administrator, the top bar shows an extra item, "Auto-login link". Pointing at the menu item opens a dropdown listing all users for whom autologin links were generated on their profile pages. Clicking one of the users opens a popup showing the link that will automatically log a visitor in as the selected user and bring them to the current page.

Security issues

Since autologin links are meant to be an OPEN way to log in to your website and can be viewed by users on their profile, it might be considered an INSECURE plugin for WordPress. I did my best to make it as secure as possible to fit my own needs, but this led to some design choices which might not sit well with all administrators:

Autologin codes are saved as plain text. This means that anyone who can execute queries on the WordPress database (plugins, administrators, system administrators) can obtain the autologin code for a certain user. I planned an extension of this plugin where login codes are hashed. However, this again has the disadvantage that no one can redisplay a login link once it has been generated.

This is the most severe problem. For a full self-assessment of possible security issues regarding this problem, please visit the plugin website.
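
The hashed-storage trade-off described above, as an added example that is not the plugin's own code: only a SHA-256 digest of each code is kept, so someone who can read the table cannot recover a working link, and the link can be displayed only at generation time. The class `AutologinStore`, its in-memory array and user id 7 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory stand-in for the table of login codes (not the plugin's schema).
// Maps sha256(code) => user id; the code itself is never stored.
final class AutologinStore
{
    /** @var array<string,int> */
    private array $userByDigest = [];

    /** Issue a code for a user. The return value is the only time it is visible. */
    public function generate(int $userId): string
    {
        $this->revoke($userId);                 // one active code per user
        $code = bin2hex(random_bytes(32));      // 256 random bits, so a plain fast hash suffices
        $this->userByDigest[hash('sha256', $code)] = $userId;
        return $code;
    }

    /** Map a submitted autologin_code to a user id, or null if it is unknown. */
    public function resolve($submitted): ?int
    {
        // Query parameters can arrive as arrays or carry unexpected characters.
        if (!is_string($submitted) || !preg_match('/\A[0-9a-f]{64}\z/', $submitted)) {
            return null;
        }
        return $this->userByDigest[hash('sha256', $submitted)] ?? null;
    }

    public function revoke(int $userId): void
    {
        $this->userByDigest = array_filter(
            $this->userByDigest,
            static fn (int $id): bool => $id !== $userId
        );
    }

    /** What anyone with read access to the table would see: digests only. */
    public function dump(): array
    {
        return $this->userByDigest;
    }
}

// Constructed demo: user id 7 and the placeholder host used on this page.
$store = new AutologinStore();
$code  = $store->generate(7);
echo "Shown once: http://yourwebsite/?autologin_code={$code}\n";
var_dump($store->resolve($code), $store->resolve(['x']), $store->dump());
```

Regenerating a code replaces the stored digest, which is the only way to hand out a link again once the original has been lost.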

Requires: 3.1 or higher
Compatible up to: 4.4.4
Last Updated: 6 months ago
Active Installs: 1,000+

Ratings

5 out of 5 stars

Support

0 of 1 support threads in the last two months have been marked resolved.
