Description
oOMF! Access gives WordPress sites a better front door: a polished login page, guided account flows, passwordless magic links, social sign-in, safe redirects, CAPTCHA, hide-admin controls, honeypots, throttling, and lockout protection.
It is built for agencies, membership sites, product teams, and site owners who want a professional sign-in experience without hand-rolling templates, OAuth plumbing, redirect rules, and abuse controls for every project.
Why teams use it
- A login page worth sharing – replace the default WordPress screen with a branded page powered by [oomf_access_form], theme-aware styling, logo controls, custom copy, gradients, and live admin previews.
- One flow for every access moment – keep login, registration, lost password, password reset, logged-in states, and magic-link requests inside the same consistent interface.
- Passwordless and social sign-in – offer email magic links plus Google, Apple, GitHub, Microsoft, and Facebook providers with provider-specific setup hints.
- Redirects you can trust – send people to the right page after login/logout while validating redirect_to values and exposing filters for approved external hosts.
- Layered anti-abuse controls – enable reCAPTCHA, hCaptcha, honeypots, soft throttling, lockouts, secret login paths, and emergency bypass flows from wp-admin.
- Developer-friendly internals – focused hooks and filters let you customize destinations, CAPTCHA behavior, provider handling, inline CSS, and allowed redirect hosts.
Built for the real WordPress admin
The settings screen includes a live preview, grouped controls for content/appearance/behavior/security, provider previews, and setup copy for external services. Frontend and admin assets load only where needed and are versioned with filemtime().
Privacy
oOMF! Access does not send data to oOMF! services. CAPTCHA and social login features connect only when you enable them and provide your own third-party credentials. Removing the plugin deletes its settings, and the generated login page can also be removed via the oomf_access/delete_page_on_uninstall filter.
External services
oOMF! Access connects to outside services only when the related feature is enabled.
Google reCAPTCHA (v2/v3)
- Purpose: spam and abuse protection for access forms.
- Endpoints: https://www.google.com/recaptcha/api.js and https://www.google.com/recaptcha/api/siteverify.
- Data sent: site key/secret, visitor response token, action name, and optionally visitor IP.
- Terms: https://policies.google.com/terms
- Privacy: https://policies.google.com/privacy
hCaptcha
- Purpose: CAPTCHA validation.
- Endpoints: https://js.hcaptcha.com and https://hcaptcha.com/siteverify.
- Data sent: site key/secret, response token, action name, and optionally visitor IP.
- Terms: https://www.hcaptcha.com/terms
- Privacy: https://www.hcaptcha.com/privacy
Google OAuth
- Purpose: sign in with Google.
- Endpoints: accounts.google.com/o/oauth2/v2/auth, oauth2.googleapis.com/token, and openidconnect.googleapis.com/v1/userinfo.
- Data sent: authorization code, code verifier, redirect URI, client credentials, and selected scopes. Returned data can include name, verified email, avatar, and locale.
- Terms: https://policies.google.com/terms
- Privacy: https://policies.google.com/privacy
Apple Sign In
- Purpose: sign in with Apple.
- Endpoints: appleid.apple.com/auth/authorize and appleid.apple.com/auth/token.
- Data sent: authorization code, client ID, redirect URI, and signed JWT assertions generated from your Apple key. Returned data can include name and email.
- Terms: https://www.apple.com/legal/internet-services/terms/site.html
- Privacy: https://www.apple.com/legal/privacy/
GitHub OAuth
- Purpose: sign in with GitHub.
- Endpoints: github.com/login/oauth/authorize, github.com/login/oauth/access_token, api.github.com/user, and api.github.com/user/emails.
- Data sent: authorization code, client credentials, redirect URI, and scopes. Returned data can include ID, email, name, and avatar.
- Terms: https://docs.github.com/en/site-policy/github-terms/github-terms-of-service
- Privacy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement
Microsoft OAuth
- Purpose: sign in with Microsoft.
- Endpoints: login.microsoftonline.com/common/oauth2/v2.0/authorize, login.microsoftonline.com/common/oauth2/v2.0/token, and graph.microsoft.com/v1.0/me.
- Data sent: authorization code, client credentials, redirect URI, and scopes. Returned data can include ID, email, name, and locale.
- Terms: https://www.microsoft.com/licensing/terms/productoffering/MicrosoftOnlineServices/MOSPT
- Privacy: https://privacy.microsoft.com/privacystatement
Facebook Login
- Purpose: sign in with Facebook.
- Endpoints: facebook.com/v18.0/dialog/oauth, graph.facebook.com/v18.0/oauth/access_token, and graph.facebook.com/v18.0/me.
- Data sent: authorization code, app credentials, redirect URI, and scopes. Returned data can include ID, email, name, and avatar.
- Terms: https://www.facebook.com/legal/terms
- Privacy: https://www.facebook.com/policy.php
Hooks & Extension Points
- oomf_access_redirect_destination – override the final destination after login.
- oomf-access/allowed_redirect_hosts – allow approved external redirect hosts.
- oomf-access/captcha/allow_external – control whether CAPTCHA network calls are allowed.
- oomf_access_captcha_is_required – decide whether CAPTCHA is required for a request.
- oomf_access_captcha_validate_result – customize CAPTCHA validation results.
- oomf-access/inline_css – inject extra CSS into the admin preview and frontend.
Screenshots

Branded login screen with social sign-in, remember-me, magic link, and recovery links. 
Magic link request screen for passwordless email sign-in. 
Password reset screen with reset link request and alternate login paths. 
Registration screen with social sign-in and username/email account creation. 
Logged-in account card with dashboard, logout, profile, and site links. 
Mobile login layout with stacked social buttons and responsive form controls. 
Settings home with Hide Admin notice, navigation tabs, and live login preview. 
Appearance and spacing controls with live preview updates. 
Social login provider options for OAuth credentials, redirect URIs, roles, and scopes. 
Behavior settings for login redirects, logout redirects, and site link visibility. 
Security settings for CAPTCHA, honeypot, time trap, throttling, and lockout controls. 
Hide Admin and emergency access controls with secret login path settings.
Installation
- Upload the plugin folder to /wp-content/plugins/ or install the ZIP from Plugins → Add New.
- Activate oOMF! Access. Activation creates a public “Login” page and stores its ID in oomf_access_page_id.
- Open Settings → oOMF! Access to configure branding, text, redirects, magic links, social providers, CAPTCHA, and hide-admin options.
- Share the generated login URL, usually /oomf-access/.
FAQ

Where is the login page?
Activation creates a WordPress page containing [oomf_access_form]. You can edit or move that page. If it is deleted, /oomf-access/ still renders the bundled login template so people are not stranded.

Does it replace my theme template?
The shortcode inherits your theme when embedded anywhere. The generated login page uses the bundled minimal template at templates/oomf-access-page-template.php so the dedicated access page stays consistent.

What can I customize?
You can adjust logos, appearance mode, accent color, spacing, headings, helper text, form labels, button text, magic-link copy, redirect destinations, social providers, CAPTCHA settings, hide-admin behavior, honeypot and throttle settings, and lockout thresholds.

How do redirects work?
If a safe redirect_to value is supplied, it wins. Otherwise oOMF! Access uses the configured post-login destination, then falls back to the WordPress admin. Developers can use oomf-access/allowed_redirect_hosts and oomf_access_redirect_destination for custom routing.

What CAPTCHA providers are supported?
oOMF! Access supports reCAPTCHA v2 checkbox, reCAPTCHA v2 invisible, reCAPTCHA v3, and hCaptcha. Scripts load only on access pages and verification happens server-side.

How does Hide Admin work?
When enabled, direct access to /wp-login.php and /wp-admin can be obscured for anonymous visitors while a secret login slug remains available. Emergency bypasses are retained for break-glass access.

Google, Apple, GitHub, Microsoft, and Facebook can be configured from Settings → oOMF! Access → Social. Each provider shows the callback URL and setup notes you need for its OAuth app.
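The redirect order described under “How do redirects work?”, as an added stand-alone PHP sketch that is not the plugin's own code: a safe redirect_to wins, then the configured destination, then the admin. The function names, the /wp-admin/ fallback path and the sample hosts are assumptions; in the plugin, extra hosts would be supplied through the oomf-access/allowed_redirect_hosts filter, whose signature this page does not document.

```php
<?php
// Added example; all function names and sample hosts are hypothetical.

/** Return $url if it is a safe redirect target, otherwise null. */
function example_safe_redirect(string $url, string $site_host, array $allowed_hosts): ?string
{
    $url = trim($url);
    // Reject control characters and backslashes, which browsers may normalise to "/".
    if ($url === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $url)) {
        return null;
    }
    // Same-site relative path: exactly one leading slash ("//host" is protocol-relative).
    if ($url[0] === '/' && substr($url, 0, 2) !== '//') {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only web schemes, and no embedded credentials ("https://site@other-host/").
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    // Exact host match only; substring or suffix matching lets look-alike hosts through.
    $allowed = array_map('strtolower', array_merge([$site_host], $allowed_hosts));
    return in_array(strtolower($parts['host']), $allowed, true) ? $url : null;
}

/** Resolution order: safe redirect_to, then configured destination, then admin. */
function example_resolve_destination(?string $redirect_to, ?string $configured, string $site_host, array $allowed_hosts): string
{
    foreach ([$redirect_to, $configured] as $candidate) {
        if ($candidate !== null && ($safe = example_safe_redirect($candidate, $site_host, $allowed_hosts)) !== null) {
            return $safe;
        }
    }
    return '/wp-admin/'; // assumed fallback path for this sketch
}

// Constructed sample inputs: two accepted, three that fall back to the configured page.
$samples = ['/account/', 'https://sso.example.org/cb', '//other.example/x',
            'https://example.com.other.example/', 'javascript:void(0)'];
foreach ($samples as $in) {
    printf("%-38s => %s\n", $in, example_resolve_destination($in, '/members/', 'example.com', ['sso.example.org']));
}
```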
Contributors & Developers
“oOMF! Access” is open source software.
Changelog
1.0.0 – 2026-03-24
- Fixed: Magic link nonce verification now derives the nonce action from validated token data.
- Fixed: Settings AJAX handler now reads serialized form data with a sanitizing filter up front.
- Added: CAPTCHA provider integrations for reCAPTCHA v2/v3 and hCaptcha.
- Added: Hide Admin with configurable secret login slug and emergency bypass flows.
- Improved: Social login setup, including Sign in with Apple and provider previews.
- Improved: Asset loading and versioning via filemtime().
- Developer: New filters and clearer extension points for redirects and CAPTCHA.
