WARNING: THIS PLUGIN CAN BE INSECURE IF NOT USED CAUTIOUSLY. Allows selected users to autologin to your WordPress website via autologin links.
This plugin allows administrators to generate autologin links for their WordPress website, logging in visitors under a certain user name. Administrators can edit (generate and delete) autologin links for users; users can only view their autologin links. Note that this plugin bypasses the standard WordPress authentication method of login and password and should only be used if you understand the security issues mentioned below and on the plugin website.
Once this plugin is activated, administrators can generate autologin links on the edit profile administration pages for different users. Users can view their autologin links on their profile pages. Autologin links are of the form:
The login code is 30 tokens long (randomly generated for security reasons). The example above will bring you to your main page. You can also create autologin links to specific pages. For this, change the link and append additional GET parameters or specify further subdirectories:
The plugin will redirect the visitor to the corresponding page after logging in under the username that is linked to ABC123.
Since autologin links are meant to be an OPEN way to login to your website and can be viewed by users on their profile, it might be considered an INSECURE plugin for WordPress. I did my best to make it as secure as possible to fit my own needs, but this led to some design choices which might not sit well with all administrators:
Autologin codes are saved as plain text. This means that anyone who can execute queries on the WordPress database (plugins, administrators, system administrators) can obtain the autologin code for a certain user. I planned an extension of this plugin where login codes are hashed. However, this again has the disadvantage that no one can redisplay a login link once it has been generated.
This is the most severe problem. For a full self-assessment of possible security issues regarding this problem, please visit the plugin website.
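An added example, not the plugin's own code: one way to keep autologin codes hashed at rest, which also shows the trade-off described above (the plaintext code exists only at generation time). The array `$store` stands in for the WordPress database, the function names `issue_code` and `resolve_code` are hypothetical, and the 30 "tokens" are assumed to be 30 alphanumeric characters.

```php
<?php
// Added example: hashed-at-rest autologin codes. $store is a constructed
// stand-in for the WordPress database; function names are hypothetical.

const CODE_LENGTH = 30; // assumption: "30 tokens" means 30 characters

// Generate a code from the CSPRNG and keep only its SHA-256 digest.
// The plaintext is returned once for display and cannot be recovered later.
// A fast unsalted hash is acceptable here only because the code is long and
// random; it would not be acceptable for user-chosen passwords.
function issue_code(array &$store, string $username): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $max = strlen($alphabet) - 1;
    $code = '';
    for ($i = 0; $i < CODE_LENGTH; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    $store[$username] = hash('sha256', $code);
    return $code;
}

// Resolve a presented code to a username, or null if nothing matches.
function resolve_code(array $store, string $presented): ?string
{
    if (strlen($presented) !== CODE_LENGTH) {
        return null; // reject malformed input before hashing
    }
    $digest = hash('sha256', $presented);
    $match = null;
    foreach ($store as $username => $stored) {
        if (hash_equals($stored, $digest)) { // constant-time comparison
            $match = (string) $username;
        }
    }
    return $match;
}

$store = [];
$code = issue_code($store, 'alice');             // show this to the admin once
var_dump(resolve_code($store, $code));           // the issued code resolves to its user
var_dump(resolve_code($store, 'not-a-code'));    // wrong-length input is rejected
var_dump(in_array($code, $store, true));         // the plaintext code is not in the store
```

With this layout a database reader sees only digests, and a lost link is replaced by issuing a new code rather than redisplaying the old one.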
Author: Paul Konstantin Gerke
Tags: auto, automatic, link, login
- Download autologin.zip
- Extract the contents of autologin.zip into /wp-content/plugins
- Activate the plugin through the 'Plugins' menu in WordPress
- First published version
- Fixed directory name to match conventions on wordpress.org
- Quick fix was too quick; more inline directory string changes were necessary