How to Log In to WordPress Without a Password (Step by Step)

Passwords are the worst part of logging in to WordPress. People forget them, reuse them across sites, type them wrong, get stuck in reset-email loops, and hand them straight to phishing pages that look just like your login screen. If you run a membership site, a client portal, or a WooCommerce store, every one of those moments is friction — and a support ticket waiting to happen.

The good news: you can let people log in to WordPress without a password at all. This guide shows you how passwordless login works, the three methods available, and an exact step-by-step setup for the simplest one — an email magic link.

Why ditch the password

Passwords fail people in predictable ways, and each one costs you signups, logins, or support time:

Forgotten passwords. The single biggest reason users abandon a login. A passwordless flow removes the thing they keep forgetting.
Reset-email loops. "Forgot password → reset email → new password → forgot again next month." You're already sending an email; passwordless just skips the password step entirely.
Weak and reused passwords. Most people reuse one password everywhere. One breach elsewhere becomes a breach on your site too.
Phishing. A fake login page can steal a typed password. A single-use, time-limited link tied to an inbox is far harder to phish at scale.

Passwordless login doesn't make security looser — done right, it makes it tighter, because there's no static secret sitting in a database or a sticky note to steal.

If you want the full background on the approach before you build it, the passwordless login guide is the pillar that covers the why and the trade-offs in depth.

The three passwordless methods, at a glance

Magic Link gives you three ways to log in without a password. Most plugins in this space do email only — Magic Link covers all three so you can match the method to your audience:

Email magic link. The user enters their email and receives a single-use, time-limited link. They click it and they're in. Simplest to set up; works for everyone with an inbox.
SMS / OTP. The user receives a one-time code by text message and enters it to log in — useful when your users live on their phones or you want a second channel. See WordPress SMS / OTP login.
QR-code login. The user scans a QR code to authenticate — handy for logging a desktop session in from a phone, or for kiosk and event setups. See WordPress QR-code login.

This guide walks through the email magic link in full, because it's the fastest path to a working passwordless login and the foundation the other two build on.

Before the setup, here's the flow your users will experience:

They land on your login form and enter their email address (no password field).
Magic Link generates a single-use, time-limited link and emails it to that address.
They open their inbox and click the link.
The link verifies, consumes itself so it can't be reused, and they're logged in — redirected wherever you choose.

That's it. The secret never lives on your site as a reusable password; it lives for a few minutes in one email and dies on first click.

What you need

A WordPress site.
The Magic Link plugin installed and activated — see Getting Started.
A working outbound email setup (an SMTP plugin is strongly recommended — more on that below).

Step 1: Install and activate Magic Link

In WordPress, go to Plugins → Add New.
Search for Magic Link by KaizenCoders.
Click Install Now, then Activate.

Once active, you'll find its settings under the Magic Link menu. The full install walkthrough is in Getting Started.

Open the Magic Link settings and turn on email magic link login. This is what lets users authenticate by clicking an emailed link instead of typing a password. The exact options and where they live are documented in Login from WordPress.

While you're here, decide whether to keep the standard WordPress login available as well — see the fallback note in Step 6.

You need a place for users to enter their email. Magic Link gives you two ways to add the form:

Shortcode — drop the login shortcode onto any page or post. This is the most flexible option and works in every theme and page builder. See Shortcode login form.
Block — if you use the block editor, add the Magic Link login block to a page.

A common setup is a dedicated /login page:

Create a new page titled Login.
Add the Magic Link login shortcode (or block) to the page body.
Publish, and link to it from your menu or wherever users start.

Step 4: Set the link expiry

A magic link should be short-lived — long enough for a user to switch to their inbox and click, short enough that a stale link in an old email is useless.

In the Magic Link settings, set the link expiry (the validity window). A few minutes to an hour is typical; shorter is more secure, longer is more forgiving for slow inboxes. Pick a value that matches your audience, then test it (Step 7) to make sure it isn't so tight that real users miss the window.

Decide where users land after they click the link. Sending people somewhere useful — a dashboard, an account page, a course — beats dumping everyone on the generic WordPress admin.

Magic Link supports role-based redirects, so you can send customers to their account, members to a members area, and admins to wp-admin, all from the same login. Configure the redirect target (per role if you need it) in the settings. This is also where Magic Link's WP-CLI and REST options live if you're automating user flows.

Step 6: Keep a password fallback for admins

Passwordless is great for members and customers. For administrators, keep the standard password login available as a fallback so you're never locked out if email delivery hiccups. Magic Link is designed to sit alongside normal WordPress auth rather than rip it out — leave the default login reachable for admin accounts, and you get convenience for users without losing your own safety net.

For sites that want extra hardening, Magic Link also includes brute-force protection, login throttling, and IP/domain restriction so the login surface stays locked down even as you open it up to email-based access.

Step 7: Test the full flow

Never ship a login change without walking through it as a real user:

Open your /login page in an incognito window.
Enter the email of a test (non-admin) account.
Switch to that inbox and confirm the magic link email arrived.
Click the link and verify you land on the redirect you set in Step 5.
Go back and click the same link again — it should be rejected, confirming single-use is working.

If the link logs you in once and refuses the second click, your passwordless flow is live. Managing and revoking issued links is covered in Manage Magic Links.

Didn't get the email? A quick SMTP note

If the magic link email never arrives, the problem is almost always WordPress email delivery, not Magic Link itself. By default WordPress sends mail with PHP mail(), which many hosts throttle or which lands in spam.

The fix is to send through a proper SMTP service:

Install an SMTP plugin (WP Mail SMTP, FluentSMTP, or your provider's plugin).
Connect it to an authenticated sender (your host's SMTP, SendGrid, Mailgun, Amazon SES, etc.).
Send a test email to confirm delivery.
Request a new magic link and check that it now arrives — and check the spam folder the first time.

More delivery and setup fixes are in the troubleshooting guide. If email is consistently unreliable for your audience, this is also a good reason to add SMS / OTP login as a second channel.

Comparing what's enabled out of the box

Once Magic Link is set up, you have more than just email login available:

Email magic link, SMS/OTP, and QR-code login — three passwordless methods from one plugin.
WooCommerce and EDD integration for store and download logins.
Brute-force protection, login throttling, and IP/domain restriction.
Role-based redirects, plus WP-CLI and REST for automation.

A side-by-side of what's free versus Pro is in Features: Free vs Pro. And if you ever need to grant someone access without creating a full account, temporary login links cover that case.

Conclusion

Logging in to WordPress without a password isn't a gimmick — it removes the single most common point of failure in any login flow. Install Magic Link, enable email magic link login, drop the form on a page, set a sensible expiry and redirect, keep a password fallback for admins, and test the flow end to end. In about ten minutes you've replaced forgotten-password tickets and reset loops with a single click from an inbox. When you're ready, layer in SMS/OTP or QR login for the audiences that fit them.

FAQs

Yes — often safer than passwords. A magic link is single-use and time-limited, so there's no static secret to steal, reuse, or phish at scale. Magic Link also adds brute-force protection, login throttling, and IP/domain restriction on top.

Can I still use a password?

Yes. Magic Link sits alongside standard WordPress login rather than replacing it. The recommended setup keeps password login available as a fallback, especially for administrator accounts, so you're never locked out.

What if the magic link email doesn't arrive?

It's almost always email delivery, not the plugin. Set up an SMTP service so WordPress sends authenticated mail, then request a fresh link. Check the spam folder the first time, and see the troubleshooting guide for more fixes.

Yes — it works for any user role, from customers and members to editors and admins. With role-based redirects you can send each role to a different destination after login, all from the same form.

How long is a magic link valid?

As long as you decide. You set the link expiry in the settings — typically a few minutes to an hour. Shorter windows are more secure; longer ones are more forgiving for slow inboxes. Each link also stops working after its first successful use.