How to Add Passwordless Login to WordPress (Complete Guide)
Passwords are the weakest part of most WordPress sites. Users pick password123, reuse it across ten services, forget it, and then flood your support inbox with reset requests. Bots, meanwhile, hammer wp-login.php all day trying to guess their way in. Passwordless login fixes both problems at once: users log in with a single-use link or code, and there's no password left for anyone to steal, guess, or brute-force.
This is the complete guide to adding WordPress passwordless login with Magic Link. Magic Link is email-only today — this guide covers email magic-link login end to end, how to wire it into WooCommerce and membership sites, and how to keep the whole thing hardened. SMS/OTP and QR-code login are on the roadmap (coming soon), and we'll flag where they'll fit once they ship.
What passwordless / magic-link login is — and why it's more secure than passwords
A magic link is a one-time login URL. The user enters their email, and instead of typing a password, they receive a link that signs them straight in. The link contains a single-use, time-limited token — once it's clicked, or once it expires, it's dead.
That design quietly removes the two biggest WordPress security risks:
- Weak and reused passwords. There's no password to be weak. Credential-stuffing attacks — where leaked passwords from another breach are replayed against your login — simply have nothing to target.
- Brute-force attacks. You can't guess a one-time token that expires in minutes and only works once. The classic
wp-login.phpguessing attack stops being viable.
It's also genuinely easier for users. No "create a password with one uppercase, one number, and a hieroglyph" friction at signup, and no reset loop later. For mobile users especially, tapping a link beats typing a complex password on a phone keyboard.
A fair point people raise: "isn't email itself the weak link now?" It's a reasonable concern, and the answer is that a time-limited, single-use token is far harder to abuse than a static password sitting in a database or a password manager. Get your email deliverability right (more on that below) and a magic link is both faster and safer than the password it replaces.
Who should use passwordless login
Passwordless isn't only for security-conscious admins. It pays off most for:
- Membership sites. Members log in constantly and abandon at the password prompt. One-click login keeps them coming back — see membership one-click login.
- WooCommerce stores. Every password field at checkout is a chance to lose a sale. Passwordless checkout removes that friction — covered in WooCommerce passwordless login.
- Client and team logins. Agencies handing access to clients, contractors, or staff can skip the "here's a temporary password, please change it" dance. Pair it with temporary login links for time-boxed access.
- Mobile-first audiences. If most of your traffic is on phones, typing passwords is the enemy. A tapped link is dramatically faster.
If any of those describe you, the rest of this guide is the setup.
How to set up magic-link (email) login — step by step
Email login is the foundation, so start here. The whole thing takes about five minutes.
Step 1: Install and activate Magic Link
Install Magic Link from the WordPress plugin directory (or upload the Pro zip), then activate it. The first-run walkthrough is documented in Getting Started.
Step 2: Enable email login
In the plugin settings, turn on email magic-link login. This is on by default in most setups — you're confirming the "From" address and the email template look right. Full reference for logging users in from WordPress is in Login from WordPress.
Step 3: Place the login form
You have two ways to show a passwordless login form on the front end:
- Shortcode — drop
[magic_link_form]into any page or post. The full shortcode reference is in Shortcode Login Form. - Block — add the Magic Link login block in the block editor if you prefer a visual placement.
Put the form on a dedicated /login page, or anywhere members expect to sign in.
Step 4: Set link expiry
Decide how long a magic link stays valid. Shorter is safer; too short frustrates users who don't check email immediately. A 15-to-30-minute window is a sensible default for most sites — tighten it for admin-only access. You manage issued links and their lifetimes from Manage Magic Links.
Step 5: Configure post-login redirects
Send users where they actually need to go after login — members to their dashboard, customers to their account page, admins to wp-admin. Role-based redirects are covered in the advanced section below.
That's email login working end to end. If a user reports a link never arrived, that's almost always email deliverability — jump to the SMTP note in the FAQs; it's the single most common support issue in this category.
For the full breakdown of what's free versus Pro, see Features: Free vs Pro.
On the roadmap: SMS and QR login (coming soon)
Two more channels are planned for Magic Link but not yet available — treat them as coming soon, not something you can enable today:
- SMS / OTP login. Send a one-time code or login link to the user's phone instead of their inbox — useful when your audience lives on mobile, email deliverability is shaky, or you want a fallback channel. SMS requires a gateway and carries per-message cost, which is part of why it's being built deliberately. For the current state, see WordPress SMS / OTP login.
- QR-code login. Show a scannable code on a screen and let a phone camera sign the user in — ideal for kiosks, events, and cross-device login. See WordPress QR-code login for what works today.
Both would ride the same single-use, time-limited token model email login uses, so the security foundation is already in place — it's the delivery channels that are still to come. Until they ship, email magic-link login is the concrete, actionable path, and it's what the setup above gets you.
Passwordless login for WooCommerce and membership sites
Login friction costs you the most exactly where logins happen most — stores and membership sites.
WooCommerce. A returning customer who can't remember their password is a customer who either resets (slow) or checks out as a guest (no account, no lifetime value). Passwordless login lets them sign in with one tap and head straight to checkout. Magic Link integrates with WooCommerce so account login and the checkout flow can both go passwordless. Full details in WooCommerce passwordless login.
Membership sites (and EDD). Members log in over and over, and every password prompt is a chance to lose them to a reset loop. Magic Link works with membership setups and Easy Digital Downloads, so members get one-click access to gated content. See membership one-click login for the walkthrough.
Both integrations use the same email magic-link login and the same hardening described below — so going passwordless doesn't mean going less secure.
Keeping it secure: throttling, brute-force protection, IP and domain restriction
"Passwordless" should also mean "hardened." Removing passwords closes one door; you still want the others locked. Magic Link is built to be passwordless and hardened, with controls that matter especially when login is link-based:
- Login throttling. Rate-limit how many magic links can be requested per user, per IP, in a given window. This stops anyone from spamming the request endpoint or your email/SMS gateway.
- Brute-force protection. Because login is token-based and tokens are single-use and expiring, guessing attacks are off the table — but throttling and lockout add a belt-and-braces layer.
- IP restriction. Limit magic-link login to known IP ranges — useful for staff or client portals that should only be reachable from an office or VPN.
- Domain restriction. Restrict which email domains can request a magic link, so only your team's or members' addresses are eligible.
These turn "convenient login" into "convenient login I can defend in a security review." If something isn't behaving as expected, Troubleshooting covers the common cases.
Advanced: role-based redirects, WP-CLI, REST API, audit log
For agencies and developers, Magic Link goes past a single login button.
- Role-based redirects. Send each role to the right place after login — subscribers to a members area, shop managers to the WooCommerce dashboard, administrators to wp-admin. Configure the rules per role so one login form serves your whole site correctly.
- WP-CLI. Manage magic links and login behavior from the command line — handy for staging, automation, and provisioning scripts.
- REST API. Generate and validate magic links programmatically, so you can trigger passwordless login from external apps, mobile apps, or custom flows.
- Audit log. Keep a record of who logged in and when — the kind of accountability clients and compliance reviews ask for.
These are the features that make passwordless viable on serious, multi-user sites rather than just a personal blog. The free-vs-Pro split for the advanced tooling is in Features: Free vs Pro.
Passwordless and hardened, from one plugin
Magic Link delivers passwordless email magic-link login today — wired into WooCommerce and membership sites, with throttling, IP/domain restriction, role-based redirects, and an audit log. SMS/OTP and QR login are on the roadmap. Get Magic Link
Conclusion
Passwords are the part of WordPress login most likely to fail you — weak, reused, forgotten, and constantly under attack. Passwordless login replaces them with single-use, time-limited tokens that are easier for users and far harder for attackers. Today, Magic Link delivers this with email magic-link login — wired into WooCommerce and membership sites, and hardened with throttling, IP and domain restriction, and an audit trail. SMS/OTP and QR-code login are on the roadmap for when you need channels beyond the inbox.
Set up email login (about five minutes) and turn on the security controls before you go live. If you want to read more on a specific path, start with logging in without a password or compare it as a Magic Login alternative.
FAQs
Is passwordless login safe?
Yes — generally safer than passwords. Magic links use single-use, time-limited tokens, so there's no static password to leak, reuse, or brute-force. Credential-stuffing and password-guessing attacks have nothing to target, and you can add throttling, IP restriction, and domain restriction on top.
Can users still use a password?
Yes. Passwordless login sits alongside standard WordPress login rather than replacing it. You can offer the magic-link form as the primary path while leaving normal password login available for users (and admins) who want it.
What if the email doesn't arrive?
This is the number one support issue with any passwordless plugin, and it's almost always email deliverability, not the plugin. By default WordPress sends mail with PHP mail(), which many hosts and inbox providers silently drop or spam-folder. Install an SMTP plugin and send through an authenticated provider (your host's SMTP, Amazon SES, Postmark, SendGrid, Brevo, etc.) — magic links then arrive reliably and on time. If you still see issues, check Troubleshooting. For audiences where email is unreliable, SMS/OTP login is on the roadmap as an inbox-free alternative.
Does it work with WooCommerce?
Yes. Magic Link integrates with WooCommerce (and Easy Digital Downloads) so customers can log in and check out passwordlessly. See WooCommerce passwordless login for the full setup.
How long do magic links stay valid?
You control the expiry. A 15-to-30-minute window suits most sites — long enough that users can check their email or phone, short enough to stay secure. Tighten it for admin or staff access. Every link is also single-use, so it dies the moment it's clicked even before it expires. Manage issued links from Manage Magic Links.