How to Add Passwordless Login to WordPress (Email, SMS and QR Code)
Passwords are the weakest part of most WordPress sites. Users pick password123, reuse it across ten services, forget it, and then flood your support inbox with reset requests. Bots, meanwhile, hammer wp-login.php all day trying to guess their way in. Passwordless login fixes both problems at once: users log in with a single-use link or code, and there's no password left for anyone to steal, guess, or brute-force.
This is the complete guide to adding WordPress passwordless login — and unlike most guides out there, it doesn't stop at email. Most passwordless plugins are email-only. We'll cover email, SMS/OTP, and QR-code login, plus how to wire it into WooCommerce and membership sites, and how to keep the whole thing hardened.
What passwordless / magic-link login is — and why it's more secure than passwords
A magic link is a one-time login URL. The user enters their email (or phone number), and instead of typing a password, they receive a link that signs them straight in. The link contains a single-use, time-limited token — once it's clicked, or once it expires, it's dead.
That design quietly removes the two biggest WordPress security risks:
- Weak and reused passwords. There's no password to be weak. Credential-stuffing attacks — where leaked passwords from another breach are replayed against your login — simply have nothing to target.
- Brute-force attacks. You can't guess a one-time token that expires in minutes and only works once. The classic wp-login.php guessing attack stops being viable.
It's also genuinely easier for users. No "create a password with one uppercase, one number, and a hieroglyph" friction at signup, and no reset loop later. For mobile users especially, tapping a link beats typing a complex password on a phone keyboard.
A fair point people raise: "isn't email itself the weak link now?" It's a reasonable concern, and the answer is that a time-limited, single-use token is far harder to abuse than a static password sitting in a database or a password manager. And with Magic Link you're not limited to email — SMS and QR-code login give you channels that don't depend on an inbox at all.
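To make "single-use, time-limited token" concrete, here is a minimal sketch of the token lifecycle. It is an added example, not Magic Link's own code: the class name, the in-memory store and the sample user id and timestamps are all assumptions made for illustration.

```php
<?php
// Added illustration. MagicTokenStore and its in-memory array are hypothetical;
// a real site would keep these records in its database.
final class MagicTokenStore
{
    private array $records = [];   // SHA-256(token) => ['user' => id, 'expires' => unix time]

    /** Issue a token for $userId, valid for $ttl seconds from $now. */
    public function issue(int $userId, int $ttl, int $now): string
    {
        $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
        // Store only the hash, so a leaked table does not contain usable links.
        $this->records[hash('sha256', $token)] = ['user' => $userId, 'expires' => $now + $ttl];
        return $token;                                 // this value goes into the emailed URL
    }

    /** Return the user id for a valid token, or null if unknown, used or expired. */
    public function redeem(string $token, int $now): ?int
    {
        $key    = hash('sha256', $token);
        $record = $this->records[$key] ?? null;
        unset($this->records[$key]);                   // burn it first: one attempt per token
        if ($record === null || $now > $record['expires']) {
            return null;
        }
        return $record['user'];
    }
}

// Constructed walk-through: user 42, 15-minute (900 s) lifetime.
$store = new MagicTokenStore();
$t0    = 1700000000;

$link = $store->issue(42, 900, $t0);
var_dump($store->redeem($link, $t0 + 60));             // first click, inside the window
var_dump($store->redeem($link, $t0 + 120));            // same link clicked again

$late = $store->issue(42, 900, $t0);
var_dump($store->redeem($late, $t0 + 901));            // clicked after expiry
var_dump($store->redeem(str_repeat('0', 64), $t0));    // a guessed value
```

Only the first call returns the user id; the reused, expired and guessed tokens all come back as null.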
Who should use passwordless login
Passwordless isn't only for security-conscious admins. It pays off most for:
- Membership sites. Members log in constantly and abandon at the password prompt. One-click login keeps them coming back — see membership one-click login.
- WooCommerce stores. Every password field at checkout is a chance to lose a sale. Passwordless checkout removes that friction — covered in WooCommerce passwordless login.
- Client and team logins. Agencies handing access to clients, contractors, or staff can skip the "here's a temporary password, please change it" dance. Pair it with temporary login links for time-boxed access.
- Mobile-first audiences. If most of your traffic is on phones, typing passwords is the enemy. A tapped link or a scanned QR code is dramatically faster.
If any of those describe you, the rest of this guide is the setup.
How to set up magic-link (email) login — step by step
Email login is the foundation, so start here. The whole thing takes about five minutes.
Step 1: Install and activate Magic Link
Install Magic Link from the WordPress plugin directory (or upload the Pro zip), then activate it. The first-run walkthrough is documented in Getting Started.
Step 2: Enable email login
In the plugin settings, turn on email magic-link login. This is on by default in most setups — you're confirming the "From" address and the email template look right. Full reference for logging users in from WordPress is in Login from WordPress.
Step 3: Place the login form
You have two ways to show a passwordless login form on the front end:
- Shortcode — drop [magic_link_login] into any page or post. The full shortcode reference is in Shortcode Login Form.
- Block — add the Magic Link login block in the block editor if you prefer a visual placement.
Put the form on a dedicated /login page, or anywhere members expect to sign in.
Step 4: Set link expiry
Decide how long a magic link stays valid. Shorter is safer; too short frustrates users who don't check email immediately. A 15-to-30-minute window is a sensible default for most sites — tighten it for admin-only access. You manage issued links and their lifetimes from Manage Magic Links.
Step 5: Configure post-login redirects
Send users where they actually need to go after login — members to their dashboard, customers to their account page, admins to wp-admin. Role-based redirects are covered in the advanced section below.
That's email login working end to end. If a user reports a link never arrived, that's almost always email deliverability — jump to the SMTP note in the FAQs; it's the single most common support issue in this category.
For the full breakdown of what's free versus Pro, see Features: Free vs Pro.
How to add SMS / OTP login (the channel most plugins skip)
Here's where Magic Link goes beyond the typical email-only competitor. SMS login sends a one-time code (OTP) or a login link to the user's phone instead of their inbox. It's the right choice when:
- Your audience lives on mobile and barely opens email.
- Email deliverability is shaky in your region or industry.
- You want a second channel so a single failed email doesn't lock anyone out.
The flow is the same as email from the user's side — enter your number, receive a code or link, you're in — but it routes through SMS via your configured gateway. Because the token is still single-use and time-limited, you keep all the security benefits while removing the inbox dependency entirely.
SMS login does require an SMS gateway and carries per-message cost, so it's typically reserved for sites where mobile login genuinely matters. To get started, enable it from the plugin settings (see Getting Started), and read the dedicated walkthrough in WordPress SMS / OTP login.
How to add QR-code login
QR-code login is the other channel email-only plugins don't offer — and it's the slickest one for certain scenarios. Instead of typing anything, the user scans a QR code with their phone and is logged in.
It shines for:
- Kiosks, events, and point-of-sale where typing is awkward.
- Cross-device login — show the code on a desktop screen, scan it with an already-authenticated phone, and the desktop session signs in.
- Mobile-first onboarding where a scan is the lowest-friction path imaginable.
The QR encodes the same kind of single-use, expiring token as a magic link, so security is consistent across all three channels. Enable it from the plugin settings, then see the full walkthrough in WordPress QR-code login. (There isn't a separate QR doc page yet — Getting Started and Features: Free vs Pro cover where the toggles live.)
The combination of email + SMS + QR is the practical reason to pick Magic Link over a single-channel competitor: you can meet every user wherever they actually are.
Passwordless login for WooCommerce and membership sites
Login friction costs you the most exactly where logins happen most — stores and membership sites.
WooCommerce. A returning customer who can't remember their password is a customer who either resets (slow) or checks out as a guest (no account, no lifetime value). Passwordless login lets them sign in with one tap and head straight to checkout. Magic Link integrates with WooCommerce so account login and the checkout flow can both go passwordless. Full details in WooCommerce passwordless login.
Membership sites (and EDD). Members log in over and over, and every password prompt is a chance to lose them to a reset loop. Magic Link works with membership setups and Easy Digital Downloads, so members get one-click access to gated content. See membership one-click login for the walkthrough.
Both integrations use the same email/SMS/QR channels and the same hardening described below — so going passwordless doesn't mean going less secure.
Keeping it secure: throttling, brute-force protection, IP and domain restriction
"Passwordless" should also mean "hardened." Removing passwords closes one door; you still want the others locked. Magic Link is built to be passwordless and hardened, with controls that matter especially when login is link-based:
- Login throttling. Rate-limit how many magic links can be requested per user, per IP, in a given window. This stops anyone from spamming the request endpoint or your email/SMS gateway.
- Brute-force protection. Because login is token-based and tokens are single-use and expiring, guessing attacks are off the table — but throttling and lockout add a belt-and-braces layer.
- IP restriction. Limit magic-link login to known IP ranges — useful for staff or client portals that should only be reachable from an office or VPN.
- Domain restriction. Restrict which email domains can request a magic link, so only your team's or members' addresses are eligible.
These turn "convenient login" into "convenient login I can defend in a security review." If something isn't behaving as expected, Troubleshooting covers the common cases.
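How the three request-side controls (domain restriction, IP restriction, throttling) fit together is easier to see in code. The sketch below is an added example, not the plugin's implementation: the function names, config keys, limits and sample addresses are assumptions, and it handles IPv4 ranges only.

```php
<?php
// Added illustration (PHP 8, 64-bit). Function names, config keys and limits are hypothetical.
/** True if IPv4 address $ip lies inside $cidr, e.g. "203.0.113.0/24". */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $a = ip2long($ip);
    $n = ip2long($net);
    $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return $a !== false && $n !== false && ($a & $mask) === ($n & $mask);
}

/** Decide whether to send a link. Returns 'ok' or the control that refused. */
function check_link_request(array &$hits, array $cfg, string $email, string $ip, int $now): string
{
    $email = strtolower(trim($email));
    if (!in_array(substr(strrchr($email, '@') ?: '@', 1), $cfg['domains'], true)) {
        return 'domain';
    }
    if (!array_filter($cfg['cidrs'], fn ($c) => ip_in_cidr($ip, $c))) {
        return 'ip';
    }
    $keys = ['user:' . $email, 'ip:' . $ip];          // separate per-user and per-IP counters
    foreach ($keys as $k) {                           // drop timestamps outside the window
        $hits[$k] = array_filter($hits[$k] ?? [], fn ($t) => $t > $now - $cfg['window']);
        if (count($hits[$k]) >= $cfg['max']) {
            return 'throttled';
        }
    }
    foreach ($keys as $k) {
        $hits[$k][] = $now;                           // count only requests that were served
    }
    return 'ok';
}

// Constructed scenario: one allowed domain, one office range, 2 links per 10 minutes.
$cfg  = ['domains' => ['example.com'], 'cidrs' => ['203.0.113.0/24'], 'max' => 2, 'window' => 600];
$hits = [];
$t0   = 1700000000;
foreach ([
    ['alice@example.com', '203.0.113.7', 0],
    ['alice@example.com', '203.0.113.7', 10],
    ['alice@example.com', '203.0.113.7', 20],     // third request inside the window
    ['bob@example.net',   '203.0.113.7', 30],     // domain not on the allow list
    ['carol@example.com', '198.51.100.9', 40],    // source outside the office range
    ['alice@example.com', '203.0.113.7', 700],    // window has slid past the first two
] as [$email, $ip, $dt]) {
    printf("%-18s %-13s +%-4d %s\n", $email, $ip, $dt, check_link_request($hits, $cfg, $email, $ip, $t0 + $dt));
}
```

Keeping separate counters per address and per source IP means a requester cannot reset the limit by changing only one of the two.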
Advanced: role-based redirects, WP-CLI, REST API, audit log
For agencies and developers, Magic Link goes past a single login button.
- Role-based redirects. Send each role to the right place after login — subscribers to a members area, shop managers to the WooCommerce dashboard, administrators to wp-admin. Configure the rules per role so one login form serves your whole site correctly.
- WP-CLI. Manage magic links and login behavior from the command line — handy for staging, automation, and provisioning scripts.
- REST API. Generate and validate magic links programmatically, so you can trigger passwordless login from external apps, mobile apps, or custom flows.
- Audit log. Keep a record of who logged in, when, and through which channel — the kind of accountability clients and compliance reviews ask for.
These are the features that make passwordless viable on serious, multi-user sites rather than just a personal blog. The free-vs-Pro split for the advanced tooling is in Features: Free vs Pro.
Conclusion
Passwords are the part of WordPress login most likely to fail you — weak, reused, forgotten, and constantly under attack. Passwordless login replaces them with single-use, time-limited tokens that are easier for users and far harder for attackers. The differentiator with Magic Link is that you're not boxed into email: you can offer email, SMS, and QR-code login, wire it into WooCommerce and membership sites, and still harden everything with throttling, IP and domain restriction, and an audit trail.
Start with email login (five minutes), add SMS or QR for your mobile and kiosk users, and turn on the security controls before you go live. If you want to read more on a specific path, start with logging in without a password or compare it as a Magic Login alternative.
FAQs
Is passwordless login safe?
Yes — generally safer than passwords. Magic links use single-use, time-limited tokens, so there's no static password to leak, reuse, or brute-force. Credential-stuffing and password-guessing attacks have nothing to target, and you can add throttling, IP restriction, and domain restriction on top.
Can users still use a password?
Yes. Passwordless login sits alongside standard WordPress login rather than replacing it. You can offer the magic-link form as the primary path while leaving normal password login available for users (and admins) who want it.
What if the email doesn't arrive?
This is the number one support issue with any passwordless plugin, and it's almost always email deliverability, not the plugin. By default WordPress sends mail with PHP mail(), which many hosts and inbox providers silently drop or spam-folder. Install an SMTP plugin and send through an authenticated provider (your host's SMTP, Amazon SES, Postmark, SendGrid, Brevo, etc.) — magic links then arrive reliably and on time. If you still see issues, check Troubleshooting. And for audiences where email is unreliable, switch them to SMS/OTP login so the inbox is out of the loop entirely.
Does it work with WooCommerce?
Yes. Magic Link integrates with WooCommerce (and Easy Digital Downloads) so customers can log in and check out passwordlessly. See WooCommerce passwordless login for the full setup.
How long do magic links stay valid?
You control the expiry. A 15-to-30-minute window suits most sites — long enough that users can check their email or phone, short enough to stay secure. Tighten it for admin or staff access. Every link is also single-use, so it dies the moment it's clicked even before it expires. Manage issued links from Manage Magic Links.