How to Add QR-Code Login to WordPress

By KaizenCoders

You're demoing a members area on a projector, or you've got a checkout kiosk at an event, and you want someone signed in without making them type an email and password on a tiny on-screen keyboard. QR-code login solves exactly this: the screen shows a code, the visitor scans it with their phone camera, and they're in.

Most passwordless plugins stop at email magic links. QR-code login is the differentiator — and it's one of the more useful passwordless methods once you've seen it work. This guide explains what QR login is, when to use it, and how to set it up in WordPress with Magic Link.

What QR-code login is

QR-code login is a passwordless method where the login screen displays a QR code that encodes a single-use, time-limited login token. Instead of typing credentials, the user scans the code with their phone, the token is verified, and the session is authenticated.

It's the same trust model as an email magic link — a one-time token that proves identity — but delivered visually instead of by inbox. That makes it ideal whenever the keyboard is the bottleneck.

If you want the broader picture of how passwordless methods fit together, start with the WordPress passwordless login guide.

Best use cases

QR login isn't for every site. It shines in specific situations:

  • Log in on a second device by scanning with your phone. Show the code on a desktop or TV, scan with the phone that's already signed in — no re-typing.
  • Kiosk, event, and in-store logins. A shared screen where typing a password is awkward or insecure. The visitor scans and goes.
  • Fast mobile login without typing. On a phone, opening the camera and scanning beats fumbling an email field.
  • Demoing a members area. Hand around a code on a slide and let people into a sandbox account instantly.

If your audience is mostly desktop users typing into a normal login form, plain email magic links or SMS may serve you better. QR login is a tool for the screen-meets-phone moment.

How it works conceptually

The flow is short:

  1. The login form renders a QR code that encodes a single-use, time-limited login token (essentially a magic link in visual form).
  2. The user opens their phone camera (no app required on most modern phones) and points it at the code.
  3. The phone opens the encoded link, the token is validated server-side, and the user is authenticated.
  4. The token is then burned — used once, it can't be replayed — and it also expires after a short window whether or not it's used.

That single-use plus short-expiry combination is what keeps the method secure. A code someone glimpses over your shoulder is worthless once it has been scanned or its expiry window has passed.
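The token lifecycle in the four steps above, as an added Python model (not Magic Link's code and not part of the original article). The table layout, the 180-second expiry and the `example.test` URL are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 180  # assumed expiry window ("a few minutes")

def open_store():
    """In-memory stand-in for the site's token table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE login_tokens ("
        " token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL,"
        " expires_at REAL NOT NULL, used INTEGER NOT NULL DEFAULT 0)"
    )
    return db

def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(db, user_id, now=None):
    """Return the URL a QR code would encode; only the token's hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO login_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
        (digest(token), user_id, now + TTL_SECONDS),
    )
    db.commit()
    return "https://example.test/login?token=" + token  # placeholder host

def redeem_token(db, token, now=None):
    """Burn the token and return its user_id, or None if unknown, used or expired."""
    now = time.time() if now is None else now
    # One conditional UPDATE is the burn: of two concurrent scans, only one
    # can flip used from 0 to 1, so only one of them gets a session.
    cur = db.execute(
        "UPDATE login_tokens SET used = 1"
        " WHERE token_hash = ? AND used = 0 AND expires_at > ?",
        (digest(token), now),
    )
    db.commit()
    if cur.rowcount != 1:
        return None
    row = db.execute(
        "SELECT user_id FROM login_tokens WHERE token_hash = ?", (digest(token),)
    ).fetchone()
    return row[0]
```

Storing only the SHA-256 of the token means a leaked table or backup does not yield scannable login links.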

Magic Link supports email, SMS, and QR-code login from one plugin, so you can offer scan-to-log-in alongside the methods your users already know. Steps below stay generic where exact screen labels vary by version — match the intent, not the pixel.

1. Install and activate Magic Link

Install Magic Link from your WordPress admin and activate it. The full first-run walkthrough is in Getting Started. QR login is part of the broader passwordless toolkit — see the free vs Pro feature breakdown to confirm what's available on your plan.

2. Enable the QR login method

In the Magic Link settings, turn on the QR-code login method (alongside email and SMS, which you can leave enabled as fallbacks). This tells the plugin to generate scannable, tokenized login codes.

3. Place the login form where users will see it

Add the Magic Link login form to a page — on a kiosk landing page, an event sign-in page, or your member portal. The simplest route is the login shortcode; drop it into any page or post. See Shortcode Login Form for the exact shortcode and its parameters, or use the block if you're on the block editor.

With QR login enabled, the form renders the QR code as one of the available options. You can also manage and inspect issued tokens from Manage Magic Links.

4. Set the token expiry

Choose how long a login token stays valid. For QR codes shown on a screen, keep the expiry short — a few minutes is plenty for someone to scan. A shorter window means a code can't be photographed and reused later. Set this in the Magic Link settings alongside the method toggles.

5. Test by scanning

Open the login page on one screen, then scan the code with a phone camera. Confirm that:

  • The phone opens the login link and authenticates the correct account.
  • The same code fails on a second scan (single-use is working).
  • An expired code is rejected — wait out the expiry and try again.

If a scan doesn't authenticate, the troubleshooting guide covers the usual culprits — expiry too short, caching serving a stale code, or the method not enabled.

Security: keep QR login tight

QR login is secure when the token rules are right and abuse is throttled.

  • Single-use plus short expiry. This is the core protection. A used or expired token is dead. Don't set the expiry generously "to be safe" — short is safer.
  • Brute-force protection and throttling. Magic Link throttles repeated login attempts so an attacker can't hammer the endpoint. Leave throttling on.
  • Restrict by IP or domain. For internal tools or staff portals, limit where QR (and other) logins are accepted — by IP range or email domain — so codes only work from expected networks or accounts.
  • Show codes on trusted screens. Because anyone who can see the code can scan it, treat a displayed QR like a temporary key. Don't leave one up on an unattended public screen longer than it's needed.
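How throttling and IP restriction combine in front of token validation, as an added Python sketch (not Magic Link's implementation and not from the original article). The networks, the five-failure limit and the five-minute window are constructed values, and `LoginGate` is a hypothetical name.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed allowlist: an internal IPv4 range and an IPv6 documentation prefix.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "2001:db8:50::/48")]
MAX_FAILURES = 5      # assumed threshold
WINDOW_SECONDS = 300  # assumed sliding window

class LoginGate:
    """Runs before any token lookup, so blocked clients never reach validation."""

    def __init__(self):
        self._failures = defaultdict(deque)  # client IP -> failure timestamps

    def ip_allowed(self, client_ip):
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False  # unparseable address: fail closed
        return any(addr in net for net in ALLOWED_NETS)

    def _recent(self, client_ip, now):
        q = self._failures[client_ip]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()  # drop failures that have aged out of the window
        return q

    def check(self, client_ip, now=None):
        """Return 'deny_ip', 'throttled' or 'ok' for this request."""
        now = time.time() if now is None else now
        if not self.ip_allowed(client_ip):
            return "deny_ip"
        if len(self._recent(client_ip, now)) >= MAX_FAILURES:
            return "throttled"
        return "ok"

    def record_failure(self, client_ip, now=None):
        """Call when a presented token was unknown, used or expired."""
        now = time.time() if now is None else now
        self._recent(client_ip, now).append(now)
```

Only failed validations count toward the limit, so a busy kiosk network is not locked out by legitimate scans.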

For WooCommerce or Easy Digital Downloads stores, the same login powers customer accounts and checkout, and you can use role-based redirects to send a customer to their account page and an admin somewhere else after a successful scan.

UX tips

A passwordless method only works if users understand it.

  • Label the code. "Scan to log in" next to the QR removes all guesswork.
  • Offer email and SMS fallback. Not everyone is in a position to scan. Keep email magic links and SMS/OTP on the same form as a fallback path.
  • Refresh expired codes gracefully. If a code expires on screen, show a clear "code expired — refresh to get a new one" prompt rather than a silent failure.
  • Test on real phones. Scan with two or three devices under real lighting before you put a kiosk in front of customers.

Conclusion

QR-code login turns the screen-meets-phone moment into a one-scan sign-in — perfect for kiosks, events, demos, and second-device logins where typing a password is friction you don't need. It rides the same single-use, time-limited token model as an email magic link, so it's secure when you keep expiry short and throttling on. Magic Link lets you offer it alongside email and SMS from one plugin, with brute-force protection, IP/domain restriction, WooCommerce/EDD support, and role-based redirects. Install Magic Link, enable the QR method, drop the login form on a page, and test a scan.

FAQs

Is QR-code login secure?

Yes, when configured right. Each code encodes a single-use, time-limited token — once scanned or expired, it can't be reused. Combined with Magic Link's brute-force throttling and optional IP/domain restriction, it's as safe as an email magic link.

Do users need a special app to scan the code?

No. Most modern phones recognize QR codes directly from the built-in camera app, so users just point and tap the link that appears. No dedicated authenticator app is required.

What happens if the QR code expires?

The login attempt is rejected — that's by design. Show a "refresh for a new code" prompt so the user can generate a fresh token and scan again. Keeping the expiry short is what makes the method secure.

Can I combine QR login with email or SMS?

Yes. Magic Link supports email, SMS, and QR login from the same plugin, so you can present all three on one form and let each user pick — or keep email/SMS as a fallback when scanning isn't convenient. See the SMS/OTP login guide.

Does QR login work on mobile?

It does. On a phone you can scan a code shown on another screen, or use email/SMS magic links for same-device login. QR login is most useful when one device shows the code and a second device (the phone) scans it.