WordPress QR-Code Login: What Works Today (and What's Coming)
Scan-to-log-in is a genuinely appealing idea: show a code on a screen, the visitor scans it with their phone camera, and they're in — no typing on a tiny keyboard at a kiosk, an event, or a projected demo. If that's what brought you here, let's be straight upfront: Magic Link is email-only today. QR-code login is on the roadmap, not yet available.
The good news is that the trust model behind QR login — a single-use, time-limited token that proves identity — is already what powers Magic Link's passwordless email login today. This guide explains what QR login is, what works right now, and what to expect when scan-to-log-in ships.
What QR-code login is
QR-code login is a passwordless method where the login screen displays a QR code that encodes a single-use, time-limited login token. Instead of typing credentials, the user scans the code with their phone, the token is verified, and the session is authenticated.
It's the same trust model as an email magic link — a one-time token that proves identity — but delivered visually instead of by inbox. That makes it appealing whenever the keyboard is the bottleneck. It is not yet a feature you can turn on in Magic Link; see the roadmap note below.
If you want the broader picture of how passwordless methods fit together, start with the WordPress passwordless login guide.
What works today: passwordless email login
While QR is still on the roadmap, the passwordless method that ships now is email magic-link login. The flow is short:
- The user enters their email address into the login form.
- Magic Link generates a single-use, time-limited token and emails them a link.
- The user taps the link and is signed straight in — the token is burned on use and expires after a short window.
That single-use plus short-expiry combination is exactly what would keep a QR flow secure, and it's live today for email. A link someone glimpses over your shoulder is worthless seconds later.
Set up passwordless email login with Magic Link
1. Install and activate Magic Link
Install Magic Link from your WordPress admin and activate it. The full first-run walkthrough is in Getting Started. See the free vs Pro feature breakdown to confirm what's available on your plan.
2. Confirm email login
Email magic-link login is on by default in most setups. Confirm the "From" address and that the email template looks right in the Magic Link settings.
3. Place the login form where users will see it
Add the Magic Link login form to a page — a member portal, a login page, anywhere users expect to sign in. The simplest route is the [magic_link_form] shortcode; drop it into any page or post. See Shortcode Login Form for the shortcode and its parameters, or use the block if you're on the block editor. You can also manage and inspect issued tokens from Manage Magic Links.
4. Set the token expiry
Choose how long a login token stays valid. Shorter is safer; a 15-to-30-minute window suits most sites. Set this in the Magic Link settings.
5. Test the flow
Open the login page, enter an address you control, and confirm the link authenticates the correct account, that a reused link fails on a second use (single-use is working), and that an expired link is rejected. If a link doesn't authenticate, the troubleshooting guide covers the usual culprits.
On the roadmap: QR-code login (coming soon)
QR-code login is a planned feature, not yet available in Magic Link. There's no QR method to toggle on today, so if you see a guide walking you through "enable the QR login method" for this plugin, it's describing something that hasn't shipped.
Here's what QR login is meant to add once it lands:
- Log in on a second device by scanning with your phone — show the code on a desktop or TV, scan with a phone that's already signed in, no re-typing.
- Kiosk, event, and in-store logins on a shared screen where typing a password is awkward or insecure.
- Fast mobile login without typing, for the screen-meets-phone moment.
Because QR would ride the same single-use, short-expiry token model that email login already uses, the security foundation is in place — it's the scan-and-render layer that's still to come. When it ships, this guide will cover the actual setup. Until then, treat QR login as "coming soon," not "available now."
UX tips for passwordless login today
A passwordless method only works if users understand it.
- Label the form clearly. "Sign in with a magic link — no password needed" removes guesswork.
- Get deliverability right. Send through an authenticated SMTP provider so links arrive in seconds. This is the single biggest factor in whether email login feels fast.
- Refresh expired links gracefully. If a link expires, show a clear "link expired — request a new one" prompt rather than a silent failure.
- Test on real devices. Try the flow on a few phones and browsers before rolling it out.
Go passwordless today with email magic links
Magic Link removes the password prompt right now with single-use, short-expiry email links — with the [magic_link_form] shortcode, token expiry, WooCommerce/EDD support, and role-based redirects. QR-code login is on the roadmap. Get Magic Link
Conclusion
QR-code login is a slick answer to the screen-meets-phone moment — and it's on the Magic Link roadmap, not yet shipping. What you can do today is go fully passwordless with email magic-link login, which rides the same single-use, time-limited token model QR will use. Install Magic Link, confirm email login, drop the [magic_link_form] login form on a page, set a short expiry, and test — you'll be ready to add scan-to-log-in the moment it lands.
FAQs
Can I use QR-code login with Magic Link today?
Not yet. Magic Link is email-only today; QR-code login is on the roadmap ("coming soon"), so there's no QR method to enable right now. What works today is passwordless email magic-link login.
Is passwordless email login secure?
Yes. Each link encodes a single-use, time-limited token — once used or expired, it can't be reused. Combined with Magic Link's throttling and (on Pro) IP/domain restriction, it's a strong, password-free login.
Do users need a special app for magic-link login?
No. Email magic-link login just needs the user to tap the link in their inbox — no dedicated app required. QR-code login, when it ships, will use the phone's built-in camera, which also needs no special app.
What happens if a magic link expires?
The login attempt is rejected — that's by design. Show a "request a new link" prompt so the user can generate a fresh token. Keeping the expiry short is what makes the method secure.
Does magic-link login work on mobile?
Yes. On a phone, tapping the emailed link signs you straight in — no password to type. When QR-code login ships, it'll add the option to scan a code shown on another screen. See the passwordless login guide.