Configuration
Every MagicAuth settings field with recommended values.
All settings live at Settings → MagicAuth. Everything is stored as a single serialized array under the magicauth_settings option, so a deactivate-then-reactivate cycle preserves your configuration.
The settings page is split into five sections.
General
Sign-in flow defaults that apply to every visitor.
| Field | Default | Description |
|---|---|---|
| Link & code lifetime | 10 minutes | How long a magic link or code remains valid. Range 1 to 30 minutes. |
| Max link uses | 2 | How many times a single link can be clicked before it self-burns. The default of 2 lets an email-scanner prefetch consume the first use while the user's own click still succeeds on the second. Range 1 to 10. |
| After sign-in, send users to | Auto | Where to redirect after authentication. Auto sends admins to wp-admin and other roles to the homepage. |
Recommended: keep the defaults. The 10-minute TTL balances security against the time it realistically takes to open your inbox and type the code on a phone.
Branding
Visual identity for the sign-in card and email.
| Field | Default | Description |
|---|---|---|
| Replace WordPress login screen | off | Redirect wp-login.php to the branded MagicAuth screen. Locked off until your wp-config.php salts pass the safety check. |
| Company name | Site Title | Shown in email subjects, the From line, the login heading, and the logo alt text. Max 60 characters. Leaving it blank falls back to your Site Title at runtime. |
| Logo | none | A logo for the top-left of the sign-in card. PNG, JPG, WebP, or SVG. SVG must already exist in your media library; MagicAuth does not enable SVG uploads. |
| Brand color | #2271b1 | Primary action color (Send Link, Sign in, email button). Text color is computed automatically from the YIQ luminance of your color, so the button label is always legible. |
| Color mode | Light | Light, Dark, or Auto. Auto follows the visitor's prefers-color-scheme. Applies to the sign-in screens, not the email. |
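The brand color row above describes two things a practitioner will want to see concretely: the color is validated before it reaches inline CSS, and the label color is derived from YIQ luminance. This is an added illustration, not MagicAuth's own code; it assumes the plugin's threshold is the conventional YIQ midpoint of 128 and that only 3- or 6-digit hex triplets are accepted.

```python
import re

# Only a bare hex triplet is accepted; anything else (CSS functions, url(),
# semicolons) is rejected so user-controlled text never reaches the stylesheet.
HEX_TRIPLET = re.compile(r"^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")


def normalize_brand_color(value: str) -> str:
    """Validate a settings-form color and return canonical lowercase '#rrggbb'."""
    m = HEX_TRIPLET.match(value.strip())
    if not m:
        raise ValueError(f"invalid brand color: {value!r}")
    h = m.group(1).lower()
    if len(h) == 3:                      # expand #abc -> #aabbcc
        h = "".join(c * 2 for c in h)
    return "#" + h


def text_color_for(brand: str) -> str:
    """Pick black or white button text from the YIQ luminance of the brand color."""
    h = normalize_brand_color(brand)[1:]
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    # YIQ luma weights approximate perceived brightness; 128 is the assumed
    # midpoint below which white text is more legible than black.
    yiq = (r * 299 + g * 587 + b * 114) / 1000
    return "#000000" if yiq >= 128 else "#ffffff"
```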
Agency credit
An optional "Built by [Brand]" attribution strip below the sign-in card. The strip only renders when all three fields are filled: name, URL, and favicon.
| Field | Default | Description |
|---|---|---|
| Label | empty | Prefix shown before the brand name (e.g. Built by). Max 40 characters. |
| Name | empty | Brand or agency name. Max 60 characters. |
| URL | empty | Where the link points. Must be https://. |
| Favicon | none | Small icon shown next to the brand name in the strip. |
The strip never appears on wp-admin pages. It is customer-facing only.
Security & throttling
Rate limits applied across the four POST endpoints. Defaults follow OWASP and Auth0 guidance for passwordless flows. Loosen them only if you have a specific reason.
| Field | Default | Description |
|---|---|---|
| Show "Sign in with password" link | on | The password fallback link on the sign-in card. Turning it off hides the link and refuses to process password and lost-password POSTs at the server. |
| Require password for | none | Specific roles (e.g. administrator) that must sign in with a password instead of a magic link. The password fallback link still appears, but the magic-link path returns the generic envelope. |
| Per-email cooldown | 60 seconds | Minimum gap between sign-in requests for the same email. Range 0 to 600s. 0 disables. The cooldown does not extend on retry, so an attacker spamming an inbox cannot lock the legitimate user out for long. |
| Per-IP link requests | 10 per hour | How many sign-in emails one IP can request per window. |
| Per-IP code attempts | 20 per hour | How many wrong code submissions one IP can make per window. |
A few hidden buckets ship at secure defaults that are not yet exposed in the UI: per-IP password submissions (5 / 15 minutes) and per-IP password-reset requests (5 / 60 minutes). These are tighter than the code-submit ceiling because a correct password guess is full account takeover.
When a visitor hits any throttle, the front-end shows an amber warning toast naming the reason and counting down the per-email cooldown.
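The table and the paragraph above describe three buckets whose interplay is easy to get wrong: a per-email cooldown that must not be extended by rejected retries, and two fixed-window per-IP counters. The following in-memory model is an added example, not MagicAuth's code (the plugin keeps its counters in magicauth_throttle_* transients); the check order, the fixed-window semantics and the reason strings returned for the toast are assumptions.

```python
import time
from dataclasses import dataclass, field

# Constructed defaults mirroring the Security & throttling table (illustrative
# model only; the plugin keeps its counters in magicauth_throttle_* transients).
COOLDOWN_SECONDS = 60          # per-email cooldown
LINK_REQUESTS_PER_WINDOW = 10  # per-IP link requests per hour
CODE_ATTEMPTS_PER_WINDOW = 20  # per-IP wrong-code submissions per hour
WINDOW_SECONDS = 3600

@dataclass
class Throttle:
    now: object = time.time                                   # injectable clock for tests
    email_last: dict = field(default_factory=dict)            # email -> ts of last ACCEPTED request
    ip_counts: dict = field(default_factory=dict)             # (bucket, ip) -> (window_start, count)

    def _bucket(self, bucket, ip):
        start, count = self.ip_counts.get((bucket, ip), (self.now(), 0))
        if self.now() - start >= WINDOW_SECONDS:              # fixed window rolled over
            start, count = self.now(), 0
        return start, count

    def _consume(self, bucket, ip, limit):
        start, count = self._bucket(bucket, ip)
        if count >= limit:
            return False
        self.ip_counts[(bucket, ip)] = (start, count + 1)
        return True

    def request_link(self, email, ip):
        """None when the email may be sent, else the reason for the amber toast."""
        t = self.now()
        last = self.email_last.get(email)
        if last is not None and t - last < COOLDOWN_SECONDS:
            # A rejected retry does NOT refresh email_last, so spamming an inbox cannot push out the legitimate user's next allowed request.
            return f"cooldown:{int(COOLDOWN_SECONDS - (t - last))}"
        if not self._consume("link", ip, LINK_REQUESTS_PER_WINDOW):
            return "ip_link_limit"
        self.email_last[email] = t
        return None

    def submit_code(self, ip, correct):
        """None on success; only wrong guesses consume the per-IP bucket."""
        _, count = self._bucket("code", ip)
        if count >= CODE_ATTEMPTS_PER_WINDOW:
            return "ip_code_limit"                            # refused even if this guess is right
        if not correct:
            self._consume("code", ip, CODE_ATTEMPTS_PER_WINDOW)
            return "wrong_code"
        return None
```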
Diagnostics & recovery
Admin-only tools for unsticking yourself or your users. Every action is manage_options-gated and CSRF-nonced.
Send test email
Sends a non-functional preview of the magic-link email to the logged-in admin's address. Uses a placeholder selector and code (no real token is issued), so you can verify wp_mail and template rendering without polluting the request log.
Revoke all magic-links and codes
Site-wide single-click invalidation of every outstanding token. Useful after a suspected compromise, or as a hygiene step before a long break. Live sessions are not signed out; they continue until normal cookie expiry. Existing users will need to request a new sign-in email next time they log in.
Reset throttle counters
Clears every magicauth_throttle_* transient. Useful when:
- A probe has pinned your per-IP rate limit and locked legitimate users out from a shared NAT.
- Your throttle thresholds have been adjusted and you want a clean slate.
Works correctly under external object caches (Redis, Memcached, Object Cache Pro). MagicAuth maintains a key registry per request, so the flush enumerates the registry rather than relying on a wp_options LIKE scan.
Per-user controls
Settings that apply to individual users live on the Users → All Users → user edit screen. See Usage / Per-user admin actions for what's available.