FAQ
Quick answers to common MagicAuth questions.
Setup and recovery
Does MagicAuth replace passwords?
By default, no. Passwords still work. Enable Replace WordPress login screen in Configuration to make MagicAuth the primary sign-in surface. The password link remains visible for recovery.
I'm locked out. How do I get back in?
Three layers, in order of effort:
- Use the always-visible Sign in with password link on the sign-in form. Falls back to MagicAuth's branded password screen.
- Append ?magicauth=off to your wp-login.php URL.
- Add define('MAGICAUTH_DISABLE', true); to wp-config.php.
Full details on the Troubleshooting / Lockout recovery page.
Compatibility
Does MagicAuth work with multisite?
Not in v1.x. MagicAuth is a single-site plugin. You can activate it on individual sites within a multisite network, but there is no network-mode rollup or shared configuration.
What about WooCommerce?
MagicAuth does not interfere with WooCommerce checkout, account, or order flows. Customers can sign in via MagicAuth and proceed through checkout normally. There is no WooCommerce-specific UI integration in v1.x.
Will it conflict with security plugins like Wordfence or Limit Login Attempts?
No. MagicAuth's password fallback fires wp_login_failed on a wrong password, so brute-force-defence plugins still account for misses even though authentication runs through admin-post.php rather than wp-login.php. Successful magic-link sign-ins fire wp_login for the same reason.
Privacy and security
Does the user's email show up in the URL?
No. URLs use an opaque 16-character selector that is meaningless to anyone without the corresponding 64-character verifier. user_id never appears in any URL.
What data is stored?
For each issued token: user_id, an HMAC of the email address, an HMAC of the (truncated) IP, and timestamps. Verifiers are never stored in plaintext, only as hash_hmac('sha256', $value, wp_salt('auth')). Plaintext lives only in the URL the user receives by email.
A WordPress privacy exporter and eraser are registered automatically.
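The selector/verifier split and the HMAC-only storage described in the two answers above can be sketched as follows. This is an added example, not MagicAuth's own code: the function names, the in-memory array standing in for the requests table, the hex encoding, the 15-minute lifetime and the DEMO_KEY constant standing in for wp_salt('auth') are all assumptions.

```php
<?php
// Added illustration, not MagicAuth source. Plain PHP, no WordPress required.
// DEMO_KEY stands in for wp_salt('auth'); the array stands in for the requests table.
const DEMO_KEY = 'constructed-demo-key-not-a-real-salt';

/** Issue a token: returns [selector, verifier]; only the verifier's HMAC is stored. */
function demo_issue(array &$table, int $userId, int $ttl = 900): array
{
    $selector = bin2hex(random_bytes(8));   // 16 hex chars, lookup key only
    $verifier = bin2hex(random_bytes(32));  // 64 hex chars, the actual secret
    $table[$selector] = [
        'user_id'       => $userId,
        'verifier_hmac' => hash_hmac('sha256', $verifier, DEMO_KEY),
        'expires_at'    => time() + $ttl,   // assumed lifetime
        'consumed'      => false,
    ];
    return [$selector, $verifier];
}

/** Redeem a token: returns the user ID on success, null otherwise. */
function demo_redeem(array &$table, string $selector, string $verifier): ?int
{
    $row = $table[$selector] ?? null;
    if ($row === null || $row['consumed'] || $row['expires_at'] < time()) {
        return null;
    }
    $candidate = hash_hmac('sha256', $verifier, DEMO_KEY);
    // Constant-time comparison avoids leaking how many leading bytes matched.
    if (!hash_equals($row['verifier_hmac'], $candidate)) {
        return null;
    }
    $table[$selector]['consumed'] = true;   // single use
    return $row['user_id'];
}

$table = [];
[$sel, $ver] = demo_issue($table, 42);
var_dump(demo_redeem($table, $sel, str_repeat('0', 64))); // wrong verifier
var_dump(demo_redeem($table, $sel, $ver));                // first use
var_dump(demo_redeem($table, $sel, $ver));                // replay
var_dump(strpos(json_encode($table), $ver) === false);    // verifier absent from storage
```

In this sketch a leaked copy of the table exposes only HMACs, which cannot be redeemed without the plaintext verifier from the emailed URL.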
How long is data retained?
The {prefix}magicauth_requests table holds one row per issued token. A daily cron sweeps consumed and expired rows, so the table stays small.
On uninstall, MagicAuth drops the table, removes the settings option, and deletes the per-user magicauth_disabled meta. To preserve all data on uninstall, define MAGICAUTH_KEEP_DATA in wp-config.php.
How many failed code attempts before I'm locked out?
Per-row: 5 wrong code submissions burn that row. Per-IP: 20 wrong submissions per hour by default (configurable). Per-IP exhaustion blocks all code submissions from that IP, not just the one user. See Troubleshooting / Throttle blocks.
Customisation and development
Can I customise the email or sign-in UI?
Yes. Templates can be overridden by copying them into your-theme/magicauth/. Filters cover the subject line, From address, headers, and the rendered HTML and plaintext bodies. See:
What email-from address is used?
By default, From: {Company name} <{admin_email}>. Override either piece with the magicauth_email_from filter.
Can I issue magic links from my own code?
Yes. MagicAuth\Auth\TokenManager::issue() and MagicAuth\Email\Mailer::send_magic_link() are public static. See Developers / Programmatic API.