Installation
Install MagicAuth, activate it, and pass the first-run safety checks.
Install
Upload the plugin
Either install via Plugins → Add New in wp-admin and search for "MagicAuth", or upload the zip to /wp-content/plugins/magicauth.
Activate
Activate it through the Plugins screen. Activation does three things:
- Creates the
{prefix}magicauth_requestsdatabase table. - Seeds default settings (10-minute link lifetime, 60-second per-email cooldown, your Site Title as the company name).
- Schedules a daily cron sweep that deletes expired and consumed token rows.
Configure
Open Settings → MagicAuth and review the defaults. The defaults are safe. Adjusting branding (logo, brand color, company name) is the most common first step. See Configuration for every field.
Choose a sign-in surface
Two options. You can use both:
- Shortcode. Drop
[magicauth_login]on any page. A custom/sign-inpage is typical. - Branded
wp-login.php. Turn on Replace WordPress login screen in Configuration to make MagicAuth the primary sign-in surface site-wide.
First-run safety check: WordPress salts
On activation MagicAuth inspects the four authentication salts in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY). If any of them are missing or still contain the literal phrase put your unique phrase here, MagicAuth surfaces an admin notice and refuses to enable the wp-login.php replacement until you fix it.
Why: token verifiers are stored as hash_hmac('sha256', $plaintext, wp_salt('auth')). With placeholder salts, the secret is public.
To fix:
- Visit api.wordpress.org/secret-key.
- Copy the eight
define()lines. - Paste them into
wp-config.php, replacing the existing salts. - Reload any wp-admin page. The notice disappears.
The salt change invalidates existing user sessions. That is expected.
Verify it works
Send yourself a test email from Settings → MagicAuth → Diagnostics & Recovery → Send test email. The test uses a placeholder selector and code, so it never issues a real token. It confirms wp_mail and template rendering both work.
Updating
Update through Plugins → Installed Plugins as normal. MagicAuth runs a schema migration on plugins_loaded (priority 5) for any release that bumps the database version. Migrations are concurrency-locked and never block activation.