I had the need to create a link that would log in a person to a WordPress site automatically. That is, hitting the URL alone would log the user in and provide them with features on the site that were otherwise hidden from the general public. This sounds like a security nightmare to some perhaps, but the script I’ve written will only work for “subscribers” and nothing higher, can be hard coded to work with a specific user you create, or can be dynamic and pass the user’s login name as a parameter. There is never a need to pass or even show a password with this script.
Why might you want such a script?
- For some sites, registration can be too big of a barrier to use and yet you want specific people to have access to your non-public content.
- Leaving registration open can also be an invitation to spam registrations and bots.
- You have a user base that only needs to access the content of your website on an irregular basis and thus has greater difficulty remembering and maintaining their username and password information.
- Your site is used within an iFramed environment some of the time and you want all users to be logged in when viewing within this iFrame. (That was the case for me.)
- Consider using more than one auto-login script — one dynamic, one hardcoded – to suit your needs.
For some users, you can go another step and obfuscate the location of the script, too, but giving it a randomized name and perhaps even adding a mod_rewrite rule to handle such requests. However, given it only logs in a user with a subscriber level of access, I see little need for such obfuscation. If you couple the use of this script with the following plugins, you can create a WordPress site that has more features for some users but is either completely hidden to the general public, or hidden altogether.
- User Access Manager – Use this plugin to hide subscriber level navigation and pages from the general public
- Hide Admin Bar From Non-admins – Just what it says it does.
- Remove Dashboard Access – Perhaps overkill, but another plugin to block users from the backend if you desire.
- Password Protected – Using this plugin can allow you to block the general public from viewing your site and only the auto-login users can see what you want them to see. (You have to configure this plugin to permit logged in viewers to bypass the single password you create on the site as a whole in the preferences for this plugin.)
If you are an admin and use the auto-login script yourself you will need to log out to properly login again as an admin. There are several ways to do this, but it would depend on the site security setup you are using as well. (The iThemes Security plugin can create greater challenges to using this script as well.) If you are using the script in a dynamic fashion, passing a username parameter, using a link to your script that passes a bogus parameter will log you out properly. Something like yourdomain.com/auto-login.php?logmeout for example. Alternatively, you can bookmark a link to your login page (which may not be the standard location if you are using the iThemes Security plugin) and log yourself out that way.
Below is a link to a zip archive of the script I’ve created and you are free to use and customize as you see fit. Comments in the code are provided but feel free to ask questions of The Design Mission, too.
UPDATE and clarification: This script is a PHP page that sits beside, or in front of, your WordPress site. It is not a WordPress plugin.