Login ID Type

By default, WordPress lets users log in with either their username or email address. That’s flexible, but it also gives attackers two things to guess. Want to reduce that attack surface? This module lets you restrict login to username-only (blocking email enumeration) or email-only (for email-centric workflows).

Use Cases

  • Prevent email enumeration by requiring username-only login
  • Simplify login for users who always forget their username (email-only)
  • Standardize login behavior across your organization
  • Reduce attack surface by limiting authentication options
  • Match login requirements to your user management workflow

How It Works

Navigate to Switchboard → Security → Login ID Type and choose your mode:

| Mode | What Users Enter | Error Message |
| --- | --- | --- |
| Both (Default) | Username or email | Normal WordPress behavior |
| Username Only | Username | “Please login with your username, not email.” |
| Email Only | Email address | “Please login with your email address, not username.” |

The restriction is enforced at the authentication level — before WordPress checks the password.
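
One way to enforce an identifier type with WordPress's core `authenticate` filter, as an added example (not the Switchboard module's own code; `EXAMPLE_LOGIN_ID_MODE` and `example_restrict_login_id()` are hypothetical names). Unlike the module as described above, this sketch runs after core's credential handlers and discards their result, because those handlers (priority 20) do not stop for a `WP_Error` set by an earlier callback when both fields are filled in.

```php
<?php
// Added example, not the plugin's code. Hypothetical setting:
// 'both', 'username' or 'email'.
const EXAMPLE_LOGIN_ID_MODE = 'username';

/**
 * Reject logins whose identifier is of the wrong type.
 *
 * Hooked at priority 99 so it sees the final result of core's
 * username/password and email/password handlers and can replace it,
 * even when the submitted password was correct.
 */
function example_restrict_login_id( $user, $username, $password ) {
	// Cookie-based requests and empty form submissions carry no
	// identifier to classify; leave core's result untouched.
	if ( '' === trim( (string) $username ) ) {
		return $user;
	}

	// is_email() returns the address on success and false otherwise.
	// Caveat: an account whose username is itself email-shaped is
	// treated as an email here and would be refused in username mode.
	$looks_like_email = ( false !== is_email( $username ) );

	if ( 'username' === EXAMPLE_LOGIN_ID_MODE && $looks_like_email ) {
		return new WP_Error(
			'example_login_id_type',
			'Please login with your username, not email.'
		);
	}

	if ( 'email' === EXAMPLE_LOGIN_ID_MODE && ! $looks_like_email ) {
		return new WP_Error(
			'example_login_id_type',
			'Please login with your email address, not username.'
		);
	}

	return $user;
}
add_filter( 'authenticate', 'example_restrict_login_id', 99, 3 );
```

Because the same error is returned whether or not the account exists, the response in a restricted mode does not reveal which identifiers are registered.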

Settings

| Setting | Options | Default |
| --- | --- | --- |
| Login ID Type | Both / Username Only / Email Only | Both |

Why Restrict Login Type?

Username Only Benefits

  1. Blocks email enumeration — Attackers can’t verify if an email exists on your site
  2. Separates public and private info — Emails are often public; usernames can be private
  3. Reduces attack surface — Only one identifier to guess
  4. Consistent with security policies — Some organizations require username-based auth

Email Only Benefits

  1. Easier for users — People remember their email better than usernames
  2. Natural for email-centric sites — E-commerce, memberships, newsletters
  3. Avoids “what was my username?” problem — Everyone knows their email
  4. Works well with SSO — Email-based identity is standard for integrations

What Users See

When someone tries to log in with the wrong type:

Username Only mode, user enters email:

“Please login with your username, not email.”

Email Only mode, user enters username:

“Please login with your email address, not username.”

The error appears immediately, before password validation.

Email Enumeration Attack

Here’s why “username only” can improve security:

The attack:

  1. Attacker has a list of email addresses
  2. They try each as a WordPress login
  3. WordPress says “invalid email” vs “incorrect password”
  4. Different messages reveal which emails have accounts

With username only:

  • Attacker can’t use email addresses at all
  • They must know usernames to even attempt login
  • Email list is useless for reconnaissance

Modern WordPress tries to use generic error messages to prevent enumeration, but forcing username-only is an extra layer of protection.

Registration Considerations

This module affects login only, not registration:

  • Users can still register with their email
  • Password reset still uses email
  • Only the login form behavior changes

If you use email-only login, make sure your users know to:

  1. Register with their email (as normal)
  2. Log in using that same email address

Verification

After configuring:

  1. Log out of WordPress
  2. Go to the login page
  3. Try logging in with the restricted type
  4. You should see the appropriate error message
  5. Log in with the allowed type — should work normally

FAQ

What if users forget which to use?
The error message tells them exactly what to use. You can also customize your login page (via theme or plugin) to indicate “Enter your username” or “Enter your email”.

Does this affect wp-login.php only or other login methods too?
It hooks into WordPress authentication, so it affects any login that uses the standard WordPress authentication system — wp-login.php, login forms in themes, WooCommerce, etc.

Can users still reset passwords with their email?
Yes. Password reset is separate from login authentication. Users can request password resets using their email regardless of this setting.

What about the REST API?
The REST API uses different authentication mechanisms (Application Passwords, cookies, etc.). This module specifically targets form-based login where users enter credentials.

Will this affect SSO or social login?
SSO and social login plugins typically bypass the standard WordPress authentication flow. They should continue to work. Test with your specific SSO plugin to confirm.

What happens if I change from email-only to username-only?
Users who’ve been logging in with email will need to use their username instead. Make sure to communicate the change. Their accounts still work — only the login method changes.

Combining with Other Security Modules

For comprehensive login security:

| Module | Protection |
| --- | --- |
| Login ID Type | Control what credentials are accepted |
| Limit Login Attempts | Block brute force after failed attempts |
| Username Blacklist | Prevent risky usernames from existing |
| Disable XML-RPC | Block XML-RPC brute force attacks |

Together, these create multiple layers of login protection.

For maximum security: Use “Username Only” combined with strong, unique usernames that aren’t publicly visible (don’t use author slugs as usernames).
