Switchboard DOCS
Docs
Get Started Get Lifetime Deal

Magic Login

Passwords are a hassle. Users forget them, reuse them, and create weak ones. Magic Login lets users sign in with just their email address — they receive a secure link or code, click or enter it, and they’re in. No password required.

Use Cases

  • Simplify login for users who forget passwords
  • Provide quick access links in transactional emails
  • Offer code-based login for mobile users
  • Enable QR code scanning for fast mobile authentication

How It Works

  1. User enters their email on the login form
  2. They receive an email with a secure, one-time link
  3. Clicking the link logs them in immediately
  4. Link expires after configured time (default: 15 minutes)

Code-Based Login

  1. User enters their email on the login form
  2. They receive an email with a 6-digit code
  3. They enter the code on the verification screen
  4. Correct code logs them in

QR Code Login

  1. User requests a magic link email
  2. Email includes a scannable QR code
  3. Scanning on mobile opens the link directly
  4. User is logged in on their mobile device

Settings

SettingTypeDefaultDescription
Link ExpiryNumber15Minutes until magic links expire
Allow Code LoginToggleOnLet users choose to receive codes instead
Include QR CodeToggleOnAdd QR code to magic link emails
Redirect After LoginURLWhere to send users after login (blank = admin)
Email SubjectTextCustom email subject line
Email ContentTextareaCustom email template with placeholders

Email Placeholders

Use these in custom email templates:

PlaceholderDescription
{{MAGIC_LINK}}The one-click login URL
{{MAGIC_CODE}}The 6-digit verification code
{{USER_NAME}}User’s display name
{{SITE_NAME}}Your site name
{{EXPIRY}}Link expiration time

Auto-Login in Emails

The {{MAGIC_LINK}} placeholder works in any WordPress email, not just magic login emails. Use it to include one-click login links in:

  • WooCommerce order confirmations
  • Membership welcome emails
  • Newsletter links
  • Support ticket responses

Example in an email template:

Click here to view your order: {{MAGIC_LINK}}

Shortcode

Add a magic login form anywhere with:

[magic_login]

Optional attributes:

  • redirect — URL to redirect after login
  • label — Custom button label

Example:

[magic_login redirect="/my-account" label="Sign In"]

Security Features

FeatureDescription
One-Time UseEach link/code works only once
Time-LimitedLinks expire after configured time
Encrypted StorageTokens encrypted with AES-256-GCM
Rate LimitingPrevents abuse of login requests
IP BindingOptional — bind links to requesting IP

CAPTCHA Integration

Magic Login integrates with Switchboard CAPTCHA modules:

  • Cloudflare Turnstile
  • Google reCAPTCHA
  • Simple CAPTCHA

Enable CAPTCHA protection in those modules and turn on “Protect Magic Login” to prevent abuse of the magic login form.

FAQ

Is magic login secure?Yes. Links use cryptographically random tokens, expire quickly, and work only once. They’re as secure as password reset links — which every site already uses.
What if someone intercepts the email?The same risk exists for password reset emails. Magic links are one-time use and expire quickly, limiting the attack window. Use HTTPS and consider IP binding for additional security.
Can users still use passwords?Yes. Magic login is an alternative, not a replacement. The normal WordPress login form still works for password-based login.
Does this work with two-factor authentication?Magic login bypasses password entry, so traditional 2FA that triggers after password entry won’t apply. The magic link itself serves as the authentication factor.
Can I disable password login entirely?This module doesn’t remove password login. It adds an alternative. For password-less only, you’d need additional customization.

Magic login works great for membership sites where you want to reduce login friction. Include {{MAGIC_LINK}} in welcome emails so new members can access their account instantly.

PRO

Get access to all 166 modules with a single license

Upgrade to Pro
Prev
Disable XML-RPC
Next
Change Post Type