Magic Link Login – Passwordless WordPress Login

Let users log in to WordPress by clicking a link sent to their email – no password needed. Magic Link Login adds a passwordless authentication option to your WordPress and WooCommerce login pages. Users enter their email address, receive a unique one-time link, click it, and they’re logged in. The link expires after a configurable time period and is destroyed after use. No passwords to remember, no passwords to steal, no password reset requests to manage.

What Is Magic Link Login?

Magic Link Login is a passwordless authentication method. Instead of entering a username and password, users provide their registered email address. WP Ghost generates a unique, time-limited URL and sends it to that email. Clicking the link authenticates the user and grants dashboard access. The link is single-use – once clicked or expired, it can’t be used again.

Users can still log in with their traditional password if they prefer. Magic Link Login adds a button to the login form as an alternative authentication option – it doesn’t replace the password form.

Why Use Magic Link Login

Passwords are the weakest link in most authentication systems. Here’s why Magic Link Login strengthens your hack prevention strategy:

It eliminates password-based attacks. Brute force attacks, credential stuffing, and password reuse – the most common login attack vectors – all require a password to target. Magic Link Login removes the password from the equation entirely. There’s nothing to guess, nothing to stuff, nothing to reuse. LLAR’s 2025 report found that brute force attacks surged 130% in 2024 – Magic Link Login makes those attacks irrelevant for users who opt in.

No passwords to manage or forget. Users don’t need to remember complex passwords, comply with strength requirements, or go through reset flows. This reduces support requests and improves the login experience – especially for WooCommerce customers who may only log in occasionally.

Each link is unique, single-use, and time-limited. A magic link can’t be intercepted and reused – it’s destroyed after the first click and expires after the configured time (default: 1 hour). Even if an attacker somehow obtains the link after use, it’s already invalid.

It works alongside other security layers. Magic Link Login complements brute force protection and Two-Factor Authentication (2FA). Users who prefer passwords can still use them with full brute force and 2FA protection.

How to Enable Magic Link Login

Activate and Configure

1. Activate the feature from WP Ghost > Overview > Features.
2. Go to WP Ghost > Change Paths > Login Security.
3. Scroll to the Magic Login section.
4. Set the Magic Login button text (what users see on the login form).
5. Choose the Link Expiration period (how long the link remains valid).
6. Optional: enable WooCommerce support to add magic link to WooCommerce login.
7. Click Save.

Email delivery required: Magic Link Login depends on your site’s ability to send emails. You need a working SMTP configuration. Use an SMTP plugin (like WP Mail SMTP, FluentSMTP, or Post SMTP) to ensure emails are delivered reliably. Without SMTP, magic link emails may not reach users.

How the Login Flow Works

Once enabled, here’s what users see and do:

1. User clicks “Login using a magic link” on the WordPress login page.

2. User enters their registered email address.

3. WP Ghost sends a unique, time-limited link to their email.

4. User clicks the link in their email and is logged in automatically. The link is destroyed after use.

Send Magic Links from the Users List

Administrators can send magic login links to any user directly from Users > All Users. Click “Send magic login link” in the user’s row actions to send a one-time login link to their email. The link is valid for 1 hour.

Enable WooCommerce Magic Link

Magic Link Login integrates with the WooCommerce login page. Activate the WooCommerce Magic Link from WP Ghost > Overview > Features, and the magic link button appears on the WooCommerce login form.

Customization

Customize the magic link email subject and message using WordPress filters in your theme’s functions.php:

add_filter('hmwp_unique_login_subject', function($subject){
  return "Your Magic Login URL";
}, 1);

add_filter('hmwp_unique_login_message', function($message, $url){
  return sprintf( "Click on this magic link %s to log in to your account.", PHP_EOL . PHP_EOL . $url . PHP_EOL . PHP_EOL) ;
}, 2);

Translation tip: If you use WPML or Polylang, the Magic Login button text and email messages can be translated from WPML > String Translation or Polylang > Languages > String Translations. Changes apply automatically based on the active language.

Troubleshooting

“The server was unable to send the email”

This error appears when your site can’t send emails. WordPress relies on the server’s mail function by default, which fails on many hosting environments. Install and configure an SMTP plugin (WP Mail SMTP, FluentSMTP, or Post SMTP) to route emails through a reliable mail service. Test that your site can send emails before relying on Magic Link Login.

Magic link email goes to spam

If users report that magic link emails arrive in spam, the issue is email deliverability. An SMTP plugin with proper SPF, DKIM, and DMARC records on your domain will resolve this. Services like SendGrid, Mailgun, or Amazon SES provide reliable delivery with proper authentication.

If you’ve lost access or something broke, check the emergency disable guide, use the rollback settings, or add a constant in wp-config.php to disable WP Ghost temporarily.

Frequently Asked Questions

Can users still log in with a password?

Yes. Magic Link Login adds an alternative login method – it doesn’t remove the password form. Users can choose either method. The standard password form remains visible alongside the magic link button.

How secure is a magic link?

Magic links are single-use tokens with a configurable expiration (default: 1 hour). They’re destroyed after the first click and expire if unused. Security depends on the user’s email account – anyone with access to that email can use the link. This is the same trust model as password reset emails. For highest security, combine Magic Link Login with 2FA.

Does this work with WooCommerce?

Yes. Enable the WooCommerce Magic Link toggle in Features to add the magic link button to the WooCommerce login page. WooCommerce customers can log in without passwords – reducing support requests and cart abandonment from forgotten passwords. WP Ghost is fully compatible with WooCommerce.

What’s the difference between Magic Link Login and Temporary Logins?

Temporary Logins are admin-generated URLs for specific people (developers, clients) with custom roles and expiration. Magic Link Login is a self-service feature – any registered user can request their own login link from the login page. Temporary Logins are for controlled, admin-initiated access; Magic Link Login is for everyday user authentication.

Does WP Ghost modify WordPress core files?

No. Magic Link Login adds a button to the login form through WordPress hooks and handles authentication through WP Ghost’s processing. No core files are modified. Disabling the feature removes the button and link generation instantly.

Related Tutorials

Build your complete login security system:

• Temporary Logins – Create admin-generated passwordless URLs with custom roles and expiration.
• Two-Factor Authentication – Add a second verification step to the login process.
• Brute Force Protection – Block login attacks with attempt limits and reCAPTCHA.
• Change and Hide the Login Path – Move your login page to a custom URL.
• Login Page Design – Customize the appearance of your login page.