Description
Passwords are the single biggest security risk for your WordPress site. They get leaked, reused, or broken by automated brute-force attacks. Standard Two-Factor Authentication (2FA) adds safety, but typing in temporary codes from SMS or authenticator apps introduces annoying friction to your daily workflow.
Advanced Passkeys for Secure Login brings the future of un-phishable, modern authentication directly to your WordPress site using the official FIDO2 / WebAuthn standard.
Users register a passkey just once using their device’s built-in biometric sensor (Face ID, Touch ID, Windows Hello) or a hardware security key (like a YubiKey). Future sign-ins take less than a second—completely bypassing the traditional password field.
Why Switch to Passkeys?
- Immune to Phishing: Passkeys are cryptographically bound to your specific domain. A fake login page cannot trick or steal a passkey.
- Goodbye Brute-Force: Because there is no static password on the server to guess, automated bot attacks are completely neutralized.
- Ultimate Ecosystem Sync: Works seamlessly with iCloud Keychain, Google Password Manager, and 1Password for painless cross-device access.
Ecosystem-Wide Integrations Included
Unlike basic alternatives, this plugin features intelligent, dependency-aware integration modules that automatically inject passkey entry points into your favorite plugins. It features out-of-the-box support for WooCommerce, Easy Digital Downloads, MemberPress, Ultimate Member, LearnDash, BuddyBoss, Gravity Forms, and PMPro.
Features
- One-Click Passwordless Auth: Adds a native “Sign in with Passkey” button directly to the WordPress login screen.
- Ecosystem Integrations: Built-in aware modules, blocks, and shortcodes for WooCommerce, MemberPress, LearnDash, BuddyBoss, and more.
- Gutenberg Blocks & Shortcodes: Automatically registers custom login cards and shortcodes based on active plugins.
- Admin Dashboard Overview: Keep track of credential performance with an Authenticator Overview card and Last Login activity logs.
- Granular Role Controls: Easily configure exactly which user roles are permitted to use passkey authentication (Default: Administrators).
- Brute-Force Rate Limiting: Hardened local security with built-in login rate-limiting and automated daily log cleanups.
- Multisite Compatible: Network-aware provisioning instantly configures security settings for newly created network sites.
- Clean Performance & Housekeeping: Lightweight footprint with a clean uninstall routine that leaves zero orphaned tables or options behind.
Developer Hooks: Last Used Pill
Developers can use these filters inside a theme or functionality plugin to globally customize or suppress the login form’s Last used passkey indicator pill.
Available filters
advapafo_last_used_pill_freshness_days— default 90 daysadvapafo_last_used_pill_visible— final on/off overrideadvapafo_last_used_pill_label— customize label text
Example implementation
<?php
/**
* Example customization for Last used login pill.
*/
// Show pill if passkey login is within 120 days.
add_filter( 'advapafo_last_used_pill_freshness_days', function ( $days, $user ) {
unset( $user );
return 120;
}, 10, 2 );
// Hide pill for administrator accounts.
add_filter( 'advapafo_last_used_pill_visible', function ( $visible, $timestamp, $freshness_days, $user ) {
unset( $timestamp, $freshness_days );
if ( $user instanceof WP_User && in_array( 'administrator', (array) $user->roles, true ) ) {
return false;
}
return $visible;
}, 10, 4 );
// Label override.
add_filter( 'advapafo_last_used_pill_label', function ( $label, $user ) {
unset( $user );
return 'Previously used';
}, 10, 2 );
Screenshots
Blocks
This plugin provides 4 blocks.
- Passkey Login Button
- Passkey Register Button
- Account Passkeys
- Passkey Setup Prompt
Installation
Automatic installation
- In your WordPress admin, go to Plugins > Add New
- Search for Advanced Passkeys for Secure Login
- Click Install Now then Activate
- Go to Settings > Advanced Passkeys for Secure Login and enable passkeys
Manual installation
- Download the plugin ZIP from ww.wp.xz.cn
- Go to Plugins > Add New > Upload Plugin and upload the ZIP
- Click Activate
- Go to Settings > Advanced Passkeys for Secure Login and enable passkeys
After activation
- Go to Settings > Advanced Passkeys for Secure Login — verify passkeys are enabled and select which roles may use them.
- Visit Users > Your Profile and register your first passkey.
- Sign out and confirm the Sign in with Passkey button appears on the login page.
- Register a backup passkey on a second device to avoid lockout.
Production & Local Environments
Passkeys require a secure (HTTPS) connection context. The plugin will actively block passkey flows over plain HTTP in production.
If you are testing locally without an SSL certificate, you can bypass this restriction by adding the following line to your wp-config.php file:
define( 'ADVAPAFO_ALLOW_HTTP', true ); (*Never use this in production!*)
FAQ
-
Does this replace passwords entirely?
-
No. Passkeys act as a seamless, high-security alternative sign-in method. Users retain their standard WordPress passwords as a reliable fallback.
-
Which browsers and devices are supported?
-
Any browser supporting the WebAuthn standard (all major platforms since 2022) including Chrome, Safari, Firefox, and Edge. Supported hardware includes iPhones, iPads, Macs, Android devices, Windows Hello machines, and physical FIDO2/U2F security keys like YubiKeys.
-
Is HTTPS required?
-
Yes, in production environments. The official WebAuthn specification mandates a secure context. See the local development instructions in the Installation tab to test locally via HTTP.
-
What PHP extensions do I need?
-
The plugin relies on
openssl,mbstring, andjson. These core extensions are compiled by default on almost every modern managed WordPress host. -
Can I control which user roles can use passkeys?
-
Yes. Navigate to Settings > Advanced Passkeys for Secure Login > Eligible Roles. While it defaults strictly to Administrators, you can provision passkeys for any core or custom role on your site.
-
Which shortcodes are available?
-
Core shortcodes:
*[advapafo_login_button]
*[advapafo_register_button]
*[advapafo_passkey_profile]
*[advapafo_passkey_prompt]Integration-specific shortcodes: (active when corresponding plugins are running)
*[advapafo_woocommerce_login]
*[advapafo_edd_login]
*[advapafo_memberpress_login]
*[advapafo_ultimate_member_login]
*[advapafo_learndash_login]
*[advapafo_buddyboss_login]
*[advapafo_gravityforms_login]
*[advapafo_pmp_login] -
Which integration Gutenberg blocks are available?
-
When an integration dependency is active, the plugin registers matching blocks:
*advanced-passkey-login/woocommerce-login-card
*advanced-passkey-login/edd-login-card
*advanced-passkey-login/memberpress-login-card
*advanced-passkey-login/ultimate-member-login-card
*advanced-passkey-login/learndash-login-card
*advanced-passkey-login/buddyboss-login-card
*advanced-passkey-login/gravityforms-login-card
*advanced-passkey-login/pmp-login-card -
What happens if I deactivate or delete the plugin?
-
Deactivating keeps your data safe. Deleting (uninstalling) triggers a strict housekeeping routine that cleanly drops the
wp_wpk_credentials,wp_wpk_rate_limits, andwp_wpk_logstables alongside alladvapafo_*options. -
Is the plugin multisite compatible?
-
Yes. Database tables partition dynamically per site via
$wpdb->prefix. Network activation auto-provisions existing sites and seamlessly configures any newly deployed network sites. -
Can I use a custom RP ID for subdomain setups?
-
Yes. Simply add
define( 'ADVAPAFO_RP_ID', 'example.com' );directly into your site’swp-config.phpfile.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Advanced Passkeys for Secure Login” is open source software. The following people have contributed to this plugin.
Contributors
Translate “Advanced Passkeys for Secure Login” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.1.6
- Improved: include ww.wp.xz.cn assets directory in release source so banners, icon, and screenshots deploy via SVN automation.
1.1.5
- Improved: sanitize-early handling for transports and credential request inputs.
- Improved: stricter nonce-gated debug query handling in settings.
- Improved: output escaping hardening for integration-rendered markup and dynamic admin classes.
- Improved: release and quality workflow validation guardrails (actionlint gate).
1.1.4
- Added: Dashboard tab with an Authenticator Overview card.
- Added: Last Login activity card in the Dashboard tab.
- Improved: nonce and capability enforcement across sensitive request handlers.
- Improved: release packaging workflow with strict file allowlist validation.
- Fixed: release automation now publishes real GitHub releases with attached installable ZIP.
1.1.2
- Added: integration manager for popular ecosystem plugins with dependency-aware module loading.
- Added: integration-specific shortcodes and Gutenberg blocks.
- Added: integration controls in settings with installed/not installed indicators.
- Added: shortcode quick-start helper and improved shortcode documentation in admin UI.
- Changed: removed legacy shortcode alias registrations and related legacy copy.
- Changed: refreshed docs and translation template strings for current shortcode names.
1.1.1
- Updated: plugin name and user-facing references to “Advanced Passkeys for Secure Login”.
- Updated: settings/UI copy to use the full plugin name.
1.1.0
- Added: dismissible “set up your passkey” nudge notice for eligible users.
- Added: Passkeys column in the admin Users list showing count per user.
- Added: Scheduled daily cleanup of expired rate-limit rows and old log entries.
- Added: Challenge timeout setting in Settings > Advanced Passkeys for Secure Login > Advanced.
- Added: Login redirect URL field in settings (fallback after passkey login).
- Added:
[advapafo_login_button]and[advapafo_register_button]shortcodes. - Added: Log retention period setting (days).
- Improved:
get_challenge_ttl()now reads from the settings UI.
1.0.0
- Initial release.