Title: oOMF! Access
Author: oOMF!
Published: May 13, 2026
Last modified: June 1, 2026

---


![](https://ps.w.org/oomf-access/assets/banner-772x250.png?rev=3556166)

![](https://ps.w.org/oomf-access/assets/icon-256x256.png?rev=3556176)

# oOMF! Access

 By [oOMF!](https://profiles.wordpress.org/oomf/)

[Download](https://downloads.wordpress.org/plugin/oomf-access.1.0.0.zip)


## Description

oOMF! Access gives WordPress sites a better front door: a polished login page, guided
account flows, passwordless magic links, social sign-in, safe redirects, CAPTCHA,
hide-admin controls, honeypots, throttling, and lockout protection.

It is built for agencies, membership sites, product teams, and site owners who want
a professional sign-in experience without hand-rolling templates, OAuth plumbing,
redirect rules, and abuse controls for every project.

#### Why teams use it

 * **A login page worth sharing** – replace the default WordPress screen with a 
   branded page powered by `[oomf_access_form]`, theme-aware styling, logo controls,
   custom copy, gradients, and live admin previews.
 * **One flow for every access moment** – keep login, registration, lost password,
   password reset, logged-in states, and magic-link requests inside the same consistent
   interface.
 * **Passwordless and social sign-in** – offer email magic links plus Google, Apple,
   GitHub, Microsoft, and Facebook providers with provider-specific setup hints.
 * **Redirects you can trust** – send people to the right page after login/logout
   while validating `redirect_to` values and exposing filters for approved external
   hosts.
 * **Layered anti-abuse controls** – enable reCAPTCHA, hCaptcha, honeypots, soft
   throttling, lockouts, secret login paths, and emergency bypass flows from wp-admin.
 * **Developer-friendly internals** – focused hooks and filters let you customize
   destinations, CAPTCHA behavior, provider handling, inline CSS, and allowed redirect
   hosts.

#### Built for the real WordPress admin

The settings screen includes a live preview, grouped controls for content/appearance/
behavior/security, provider previews, and setup copy for external services. Frontend
and admin assets load only where needed and are versioned with `filemtime()`.

### Privacy

oOMF! Access does not send data to oOMF! services. CAPTCHA and social login features
connect only when you enable them and provide your own third-party credentials. 
Removing the plugin deletes its settings, and the generated login page can also 
be removed via the `oomf_access/delete_page_on_uninstall` filter.

### External services

oOMF! Access connects to outside services only when the related feature is enabled.

#### Google reCAPTCHA (v2/v3)

 * Purpose: spam and abuse protection for access forms.
 * Endpoints: `https://www.google.com/recaptcha/api.js` and
   `https://www.google.com/recaptcha/api/siteverify`.
 * Data sent: site key/secret, visitor response token, action name, and optionally
   visitor IP.
 * Terms: https://policies.google.com/terms
 * Privacy: https://policies.google.com/privacy

#### hCaptcha

 * Purpose: CAPTCHA validation.
 * Endpoints: `https://js.hcaptcha.com` and `https://hcaptcha.com/siteverify`.
 * Data sent: site key/secret, response token, action name, and optionally visitor
   IP.
 * Terms: https://www.hcaptcha.com/terms
 * Privacy: https://www.hcaptcha.com/privacy

#### Google OAuth

 * Purpose: sign in with Google.
 * Endpoints: `accounts.google.com/o/oauth2/v2/auth`, `oauth2.googleapis.com/token`,
   and `openidconnect.googleapis.com/v1/userinfo`.
 * Data sent: authorization code, code verifier, redirect URI, client credentials,
   and selected scopes. Returned data can include name, verified email, avatar, 
   and locale.
 * Terms: https://policies.google.com/terms
 * Privacy: https://policies.google.com/privacy

#### Apple Sign In

 * Purpose: sign in with Apple.
 * Endpoints: `appleid.apple.com/auth/authorize` and `appleid.apple.com/auth/token`.
 * Data sent: authorization code, client ID, redirect URI, and signed JWT assertions
   generated from your Apple key. Returned data can include name and email.
 * Terms: https://www.apple.com/legal/internet-services/terms/site.html
 * Privacy: https://www.apple.com/legal/privacy/

#### GitHub OAuth

 * Purpose: sign in with GitHub.
 * Endpoints: `github.com/login/oauth/authorize`, `github.com/login/oauth/access_token`,
   `api.github.com/user`, and `api.github.com/user/emails`.
 * Data sent: authorization code, client credentials, redirect URI, and scopes. 
   Returned data can include ID, email, name, and avatar.
 * Terms: https://docs.github.com/en/site-policy/github-terms/github-terms-of-service
 * Privacy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement

#### Microsoft OAuth

 * Purpose: sign in with Microsoft.
 * Endpoints: `login.microsoftonline.com/common/oauth2/v2.0/authorize`,
   `login.microsoftonline.com/common/oauth2/v2.0/token`, and `graph.microsoft.com/v1.0/me`.
 * Data sent: authorization code, client credentials, redirect URI, and scopes. 
   Returned data can include ID, email, name, and locale.
 * Terms: https://www.microsoft.com/licensing/terms/productoffering/MicrosoftOnlineServices/MOSPT
 * Privacy: https://privacy.microsoft.com/privacystatement

#### Facebook Login

 * Purpose: sign in with Facebook.
 * Endpoints: `facebook.com/v18.0/dialog/oauth`,
   `graph.facebook.com/v18.0/oauth/access_token`, and `graph.facebook.com/v18.0/me`.
 * Data sent: authorization code, app credentials, redirect URI, and scopes. Returned
   data can include ID, email, name, and avatar.
 * Terms: https://www.facebook.com/legal/terms
 * Privacy: https://www.facebook.com/policy.php

### Hooks & Extension Points

 * `oomf_access_redirect_destination` – override the final destination after login.
 * `oomf-access/allowed_redirect_hosts` – allow approved external redirect hosts.
 * `oomf-access/captcha/allow_external` – control whether CAPTCHA network calls 
   are allowed.
 * `oomf_access_captcha_is_required` – decide whether CAPTCHA is required for a 
   request.
 * `oomf_access_captcha_validate_result` – customize CAPTCHA validation results.
 * `oomf-access/inline_css` – inject extra CSS into the admin preview and frontend.

## Screenshots

 * Branded login page with live accent styling, strong form hierarchy, and recovery
   links.
 * Admin settings with tabbed controls, action shortcuts, and a real-time login
   preview.

## Installation

 1. Upload the plugin folder to `/wp-content/plugins/` or install the ZIP from Plugins
    → Add New.
 2. Activate oOMF! Access. Activation creates a public “Login” page and stores its 
    ID in `oomf_access_page_id`.
 3. Open Settings → oOMF! Access to configure branding, text, redirects, magic links,
    social providers, CAPTCHA, and hide-admin options.
 4. Share the generated login URL, usually `/oomf-access/`.

## FAQ

### Where is the login page?

Activation creates a WordPress page containing `[oomf_access_form]`. You can edit
or move that page. If it is deleted, `/oomf-access/` still renders the bundled login
template so people are not stranded.

### Does it replace my theme template?

The shortcode inherits your theme when embedded anywhere. The generated login page
uses the bundled minimal template at `templates/oomf-access-page-template.php` so
the dedicated access page stays consistent.

### What can I customize?

You can adjust logos, appearance mode, accent color, spacing, headings, helper text,
form labels, button text, magic-link copy, redirect destinations, social providers,
CAPTCHA settings, hide-admin behavior, honeypot and throttle settings, and lockout
thresholds.

### How do redirects work?

If a safe `redirect_to` value is supplied, it wins. Otherwise oOMF! Access uses 
the configured post-login destination, then falls back to the WordPress admin. Developers
can use `oomf-access/allowed_redirect_hosts` and `oomf_access_redirect_destination`
for custom routing.
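
The precedence and host checks described above, sketched as an added example (not code from the plugin). The function names, the sample hosts and the `/dashboard/` destination are assumptions; only same-site paths and `http(s)` URLs whose host exactly matches the allowlist are accepted.

```php
<?php
// Added illustration; not oOMF! Access code. All function names are hypothetical.

/** True if $url is a same-site absolute path or an http(s) URL on an allowed host. */
function example_is_safe_redirect(string $url, string $site_host, array $extra_hosts = []): bool
{
    $url = trim($url);
    // Reject empty values, control characters and backslashes (browsers treat "\" like "/").
    if ($url === '' || preg_match('/[\x00-\x1F\x7F\\\\]/', $url)) {
        return false;
    }
    // Local path: exactly one leading slash. "//host/..." is protocol-relative, so off-site.
    if ($url[0] === '/') {
        return !str_starts_with($url, '//');
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // bare relative paths and host-less schemes ("javascript:", "data:")
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // userinfo can disguise the real host: "https://site.example@other/"
    }
    $allowed = array_map('strtolower', array_merge([$site_host], $extra_hosts));
    return in_array(strtolower($parts['host']), $allowed, true); // exact match, no suffix match
}

/** FAQ precedence: safe redirect_to, then the configured destination, then wp-admin. */
function example_pick_destination(?string $redirect_to, ?string $configured,
                                  string $site_host, array $extra_hosts = []): string
{
    foreach ([$redirect_to, $configured] as $candidate) {
        if ($candidate !== null && example_is_safe_redirect($candidate, $site_host, $extra_hosts)) {
            return $candidate;
        }
    }
    return '/wp-admin/';
}

// Constructed sample redirect_to values; site.example and shop.example.org are placeholders.
$samples = ['/account/', '//evil.example/x', 'https://evil.example/', 'https://shop.example.org/cart',
            'https://site.example@evil.example/', 'javascript:void(0)', '/\\evil.example', null];
foreach ($samples as $r) {
    printf("%-40s => %s\n", var_export($r, true),
        example_pick_destination($r, '/dashboard/', 'site.example', ['shop.example.org']));
}
```

Only `/account/` and the allowlisted `shop.example.org` URL are honoured; every other sample falls back to the configured `/dashboard/`.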

### What CAPTCHA providers are supported?

oOMF! Access supports reCAPTCHA v2 checkbox, reCAPTCHA v2 invisible, reCAPTCHA v3,
and hCaptcha. Scripts load only on access pages and verification happens server-side.

### How does Hide Admin work?

When enabled, direct access to `/wp-login.php` and `/wp-admin` can be obscured for
anonymous visitors while a secret login slug remains available. Emergency bypasses
are retained for break-glass access.

### Which social providers are supported?

Google, Apple, GitHub, Microsoft, and Facebook can be configured from Settings →
oOMF! Access → Social. Each provider shows the callback URL and setup notes you 
need for its OAuth app.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“oOMF! Access” is open source software. The following people have contributed to
this plugin.

Contributors

 * [oOMF!](https://profiles.wordpress.org/oomf/)

[Translate “oOMF! Access” into your language.](https://translate.wordpress.org/projects/wp-plugins/oomf-access)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/oomf-access/), check
out the [SVN repository](https://plugins.svn.wordpress.org/oomf-access/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/oomf-access/) by
[RSS](https://plugins.trac.wordpress.org/log/oomf-access/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.0 – 2026-03-24

 * Fixed: Magic link nonce verification now derives the nonce action from validated
   token data.
 * Fixed: Settings AJAX handler now reads serialized form data with a sanitizing
   filter up front.
 * Added: CAPTCHA provider integrations for reCAPTCHA v2/v3 and hCaptcha.
 * Added: Hide Admin with configurable secret login slug and emergency bypass flows.
 * Improved: Social login setup, including Sign in with Apple and provider previews.
 * Improved: Asset loading and versioning via `filemtime()`.
 * Developer: New filters and clearer extension points for redirects and CAPTCHA.

## Meta

 * Version **1.0.0**
 * Last updated **4 hours ago**
 * Active installations **Fewer than 10**
 * WordPress version **6.2 or higher**
 * Tested up to **7.0**
 * PHP version **8.1 or higher**
 * Tags: [authentication](https://wordpress.org/plugins/tags/authentication/),
   [branding](https://wordpress.org/plugins/tags/branding/),
   [login](https://wordpress.org/plugins/tags/login/),
   [redirects](https://wordpress.org/plugins/tags/redirects/),
   [security](https://wordpress.org/plugins/tags/security/)
 * [Advanced View](https://wordpress.org/plugins/oomf-access/advanced/)
