oOMF! Access

By oOMF!

Description

oOMF! Access delivers a polished WordPress login experience with guided flows for login, registration, lost password, and password reset. Offer passwordless magic links, social sign-in, and smart redirect control while layering in hide-admin, CAPTCHA, honeypot, and soft throttling safeguards — all without writing custom code.

Key features
– Branded login page rendered via the [oomf_access_form] shortcode. Activation creates a dedicated page whose ID is stored in oomf_access_page_id, and the /oomf-access/ route continues to load the bundled template even if that page is removed.
– Smart and safe post-login redirects with Redirects::validate_safe_redirect() and pluggable filters.
– Passwordless magic link login plus social providers (Google, Apple, GitHub, Microsoft, Facebook) with admin previews.
– Multiple CAPTCHA providers (reCAPTCHA v2 checkbox, v2 invisible, v3, and hCaptcha) and honeypot/throttle helpers to slow abuse.
– Hide Admin / secret login path support to obscure /wp-login.php and /wp-admin from anonymous users while keeping emergency bypasses available.
– Minimal asset footprint: frontend/admin JS & CSS load only where needed and are versioned with filemtime().
– Developer hooks and filters to customize redirects, captcha behavior, allowed hosts, provider scopes, and more.

Privacy

oOMF! Access does not send data to oOMF! services. If you enable CAPTCHA or Social Login, your site sends authentication and verification requests to those third-party providers as described in the External services section below. Removing the plugin deletes its settings (and the generated login page if you opt in via the oomf_access/delete_page_on_uninstall filter).

External services

oOMF! Access only connects to outside services when you enable the related feature and provide your own credentials. Each integration below explains what is sent and links to the provider policies:

Google reCAPTCHA (v2/v3)

  • Purpose: spam/abuse protection for the login forms.
  • Endpoints: loads scripts from https://www.google.com/recaptcha/api.js and validates tokens via https://www.google.com/recaptcha/api/siteverify.
  • Data sent: your site key/secret, the visitor’s reCAPTCHA token, the page action name, and optionally the visitor IP if you enable the strict remote IP check.
  • Terms: https://policies.google.com/terms — Privacy: https://policies.google.com/privacy

hCaptcha

  • Purpose: CAPTCHA validation when you switch to the hCaptcha provider.
  • Endpoints: loads scripts from https://js.hcaptcha.com and validates tokens via https://hcaptcha.com/siteverify.
  • Data sent: your site key/secret, the response token, the page action, and optionally the visitor IP per hCaptcha requirements.
  • Terms: https://www.hcaptcha.com/terms — Privacy: https://www.hcaptcha.com/privacy

Google OAuth (Social Login)

  • Purpose: allow users to sign in with their Google account.
  • Endpoints: Google Accounts OAuth screen at https://accounts.google.com/o/oauth2/v2/auth, token exchange at https://oauth2.googleapis.com/token, and profile data from https://openidconnect.googleapis.com/v1/userinfo.
  • Data sent: OAuth authorization code, code verifier (for PKCE), redirect URI, and the scopes you configure. After exchanging the code we request the profile name, verified email, avatar, and locale.
  • Terms: https://policies.google.com/terms — Privacy: https://policies.google.com/privacy

Apple Sign In

  • Purpose: Sign in with Apple for Social Login.
  • Endpoints: OAuth screen at https://appleid.apple.com/auth/authorize and token exchange at https://appleid.apple.com/auth/token.
  • Data sent: OAuth authorization code, client ID, redirect URI, and signed JWT assertions generated from the private key you upload. Apple returns the user’s name and email (when available).
  • Terms: https://www.apple.com/legal/internet-services/terms/site.html — Privacy: https://www.apple.com/legal/privacy/

GitHub OAuth

  • Purpose: Social login via GitHub accounts.
  • Endpoints: OAuth screen at https://github.com/login/oauth/authorize, token exchange at https://github.com/login/oauth/access_token, and profile APIs at https://api.github.com/user and https://api.github.com/user/emails.
  • Data sent: OAuth authorization code, client ID/secret, redirect URI, and scope list. After exchanging the code GitHub returns the user’s numeric ID, primary email(s), display name, and avatar URL.
  • Terms: https://docs.github.com/en/site-policy/github-terms/github-terms-of-service — Privacy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement

Microsoft (Azure AD / Entra ID)

  • Purpose: allow sign-in with Microsoft accounts.
  • Endpoints: OAuth screen at https://login.microsoftonline.com/common/oauth2/v2.0/authorize and token exchange at https://login.microsoftonline.com/common/oauth2/v2.0/token. Profile data is requested from https://graph.microsoft.com/v1.0/me.
  • Data sent: client ID, redirect URI, and selected scopes when the visitor starts Microsoft sign-in; then (on callback) the returned OAuth authorization code plus the configured client secret for token exchange. Microsoft returns the profile ID, email, name, and locale when available.
  • Terms: https://www.microsoft.com/licensing/terms/productoffering/MicrosoftOnlineServices/MOSPT — Privacy: https://privacy.microsoft.com/privacystatement

Facebook Login

  • Purpose: Social login via Facebook accounts.
  • Endpoints: OAuth screen at https://www.facebook.com/v18.0/dialog/oauth and token/profile APIs at https://graph.facebook.com/v18.0/oauth/access_token and https://graph.facebook.com/v18.0/me.
  • Data sent: OAuth authorization code, app ID/secret, redirect URI, and scopes. Facebook returns the user ID, email (if available), and profile name/avatar.
  • Terms: https://www.facebook.com/legal/terms — Privacy: https://www.facebook.com/policy.php

Hooks & Extension Points

Notable filters/actions you can rely on when extending oOMF! Access:
– oomf_access_redirect_destination — override the final destination after login.
– oomf-access/allowed_redirect_hosts — allow specific external redirect hosts.
– oomf-access/captcha/allow_external — control whether provider network calls are allowed on privacy-restricted sites.
– oomf_access_captcha_is_required — decide if captcha is required for a particular request.
– oomf_access_captcha_validate_result — customize captcha validation results.
– oomf-access/inline_css — inject extra CSS into admin preview and frontend styles.

For developer notes on autoloading, templates, and class layout, see the repo README.md.

Screenshots

  • Login card with accent color, form labels, remember-me toggle, and links.
  • Admin settings screen with live preview and content, behavior, and security controls.

Installation

  1. Upload the plugin folder to /wp-content/plugins/ or install via Plugins → Add New by uploading the zip.
  2. Activate the plugin. Activation creates the public “Login” page and stores its ID in oomf_access_page_id.
  3. Configure via Settings → oOMF! Access (branding, redirects, magic links, social providers, CAPTCHA, hide-admin slug, etc.).

FAQ

Where is the login page?

On activation the plugin creates a page (option oomf_access_page_id) that contains [oomf_access_form]. You can edit or move that page, and even if it is deleted the /oomf-access/ route will still render the branded experience.

Does it replace my theme template?

The shortcode inherits your active theme when embedded elsewhere. The dedicated login page generated by the plugin automatically uses the bundled minimal template at templates/oomf-access-page-template.php to keep the experience consistent.

How do redirects work?

If redirect_to is supplied and validates as safe, it is used. Otherwise we fall back to the configured post-login destination, then to the default WP admin. Use the oomf-access/allowed_redirect_hosts filter to permit specific off-site domains and oomf_access_redirect_destination to override the final destination.
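
The fallback order described above, sketched as standalone PHP. This is an added illustration, not the plugin's own code: is_safe_redirect(), pick_redirect(), the allowlist array and the sample hosts are hypothetical stand-ins for Redirects::validate_safe_redirect() and the oomf-access/allowed_redirect_hosts filter, whose internals this page does not show.

```php
<?php
// Added illustration (hypothetical names); not the plugin's implementation.

/**
 * Accept a redirect target only if it is a local path or an http(s) URL
 * whose host is the site host or an explicitly allowed host.
 */
function is_safe_redirect(string $target, string $site_host, array $allowed_hosts = []): bool
{
    // Reject whitespace, control characters and backslashes: browsers treat
    // "\" like "/", so "/\evil.example" can leave the site.
    if ($target === '' || preg_match('/[\x00-\x20\x7F\\\\]/', $target)) {
        return false;
    }
    // Local path: a single leading slash only. "//host" is protocol-relative.
    if ($target[0] === '/') {
        return !str_starts_with($target, '//');
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // relative or malformed: refuse rather than guess
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // blocks javascript:, data: and other non-web schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // "https://site.example@evil.example/" style confusion
    }
    $hosts = array_map('strtolower', array_merge([$site_host], $allowed_hosts));
    return in_array(strtolower($parts['host']), $hosts, true); // exact match, no suffix matching
}

/** redirect_to if safe, else the configured destination, else the admin URL. */
function pick_redirect(?string $redirect_to, ?string $configured, string $admin_url, string $site_host, array $allowed_hosts = []): string
{
    foreach ([$redirect_to, $configured] as $candidate) {
        if ($candidate !== null && is_safe_redirect($candidate, $site_host, $allowed_hosts)) {
            return $candidate;
        }
    }
    return $admin_url;
}

// Constructed sample inputs; only the first and fourth are kept as-is.
$admin = 'https://site.example/wp-admin/';
$cases = ['/account/', '//evil.example/', 'https://evil.example/', 'https://sso.partner.example/done', 'javascript:void(0)', 'https://site.example@evil.example/'];
foreach ($cases as $c) {
    printf("%-40s => %s\n", $c, pick_redirect($c, '/dashboard/', $admin, 'site.example', ['sso.partner.example']));
}
```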

What captcha providers are supported?

reCAPTCHA v2 (checkbox & invisible), reCAPTCHA v3, and hCaptcha. Provider scripts are enqueued only on login pages; validation happens server-side via includes/Security/Captcha/ providers. Use oomf_access_captcha_is_required or oomf_access_captcha_validate_result to customize behavior.

How does Hide Admin work?

When enabled, the plugin rewrites or blocks direct access to /wp-login.php and /wp-admin for unauthenticated users and exposes a secret login slug (configurable). Emergency bypasses are available for specific flows and query flags.

How do I set up Social login?

Open Settings → oOMF! Access → Social. Each provider has setup instructions and a callback/redirect URL hint; create the corresponding OAuth app with that callback. Apple requires additional keys (Service ID, Team ID, Key ID, Private Key .p8) and server-side OpenSSL support.

Reviews

There are no reviews for this plugin.

Contributors & Developers

“oOMF! Access” is open source software. The following people have contributed to this plugin.

Contributors
  • oOMF!


Change log

1.0.0 – 2026-03-24

  • Fixed: Magic link nonce verification now derives the nonce action from validated token data to prevent user-controlled input from influencing verification.
  • Fixed: Documented emergency bypass parameters as intentionally nonce-free for break-glass use.
  • Fixed: Settings AJAX handler now reads serialized form data with a sanitizing filter up front.
  • Added: Captcha provider integrations (reCAPTCHA v2/v3 and hCaptcha) with admin preview and server-side validation.
  • Added: Hide Admin feature with configurable secret login slug and graceful bypass flows.
  • Improved: Social login — full Sign in with Apple implementation; admin preview for Microsoft/Facebook; ordering and provider preview improvements.
  • Improved: Asset loading and versioning via filemtime(), reduced unnecessary DOM injection for sticky nav fallbacks.
  • Developer: New filters and clearer extension points for redirects and captcha.

Meta

  • Version 1.0.0
  • Last updated 15 hours ago
  • Active installations Fewer than 10
  • WordPress version 6.2 or higher
  • Tested up to 6.9.4
  • PHP version 8.1 or higher
  • Language
    English (US)
  • Tags
    authentication, branding, login, redirects, security
