[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fScPo4vx4AYTTB2LVajLViGo8_mxzO8izoQOUXJ1zRUg":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":14,"tags":17,"homepage":20,"download_link":21,"security_score":22,"vuln_count":13,"unpatched_count":13,"last_vuln_date":23,"fetched_at":24,"vulnerabilities":25,"developer":26,"crawl_stats":23,"alternatives":33,"analysis":140,"fingerprints":170},"login-token","Login Token","1.0","leo108","https:\u002F\u002Fprofiles.wordpress.org\u002Fleo108\u002F","\u003Cp>Add a hidden filed values token in login form to avoid brute force attack\u003C\u002Fp>\n\u003Cp>在后台登录页面添加了一个隐藏的令牌，用来防止暴力破解。\u003C\u002Fp>\n","Add a hidden filed values token in login form to avoid brute force attack 在后台登录页面添加了一个隐藏的令牌，用来防止暴力破解。",10,1765,0,"","3.4.2","2.0",[18,4,19],"login","token","http:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Flogin-token\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogin-token.1.0.zip",100,null,"2026-03-15T10:48:56.248Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":27,"total_installs":28,"avg_security_score":29,"avg_patch_time_days":30,"trust_score":31,"computed_at":32},4,120,89,30,86,"2026-04-05T18:59:21.830Z",[34,61,78,100,118],{"slug":35,"name":36,"version":37,"author":38,"author_profile":39,"description":40,"short_description":41,"active_installs":42,"downloaded":43,"rating":22,"num_ratings":44,"last_updated":45,"tested_up_to":46,"requires_at_least":47,"requires_php":48,"tags":49,"homepage":55,"download_link":56,"security_score":57,"vuln_count":58,"unpatched_count":13,"last_vuln_date":59,"fetched_at":60},"simple-jwt-login","Simple JWT Login – Allows you to use JWT on REST endpoints.","3.6.5","Nicu Micle","https:\u002F\u002Fprofiles.wordpress.org\u002Fnicu_m\u002F","\u003Cp>Simple JWT 
Login is a \u003Cstrong>FREE\u003C\u002Fstrong> WordPress plugin that enables secure authentication for your WordPress REST API using \u003Cstrong>JSON Web Tokens\u003C\u002Fstrong> (JWT).\u003C\u002Fp>\n\u003Cp>With this powerful plugin, you can:\u003Cbr \u002F>\n– Log in, register, and authenticate users effortlessly\u003Cbr \u002F>\n– Connect mobile apps, external websites, or third-party services to WordPress with ease\u003Cbr \u002F>\n– Change or delete user passwords securely\u003C\u002Fp>\n\u003Cp>Whether you’re building a headless WordPress setup or integrating with external platforms, Simple JWT Login provides a fast, secure, and reliable authentication solution.\u003C\u002Fp>\n\u003Cp>You can read more on our plugin documentation website \u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\" rel=\"nofollow ugc\">https:\u002F\u002Fsimplejwtlogin.com\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Some awesome features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Auto-login using JWT and AUTH_KEY\u003C\u002Fli>\n\u003Cli>Register new users via API\u003C\u002Fli>\n\u003Cli>Delete WordPress users based on a JWT\u003C\u002Fli>\n\u003Cli>Reset user password\u003C\u002Fli>\n\u003Cli>Allow auto-login \u002F register \u002F delete users only from specific IP addresses\u003C\u002Fli>\n\u003Cli>Allow register users only from a specific domain name\u003C\u002Fli>\n\u003Cli>API Route for generating new JWT\u003C\u002Fli>\n\u003Cli>Get JWT from URL, SESSION, COOKIE or HEADER\u003C\u002Fli>\n\u003Cli>Pass request parameters to login URL\u003C\u002Fli>\n\u003Cli>CORS settings for plugin Routes\u003C\u002Fli>\n\u003Cli>Hooks\u003C\u002Fli>\n\u003Cli>JWT Authentication\u003C\u002Fli>\n\u003Cli>Allow access private endpoints with JWT\u003C\u002Fli>\n\u003Cli>Protect endpoints with JWT\u003C\u002Fli>\n\u003Cli>\u003Cstrong>beta\u003C\u002Fstrong> Google OAuth Integration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>beta\u003C\u002Fstrong> Google JWT on all 
endpoints\u003C\u002Fli>\n\u003Cli>\u003Cstrong>beta\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-graphql\u002F\" rel=\"ugc\">WPGraphQL\u003C\u002Fa> integration\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Check the plugin \u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\" rel=\"nofollow ugc\">website\u003C\u002Fa> for more features.\u003C\u002Fp>\n\u003Ch3>Login User\u003C\u002Fh3>\n\u003Cp>This plugin is customizable and offers you multiple methods to log in to you website, based on multiple scenarios.\u003C\u002Fp>\n\u003Cp>In order to login, users have to send JWT. The plugin, validates the JWT, and if everything is OK, it can extract the WordPress email address or user ID.\u003Cbr \u002F>\nUsers can specify the exact key of the JWT payload where this information can be found.\u003C\u002Fp>\n\u003Cp>Here are the methods how you can send the JWT in order to auto-login:\u003C\u002Fp>\n\u003Col>\n\u003Cli>URL\u003C\u002Fli>\n\u003Cli>Header\u003C\u002Fli>\n\u003Cli>Cookie\u003C\u002Fli>\n\u003Cli>Session\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>If the JWT is present in multiple places ( like URL and Header), the JWT will be overwritten.\u003C\u002Fp>\n\u003Cp>This plugin supports multiple JWT Decryption algorithms, like: HS256, HS512, HS384, RS256,RS384 and RS512.\u003C\u002Fp>\n\u003Cp>After the user is logged in you can automatically redirect the user to a page like:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Dashboard\u003C\u002Fli>\n\u003Cli>Homepage\u003C\u002Fli>\n\u003Cli>or any other custom Page ( this is mainly used for redirecting users to a landing page)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can attach to your redirect a URL parameter \u003Ccode>redirectUrl\u003C\u002Fcode> that will be used for redirect instead of the defined ones.\u003Cbr \u002F>\nIn order to use this, you have to enable it by checking the option \u003Ccode>Allow redirect to a specific URL\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>Also, redirect 
after login offers some variables that you can use in the customURL and redirectUrl.\u003Cbr \u002F>\nHere are the variables which you can use in your URL:\u003Cbr \u002F>\n– \u003Ccode>{{site_url}}\u003C\u002Fcode> : Site URL\u003Cbr \u002F>\n– \u003Ccode>{{user_id}}\u003C\u002Fcode> : Logged in user ID\u003Cbr \u002F>\n– \u003Ccode>{{user_email}}\u003C\u002Fcode> : Logged in user email\u003Cbr \u002F>\n– \u003Ccode>{{user_login}}\u003C\u002Fcode> : Logged in username\u003Cbr \u002F>\n– \u003Ccode>{{user_first_name}}\u003C\u002Fcode> : User first name\u003Cbr \u002F>\n– \u003Ccode>{{user_last_name}}\u003C\u002Fcode> : User last name\u003Cbr \u002F>\n– \u003Ccode>{{user_nicename}}\u003C\u002Fcode> : User nice name\u003C\u002Fp>\n\u003Cp>You can generate dynamic URLs with these variables, and, before the redirect, the specific value will be replaced.\u003C\u002Fp>\n\u003Cp>Here is an example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>http:\u002F\u002Fyourdomain.com?param1={{user_id}}&param2={{user_login}}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Also, this plugin allows you to limit the auto-login based on the client IP address.\u003Cbr \u002F>\nIf you are concerned about security, you can limit the auto-login only from some IP addresses.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fautologin\u002F\" rel=\"nofollow ugc\">Read more\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Register Users\u003C\u002Fh3>\n\u003Cp>This plugin also allows you to create WordPress users.\u003C\u002Fp>\n\u003Cp>This option is disabled by default, but you can enable it at any time.\u003C\u002Fp>\n\u003Cp>In order to create users, you just have to make a POST request to the route URL, and send an \u003Cem>email\u003C\u002Fem> and a \u003Cem>password\u003C\u002Fem> as parameter and the new user will be created.\u003C\u002Fp>\n\u003Cp>You can select the type for the new users: editor, author, contributor, subscriber, 
etc.\u003C\u002Fp>\n\u003Cp>Also, you can limit the user creating only for specific IP addresses, or  specific email domains.\u003C\u002Fp>\n\u003Cp>Another cool option is “Generate a random password when a new user is created”.\u003Cbr \u002F>\nIf this option is selected, the password is no more required when a new user is created a random password will be generated.\u003C\u002Fp>\n\u003Cp>Another option that you have for register user is “Initialize force login after register”.\u003Cbr \u002F>\nWhen the user registration is completed, the user will continue on the flow configured on login config.\u003C\u002Fp>\n\u003Cp>If auto-login is disabled, this feature will not work and the register user will go on a normal flow and return a json response.\u003C\u002Fp>\n\u003Cp>If you want to add custom user_meta on user creation, just add the parameter \u003Ccode>user_meta\u003C\u002Fcode> with a json. This will create user_meta for the new user.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n    \"meta_key\":\"meta_value\",\n    \"meta_key2\":\"meta_value\"\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>These properties can be passed in the request when the new user is created.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>email\u003C\u002Fstrong> : (required) (string)  The user email address.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>password\u003C\u002Fstrong> :  (required) (string) The plain-text user password.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_login\u003C\u002Fstrong> : (string) The user’s login username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_nicename\u003C\u002Fstrong> : (string) The URL-friendly username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_url\u003C\u002Fstrong> : (string) The user URL.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>display_name\u003C\u002Fstrong> : (string) The user’s display name. Default is the user’s username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>nickname\u003C\u002Fstrong> : (string) The user’s nickname. 
Default is the user’s username.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>first_name\u003C\u002Fstrong> : (string) The user’s first name. For new users, will be used to build the first part of the user’s display name if $display_name is not specified.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>last_name\u003C\u002Fstrong> : (string) The user’s last name. For new users, will be used to build the second part of the user’s display name if $display_name is not specified.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>description\u003C\u002Fstrong> : (string) The user’s biographical description.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>rich_editing\u003C\u002Fstrong> : (string) Whether to enable the rich-editor for the user. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘true’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>syntax_highlighting\u003C\u002Fstrong> : (string) Whether to enable the rich code editor for the user. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘true’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>comment_shortcuts\u003C\u002Fstrong> : (string) Whether to enable comment moderation keyboard shortcuts for the user. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘false’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>admin_color\u003C\u002Fstrong> : (string) Admin color scheme for the user. Default ‘fresh’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>use_ssl\u003C\u002Fstrong> : (bool) Whether the user should always access the admin over https. Default false.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_registered\u003C\u002Fstrong> : (string) Date the user registered. Format is \u003Ccode>Y-m-d H:m:s\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>user_activation_key\u003C\u002Fstrong> : (string) Password reset key. Default empty.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>spam\u003C\u002Fstrong> : (bool) Multisite only. Whether the user is marked as spam. 
Default false.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>show_admin_bar_front\u003C\u002Fstrong> : (string) Whether to display the Admin Bar for the user on the site’s front end. Accepts ‘true’ or ‘false’ as a string literal, not boolean. Default ‘true’.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>locale\u003C\u002Fstrong> : (string) User’s locale. Default empty.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fregister-user\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Delete User\u003C\u002Fh3>\n\u003Cp>Delete user it is disabled by default.\u003C\u002Fp>\n\u003Cp>In order to delete a user, you have to configure where to search the details in the JWT.\u003Cbr \u002F>\nYou can delete users by WordPress User ID or by Email address.\u003C\u002Fp>\n\u003Cp>Also, you have to choose the JWT parameter key where email or user ID it is stored in the JWT.\u003C\u002Fp>\n\u003Cp>Also, you can limit the deletion of users to specific IP addresses for security reasons.\u003C\u002Fp>\n\u003Ch3>Reset Password\u003C\u002Fh3>\n\u003Cp>Reset password and change password endpoints are disabled by default.\u003C\u002Fp>\n\u003Cp>This plugin allows you to send the reset password endpoint, just by calling an endpoint. 
An email with the code will be sent to a specific email address.\u003C\u002Fp>\n\u003Cp>Also, you are able to customize this email, or even not send at email at all.\u003C\u002Fp>\n\u003Cp>The change password endpoint, changes the user password, based on the reset password code.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fdelete-user\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Authentication\u003C\u002Fh3>\n\u003Cp>This plugin allows users to generate JWT tokens based from WordPress user email and password.\u003C\u002Fp>\n\u003Cp>In order to Get a new JWT, just make a POST request to \u003Cem>\u002Fauth\u003C\u002Fem> route with your WordPress email(or username) and password ( or password_hash) and the response will look something like this:\u003C\u002Fp>\n\u003Cpre>\u003Ccode> {\n     \"success\": true,\n     \"data\": {\n         \"jwt\": \"NEW_GENERATED_JWT_HERE\"\n     }\n }\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>If you want to add extra parameters in the JWT payload, just send the parameter \u003Ccode>payload\u003C\u002Fcode> on \u003Ccode>\u002Fauth\u003C\u002Fcode> endpoint, and add a json with the values you want to be added in the payload.\u003C\u002Fp>\n\u003Cp>At some point, the JWT will expire.\u003Cbr \u002F>\nSo, if you want to renew it without having to ask again for user and password, you will have to make a POST request to the \u003Cem>auth\u002Frefresh\u003C\u002Fem> route.\u003C\u002Fp>\n\u003Cp>This will generate a response with a new JWT, similar to the one that \u003Ccode>\u002Fauth\u003C\u002Fcode> generates.\u003C\u002Fp>\n\u003Cp>If you want to get some details about a JWT, and validate that JWT, you can call \u003Ccode>\u002Fauth\u002Fvalidate\u003C\u002Fcode>. 
If you have a valid JWT, details about the available WordPress user will be returned, and some JWT details.\u003C\u002Fp>\n\u003Cp>If you want to revoke a JWT, access \u003Ccode>\u002Fauth\u002Frevoke\u003C\u002Fcode> and send the \u003Ccode>jwt\u003C\u002Fcode> as a parameter.\u003C\u002Fp>\n\u003Cp>The plugin auto-generates the example URL you might need to test these scenarios.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fauthentication\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Auth codes\u003C\u002Fh3>\n\u003Cp>Auth codes are optional, but you can enable them for Auto-login, Register User and Delete user.\u003C\u002Fp>\n\u003Cp>This feature allows you to add a layer of protection to your API routes.\u003C\u002Fp>\n\u003Cp>The Auth codes contains 3 parts:\u003Cbr \u002F>\n1. Authentication Key: This is the actual code that you have to add in the request.\u003Cbr \u002F>\n2. WordPress new User Role: can be used when you want to create multiple user types with the create user endpoint. If you leave it blank, the value configured in the ‘Register Settings’ will be used.\u003Cbr \u002F>\n3. Expiration Date: This allows you to set an expiration date for you auth codes. The format is `Y-M-D H:m:s’. Example : 2020-12-24 23:00:00. 
If you leave it blank, it will never expire.\u003C\u002Fp>\n\u003Cp>Expiration date format: year-month-day hours:minutes:seconds\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fauth-codes\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Hooks\u003C\u002Fh3>\n\u003Cp>This plugin allows advanced users to link some hooks with the plugin and perform some custom scripts.\u003Cbr \u002F>\nSome available hooks:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_login_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: Wp_User $user\u003C\u002Fli>\n\u003Cli>description: This hook it is called after the user has been logged in. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_redirect_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: string $url, array $request\u003C\u002Fli>\n\u003Cli>description: This hook it is called before the user it will be redirected to the page he specified in the login section. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_register_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: Wp_User $user, string $plain_text_password\u003C\u002Fli>\n\u003Cli>description: This hook it is called after a new user has been created.  
\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_delete_user_hook\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: action\u003C\u002Fli>\n\u003Cli>parameters: Wp_User $user\u003C\u002Fli>\n\u003Cli>description: This hook it is called right after the user has been deleted.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_jwt_payload_auth\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: filter\u003C\u002Fli>\n\u003Cli>parameters: array $payload, array $request\u003C\u002Fli>\n\u003Cli>return: array $payload\u003C\u002Fli>\n\u003Cli>description: This hook is called on \u002Fauth endpoint. Here you can modify payload parameters. \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_no_redirect_message\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: filter\u003C\u002Fli>\n\u003Cli>parameters: array $payload, array $request\u003C\u002Fli>\n\u003Cli>return: array $payload\u003C\u002Fli>\n\u003Cli>description: This hook is called on \u002Fautologin endpoint when the option \u003Ccode>No Redirect\u003C\u002Fcode> is selected. You can customize the message and add parameters.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>simple_jwt_login_reset_password_custom_email_template\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>type: filter\u003C\u002Fli>\n\u003Cli>parameters: string $template, array $request\u003C\u002Fli>\n\u003Cli>return: string $template\u003C\u002Fli>\n\u003Cli>description: This is executed when POST \u002Fuser\u002Freset_password is called. 
It will replace the email template that has been added in Reset Password settings  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>View full list of hooks on \u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fhooks\" rel=\"nofollow ugc\">https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fhooks\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>CORS\u003C\u002Fh3>\n\u003Cp>The CORS standard it is needed because it allows servers to specify who can access its assets and how the assets can be accessed.\u003Cbr \u002F>\nCross-origin requests are made using the standard HTTP request methods like GET, POST, PUT, DELETE, etc.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fcors\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Protect endpoints\u003C\u002Fh3>\n\u003Cp>This option is disabled by default. In order to enable it, you need to set “Protect endpoints enabled” to true.\u003C\u002Fp>\n\u003Cp>This feature comes with 2 actions:\u003Cbr \u002F>\n– Apply on All REST Endpoints\u003Cbr \u002F>\n– Apply only on specific REST endpoints\u003C\u002Fp>\n\u003Cp>When you choose \u003Ccode>Apply on All REST Endpoints\u003C\u002Fcode>, you will be able to whitelist some endpoints from your WordPress REST by adding them to the whitelist section.\u003Cbr \u002F>\nFor example, If you only want to allow users to access the \u003Ccode>wp\u002Fv2\u002Fposts\u003C\u002Fcode> endpoint without having to provide the JWT, you save in the whitelist section \u003Ccode>wp\u002Fv2\u002Fposts\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>When you choose \u003Ccode>Apply only on specific endpoints\u003C\u002Fcode>, you will have to add all the endpoints you want to be protected by JWT.\u003C\u002Fp>\n\u003Cp>When an endpoint is protected, and you don’t provide a JWT, you will get the following response:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>{\n   \"success\":false,\n   \"data\":{\n     
 \"message\":\"Your are not authorized to access this endpoint.\",\n      \"errorCode\":403,\n      \"type\":\"simple-jwt-login-route-protect\"\n   }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsimplejwtlogin.com\u002Fdocs\u002Fprotect-endpoints\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa> on our website.\u003C\u002Fp>\n\u003Ch3>Integration\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>PHP\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>In order to easily integrate your app\u002Fsite with simple-jwt-login, we have developed a composer package.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>composer require nicumicle\u002Fsimple-jwt-login-client-php\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can check the \u003Ca href=\"https:\u002F\u002Fpackagist.org\u002Fpackages\u002Fnicumicle\u002Fsimple-jwt-login-client-php\" rel=\"nofollow ugc\">package page\u003C\u002Fa> for more details and code examples.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Javascript\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Also, there is a \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fsimple-jwt-login\u002Fjs-sdk\" rel=\"nofollow ugc\">Javascript SDK\u003C\u002Fa> that you can install with \u003Ccode>npm\u003C\u002Fcode> or \u003Ccode>yarn\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>npm install \"simple-jwt-login\"\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>or\u003C\u002Fp>\n\u003Cpre>\u003Ccode>yarn add \"simple-jwt-login\"\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Enhance the WordPress REST API with JWT authentication for secure access by mobile apps, external sites, and third-party services.",5000,80865,46,"2026-03-14T06:23:00.000Z","6.9.4","4.4.0","5.5",[50,51,52,53,54],"api","auto-login","jwt","register","tokens","https:\u002F\u002Fsimplejwtlogin.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-jwt-login.3.6.5.zip",94,3,"2025-09-22 
00:00:00","2026-03-15T15:16:48.613Z",{"slug":62,"name":63,"version":64,"author":65,"author_profile":66,"description":67,"short_description":68,"active_installs":69,"downloaded":70,"rating":13,"num_ratings":13,"last_updated":71,"tested_up_to":72,"requires_at_least":73,"requires_php":74,"tags":75,"homepage":14,"download_link":77,"security_score":22,"vuln_count":13,"unpatched_count":13,"last_vuln_date":23,"fetched_at":60},"auto-login-for-sakura-rental-server","Auto Login for Sakura Rental Server","1.0.1","sakurainternet","https:\u002F\u002Fprofiles.wordpress.org\u002Fsakurainternet\u002F","\u003Cp>\u003Cstrong>Auto Login for Sakura Rental Server\u003C\u002Fstrong> allows administrators to issue one-time, time-limited auto-login URLs using HMAC signatures.\u003Cbr \u002F>\nThis is useful for secure temporary access or system integration.\u003C\u002Fp>\n\u003Cp>Features:\u003Cbr \u002F>\n– Secure auto-login with one-time tokens\u003Cbr \u002F>\n– Tokens are HMAC-signed and invalidated after use\u003Cbr \u002F>\n– Token issuance and usage history (up to 100 entries per user)\u003Cbr \u002F>\n– Records IP address and username of the issuer\u003Cbr \u002F>\n– Rate limiting: 1 request per second per IP\u003Cbr \u002F>\n– WP-CLI commands for token generation and history inspection\u003C\u002Fp>\n\u003Cp>Example use cases:\u003Cbr \u002F>\n– Temporarily granting admin access\u003Cbr \u002F>\n– Safe automatic login from external systems\u003Cbr \u002F>\n– Keeping an audit log of who issued a token and from where\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Ch3>Generate a token via CLI\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>wp auto-login-for-sakura-rental-server generate \u003Cuser_id> [–expires=] [–remote_addr=] [–username=]\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Example:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Default expiration time: 300 seconds  \u003C\u002Fli>\n\u003Cli>\u003Ccode>--expires\u003C\u002Fcode> and \u003Ccode>--username\u003C\u002Fcode> are 
optional\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Check issue history\u003C\u002Fh3>\n\u003Cp>Token history is stored in the user meta key \u003Ccode>sakura_auto_login_history\u003C\u002Fcode>.\u003Cbr \u002F>\nYou can check it via WP-CLI:\u003C\u002Fp>\n\u003Cp>wp user meta get  sakura_auto_login_history\u003C\u002Fp>\n\u003Ch3>Auto-login URL format\u003C\u002Fh3>\n\u003Cpre>\u003Ccode>https:\u002F\u002Fexample.com\u002F?rs_auto_login_token=\u003C64-character HMAC token>\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Visiting the URL will log in as the corresponding user and redirect to the admin dashboard.\u003C\u002Fp>\n\u003Ch3>Security Notes\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Tokens are invalidated immediately after use (one-time only)\u003C\u002Fli>\n\u003Cli>Issue and usage history includes IP address, issuer username, and timestamps\u003C\u002Fli>\n\u003Cli>Stored using \u003Ccode>set_transient()\u003C\u002Fcode> for caching compatibility\u003C\u002Fli>\n\u003Cli>HTTPS is strongly recommended\u003C\u002Fli>\n\u003C\u002Ful>\n","Provides one-time auto-login URLs with HMAC signatures and time limits.",2000,3578,"2025-12-03T04:08:00.000Z","6.8.5","5.0","7.4",[51,76,18,19],"cli","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fauto-login-for-sakura-rental-server.1.0.1.zip",{"slug":79,"name":80,"version":81,"author":82,"author_profile":83,"description":84,"short_description":85,"active_installs":86,"downloaded":87,"rating":22,"num_ratings":88,"last_updated":89,"tested_up_to":46,"requires_at_least":90,"requires_php":91,"tags":92,"homepage":95,"download_link":96,"security_score":97,"vuln_count":98,"unpatched_count":13,"last_vuln_date":99,"fetched_at":60},"login-register-using-jwt","WP Login and Register using JWT","3.2.0","miniOrange","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberlord92\u002F","\u003Cp>The \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-login-using-jwt-single-sign-on-sso\" rel=\"nofollow 
ugc\">WordPress Login and Register using JWT plugin\u003C\u002Fa>\u003C\u002Fstrong> allows you to \u003Cstrong>log in (Single Sign-On)\u003C\u002Fstrong> into your WordPress application using the \u003Cstrong>JWT token(JSON Web token)\u003C\u002Fstrong> obtained from any other WordPress site or other applications\u002Fplatforms including mobile applications. This helps users perform \u003Cstrong>autologin to WordPress\u003C\u002Fstrong> and \u003Cstrong>synchronize user sessions\u003C\u002Fstrong> without the need to log in again.\u003C\u002Fp>\n\u003Cp>|\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-login-using-jwt-single-sign-on-sso\" rel=\"nofollow ugc\"> Features \u003C\u002Fa>| \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-single-sign-on-using-jwt-token\" rel=\"nofollow ugc\"> WordPress JWT Login Setup Guide \u003C\u002Fa>|\u003Ca href=\"https:\u002F\u002Fwww.youtube.com\u002Fplaylist?list=PL2vweZ-PcNpevdcrVhs_dQ3qOxc0102wI\" rel=\"nofollow ugc\"> Videos \u003C\u002Fa>|\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WORDPRESS SINGLE SIGN-ON \u002F SSO ( LOGIN INTO WORDPRESS )\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cstrong>WordPress Single Sign-On SSO\u003C\u002Fstrong> also simply called \u003Cstrong>WordPress SSO\u003C\u002Fstrong> allows you to login into WordPress using the credentials of other platforms. So, the user will just use a single set of credentials to log in to multiple applications.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WordPress Single Sign-On \u002F SSO using JWT(JSON Web Token)\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cstrong>WordPress Single Sign-On (SSO) with JWT\u003C\u002Fstrong> allows you to log into the WordPress site using the user-based JWT token obtained externally when the user authenticates for the first time in any connected external application.\u003Cbr \u002F>\nThe JWT token authentication is the most popular way of authentication nowadays as it is a secure and lightweight protocol. 
The JWT token can be obtained either when a user logs into other platforms via \u003Cstrong>\u003Ca href=\"https:\u002F\u002Foauth.net\u002F\" rel=\"nofollow ugc\">OAuth\u003C\u002Fa>\u002F\u003Ca href=\"https:\u002F\u002Fopenid.net\u002Fconnect\u002F\" rel=\"nofollow ugc\">OpenID Connect\u003C\u002Fa>\u003C\u002Fstrong> protocol or can be created explicitly using the user information and secure algorithms.\u003Cbr \u002F>\nWith this plugin, you can easily use the user-based JWT token to log a user in rather than asking them to authenticate again.\u003C\u002Fp>\n\u003Cp>\u003Cem>Let’s take an example\u003C\u002Fem> – If you have a WordPress site and mobile app, now if you are logged into the mobile app, now if you try to access the WordPress site, then to access the particular content, the WordPress site will ask for login again and which is not feasible, so with the JWT SSO (JWT Single Sign-On), you can create the JWT token for the user who is already logged into the mobile app and then on accessing the WordPress site, you can pass that JWT token in the request, using which the same user can authenticate and autologin to the WordPress site and hence won’t need to enter the credentials again.\u003C\u002Fp>\n\u003Cp>It supports possibly all kinds of \u003Cstrong>JWT tokens (access-token\u002Fid-token)\u003C\u002Fstrong> obtained from \u003Cstrong>OAuth\u002FOpenID Connect\u003C\u002Fstrong> providers like \u003Cstrong>AWS Cognito\u003C\u002Fstrong>, \u003Cstrong>Microsoft Azure AD\u003C\u002Fstrong>, \u003Cstrong>Azure B2C\u003C\u002Fstrong>, \u003Cstrong>Okta\u003C\u002Fstrong>, \u003Cstrong>Keycloak\u003C\u002Fstrong>, \u003Cstrong>ADFS\u003C\u002Fstrong>, \u003Cstrong>Google\u003C\u002Fstrong>, \u003Cstrong>Facebook\u003C\u002Fstrong>, \u003Cstrong>Apple\u003C\u002Fstrong>, \u003Cstrong>Discord\u003C\u002Fstrong> and popular applications like \u003Cstrong>Firebase\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>WordPress login using the JWT also called 
\u003Cstrong>JWT SSO (Single Sign-On)\u003C\u002Fstrong> can be done from other platforms and applications including mobile apps (android or IOS), an app built with other programming languages like \u003Cstrong>.NET\u003C\u002Fstrong>, \u003Cstrong>JAVA\u003C\u002Fstrong>, \u003Cstrong>PHP\u003C\u002Fstrong>, \u003Cstrong>JS\u003C\u002Fstrong> etc.\u003C\u002Fp>\n\u003Ch3>Major functionalities\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>WordPress Login Endpoint to create user-based JWT token\u003C\u002Fstrong>\u003Cbr \u002F>\nPlugin provides the following API endpoint, which can be used to authenticate WordPress users and returns a user-based JWT which can be used to create login sessions in WordPress and other external applications.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002Fwp-json\u002Fapi\u002Fv1\u002Fmo-jwt\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>WordPress Login using JWT\u003C\u002Fstrong>\u003Cbr \u002F>\nThis feature provides a way to auto-login users in WordPress using JWT obtained in a very secure way either via passing JWT token in the URL as a parameter, in the request header or shared via secured cookies.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WordPress user register API endpoint to create users in WordPress using API\u003C\u002Fstrong>\u003Cbr \u002F>\nThis feature provides the following API endpoint to create users in WordPress in an easy way and on successful user registration, you will receive a JWT token in the response which can be used further for user login and WordPress REST API authorization.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>wp-json\u002Fapi\u002Fv1\u002Fmo-jwt-register\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Delete\u002FRemove users from WordPress using the user-based JWT token (JSON Web Token)\u003C\u002Fstrong>\u003Cbr \u002F>\nThis feature provides an API endpoint using which you can pass the JWT token and can easily delete the user and revoke 
access.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>wp-json\u002Fapi\u002Fv1\u002Fmo-jwt-delete\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>More details for the plugin setup can be checked from \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwordpress-single-sign-on-using-jwt-token\" rel=\"nofollow ugc\">here\u003C\u002Fa>\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch3>USE CASES\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Login to External applications using WordPress credentials\u003C\u002Fstrong>\u003Cbr \u002F>\nIf you are looking to authenticate your WordPress users to log in to external applications, then our plugin provides a login API endpoint using which you can easily authenticate WordPress users and can log in the users to those applications.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Single Sign-On Users using the JWT token provided by OAuth\u002FOpenID providers\u003C\u002Fstrong>\u003Cbr \u002F>\nThis WordPress login and register using the JWT plugin supports the WordPress Single Sign On (WordPress SSO) or WordPress login using the user-based JWT token (id-token\u002Faccess-token) provided by the external OAuth\u002FOpenID Connect providers (like Microsoft Azure AD, Azure B2C, AWS Cognito, Keycloak, Okta, ADFS, Google, Facebook, Apple, Discord and many more..) 
on login in some other sites\u002Fapplications using their credentials.\u003Cbr \u002F>\nSo, the user just needs to log in once on any other site\u002Fplatform, and the JWT token provided by these providers for that user will then be used further with security to autologin on other platforms.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cul>\n\u003Cli>\u003Cstrong>Automatic WordPress login and site access from mobile app web view | Synchronize WordPress session in the mobile app web view\u003C\u002Fstrong>\u003Cbr \u002F>\nSuppose you have a mobile application and want to allow users to access their WordPress site content in the mobile app web view, which requires a login; asking the users to enter the credentials again won’t be a good user experience. 
So, our JWT login plugin provides a solution in which the user session from the mobile app can be synchronized with the WordPress site, and the user can seamlessly access the WordPress site using the user-based JWT token without the need for a WordPress login again.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cul>\n\u003Cli>\u003Cstrong>Automatic session synchronization between WordPress and other applications built on React, Node, Next JS, Flutter, Angular, Java, PHP, and C# ….\u003C\u002Fstrong>\u003Cbr \u002F>\nSuppose you have a WordPress site connected to any external application built on any framework, and you want a user who is logged in to any one application to be automatically logged in to the other as well. 
This can be easily achieved using the secure JWT.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cul>\n\u003Cli>\u003Cstrong>Session sharing between WordPress and other applications sharing the same subdomain (hosted on the same domain)\u003C\u002Fstrong>\u003Cbr \u002F>\nSuppose you have a WordPress site and other applications hosted on the same subdomain. A user who logs in to any one application can then be auto-logged in to the other connected applications on that domain using secure cookie-based JWT token sharing.\u003Cbr \u002F>\nan pass the new user details like username, email, name and password (optional), role etc. 
in the request body; on a successful response, your user will be created and the corresponding user-based JWT will be received, and on failure the appropriate error response will be returned.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cul>\n\u003Cli>\u003Cstrong>Sync user login sessions between multiple platforms (Session sharing)\u003C\u002Fstrong>\u003Cbr \u002F>\nSuppose you have a WordPress site and other applications sharing the same subdomain, and you want a user who has logged in to one site (WordPress or another) to be logged in automatically when accessing the other site in the same browser (user session to be synchronized). 
So, this feature is possible to have with our plugin’s JWT cookie-based session-sharing feature.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cp>FREE PLAN\u003C\u002Fp>\n\u003Cp>\u003Cem>Create JWT feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Login API endpoint\u003C\u002Fstrong> to authenticate WordPress users based on username\u002Femail and password\u003C\u002Fli>\n\u003Cli>Supports the JWT token generation using the \u003Cstrong>HS256 signing algorithm\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>JWT token signing with randomly generated secret signing key.\u003C\u002Fli>\n\u003Cli>Default JWT \u003Cstrong>token expiration\u003C\u002Fstrong> is 60 minutes.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User Registration feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provide an API endpoint for user registration with the default subscriber role.\u003C\u002Fli>\n\u003Cli>Provide a user-based JWT token in the success response.\u003C\u002Fli>\n\u003Cli>No Extra Security key for user registration API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User Deletion feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provide an API endpoint for user deletion with JWT token validation using the HS256 signing algorithm.\u003C\u002Fli>\n\u003Cli>No Extra Security key for user deletion API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User login feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Allows WordPress login (SSO) using a user-based JWT token with HS256 signing created using the plugin’s Create JWT feature.\u003C\u002Fli>\n\u003Cli>Retrieve the JWT token from the URL parameter to allow auto-login.\u003C\u002Fli>\n\u003Cli>Auto redirection on login to the homepage or on the same page\u002FURL from where the autologin is initiated.\u003C\u002Fli>\n\u003Cli>Default Subscriber role is assigned on login using JWT.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>PREMIUM 
PLAN\u003C\u002Fp>\n\u003Cp>\u003Cem>Create JWT feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Supports JWT token generation using \u003Cstrong>HS256\u003C\u002Fstrong> and the more secure \u003Cstrong>RS256 signing algorithm\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>JWT token signing with a \u003Cstrong>custom secret signing key or certificate\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>Custom token expiration to expire the token as per your requirement to improve security.\u003C\u002Fli>\n\u003Cli>Custom JWT token decryption key.\u003C\u002Fli>\n\u003Cli>Revoke and invalidate existing user JWT token whenever a new JWT token is generated for a user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User Registration feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provide an API endpoint for user registration with a custom role.\u003C\u002Fli>\n\u003Cli>Provide a user-based JWT token in the success response.\u003C\u002Fli>\n\u003Cli>Extra Security key for user registration API endpoint.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User Deletion feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Provide an API endpoint for user deletion with JWT token validation using the HS256 signing algorithm.\u003C\u002Fli>\n\u003Cli>Extra Security key for user deletion API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>User login feature\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Allows WordPress login (SSO) using a user-based JWT with HS256 signing, either created using the plugin’s Create JWT feature or obtained from an external source.\u003C\u002Fli>\n\u003Cli>Allows WordPress login using a user-based JWT with RS256 signing validation.\u003C\u002Fli>\n\u003Cli>Allows WordPress login using a user-based JWT with \u003Cstrong>JWKS token validation\u003C\u002Fstrong> support.\u003C\u002Fli>\n\u003Cli>Allows WordPress login using a user-based JWT obtained from an external \u003Cstrong>OAuth\u002FOpenID Connect\u003C\u002Fstrong> 
provider.\u003C\u002Fli>\n\u003Cli>Retrieve the JWT token from the \u003Cstrong>URL parameter\u003C\u002Fstrong>, \u003Cstrong>request header\u003C\u002Fstrong> and \u003Cstrong>cookie\u003C\u002Fstrong> to allow auto-login between platforms.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto redirection\u003C\u002Fstrong> on login to the homepage or on the same page\u002FURL from where the autologin is initiated.\u003C\u002Fli>\n\u003Cli>Auto redirection on login to any custom URL.\u003C\u002Fli>\n\u003Cli>User \u003Cstrong>Attribute\u002FProfile\u003C\u002Fstrong> mapping on SSO login.\u003C\u002Fli>\n\u003Cli>Option to assign any WordPress role rather than default subscriber on SSO login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Automatic role and group Mapping\u003C\u002Fstrong> to the user who performs SSO using a JWT token.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>SSO Login Audit feature\u003C\u002Fstrong> to track the users who perform login using the JWT token.\u003C\u002Fli>\n\u003Cli>Add-On to \u003Cstrong>share the user session to other applications\u003C\u002Fstrong> using the JWT token stored in the cookie\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Other Related Integrations\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fminiorange-login-with-eve-online-google-facebook\u002F\" rel=\"ugc\">OAuth Single Sign On – SSO (OAuth Client)\u003C\u002Fa>\u003C\u002Fstrong> – This plugin allows Single Sign On – SSO login in your WordPress site using external OAuth 2.0, OpenID Connect Providers\u003C\u002Fp>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fminiorange-api-20-single-sign-on\u002F\" rel=\"ugc\">api Single Sign On – SSO Login\u003C\u002Fa>\u003C\u002Fstrong> – This plugin allows Single Sign On – SSO login in your WordPress site using external api, WS-FED Providers\u003C\u002Fp>\n\u003Cp>\u003Cstrong>\u003Ca 
href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-rest-api-authentication\u002F\" rel=\"ugc\">WordPress REST API Authentication\u003C\u002Fa>\u003C\u002Fstrong> – This plugin protects your WordPress REST API endpoints from unauthorized access using secure \u003Cstrong>OAuth 2.0\u003C\u002Fstrong>, \u003Cstrong>JWT authentication\u003C\u002Fstrong>, \u003Cstrong>Basic authentication\u003C\u002Fstrong>, \u003Cstrong>Bearer API Key token\u003C\u002Fstrong> and even more.\u003C\u002Fp>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin does not store any user data. This plugin uses login.xecurify.com for registration as miniOrange uses login.xecurify.com if the user chooses to register and upgrade to premium. If the user does not want to register then he can continue using the free plugin. (Link to the privacy policy –  https:\u002F\u002Fwww.miniorange.com\u002Fprivacy-policy.pdf )\u003C\u002Fp>\n","WordPress login (WordPress Single Sign-On) using JWT token obtained from other WordPress sites or any other application. Synchronize user sessions bet &hellip;",200,8236,5,"2025-12-11T10:14:00.000Z","3.0.1","5.6",[50,93,52,18,94],"json-web-token","single-sign-on","http:\u002F\u002Fminiorange.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogin-register-using-jwt.3.2.0.zip",99,1,"2025-11-18 17:17:49",{"slug":101,"name":102,"version":103,"author":104,"author_profile":105,"description":106,"short_description":107,"active_installs":11,"downloaded":108,"rating":13,"num_ratings":13,"last_updated":109,"tested_up_to":110,"requires_at_least":111,"requires_php":14,"tags":112,"homepage":115,"download_link":116,"security_score":117,"vuln_count":13,"unpatched_count":13,"last_vuln_date":23,"fetched_at":60},"jwt-authenticator","JWT Authenticator","1.1","Shawn","https:\u002F\u002Fprofiles.wordpress.org\u002Fshawnxlw\u002F","\u003Cp>This plugin integrates JWT authentication and automates user creation. 
The plugin is written for AAF Rapid Connect, but can be used for other providers too.\u003C\u002Fp>\n\u003Cp>Here is how this plugin works:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Generate a secret key with the command: tr -dc '[[:alnum:][:punct:]]' \u003C \u002Fdev\u002Furandom | head -c32 ;echo\u003C\u002Fli>\n\u003Cli>Register the key and callback URL http:\u002F\u002Fyoursite.com\u002Fwp-json\u002Fjwt-auth\u002Fv1\u002Fcallback with your authentication provider.\u003C\u002Fli>\n\u003Cli>Specify authentication and user creation parameters. Those marked with * are required.\u003C\u002Fli>\n\u003C\u002Fol>\n","This plugin integrates JWT authentication and automates user creation.",1672,"2016-12-01T17:58:00.000Z","4.6.30","3.2",[113,52,18,114,19],"authentication","sso","https:\u002F\u002Fshawnwang.net","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjwt-authenticator.zip",85,{"slug":119,"name":120,"version":121,"author":122,"author_profile":123,"description":124,"short_description":125,"active_installs":126,"downloaded":127,"rating":128,"num_ratings":129,"last_updated":130,"tested_up_to":46,"requires_at_least":131,"requires_php":14,"tags":132,"homepage":14,"download_link":138,"security_score":128,"vuln_count":27,"unpatched_count":13,"last_vuln_date":139,"fetched_at":60},"limit-login-attempts-reloaded","Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall","2.26.28","WPChef","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpchefgadget\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\" rel=\"nofollow ugc\">Limit Login Attempts Reloaded\u003C\u002Fa> functions as a robust deterrent against \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fcracking-the-code-unveiling-the-mechanics-behind-brute-force-attacks\u002F\" rel=\"nofollow ugc\">brute force attacks\u003C\u002Fa>, bolstering your website’s security measures and optimizing its performance. 
It achieves this by \u003Cstrong>restricting the number of login attempts allowed\u003C\u002Fstrong>. This applies not only to the standard login method, but also to XMLRPC, Woocommerce, and custom login pages. With more than 2.5 million active users, this plugin fulfills all your login security requirements.\u003C\u002Fp>\n\u003Cp>The plugin functions by automatically preventing further attempts from a particular Internet Protocol (IP) address and\u002For username once a predetermined limit of retries has been surpassed. This significantly weakens the effectiveness of brute force attacks on your website.\u003C\u002Fp>\n\u003Cp>By default, WordPress permits an unlimited number of login attempts, posing a vulnerability where passwords can be easily deciphered through brute force methods.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Limit Login Attempts Reloaded Premium (Try Free with \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fpremium-security-zero-cost-discover-the-benefits-of-micro-cloud\u002F\" rel=\"nofollow ugc\">Micro Cloud\u003C\u002Fa>)\u003C\u002Fstrong>\u003Cbr \u002F>\nUpgrade to \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fplans\u002F\" rel=\"nofollow ugc\">Limit Login Attempts Reloaded Premium\u003C\u002Fa> to extend cloud-based protection to the Limit Login Attempts Reloaded plugin, thereby enhancing your login security. The premium version includes a range of highly beneficial features, including \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Ffeatures\u002Fip-intelligence\u002F\" rel=\"nofollow ugc\">IP intelligence\u003C\u002Fa> to \u003Cstrong>detect, counter and deny malicious login attempts\u003C\u002Fstrong>. 
Your \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Ffailed-login-attempts-in-wordpress\u002F\" rel=\"nofollow ugc\">failed login attempts\u003C\u002Fa> will be safely neutralized in the cloud so your website can function at its optimal performance during an attack.\u003C\u002Fp>\n\u003Ch4>Features (Free Version):\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>2FA\u003C\u002Fstrong> – Coming soon.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Limit Logins\u003C\u002Fstrong> – Limit the number of retry attempts when logging in (per each IP).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable Lockout Timings\u003C\u002Fstrong> – Modify the amount of time a user or IP must wait after a lockout.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remaining Tries\u003C\u002Fstrong> – Informs the user about the remaining retries or lockout time on the login page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lockout Email Notifications\u003C\u002Fstrong> – Informs the admin via email of lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Denied Attempt Logs\u003C\u002Fstrong> – View a log of all denied attempts and lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP & Username Safelist\u002FDenylist\u003C\u002Fstrong> – Control access to usernames and IPs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>New User Registration Protection (Micro Cloud Accounts)\u003C\u002Fstrong> – Protects default WP 
registration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Sucuri\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Wordfence\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Ultimate Member\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WPS Hide Login\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>MemberPress\u003C\u002Fstrong> compatibility.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XMLRPC\u003C\u002Fstrong> gateway protection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Woocommerce\u003C\u002Fstrong> login page protection.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multi-site compatibility\u003C\u002Fstrong> with extra MU settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>GDPR\u003C\u002Fstrong> compliant.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom IP origins support\u003C\u002Fstrong> (Cloudflare, Sucuri, etc.).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>llar_admin\u003C\u002Fstrong> own capability.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Features (Premium Version):\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Performance Optimizer\u003C\u002Fstrong> – Offload the burden of excessive failed logins from your server to protect your server resources, resulting in improved speed and efficiency of your website.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced IP Intelligence\u003C\u002Fstrong> – Identify repetitive and suspicious login attempts to detect potential brute force attacks. 
IPs with known malicious activity are stored and used to help prevent and counter future attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced Throttling\u003C\u002Fstrong> – Longer lockout intervals each time a malicious IP or username tries to login unsuccessfully.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Deny By Country\u003C\u002Fstrong> – \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fblock-logins-by-country-in-wordpress\u002F\" rel=\"nofollow ugc\">Block logins by country\u003C\u002Fa> by simply selecting the countries you want to deny.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto IP Denylist\u003C\u002Fstrong> – Automatically add IP addresses to your active cloud deny list that repeatedly fail login attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>New User Registration Protection\u003C\u002Fstrong> – Protects default WP registration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Global Denylist Protection\u003C\u002Fstrong> – Utilize our active cloud IP data from thousands of websites in the LLAR network.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Synchronized Lockouts\u003C\u002Fstrong> –  Lockout IP data can be shared between multiple domains for enhanced protection in your network.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Synchronized Safelist\u002FDenylist\u003C\u002Fstrong> – Safelist\u002FDenylist IP and username data can be shared between multiple domains.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Premium Support\u003C\u002Fstrong> – Email support with a security tech.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Auto Backups of All IP Data\u003C\u002Fstrong> – Store your active IP data in the cloud.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Successful Logins Log\u003C\u002Fstrong> – Store successful logins in the cloud including IP info, city, state and lat\u002Flong.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enhanced lockout logs\u003C\u002Fstrong> – Gain valuable insights into the origins of IPs that are attempting logins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>CSV 
Download of IP Data\u003C\u002Fstrong> – Download IP data directly from the cloud.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Supports IPV6 Ranges For Safelist\u002FDenylist\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Unlock The Locked Admin\u003C\u002Fstrong> – Easily \u003Ca href=\"https:\u002F\u002Fwww.limitloginattempts.com\u002Fhow-to-unlock-your-site-if-you-are-locked-out-by-limit-login-attempts-reloaded\u002F\" rel=\"nofollow ugc\">unlock the locked admin\u003C\u002Fa> through the cloud.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>*Some features require higher level plans.\u003C\u002Fp>\n\u003Ch4>Upgrading from the old Limit Login Attempts plugin?\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Go to the Plugins section in your site’s backend.\u003C\u002Fli>\n\u003Cli>Remove the Limit Login Attempts plugin.\u003C\u002Fli>\n\u003Cli>Install the Limit Login Attempts Reloaded plugin.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>All your settings will be kept intact!\u003C\u002Fp>\n\u003Cp>Many languages are currently supported in the Limit Login Attempts Reloaded plugin but we welcome any additional ones.\u003C\u002Fp>\n\u003Cp>Help us bring Limit Login Attempts Reloaded to even more countries.\u003C\u002Fp>\n\u003Cp>Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish\u003C\u002Fp>\n\u003Cp>Plugin uses standard actions and filters only.\u003C\u002Fp>\n\u003Cp>Based on the original code from Limit Login Attempts plugin by Johan Eenfeldt.\u003C\u002Fp>\n\u003Ch4>Branding Guidelines\u003C\u002Fh4>\n\u003Cp>Limit Login Attempts Reloaded™ is a trademark of Atlantic Silicon Inc. When writing about the plugin, please make sure to use Reloaded after Limit Login Attempts. 
Limit Login Attempts is the old plugin.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Limit Login Attempts Reloaded (correct)\u003C\u002Fli>\n\u003Cli>Limit Login Attempts (incorrect)\u003C\u002Fli>\n\u003C\u002Ful>\n","Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.",2000000,79399145,98,1441,"2026-01-12T16:01:00.000Z","3.0",[133,134,135,136,137],"2fa","brute-force","firewall","login-security","security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flimit-login-attempts-reloaded.2.26.28.zip","2023-12-20 00:00:00",{"attackSurface":141,"codeSignals":153,"taintFlows":163,"riskAssessment":164,"analyzedAt":169},{"hooks":142,"ajaxHandlers":149,"restRoutes":150,"shortcodes":151,"cronEvents":152,"entryPointCount":13,"unprotectedCount":13},[143],{"type":144,"name":145,"callback":146,"file":147,"line":148},"action","login_form","login_token","index.php",19,[],[],[],[],{"dangerousFunctions":154,"sqlUsage":155,"outputEscaping":157,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":162},[],{"prepared":13,"raw":13,"locations":156},[],{"escaped":13,"rawEcho":98,"locations":158},[159],{"file":147,"line":160,"context":161},17,"raw output",[],[],{"summary":165,"deductions":166},"The \"login-token\" v1.0 plugin exhibits a generally good security posture based on the provided static analysis. The absence of any detected dangerous functions, raw SQL queries, file operations, external HTTP requests, and the fact that all SQL queries utilize prepared statements are strong indicators of responsible development practices. Furthermore, the plugin has no known vulnerability history, including no recorded CVEs, which suggests a mature and secure codebase.  The attack surface is also reported as zero, with no AJAX handlers, REST API routes, shortcodes, or cron events, implying that there are no readily exposed entry points for external interaction.  
However, a significant concern arises from the fact that 100% of the single total output detected is not properly escaped. This could potentially lead to cross-site scripting (XSS) vulnerabilities if the output is rendered directly in a user's browser without proper sanitization.  While the lack of identified taint flows and critical issues is positive, this unescaped output represents a concrete, albeit potentially low-impact depending on the nature of the output, security risk that needs to be addressed.",[167],{"reason":168,"points":88},"Output not properly escaped","2026-03-16T23:31:50.267Z",{"wat":171,"direct":176},{"assetPaths":172,"generatorPatterns":173,"scriptPaths":174,"versionParams":175},[],[],[],[],{"cssClasses":177,"htmlComments":178,"htmlAttributes":179,"restEndpoints":181,"jsGlobals":182,"shortcodeOutput":183},[],[],[180],"name='login_token'",[],[],[184],"\u003Cinput type='hidden' name='login_token' value='"]