WP-Safety

Magic Login – Passwordless Authentication for WordPress – Login Without Password Security & Risk Analysis

wordpress.org/plugins/magic-login

Passwordless login for WordPress. Streamline the login process by sending magic links to your users.

2K active installs v2.7.1 PHP 7.4+ WP 5.0+ Updated Mar 15, 2026
loginmagic-linkmagic-loginpasswordlesspasswordless-login
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Magic Login – Passwordless Authentication for WordPress – Login Without Password Safe to Use in 2026?

Generally Safe

Score 100/100

Magic Login – Passwordless Authentication for WordPress – Login Without Password has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 19d ago
Risk Assessment

The "magic-login" v2.7.1 plugin exhibits a generally strong security posture based on the provided static analysis. The plugin demonstrates excellent adherence to secure coding practices, with all identified entry points (AJAX handlers, shortcodes) appearing to have authentication checks in place. Furthermore, the complete absence of dangerous functions, 100% use of prepared statements for SQL queries, and a very high rate of proper output escaping (98%) are significant strengths. The plugin also incorporates nonce and capability checks, which are crucial for preventing common web attacks.

However, one specific concern arises from the taint analysis: there is one flow with an unsanitized path. While the severity is not explicitly stated as critical or high, any unsanitized path represents a potential vector for directory traversal or other file-system related attacks if not handled with extreme caution. The lack of historical vulnerabilities (CVEs) is a positive indicator, suggesting a history of responsible development, but it does not entirely negate the risks identified in the current code analysis. Overall, "magic-login" v2.7.1 is a well-secured plugin with a few areas that warrant attention, particularly the single unsanitized path identified in the taint analysis.

Key Concerns

  • Flow with unsanitized path
Vulnerabilities
None known

Magic Login – Passwordless Authentication for WordPress – Login Without Password Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Magic Login – Passwordless Authentication for WordPress – Login Without Password Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
4
210 escaped
Nonce Checks
3
Capability Checks
3
File Operations
1
External Requests
0
Bundled Libraries
0

Output Escaping

98% escaped214 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

7 flows1 with unsanitized paths
print_login_button (includes\classes\LoginManager.php:615)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Magic Login – Passwordless Authentication for WordPress – Login Without Password Attack Surface

Entry Points5
Unprotected0

AJAX Handlers 4

authwp_ajax_magic_login_code_loginincludes\classes\CodeLogin.php:42
noprivwp_ajax_magic_login_code_loginincludes\classes\CodeLogin.php:43
authwp_ajax_magic_login_ajax_requestincludes\classes\LoginManager.php:60
noprivwp_ajax_magic_login_ajax_requestincludes\classes\LoginManager.php:61

Shortcodes 1

[magic_login_form] includes\shortcode.php:27
WordPress Hooks 21
actionnetwork_admin_menuincludes\admin\dashboard.php:31
actionadmin_menuincludes\admin\dashboard.php:33
actionadmin_initincludes\admin\dashboard.php:36
filteradmin_body_classincludes\admin\dashboard.php:37
actioninitincludes\block.php:25
actioninitincludes\classes\CodeLogin.php:41
actionlogin_form_magic_loginincludes\classes\LoginManager.php:54
actionlogin_form_loginincludes\classes\LoginManager.php:55
actioninitincludes\classes\LoginManager.php:56
actionlogin_footerincludes\classes\LoginManager.php:58
actionlogin_headincludes\classes\LoginManager.php:59
filterwp_mailincludes\classes\LoginManager.php:62
filterwp_mailincludes\classes\LoginManager.php:63
actioninitincludes\core.php:22
actioninitincludes\core.php:23
actionadmin_enqueue_scriptsincludes\core.php:24
actionadmin_enqueue_scriptsincludes\core.php:25
filtermagic_login_pre_send_login_linkincludes\security.php:22
actionmagic_login_send_login_linkincludes\security.php:23
filtermagic_login_redirectincludes\shortcode.php:28
actionplugins_loadedplugin.php:116
Maintenance & Trust

Magic Login – Passwordless Authentication for WordPress – Login Without Password Maintenance & Trust

Maintenance Signals

WordPress version tested7.0
Last updatedMar 15, 2026
PHP min version7.4
Downloads59K

Community Trust

Rating96/100
Number of ratings25
Active installs2K
Alternatives

Magic Login – Passwordless Authentication for WordPress – Login Without Password Alternatives

Magic Login Link

Magic Login Link

magic-link-login

A
85

Enables the user to login without entering a password. Instead a mail with a login is sent.

80 No CVEs
VentraConnect – Social Login, Magic Link & Email OTP (Passwordless)

VentraConnect – Social Login, Magic Link & Email OTP (Passwordless)

ventraconnect-social-login

A
100

Social login with 15+ providers plus passwordless login (Magic Link & Email OTP), with Guardrails to block spam registrations.

20 No CVEs
Magic Link – Secure one click passwordless login

Magic Link – Secure one click passwordless login

magic-link

A
100

Secure one click passwordless login

10 No CVEs
Temporary Login Without Password

Temporary Login Without Password

temporary-login-without-password

A
100

Create self-expiring, temporary admin accounts. Easily share direct login links (no need for username/password) with your developers or editors.

100K 1 CVE
Temporary Login

Temporary Login

temporary-login

A
92

Create a secure, temporary URL for easy access to your WP admin.

40K No CVEs
Developer Profile

Magic Login – Passwordless Authentication for WordPress – Login Without Password Developer Profile

handyplugins

10 plugins · 8K total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Magic Login – Passwordless Authentication for WordPress – Login Without Password

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/magic-login/dist/css/login-block-style.css/wp-content/plugins/magic-login/dist/js/frontend.js/wp-content/plugins/magic-login/assets/css/magic-login-admin.css/wp-content/plugins/magic-login/assets/js/magic-login-admin.js
Script Paths
/wp-content/plugins/magic-login/dist/js/frontend.js
Version Parameters
magic-login/dist/css/login-block-style.css?ver=magic-login/dist/js/frontend.js?ver=magic-login/assets/css/magic-login-admin.css?ver=magic-login/assets/js/magic-login-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
magic-login-login-blockmagic-login-block-titlemagic-login-form-headermagic_login_block_login_errormagic-login-block-description
Data Attributes
data-magic-login-username-onlydata-magic-login-redirect-todata-magic-login-hide-logged-indata-magic-login-hide-form-after-submitdata-magic-login-cancel-redirection
JS Globals
magicLoginFrontend
Shortcode Output
[magic_login]
FAQ

Frequently Asked Questions about Magic Login – Passwordless Authentication for WordPress – Login Without Password