WP-Safety

One Time Login Security & Risk Analysis

wordpress.org/plugins/one-time-login

Use WP-CLI to generate a one-time login URL for any user

40K active installs v0.4.0 PHP 7.1+ WP 4.4+ Updated Jan 10, 2026
login
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is One Time Login Safe to Use in 2026?

Generally Safe

Score 100/100

One Time Login has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2mo ago
Risk Assessment

The "one-time-login" plugin v0.4.0 exhibits a mixed security posture. On the positive side, the code demonstrates good practices by exclusively using prepared statements for SQL queries, ensuring proper output escaping, and avoiding file operations and external HTTP requests. The vulnerability history being clean, with no recorded CVEs, also suggests a degree of past diligence. However, significant concerns arise from the static analysis results. The plugin has a total of one entry point, which is identified as unprotected. This unprotected REST API route represents a direct avenue for potential exploitation if not properly secured by the application itself or other plugins.

Key Concerns

  • Unprotected REST API route
Vulnerabilities
None known

One Time Login Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

One Time Login Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
0
0 escaped
Nonce Checks
0
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0
Attack Surface
1 unprotected

One Time Login Attack Surface

Entry Points1
Unprotected1

REST API Routes 1

GET/wp-json/one-time-login/v1/tokenone-time-login.php:125
WordPress Hooks 3
actionrest_api_initone-time-login.php:161
actionone_time_login_cleanup_expired_tokensone-time-login.php:181
actioninitone-time-login.php:251

Scheduled Events 1

one_time_login_cleanup_expired_tokens
Maintenance & Trust

One Time Login Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedJan 10, 2026
PHP min version7.1
Downloads184K

Community Trust

Rating100/100
Number of ratings2
Active installs40K
Alternatives

One Time Login Alternatives

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

limit-login-attempts-reloaded

A
98

Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.

2.0M 4 CVEs
WPS Hide Login

WPS Hide Login

wps-hide-login

A
95

Change wp-login.php to anything you want.

2.0M 10 CVEs
All-In-One Security (AIOS) – Security and Firewall

All-In-One Security (AIOS) – Security and Firewall

all-in-one-wp-security-and-firewall

A
93

Protect your website investment with All-In-One Security (AIOS) – a comprehensive and easy to use security plugin designed especially for WordPress.

1.0M 26 CVEs
Loginizer

Loginizer

loginizer

A
87

Loginizer is a WordPress security plugin which helps you fight against bruteforce attacks.

1.0M 8 CVEs
Security Optimizer – The All-In-One Protection Plugin

Security Optimizer – The All-In-One Protection Plugin

sg-security

A
86

Secure your WordPress site from brute-force attacks, threats, malware, and bots. Free to use and easy to set up.

1.0M 5 CVEs
Developer Profile

One Time Login Developer Profile

Daniel Bachhuber

9 plugins · 51K total installs

86
trust score
Avg Security Score
88/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect One Time Login

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

REST Endpoints
/wp-json/one-time-login/v1/token
FAQ

Frequently Asked Questions about One Time Login