
OnzAuth Security & Risk Analysis
wordpress.org/plugins/onzauth
OnzAuth plugin replaces the standard WordPress login form with one that enables passwordless email magic link and biometric login.
Is OnzAuth Safe to Use in 2026?
Generally Safe
Score 100/100
OnzAuth has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The "onzauth" v1.0.7 plugin presents a generally positive security posture based on the provided static analysis. It has no identified vulnerabilities in its history, which suggests secure development or effective patching. The code analysis indicates a responsible approach to handling data, with all SQL queries using prepared statements and a high percentage of output properly escaped. The limited attack surface, consisting of one REST API route and one shortcode, and the absence of unprotected entry points are strong indicators of good security practices.
However, there are areas for concern. The complete absence of nonce checks and capability checks across all entry points is a significant weakness. While the current attack surface is small and appears to be protected by default WordPress mechanisms, any future expansion or introduction of new AJAX handlers could expose the plugin to cross-site request forgery (CSRF) or privilege escalation if these checks remain absent. The bundled Guzzle library could also become a vector for vulnerabilities if the plugin developer does not actively maintain and update it and known exploits exist for specific versions of Guzzle.
In conclusion, "onzauth" v1.0.7 has a strong foundation with its secure handling of SQL and output, and a clear history of no known vulnerabilities. The primary weakness lies in the missing nonce and capability checks, which, while not actively exploited in this version, represent a latent risk that should be addressed for long-term security.
Key Concerns
- Missing nonce checks on entry points
- Missing capability checks on entry points
- Bundled library (Guzzle) potential risk
OnzAuth Security Vulnerabilities
OnzAuth Release Timeline
OnzAuth Code Analysis
Bundled Libraries
Output Escaping
OnzAuth Attack Surface
REST API Routes 1
Shortcodes 1
WordPress Hooks 9
Maintenance & Trust
OnzAuth Maintenance & Trust
Maintenance Signals
Community Trust
OnzAuth Alternatives
Biometric Authentication
biometric-authentication
Passkeys are a safer and easier alternative to passwords. Simply use your fingerprint or face ID to log in with ease.
Bye Bye Passwords
bye-bye-passwords
Enable passwordless authentication for WordPress using WebAuthn/Passkeys. More secure, more convenient.
Login by Magic
magiclabs
Login by Magic plugin replaces the standard WordPress login form with one powered by Magic that enables passwordless email magic link login.
Auth Armor – Passwordless Login
auth-armor-passwordless-login
Login using your phone without passwords! More secure, faster and best of all, nothing to remember or type in!
Multidots Passkey Login – Passwordless Login for WordPress
multidots-passkey-login
Passwordless login for WordPress with Passkeys. Enable Touch ID, Face ID, and security keys for seamless, phishing-resistant authentication.
OnzAuth Developer Profile
1 plugin · 10 total installs
How We Detect OnzAuth
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/onzauth/assets/css/onzauth.css
- /wp-content/plugins/onzauth/assets/js/onzauth.js
- /wp-content/plugins/onzauth/assets/js/jwt-decode.js
- onzauth/assets/css/onzauth.css?ver=
- onzauth/assets/js/onzauth.js?ver=
- onzauth/assets/js/jwt-decode.js?ver=
HTML / DOM Fingerprints
- onzauth-login-form
- onzauth-submit-button
- <!-- OnzAuth login form -->
- <!-- Generated by OnzAuth -->
- data-onzauth-client-id
- data-onzauth-redirect-uri
- window.OnzAuthLogin
- /wp-json/onzauth/v1/auth
- [onzauth_login]