Autologin Links

WARNING: THIS PLUGIN CAN BE INSECURE IF NOT USED CAUTIOUSLY. Allows selected
users to autologin to your WordPress website via autologin links.

Author:Paul Konstantin Gerke (profile at wordpress.org)
WordPress version required:4.9.8
WordPress version tested:5.6.4
Plugin version:1.12.0
Added to WordPress repository:25-01-2012
Last updated:24-02-2021
Rating, %:94
Rated by:15
Plugin URI:https://www.craftware.info/projects-lists/wor...
Total downloads:35 925
Active installs:8 000+
plugin download
Click to start download

This plugin allows admininstators to generate autologin links for their
WordPress website, logging in visitors under a certain user name. Administrators
can edit (generate and delete) autologin links for users, users can only view
their autologin links. Note that This plugin bypasses the standard
authentication method of wordpress via login and password and should only be
used if you understand the security issues mentioned below and on the
plugin website.

Usage

Once this plugin is activated, administrators can generate autologin links on
the edit profile administration pages for different users. Users can view their
autlogin links on their profile pages. Autologin links are of the form:

http://yourwebsite/[subdirectory/]?autologin_code=ABC123

For more convenience it is possible since version 1.05 to generate login links
directly using the wordpress, site-preview functionality. When viewing the page
while being logged in as an administrator, the top-bar will show an extra item
“Auto-login link”. When pointing at the menu item, a dropdown list will list
all users for whom autologin links were generated on their profile pages. When
clicking on one of the users, a popup will open showing the link that will
automatically login a visitor as the selected user and bring him to the
current page.

Security issues

Since autologin links are meant to be an OPEN way to login to
your website and can be viewed by users on their profile, it might be considered
an INSECURE plugin for WordPress. I did my best to make it as secure as possible
to fit my own needs, but this lead to some design choices which might not sit
well with all administrators:

Autologin codes are saved as plain text. This means that anyone who can
execute queries on the WordPress database (plugins, administrators, system
administrators) can obtain the autologin code for a certain user. I planned an
extension of this plugin where login codes are hashed. However, this again has
the disadvantage that noone can redisplay a once generated login link.

This is the most severe problem. For a full self-assesment of possible security
issues regarding this problem, please visit the
plugin website.


Screenshots
FAQ
ChangeLog