Features

OAuth for WordPress, without the rough edges.

Standards-compliant OAuth 2.0 and OpenID Connect, built from scratch for WordPress with the operational features you actually need in production.

01 Providers

Any OAuth 2.0 provider. Really.

If it speaks standards-compliant OAuth 2.0 or OpenID Connect, it works. No vendor-specific SDKs, no lock-in, no "enterprise" tenant provisioning.

  • Google, Microsoft, Azure AD, Okta, Auth0, GitHub, GitLab
  • Self-hosted: Keycloak, Authentik, Ory Hydra, Casdoor
  • Custom providers via manual endpoint configuration
  • PKCE supported where the provider requires it

Provider configuration
  • Authorization URL
  • Token URL
  • User Info URL
  • Client ID & Secret
  • Scopes (space-separated)

02 User provisioning

Automatic users from any claim shape.

SSOPress maps OpenID Connect claims and OAuth userinfo responses into WordPress user fields. Standard claims work out of the box; custom claims need nothing more than a dot path.

  • Email, name, username, display name mapped automatically
  • Custom attribute mapping with dot notation for nested fields
  • First-login user creation, subsequent-login profile sync
  • Fallback username generation from email when no preferred_username exists

{
  "sub": "42",
  "email": "sarah@example.com",
  "given_name": "Sarah",
  "family_name": "Chen",
  "profile": {
    "department": "engineering"
  }
}

# Maps to WP fields:
# email         → user_email
# given_name    → first_name
# family_name   → last_name
# profile.department → attribute for role mapping
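How the dot-path mapping above can be carried out in code, as an added example (PHP 8, not SSOPress's own code): a small resolver walks `profile.department` through the decoded claims array, standard claims are copied into the field names `wp_insert_user()` understands, and the login name falls back to the local part of the email when the provider sends no `preferred_username`. The function names, the `$mapping` layout and the sample payload are this example's own assumptions.

```php
<?php
// Added example: map OIDC / userinfo claims onto WordPress user fields.
// Function names and the $mapping structure are assumptions, not the plugin's API.

/** Walk a dot path such as "profile.department" through a nested claims array. */
function claim_path(array $claims, string $path, $default = null) {
    $node = $claims;
    foreach (explode('.', $path) as $segment) {
        if (!is_array($node) || !array_key_exists($segment, $node)) {
            return $default;
        }
        $node = $node[$segment];
    }
    return $node;
}

/** Derive a login name from the local part of an email, restricted to characters WordPress accepts. */
function username_from_email(string $email): string {
    $local = strstr($email, '@', true);
    $local = $local === false ? $email : $local;
    $clean = preg_replace('/[^a-z0-9_.\-]/i', '', $local);
    return $clean !== '' ? strtolower($clean) : 'user';
}

/**
 * Build the array handed to wp_insert_user() / wp_update_user().
 * $mapping: WP field => claim dot path, or a list of paths tried in order.
 */
function map_claims_to_user(array $claims, array $mapping): array {
    $user = [];
    foreach ($mapping as $wp_field => $paths) {
        foreach ((array) $paths as $path) {
            $value = claim_path($claims, $path);
            if (is_scalar($value) && (string) $value !== '') {
                $user[$wp_field] = (string) $value;
                break;
            }
        }
    }
    // An email is the one claim provisioning cannot do without.
    if (empty($user['user_email'])) {
        throw new RuntimeException('Provider returned no usable email claim');
    }
    if (empty($user['user_login'])) {
        $user['user_login'] = username_from_email($user['user_email']);
    }
    if (empty($user['display_name'])) {
        $user['display_name'] = trim(($user['first_name'] ?? '') . ' ' . ($user['last_name'] ?? ''))
            ?: $user['user_login'];
    }
    return $user;
}

// Constructed payload mirroring the one on the page (note: no preferred_username).
$claims = json_decode('{"sub":"42","email":"sarah@example.com","given_name":"Sarah",
    "family_name":"Chen","profile":{"department":"engineering"}}', true);

$mapping = [
    'user_email'   => 'email',
    'user_login'   => ['preferred_username', 'username'],
    'first_name'   => 'given_name',
    'last_name'    => 'family_name',
    'display_name' => 'name',
    'department'   => 'profile.department',   // custom attribute, kept for role mapping
];

print_r(map_claims_to_user($claims, $mapping));
```

Before the first-login insert, a real plugin would still pass the generated login through `username_exists()` and add a suffix on collision, and it should key the WordPress account on the stable `sub` claim rather than on email alone, since an email address can be reassigned at the provider.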

03 Role mapping

Group-based roles, without the middleware.

Map OAuth claim values straight to WordPress roles. No sync jobs, no webhooks, no third-party identity bridges. The role is set on every login, so revocations happen naturally.

  • Map any claim value (groups, department, custom field) to a WP role
  • Case-insensitive and partial matching rules
  • Default fallback role for unmatched users
  • Re-evaluated on every login, so revocations take effect immediately

Example role mappings
  • engineering → editor
  • marketing → author
  • support → contributor
  • contractor-* → subscriber
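The rule evaluation behind mappings like these, as an added example (PHP 8, not SSOPress's own code): an ordered list of rules is matched case-insensitively against the claim value (a single string such as a department, or a list such as `groups`) in exact, partial or wildcard mode, the first hit wins, and an unmatched user receives the configured default role instead of keeping whatever role they had. The rule format, function names and the sample values are this example's own assumptions.

```php
<?php
// Added example: evaluate role-mapping rules against a claim value.
// Rule structure and function names are assumptions, not the plugin's API.

/**
 * Each rule: ['match' => pattern, 'role' => wp_role, 'mode' => 'exact'|'partial'|'wildcard'].
 * Matching is case-insensitive; the first matching rule wins; $default applies
 * when nothing matches, so a user removed from every mapped group is demoted.
 */
function resolve_role($claim_values, array $rules, string $default = 'subscriber'): string {
    foreach ((array) $claim_values as $value) {
        $value = mb_strtolower(trim((string) $value));
        foreach ($rules as $rule) {
            $pattern = mb_strtolower($rule['match']);
            $mode = $rule['mode'] ?? 'exact';
            $hit = match ($mode) {
                'exact'    => $value === $pattern,
                'partial'  => $pattern !== '' && str_contains($value, $pattern),
                'wildcard' => fnmatch($pattern, $value),
                default    => false,
            };
            if ($hit) {
                return $rule['role'];
            }
        }
    }
    return $default;
}

/** Refuse roles that do not exist, so a typo in a rule can never grant an unexpected role. */
function assert_known_role(string $role, array $known_roles): string {
    if (!in_array($role, $known_roles, true)) {
        throw new InvalidArgumentException("Unknown WordPress role in mapping: $role");
    }
    return $role;
}

// Rules mirroring the page's example mappings, ordered so specific entries precede the wildcard.
$rules = [
    ['match' => 'engineering',  'role' => 'editor'],
    ['match' => 'marketing',    'role' => 'author'],
    ['match' => 'support',      'role' => 'contributor'],
    ['match' => 'contractor-*', 'role' => 'subscriber', 'mode' => 'wildcard'],
];
$known = ['administrator', 'editor', 'author', 'contributor', 'subscriber'];

// Constructed claim values: mixed case, a wildcard hit, a groups list, and an unmapped value.
foreach (['Engineering', 'contractor-acme', ['sales', 'support'], 'finance'] as $claim) {
    echo json_encode($claim), ' => ', assert_known_role(resolve_role($claim, $rules), $known), PHP_EOL;
}
```

Inside WordPress the result is applied with `$user->set_role( $role )`, which replaces the user's roles rather than adding to them; that is what makes the per-login re-evaluation an effective revocation path. Partial matching deserves care in rule design: a rule like `admin` in partial mode would also match a group named `admin-readonly`.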

04 Audit logs

Every auth event, searchable forever.

Login attempts, token exchanges, userinfo fetches, user provisioning events and errors land in a queryable table with IP, user agent, and error codes. Retention is configurable and pruning runs daily.

  • Seven event types: attempt, success, failure, token exchange, userinfo, user created, user updated
  • Per-event IP address, user agent, error code, error message, and metadata
  • Admin UI with filtering, search, and date-range queries
  • Configurable retention policy, pruned automatically via WP-Cron
Sample dashboard figures: 247 login attempts (30d), 239 successful, 8 failed, 12 users created

05 Security

Built with defense in depth.

SSOPress takes credential storage, CSRF, replay attacks, and rate limiting seriously. It's the auth plugin we wanted to exist when we needed one for real production sites.

  • Client secrets encrypted at rest via libsodium (AES-256-CBC fallback)
  • 64-char hex state tokens validated on callback
  • Per-IP rate limiting on OAuth init and callback endpoints
  • Safe redirect validation (no open redirect vulnerabilities)
  • Nonce protection on all admin forms

// Client secret as stored:
sodium:rUixTVfn+zYe22fahdUS2mOMev...

// State token format:
60b15c5cdd6ed499fc999204868375d7385bf90f44bf2f9222811adcc628e5a0

// Rate limit (default, filterable):
20 requests / 60 seconds / IP
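What the state-token and rate-limit figures above translate to on the callback side, as an added example (PHP 8, not SSOPress's own code): a 64-character hex state is 32 CSPRNG bytes, it is bound to a per-browser cookie value, compared in constant time and deleted on first use so a captured callback URL cannot be replayed, and a fixed-window counter per client IP enforces 20 requests per 60 seconds. The in-memory `$store` stands in for WordPress transients; the function names, the key layout and the session binding are this example's own assumptions.

```php
<?php
// Added example: state-token issue/consume and per-IP rate limiting.
// $store imitates WordPress transients; names and layout are assumptions.

const STATE_TTL_SECONDS = 600;
const RATE_LIMIT_MAX    = 20;
const RATE_LIMIT_WINDOW = 60;

$store = [];   // key => ['value' => mixed, 'expires' => unix time]

function store_set(array &$store, string $key, $value, int $ttl, int $now): void {
    $store[$key] = ['value' => $value, 'expires' => $now + $ttl];
}

function store_get(array &$store, string $key, int $now) {
    if (!isset($store[$key]) || $store[$key]['expires'] <= $now) {
        unset($store[$key]);
        return null;
    }
    return $store[$key]['value'];
}

/** Issue a state token: 32 random bytes -> 64 hex characters, keyed by the browser's session cookie. */
function issue_state(array &$store, string $session_id, int $now): string {
    $state = bin2hex(random_bytes(32));
    store_set($store, "oauth_state:$session_id", $state, STATE_TTL_SECONDS, $now);
    return $state;
}

/**
 * Validate the state echoed back on the callback: shape check, constant-time
 * comparison, then unconditional deletion so the token is single-use.
 */
function consume_state(array &$store, string $session_id, string $presented, int $now): bool {
    if (!preg_match('/^[0-9a-f]{64}$/', $presented)) {
        return false;
    }
    $expected = store_get($store, "oauth_state:$session_id", $now);
    unset($store["oauth_state:$session_id"]);
    return is_string($expected) && hash_equals($expected, $presented);
}

/** Fixed-window counter per client IP; false once the window's budget is spent. */
function rate_limit_allow(array &$store, string $ip, int $now): bool {
    $key   = 'oauth_rl:' . hash('sha256', $ip);
    $count = (int) (store_get($store, $key, $now) ?? 0);
    if ($count >= RATE_LIMIT_MAX) {
        return false;
    }
    if ($count === 0) {
        store_set($store, $key, 1, RATE_LIMIT_WINDOW, $now);   // start a new window
    } else {
        $store[$key]['value'] = $count + 1;                    // keep the window's original expiry
    }
    return true;
}

// Walk through one login, a replay of the same token, and an over-budget client (constructed inputs).
$now   = time();
$state = issue_state($store, 'cookie-abc', $now);
var_dump(strlen($state) === 64);
var_dump(consume_state($store, 'cookie-abc', $state, $now + 5));   // first use of the token
var_dump(consume_state($store, 'cookie-abc', $state, $now + 6));   // same token presented again
$allowed = true;
for ($i = 1; $i <= RATE_LIMIT_MAX + 1; $i++) {
    $allowed = rate_limit_allow($store, '203.0.113.7', $now + $i);
}
var_dump($allowed);   // the request that exceeds the window's budget
```

Two deployment details matter for the limiter: behind a reverse proxy or CDN the IP must be taken from a forwarding header only when the request provably came from that proxy, otherwise every client can choose its own bucket, and a limit keyed on IP alone is a brake on brute force, not a substitute for the provider's own lockout policy.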

06 WordPress integration

A first-class WordPress citizen.

SSOPress doesn't replace wp-login.php; it augments it. The plugin adds an OAuth button to the standard login form, optionally hides the password form, and preserves redirect_to behaviour for seamless UX.

  • Works alongside the native WordPress login, no URL replacements
  • Recovery switch: ?oauthlogin=false restores the standard password login so you can always get back into your site
  • Preserves and validates redirect_to parameter across OAuth round-trip
  • Uses WordPress nonces, capabilities, and settings API throughout
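The redirect_to validation that makes "preserves and validates" safe, as an added example (PHP 8, not SSOPress's own code): the target is only honoured if it is a site-relative path or an absolute URL on this site's host, which is the same-origin rule WordPress's own `wp_validate_redirect()` enforces; everything else falls back to the admin URL. The function name, `SITE_HOST` and the constructed inputs are this example's own assumptions.

```php
<?php
// Added example: same-origin validation of a redirect_to value after the OAuth round trip.
// Function name, SITE_HOST and the sample inputs are assumptions, not the plugin's code.

const SITE_HOST = 'blog.example.com';

/** Return $target if it is a relative path or an absolute URL on this site; otherwise $fallback. */
function safe_redirect_target(?string $target, string $fallback = '/wp-admin/'): string {
    if ($target === null || $target === '') {
        return $fallback;
    }
    // Control characters and backslashes are rejected outright: browsers normalise "\" to "/",
    // so "/\evil.test" would be treated as scheme-relative by the client but not by parse_url().
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $target)) {
        return $fallback;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return $fallback;
    }
    // Relative target: must start with exactly one "/" ("//host/path" is scheme-relative).
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return (str_starts_with($target, '/') && !str_starts_with($target, '//')) ? $target : $fallback;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    // Absolute target: http(s) only, exact host match, and no userinfo component.
    if (in_array($scheme, ['http', 'https'], true) && $host === SITE_HOST && !isset($parts['user'])) {
        return $target;
    }
    return $fallback;
}

// Constructed inputs: two legitimate targets followed by shapes the validator must refuse.
foreach ([
    '/wp-admin/post.php?post=12&action=edit',
    'https://blog.example.com/members/',
    'https://evil.test/phish',
    '//evil.test/phish',
    'https://blog.example.com@evil.test/',
    'javascript:alert(1)',
    "/wp-admin\\@evil.test",
] as $candidate) {
    printf("%-45s -> %s\n", $candidate, safe_redirect_target($candidate));
}
```

In the plugin itself the equivalent is `wp_safe_redirect( wp_validate_redirect( $target, admin_url() ) )`. The other half of preserving redirect_to is where it travels: keeping it server-side alongside the state token, rather than round-tripping it through the provider's authorize URL, means the value validated on return is the one the site stored, not one supplied in the callback.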

Things we don't do
  • Replace wp-login.php
  • Require a custom proxy or middleware
  • Phone home with site data
  • Store passwords on external servers

Ready to ship this?

Install the free version from WordPress.org to try the core OAuth flow, or jump straight to Pro for role mapping, audit logs, and email support.