Description
Passwords are the single biggest security risk for your WordPress site. They get leaked, reused, or broken by automated brute-force attacks. Standard Two-Factor Authentication (2FA) adds safety, but typing in temporary codes from SMS or authenticator apps introduces annoying friction to your daily workflow.
Advanced Passkeys for Secure Login brings the future of un-phishable, modern authentication directly to your WordPress site using the official FIDO2 / WebAuthn standard.
Users register a passkey just once using their device’s built-in biometric sensor (Face ID, Touch ID, Windows Hello) or a hardware security key (like a YubiKey). Future sign-ins take less than a second—completely bypassing the traditional password field.
Why Switch to Passkeys?
- Immune to Phishing: Passkeys are cryptographically bound to your specific domain. A fake login page cannot trick or steal a passkey.
- Goodbye Brute-Force: Because there is no static password on the server to guess, automated bot attacks are completely neutralized.
- Ultimate Ecosystem Sync: Works seamlessly with iCloud Keychain, Google Password Manager, and 1Password for painless cross-device access.
Ecosystem-Wide Integrations Included
Unlike basic alternatives, this plugin features intelligent, dependency-aware integration modules that automatically inject passkey entry points into your favorite plugins. It features out-of-the-box support for WooCommerce, Easy Digital Downloads, MemberPress, Ultimate Member, LearnDash, BuddyBoss, Gravity Forms, and PMPro.
Features
- One-Click Passwordless Auth: Adds a native “Sign in with Passkey” button directly to the WordPress login screen.
- Conditional UI Autofill: Optional browser-native passkey autofill prompts on
wp-login.phpwhen username is focused. - Ecosystem Integrations: Built-in aware modules, blocks, and shortcodes for WooCommerce, MemberPress, LearnDash, BuddyBoss, and more.
- Gutenberg Blocks & Shortcodes: Automatically registers custom login cards and shortcodes based on active plugins.
- Theme Template Overrides: Override the login button template via
/advanced-passkeys/login/button.phpin your active theme. - Admin Dashboard Overview: Keep track of credential performance with an Authenticator Overview card and Last Login activity logs.
- Granular Role Controls: Easily configure exactly which user roles are permitted to use passkey authentication (Default: Administrators).
- Code-Managed Configuration: Developers can hardcode passkey settings via PHP for high-velocity agency, multisite, and version-controlled deployments.
- Brute-Force Rate Limiting: Hardened local security with built-in login rate-limiting and automated daily log cleanups.
- Multisite Compatible: Network-aware provisioning instantly configures security settings for newly created network sites.
- Clean Performance & Housekeeping: Lightweight footprint with a clean uninstall routine that leaves zero orphaned tables or options behind.
Developer Configuration
Advanced Passkeys supports code-managed configuration for developers, agencies, and teams that deploy WordPress settings through version control. This is useful when you need the same passkey policy across many sites without relying on manual database option changes.
Evaluation order
When the plugin resolves a setting, it uses this order:
advapafo_local_configurationfilterADVAPAFO_SETTINGSconstantadvapafo_settingsoption array- Existing individual
advapafo_*database option - Plugin default
Code-managed values are resolved per setting key. If you override only challenge_ttl, the remaining settings continue to fall back to the database or plugin defaults.
Managed admin fields
When a setting is provided by advapafo_local_configuration or ADVAPAFO_SETTINGS, the matching admin control is locked and marked Managed via code. This prevents accidental dashboard edits from implying that a database value controls a setting that is actually dictated by PHP.
Example: force HTTPS and administrator-only passkeys
Add this to a small functionality plugin or your theme’s functions.php:
<?php
add_filter(
'advapafo_local_configuration',
static function ( array $configuration ): array {
return array_replace(
$configuration,
array(
'enforce_https' => true,
'eligible_roles' => array( 'administrator' ),
)
);
}
);
Example: wp-config.php constant
For deployments that prefer constants, define an array in wp-config.php:
define(
'ADVAPAFO_SETTINGS',
array(
'conditional_ui_enabled' => true,
'login_challenge_ttl' => 300,
'registration_challenge_ttl' => 300,
'max_passkeys_per_user' => 0,
)
);
Common configuration keys
enabled— enable or disable passkey features.eligible_roles— array of role slugs allowed to use passkeys.max_passkeys_per_user— maximum passkeys per user;0means unlimited.conditional_ui_enabled— enable browser-native passkey autofill onwp-login.php.show_separator— show or hide the login OR separator.challenge_ttl— shared challenge timeout fallback in seconds.login_challenge_ttl— login challenge timeout in seconds.registration_challenge_ttl— registration challenge timeout in seconds.user_verification— one ofrequired,preferred, ordiscouraged.rp_name— custom relying party name.rp_id— custom relying party ID for domain/subdomain setups.rate_limit_window— failed-attempt tracking window in seconds.rate_limit_max_failures— failures allowed before lockout.rate_limit_lockout— lockout duration in seconds.login_redirect— fallback redirect URL after passkey login.last_used_pill_label— label for the login form’s Last used passkey indicator.last_used_pill_freshness_days— how long the Last used indicator remains fresh.
Last used pill example
<?php
add_filter(
'advapafo_local_configuration',
static function ( array $configuration ): array {
$configuration['last_used_pill_label'] = 'Previously used';
$configuration['last_used_pill_freshness_days'] = 120;
return $configuration;
}
);
Legacy filters
Legacy developer filters such as advapafo_max_passkeys_per_user, advapafo_enable_conditional_ui, and the Last used pill filters remain supported for backward compatibility. New code should prefer advapafo_local_configuration so configuration is centralized and easier to audit.
Screenshots







Blocks
This plugin provides 4 blocks.
- Passkey Login Button
- Passkey Register Button
- Account Passkeys
- Passkey Setup Prompt
Installation
Automatic installation
- In your WordPress admin, go to Plugins > Add New
- Search for Advanced Passkeys for Secure Login
- Click Install Now then Activate
- Go to Settings > Advanced Passkeys for Secure Login and enable passkeys
Manual installation
- Download the plugin ZIP from WordPress.org
- Go to Plugins > Add New > Upload Plugin and upload the ZIP
- Click Activate
- Go to Settings > Advanced Passkeys for Secure Login and enable passkeys
After activation
- Go to Settings > Advanced Passkeys for Secure Login — verify passkeys are enabled and select which roles may use them.
- Visit Users > Your Profile and register your first passkey.
- Sign out and confirm the Sign in with Passkey button appears on the login page.
- Register a backup passkey on a second device to avoid lockout.
Production & Local Environments
Passkeys require a secure (HTTPS) connection context. The plugin will actively block passkey flows over plain HTTP in production.
If you are testing locally without an SSL certificate, you can bypass this restriction by adding the following line to your wp-config.php file:
define( 'ADVAPAFO_ALLOW_HTTP', true ); (*Never use this in production!*)
FAQ
-
Does this replace passwords entirely?
-
No. Passkeys act as a seamless, high-security alternative sign-in method. Users retain their standard WordPress passwords as a reliable fallback.
-
Which browsers and devices are supported?
-
Any browser supporting the WebAuthn standard (all major platforms since 2022) including Chrome, Safari, Firefox, and Edge. Supported hardware includes iPhones, iPads, Macs, Android devices, Windows Hello machines, and physical FIDO2/U2F security keys like YubiKeys.
-
Is HTTPS required?
-
Yes, in production environments. The official WebAuthn specification mandates a secure context. See the local development instructions in the Installation tab to test locally via HTTP.
-
What PHP extensions do I need?
-
The plugin relies on
openssl,mbstring, andjson. These core extensions are compiled by default on almost every modern managed WordPress host. -
Can I control which user roles can use passkeys?
-
Yes. Navigate to Settings > Advanced Passkeys for Secure Login > Eligible Roles. While it defaults strictly to Administrators, you can provision passkeys for any core or custom role on your site.
-
Can developers manage plugin settings in code?
-
Yes. Developers can use the centralized
advapafo_local_configurationfilter or theADVAPAFO_SETTINGSconstant to manage settings from PHP. Code-managed settings take priority over database options. When a setting is managed in code, the matching admin field displays Managed via code and becomes read-only or disabled. -
Which shortcodes are available?
-
Core shortcodes:
*[advapafo_login_button]
*[advapafo_register_button]
*[advapafo_passkey_profile]
*[advapafo_passkey_prompt]Integration-specific shortcodes: (active when corresponding plugins are running)
*[advapafo_woocommerce_login]
*[advapafo_edd_login]
*[advapafo_memberpress_login]
*[advapafo_ultimate_member_login]
*[advapafo_learndash_login]
*[advapafo_buddyboss_login]
*[advapafo_gravityforms_login]
*[advapafo_pmp_login] -
Which integration Gutenberg blocks are available?
-
When an integration dependency is active, the plugin registers matching blocks:
*advanced-passkey-login/woocommerce-login-card
*advanced-passkey-login/edd-login-card
*advanced-passkey-login/memberpress-login-card
*advanced-passkey-login/ultimate-member-login-card
*advanced-passkey-login/learndash-login-card
*advanced-passkey-login/buddyboss-login-card
*advanced-passkey-login/gravityforms-login-card
*advanced-passkey-login/pmp-login-card -
What happens if I deactivate or delete the plugin?
-
Deactivating keeps your data safe. Deleting (uninstalling) triggers a strict housekeeping routine that cleanly drops the
wp_wpk_credentials,wp_wpk_rate_limits, andwp_wpk_logstables alongside alladvapafo_*options. -
Is the plugin multisite compatible?
-
Yes. Database tables partition dynamically per site via
$wpdb->prefix. Network activation auto-provisions existing sites and seamlessly configures any newly deployed network sites. -
Can I use a custom RP ID for subdomain setups?
-
Yes. Simply add
define( 'ADVAPAFO_RP_ID', 'example.com' );directly into your site’swp-config.phpfile. -
Yes. Copy the plugin template file to your active theme override directory:
/wp-content/themes/your-child-theme/advanced-passkeys/login/button.phpor in a parent theme:
/wp-content/themes/your-parent-theme/advanced-passkeys/login/button.phpMinimal override header example:
<?php /** * Advanced Passkeys template override: login button. * /wp-content/themes/your-child-theme/advanced-passkeys/login/button.php */ if ( ! defined( 'ABSPATH' ) ) { exit; } -
What happens when Conditional UI is enabled?
-
When enabled in Settings > Advanced:
- Browser-supported passkey autofill can appear on the username field.
- The manual “Sign in with Passkey” button is hidden on
wp-login.php. - The login OR separator is automatically disabled.
- Password fallback remains available.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Advanced Passkeys for Secure Login” is open source software. The following people have contributed to this plugin.
ContributorsTranslate “Advanced Passkeys for Secure Login” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.1.11
- Improved: username-free passkey sign-in now shows clearer fallback guidance when a browser or authenticator does not support discoverable credentials.
- Improved: passkey sign-in button now uses a refreshed user/key icon.
- Fixed: admin switch checkbox rendering avoids native checkbox bleed-through in custom toggle controls.
1.1.10
- Added: code-managed local configuration via
advapafo_local_configurationandADVAPAFO_SETTINGS. - Added: admin UI indicators and locked controls for settings managed by code.
- Improved: developer configuration filters now resolve through the centralized settings getter for cleaner policy management.
- Fixed: conditional UI login elements now remain hidden consistently when conditional UI is enabled.
- Improved: authenticator provider reporting resolves legacy credential/log payload variants more reliably.
- Improved: registration errors now show friendlier passkey guidance for browser invalid-state failures.
1.1.9
- Improved: admin footer link styling and rating stars visibility for the settings screen.
1.1.8
- Fixed: passkey revoke reliability across compatibility credential tables.
- Improved: authenticator provider normalization and typo tolerance for brand labeling.
- Improved: reporting metadata normalization for authenticator detection.
1.1.7
- Improved: aligned plugin header author metadata with readme contributors.
1.1.6
- Improved: include WordPress.org assets directory in release source so banners, icon, and screenshots deploy via SVN automation.
1.1.5
- Improved: sanitize-early handling for transports and credential request inputs.
- Improved: stricter nonce-gated debug query handling in settings.
- Improved: output escaping hardening for integration-rendered markup and dynamic admin classes.
- Improved: release and quality workflow validation guardrails (actionlint gate).
1.1.4
- Added: Dashboard tab with an Authenticator Overview card.
- Added: Last Login activity card in the Dashboard tab.
- Improved: nonce and capability enforcement across sensitive request handlers.
- Improved: release packaging workflow with strict file allowlist validation.
- Fixed: release automation now publishes real GitHub releases with attached installable ZIP.
1.1.2
- Added: integration manager for popular ecosystem plugins with dependency-aware module loading.
- Added: integration-specific shortcodes and Gutenberg blocks.
- Added: integration controls in settings with installed/not installed indicators.
- Added: shortcode quick-start helper and improved shortcode documentation in admin UI.
- Changed: removed legacy shortcode alias registrations and related legacy copy.
- Changed: refreshed docs and translation template strings for current shortcode names.
1.1.1
- Updated: plugin name and user-facing references to “Advanced Passkeys for Secure Login”.
- Updated: settings/UI copy to use the full plugin name.
1.1.0
- Added: dismissible “set up your passkey” nudge notice for eligible users.
- Added: Passkeys column in the admin Users list showing count per user.
- Added: Scheduled daily cleanup of expired rate-limit rows and old log entries.
- Added: Challenge timeout setting in Settings > Advanced Passkeys for Secure Login > Advanced.
- Added: Login redirect URL field in settings (fallback after passkey login).
- Added:
[advapafo_login_button]and[advapafo_register_button]shortcodes. - Added: Log retention period setting (days).
- Improved:
get_challenge_ttl()now reads from the settings UI.
1.0.0
- Initial release.
