Auth surface
The Engagement engine ships a complete auth surface that replaces the default WordPress login flow with a modern alternative. Source code lives under modules/engage/includes/Auth/ and is bootstrapped from OMembership engagement\Core\Plugin::boot().
Custom auth pages
Four pages are seeded on first install:
| Surface | Shortcode | Template |
|---|---|---|
| Sign in | [omembership_login] | templates/frontend/sign-in.php |
| Register | [omembership_register] | templates/frontend/create-account.php |
| Profile | [omembership_profile] | templates/frontend/my-profile.php |
| Dashboard | [omembership_dashboard] | templates/frontend/my-dashboard.php |
Page IDs are stored in the oe_settings option (login_page, dashboard_page).
Social login
Four providers are supported out of the box:
| Provider | Required credentials | OAuth endpoint |
|---|---|---|
| Google | google_client_id + secret | accounts.google.com/o/oauth2/v2/auth |
| Apple | apple_client_id + Team ID + Key ID + .p8 | appleid.apple.com/auth/authorize |
| GitHub | github_client_id + secret | github.com/login/oauth/authorize |
| LinkedIn | linkedin_client_id + secret | linkedin.com/oauth/v2/authorization |
The shared callback URL is:
https://yoursite.com/?oe_oauth_callback={provider}
State is generated as a one-time nonce, stored as a 10-minute transient, and validated on callback. Successful exchanges either log in an existing user (matched by email) or create a new account and store oe_social_{provider} user meta with the provider ID.
Magic links
Magic links are gated by oe_settings.enable_magic_link. The flow:
- `POST /wp-admin/admin-ajax.php?action=oe_send_magic_link` with `email` and the `oe_frontend` nonce.
- The handler creates a 48-char token, stores `oe_magic_{token}` as a transient (15-minute expiry), and asks `EmailNotifier::send()` to deliver the link.
- The user clicks `https://yoursite.com/?oe_magic={token}`, which sets the auth cookie and redirects to the configured dashboard page.
Tokens are single-use and rate-limited at the provider level. The response is identical whether or not the email exists (to avoid enumeration).
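The request and redemption halves of that flow, as an added illustration rather than the plugin's own code. It assumes WordPress core functions, a POST field named `nonce` carrying the oe_frontend nonce, and a hypothetical `EmailNotifier::send( $user_id, $template, $args )` signature matching the one shown on this page.

```php
<?php
// Added example of the magic-link flow; not the plugin's own implementation.
// Assumes WordPress core APIs and a hypothetical EmailNotifier::send().

add_action( 'wp_ajax_nopriv_oe_send_magic_link', 'oe_example_send_magic_link' );
add_action( 'wp_ajax_oe_send_magic_link', 'oe_example_send_magic_link' );

function oe_example_send_magic_link() {
    check_ajax_referer( 'oe_frontend', 'nonce' );        // field name 'nonce' is assumed
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user  = is_email( $email ) ? get_user_by( 'email', $email ) : false;

    if ( $user ) {
        // 48-char alphanumeric token; the transient is the only copy and expires in 15 minutes.
        $token = wp_generate_password( 48, false );
        set_transient( 'oe_magic_' . $token, (int) $user->ID, 15 * MINUTE_IN_SECONDS );
        $link = add_query_arg( 'oe_magic', $token, home_url( '/' ) );
        EmailNotifier::send( $user->ID, 'magic_link', array( 'link' => $link ) );
    }
    // Identical response whether or not the address is registered (no enumeration).
    wp_send_json_success( array( 'message' => 'If that address is registered, a link is on its way.' ) );
}

add_action( 'init', 'oe_example_consume_magic_link' );

function oe_example_consume_magic_link() {
    if ( empty( $_GET['oe_magic'] ) ) {
        return;
    }
    $token = (string) $_GET['oe_magic'];
    // Accept only the exact shape wp_generate_password( 48, false ) produces.
    if ( ! preg_match( '/^[A-Za-z0-9]{48}$/', $token ) ) {
        wp_die( 'Invalid or expired link.' );
    }
    $user_id = get_transient( 'oe_magic_' . $token );
    // Single use: discard the transient as soon as it is read so the link cannot be presented again.
    delete_transient( 'oe_magic_' . $token );
    if ( ! $user_id || ! get_user_by( 'id', (int) $user_id ) ) {
        wp_die( 'Invalid or expired link.' );
    }
    wp_set_auth_cookie( (int) $user_id, false );

    // Redirect to the dashboard page recorded in oe_settings, falling back to the home page.
    $settings  = get_option( 'oe_settings', array() );
    $dashboard = ! empty( $settings['dashboard_page'] ) ? get_permalink( (int) $settings['dashboard_page'] ) : home_url( '/' );
    wp_safe_redirect( $dashboard );
    exit;
}
```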
Two-factor authentication
Two methods ship:
- TOTP - 32-char base32 secret, six-digit code, one-step window tolerance. Compatible with Google Authenticator, Authy, 1Password.
- Email - six-digit code generated with random_int(), stored as a 10-minute transient, delivered via EmailNotifier::send( $user_id, '2fa_code', ... ).
Backup codes are generated on TOTP setup and stored as bcrypt hashes. Settings live under Engagement -> Auth -> 2FA.
Brute force protection
BruteForce::register() records every failed attempt in wp_or_login_attempts (indexed by ip_address, attempted_at). Default policy: 5 failures per IP in 10 minutes -> 30-minute lockout. IP whitelisting is available in settings.