authepy.
Dev Hub / WordPress Core (PHP)

Eliminate brute-force attacks on WordPress.

By replacing standard WordPress passwords with Authepy OTPs, you instantly neutralize password brute-force attacks and credential-stuffing bots. The integration calls the Authepy API from your server using WordPress's native `wp_remote_post` function.

Native PHP Integration
|
wp_ajax Built-in
wp-config.php
// Step 1 (wp-config.php): define the Authepy secret key as a server-side constant.
// The value shown is a placeholder. Keep the real key out of version control
// and never print it into HTML or JavaScript.
define('AUTHEPY_SECRET_KEY', 'ath_sec_live_...');
// Step 2 (theme or plugin code, after WordPress has loaded): call the API with
// wp_remote_post(). The key travels only in the server-to-server Authorization
// header. wp_remote_post() is not yet defined while wp-config.php itself runs.
wp_remote_post('https://api.authepy.com/api/otp/request', [
    'headers' => [
        'Authorization' => sprintf('Bearer %s', AUTHEPY_SECRET_KEY),
    ],
]);
01

Backend Implementation

Because WordPress is a server-rendered application running PHP, you must use your Standard Secret Key. Store this key securely in `wp-config.php`, keep it out of version control and out of any HTML or JavaScript sent to the browser, and use WordPress's native AJAX hooks to build secure endpoints.

functions.php PHP 8+
<?php
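$authepy_api_url = 'https://api.authepy.com/api';

/**
 * Read one POST field as an unslashed string.
 *
 * Returns '' when the field is missing or is not a plain string (for example
 * an array submitted as email[]), so callers never pass unexpected types to
 * the sanitizers.
 *
 * @param string $key Name of the POST field.
 * @return string
 */
function authepy_post_field($key) {
    if ( !isset($_POST[$key]) || !is_string($_POST[$key]) ) {
        return '';
    }
    return wp_unslash($_POST[$key]);
}

/**
 * Transient name under which the email for a pending OTP request is stored.
 *
 * The request id is hashed so the name has a fixed length and contains only
 * characters that are safe in an option name.
 *
 * @param string $request_id Request id issued by the Authepy API.
 * @return string
 */
function authepy_pending_key($request_id) {
    return 'authepy_otp_' . hash('sha256', sanitize_text_field((string) $request_id));
}

/**
 * POST a JSON payload to the Authepy API and return the decoded response.
 *
 * @param string $path    API path appended to $authepy_api_url, e.g. '/otp/request'.
 * @param array  $payload Data sent as the JSON request body.
 * @return array|null Decoded response, or null on a transport error or a
 *                    body that is not a JSON object/array.
 */
function authepy_api_post($path, array $payload) {
    global $authepy_api_url;

    $response = wp_remote_post($authepy_api_url . $path, array(
        'timeout' => 10,
        'headers' => array(
            'Authorization' => 'Bearer ' . AUTHEPY_SECRET_KEY,
            'Content-Type'  => 'application/json',
        ),
        'body' => wp_json_encode($payload),
    ));

    // Network failures come back as WP_Error, not as an HTTP response.
    if ( is_wp_error($response) ) {
        return null;
    }

    $body = json_decode(wp_remote_retrieve_body($response), true);
    return is_array($body) ? $body : null;
}

/**
 * Pick the message to return to the browser for a failed API call.
 *
 * @param array|null $body Decoded API response, or null.
 * @return string The API's 'error' string when present, otherwise a generic message.
 */
function authepy_error_message($body) {
    if ( is_array($body) && isset($body['error']) && is_string($body['error']) ) {
        return $body['error'];
    }
    return 'Request failed. Please try again.';
}

// --- REQUEST OTP ---
add_action('wp_ajax_nopriv_authepy_request', 'authepy_request_otp');
add_action('wp_ajax_authepy_request', 'authepy_request_otp');

/**
 * AJAX handler: ask Authepy to send a one-time code to the posted email.
 *
 * On success the email is stored server-side under the issued request id, so
 * the verify step can tell which address the code was sent to.
 */
function authepy_request_otp() {
    $email = sanitize_email(authepy_post_field('email'));
    if ( !is_email($email) ) {
        wp_send_json_error(array('message' => 'Please enter a valid email address.'));
    }

    // NOTE(review): this endpoint is reachable without authentication, so each
    // call can send an email and consume API quota. Add a per-IP and per-address
    // throttle here unless the API is confirmed to enforce one.
    $body = authepy_api_post('/otp/request', array('email' => $email));

    if ( is_array($body) && isset($body['success'], $body['requestId']) && $body['success'] === true ) {
        // TTL is an assumption: align it with the OTP lifetime of your Authepy project.
        set_transient(authepy_pending_key($body['requestId']), $email, 10 * MINUTE_IN_SECONDS);
        wp_send_json_success(array('requestId' => $body['requestId']));
    } else {
        wp_send_json_error(array('message' => authepy_error_message($body)));
    }
}

// --- VERIFY OTP & LOGIN ---
add_action('wp_ajax_nopriv_authepy_verify', 'authepy_verify_otp');
add_action('wp_ajax_authepy_verify', 'authepy_verify_otp');

/**
 * AJAX handler: verify a one-time code and log the matching user in.
 *
 * The account is chosen from the email recorded when the code was requested.
 * An 'email' field in the verify request is ignored: the API call below only
 * proves that the code matches the request id, so trusting a client-supplied
 * address here would let a code issued for one mailbox authenticate as another.
 */
function authepy_verify_otp() {
    $request_id = sanitize_text_field(authepy_post_field('requestId'));
    $user_guess = sanitize_text_field(authepy_post_field('code'));
    if ( $request_id === '' || $user_guess === '' ) {
        wp_send_json_error(array('message' => 'Missing request id or code.'));
    }

    $pending_key = authepy_pending_key($request_id);
    $email = get_transient($pending_key);
    if ( !is_string($email) || !is_email($email) ) {
        // Unknown or expired request id: fail closed.
        wp_send_json_error(array('message' => 'This login request has expired. Please request a new code.'));
    }

    // NOTE(review): confirm the API limits wrong guesses per request id;
    // if it does not, count failed attempts here and drop the pending entry.
    $body = authepy_api_post('/otp/verify', array('requestId' => $request_id, 'userGuess' => $user_guess));
    if ( !is_array($body) || !isset($body['success']) || $body['success'] !== true ) {
        wp_send_json_error(array('message' => authepy_error_message($body)));
    }

    // A verified request id is single-use.
    delete_transient($pending_key);

    $user = get_user_by('email', $email);
    if ( !$user ) {
        // Auto-create user if they don't exist.
        // NOTE(review): this creates an account for any address that can
        // receive mail, independent of the site's registration setting.
        // The password is never shown to the user, so make it long and random.
        $user_id = wp_create_user($email, wp_generate_password(32, true), $email);
        if ( is_wp_error($user_id) ) {
            wp_send_json_error(array('message' => 'Could not create the account.'));
        }
        $user = get_user_by('id', $user_id);
    }
    if ( !$user ) {
        wp_send_json_error(array('message' => 'Could not load the account.'));
    }

    // Native WordPress Login Handshake
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID);
    // Fire the standard login hook so audit-log and security plugins record this sign-in.
    do_action('wp_login', $user->user_login, $user);
    wp_send_json_success(array('message' => 'Logged in successfully!'));
}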
?>
02

The Shortcode UI

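With the backend secure, generate a simple Shortcode [authepy_login]. You can paste this on any WordPress page to instantly replace the default `/wp-admin` login form with zero-trust email verification. The shortcode only adds this form to the page it is placed on: the stock `wp-login.php` password form and other password-based entry points keep working until you disable or restrict them separately.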

functions.php Shortcode Extension
<?php
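add_shortcode('authepy_login', 'render_authepy_login_form');

/**
 * Shortcode callback for [authepy_login]: returns the login form markup and
 * the inline script that talks to the admin-ajax.php handlers.
 *
 * The markup is captured with output buffering because a shortcode callback
 * must return its HTML rather than echo it.
 *
 * @return string HTML and inline JavaScript for the form.
 */
function render_authepy_login_form() {
    ob_start(); ?>
    <div id="authepy-wp-container">
        <input type="email" id="ath-email" placeholder="name@company.com" />
        <button type="button" onclick="requestAuthepyOTP()">Send Login Code</button>
    </div>
    
    <script>
        let globalRequestId = null;
        let globalEmail = null;
        // wp_json_encode() prints a quoted, escaped JavaScript string literal,
        // so the URL cannot break out of the script context.
        const authepyAjaxUrl = <?php echo wp_json_encode(admin_url('admin-ajax.php')); ?>;

        function requestAuthepyOTP() {
            const email = document.getElementById('ath-email').value;
            const formData = new URLSearchParams();
            formData.append('action', 'authepy_request');
            formData.append('email', email);

            fetch(authepyAjaxUrl, { method: 'POST', body: formData })
                .then(res => res.json())
                .then(data => {
                    if (data.success) {
                        globalRequestId = data.data.requestId;
                        globalEmail = email;
                        // Display the OTP input field here
                    }
                })
                .catch(() => {
                    // Network or JSON error: show a retry message here
                });
        }
        
        function verifyAuthepyOTP() {
            // Frontend Fetch mapped to 'authepy_verify'
            // Send globalRequestId and the code the user typed. The server must
            // decide which account to log in from the request id it issued,
            // not from an email value sent by the browser.
            // On success: window.location.reload(); 
        }
    </script>
    <?php
    return ob_get_clean();
}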
?>

Ready to secure your WordPress?

Say goodbye to database hacks and stolen passwords. Generate your API keys and lock down your PHP architecture in minutes.