Eliminate brute-force attacks on WordPress.
By replacing standard WordPress passwords with Authepy OTPs, requested through WordPress's native `wp_remote_post` function, you instantly neutralize brute-force attacks and credential-stuffing bots.
Native PHP Integration
| wp_ajax Built-in
wp-config.php
// Step 1 (wp-config.php): keep the Authepy secret key in a server-side constant.
// The value must never be printed into page markup or JavaScript.
define('AUTHEPY_SECRET_KEY', 'ath_sec_live_...');

// Step 2 (plugin or theme code): call Authepy from the backend through the
// WordPress HTTP API. wp-config.php runs before WordPress loads its HTTP
// functions, so this call belongs in code that runs after WordPress has booted.
wp_remote_post(
    'https://api.authepy.com/api/otp/request',
    [
        'headers' => [
            // The key travels only in this server-to-server request header.
            'Authorization' => sprintf('Bearer %s', AUTHEPY_SECRET_KEY),
        ],
    ]
);
01
Backend Implementation
Because WordPress is a server-rendered application running PHP, you must use your Standard Secret Key. Store this key in `wp-config.php`, never output it in page markup or JavaScript, and use WordPress's native AJAX hooks to build the endpoints that call Authepy on the browser's behalf.
functions.php PHP 8+
<?php
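$authepy_api_url = 'https://api.authepy.com/api';

/**
 * Name of the transient that remembers which e-mail address an OTP request was
 * issued for. The request ID is hashed so the name has a fixed length and
 * character set regardless of what the API returns.
 *
 * @param string $request_id Request ID as returned by the Authepy API.
 * @return string Transient name.
 */
function _authepy_request_key($request_id) {
    return 'authepy_req_' . hash('sha256', (string) $request_id);
}

/**
 * Decode an Authepy HTTP response into an array.
 *
 * @param array|WP_Error $response Return value of wp_remote_post().
 * @return array Decoded JSON body, or an empty array on transport or decode failure.
 */
function _authepy_decode_response($response) {
    if ( is_wp_error($response) ) {
        return array();
    }
    $decoded = json_decode(wp_remote_retrieve_body($response), true);
    return is_array($decoded) ? $decoded : array();
}

/**
 * Pick the message to send back to the browser after a failed API call.
 *
 * @param array  $body     Decoded API response.
 * @param string $fallback Message used when the API supplied no error text.
 * @return string
 */
function _authepy_error_message($body, $fallback) {
    return ( isset($body['error']) && is_string($body['error']) ) ? $body['error'] : $fallback;
}

// --- REQUEST OTP ---
add_action('wp_ajax_nopriv_authepy_request', 'authepy_request_otp');
add_action('wp_ajax_authepy_request', 'authepy_request_otp');

/**
 * AJAX handler: ask Authepy to send a one-time code to the posted address.
 *
 * Reads $_POST['email'], forwards it to the /otp/request endpoint and, on
 * success, records server-side which address the returned request ID belongs
 * to. Replies with JSON: {requestId} on success, {message} on failure.
 *
 * NOTE(review): this action is reachable without login and triggers an
 * outbound e-mail per call; add per-IP / per-address throttling before
 * production use.
 */
function authepy_request_otp() {
    global $authepy_api_url;

    // $_POST may lack the key entirely, and WordPress adds slashes to request data.
    $email = isset($_POST['email']) ? sanitize_email(wp_unslash($_POST['email'])) : '';
    if ( ! is_email($email) ) {
        // wp_send_json_*() ends the request, so no explicit return is needed.
        wp_send_json_error(array('message' => 'A valid email address is required.'));
    }

    $response = wp_remote_post($authepy_api_url . '/otp/request', array(
        'headers' => array(
            'Authorization' => 'Bearer ' . AUTHEPY_SECRET_KEY,
            'Content-Type'  => 'application/json',
        ),
        'body' => wp_json_encode(array('email' => $email)),
    ));
    $body = _authepy_decode_response($response);

    if ( isset($body['success'], $body['requestId']) && $body['success'] === true && is_scalar($body['requestId']) ) {
        $request_id = sanitize_text_field((string) $body['requestId']);

        // Bind the request ID to the address the code was sent to. The verify
        // handler reads the address back from here instead of from the browser.
        // NOTE(review): 10 minutes is a placeholder; set it to Authepy's
        // documented code lifetime.
        set_transient(_authepy_request_key($request_id), $email, 10 * MINUTE_IN_SECONDS);

        wp_send_json_success(array('requestId' => $request_id));
    }

    wp_send_json_error(array(
        'message' => _authepy_error_message($body, 'Could not send a login code. Please try again.'),
    ));
}

// --- VERIFY OTP & LOGIN ---
add_action('wp_ajax_nopriv_authepy_verify', 'authepy_verify_otp');
add_action('wp_ajax_authepy_verify', 'authepy_verify_otp');

/**
 * AJAX handler: check the submitted code with Authepy and log the user in.
 *
 * Reads $_POST['requestId'] and $_POST['code']. The account to log in is the
 * one whose address was recorded for that request ID when the code was sent.
 * A posted 'email' field is ignored: trusting it would let a code proven for
 * one mailbox authenticate a different account.
 */
function authepy_verify_otp() {
    global $authepy_api_url;

    $request_id = isset($_POST['requestId']) ? sanitize_text_field(wp_unslash($_POST['requestId'])) : '';
    $user_guess = isset($_POST['code']) ? sanitize_text_field(wp_unslash($_POST['code'])) : '';
    if ( '' === $request_id || '' === $user_guess ) {
        wp_send_json_error(array('message' => 'Request ID and code are required.'));
    }

    // Address bound to this request ID at request time (server-side state).
    $transient_key = _authepy_request_key($request_id);
    $email         = get_transient($transient_key);
    if ( ! is_string($email) || ! is_email($email) ) {
        wp_send_json_error(array('message' => 'This login request has expired. Please request a new code.'));
    }

    $response = wp_remote_post($authepy_api_url . '/otp/verify', array(
        'headers' => array(
            'Authorization' => 'Bearer ' . AUTHEPY_SECRET_KEY,
            'Content-Type'  => 'application/json',
        ),
        'body' => wp_json_encode(array('requestId' => $request_id, 'userGuess' => $user_guess)),
    ));
    $body = _authepy_decode_response($response);

    if ( ! isset($body['success']) || $body['success'] !== true ) {
        // The binding is kept so the user can retry with the same request ID.
        wp_send_json_error(array(
            'message' => _authepy_error_message($body, 'The code could not be verified.'),
        ));
    }

    // A verified request ID is single-use on this side as well.
    delete_transient($transient_key);

    $user = get_user_by('email', $email);
    if ( ! $user ) {
        // Auto-create user if they don't exist.
        // NOTE(review): this provisions an account for any address that
        // completes verification, regardless of the site's "Anyone can
        // register" setting. Confirm that is intended.
        // The password is never shown to anyone, so make it long and complex.
        $random_password = wp_generate_password(32, true);
        $user_id         = wp_create_user($email, $random_password, $email);
        if ( is_wp_error($user_id) ) {
            wp_send_json_error(array('message' => 'Could not create an account for this address.'));
        }
        $user = get_user_by('id', $user_id);
    }
    if ( ! $user ) {
        wp_send_json_error(array('message' => 'Could not load the account for this address.'));
    }

    // Native WordPress Login Handshake
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID);
    wp_send_json_success(array('message' => 'Logged in successfully!'));
}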
?> 02
The Shortcode UI
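With the backend secure, register a simple shortcode, [authepy_login]. You can paste this on any WordPress page to instantly replace the default `/wp-admin` login form with zero-trust email verification. Note that the code shown here adds an OTP login form; password logins through the standard WordPress login screen stay available until you disable them separately.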
functions.php Shortcode Extension
<?php
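add_shortcode('authepy_login', 'render_authepy_login_form');

/**
 * Shortcode callback for [authepy_login].
 *
 * Buffers and returns the e-mail form plus the inline script that posts to
 * admin-ajax.php with action 'authepy_request'. The verify step is left as a
 * stub for the integrator to complete.
 *
 * @return string HTML and inline JavaScript for the login widget.
 */
function render_authepy_login_form() {
    ob_start(); ?>
    <div id="authepy-wp-container">
        <input type="email" id="ath-email" placeholder="name@company.com" />
        <!-- type="button" keeps the click from submitting a surrounding form -->
        <button type="button" onclick="requestAuthepyOTP()">Send Login Code</button>
    </div>
    <script>
    let globalRequestId = null;
    let globalEmail = null;
    // wp_json_encode() emits a quoted, escaped JavaScript string literal, so the
    // URL cannot break out of the string or the script element. The name avoids
    // the `ajaxurl` global that WordPress admin screens already declare.
    const authepyAjaxUrl = <?php echo wp_json_encode(esc_url_raw(admin_url('admin-ajax.php'))); ?>;

    function requestAuthepyOTP() {
        const email = document.getElementById('ath-email').value;
        const formData = new URLSearchParams();
        formData.append('action', 'authepy_request');
        formData.append('email', email);

        fetch(authepyAjaxUrl, { method: 'POST', body: formData })
            .then(res => res.json())
            .then(data => {
                if (data.success) {
                    globalRequestId = data.data.requestId;
                    globalEmail = email;
                    // Display the OTP input field here
                }
                // When showing a server message, assign it with textContent,
                // not innerHTML, so it is never parsed as markup.
            })
            .catch(() => {
                // Network failure or a non-JSON reply: show a generic error here.
            });
    }

    function verifyAuthepyOTP() {
        // Frontend Fetch mapped to 'authepy_verify'
        // On success: window.location.reload();
    }
    </script>
    <?php
    return ob_get_clean();
}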
?> Ready to secure your WordPress?
Say goodbye to database hacks and stolen passwords. Generate your API keys and lock down your PHP architecture in minutes.