How does AAM Secure Login work

The free version of the Advanced Access Manager plugin comes with its own frontend authentication widget and shortcode, so you do not have to use any other plugin or the default WordPress login page. The main reason I introduced this feature in AAM v4.9.2, rather than relying on the dozens of other login plugins, is that AAM Secure Login works very well with the login redirect functionality.

By default this feature is disabled; use the Secure Login option to enable it.

The Secure Login feature includes a frontend widget, which you can find on the Appearance ≫ Widgets page, and the [aam context="login"] shortcode, which can be dropped anywhere on your site and will be replaced with the login form. Both use asynchronous AJAX requests (the page is not reloaded) to authenticate the user. Below you can find more details about each option.

AAM Secure Login Widget

The widget works the same way as any other WordPress widget. Here you can define the title for the login widget and the greeting message for an already authenticated user. Simply drag-and-drop it to your sidebar on the Appearance ≫ Widgets page and you are good to go. The content of the widget is adjusted automatically depending on whether the user is logged in or not.

WordPress Secure Login

Please Note! When a user is logged in but does not have access to the backend, the Dashboard link will not be displayed. You can learn more about restricting access to the backend in the How to lockdown WordPress backend article.

AAM Secure Login Shortcode

Another way to add a secure login form to your website is to use [aam context="login"]. Simply drop it anywhere within a page or post content and it will be replaced with the login form. There are a few attributes that can be used to enhance the shortcode behavior.

If you are copying and pasting the shortcode from our website, make sure that the correct quotes are preserved. Sometimes, depending on the operating system, quotes are not transferred correctly and you will have to change them manually.

“id” – assigns a unique ID to the login form. Very useful if you need to do additional JavaScript manipulation or styling. The default value is a random string;
“user-span” – customizes the greeting message shown when the user is authenticated. The default message is “Howdy, %username%”;
“redirect” – redirect URL. I suggest using the Login Redirect feature instead of this attribute;
“callback” – defines your own callback function that will render the login form. Only a valid PHP callback definition is accepted.

Enhance Security

Additionally, there are three options that you can toggle to enhance the security of your website. You can find them in the Settings area under the Security Settings tab.

The Login Timeout is the easiest and most efficient way to slow down any brute-force attack on your website. Typically, when you send a login request to the WordPress core, it takes about 50 to 100 milliseconds to get a response. The Login Timeout option slows this response down to 1 second. Technically this means that every attempt becomes 10 to 20 times slower, which significantly reduces the chance that criminals get access to your website.

The second option is Brute Force Lockout. This counts the number of failed login attempts per IP address, and if there are 20 failed attempts to log in from one IP address, AAM will automatically block any further attempts from it for the next 20 minutes.

Finally, the third option is One Session Per User, which ensures that the same user can be logged in at one location only. For example, if John Dawn logged in at the school library in the morning and forgot to log out, he can simply log in from his home computer or even his mobile phone, and this will destroy the active session he opened in the school library. A very good feature if you want to make sure that there is only one active session per user on your website.

These settings are also applied automatically to authentication with a JWT token. For more information about this, please check the How to authenticate WordPress user with JWT token article.

Both the Login Timeout and Brute Force Lockout features are highly configurable with ConfigPress. Below is the list of all available settings.

[aam]
; Set login timeout in seconds
security.login.timeout = 1
; Set number of login attempts
security.login.attempts = 20
; Set login lockout time. Any valid Date Time Format.
security.login.period = "20 minutes"
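The following is an added example, not AAM's own code: it reads a ConfigPress fragment in the format shown above and models the Brute Force Lockout policy the section describes (count failed attempts per IP, block further attempts for the configured period once the limit is reached). It assumes a period written as "N unit(s)" and, since the page does not say, that a successful login resets the counter for that IP.

```python
import configparser

# Constructed ConfigPress fragment using the default values quoted on the page.
CONFIGPRESS = """[aam]
; Set login timeout in seconds
security.login.timeout = 1
; Set number of login attempts
security.login.attempts = 20
; Set login lockout time. Any valid Date Time Format.
security.login.period = "20 minutes"
"""

SECONDS_PER = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_config(text):
    """Read the [aam] section; a period such as '20 minutes' becomes seconds."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    aam = cp["aam"]
    amount, unit = aam["security.login.period"].strip('"').split()
    return {
        "timeout": int(aam["security.login.timeout"]),
        "attempts": int(aam["security.login.attempts"]),
        "period": int(amount) * SECONDS_PER[unit.rstrip("s")],
    }

class BruteForceLockout:
    """Per-IP failed-attempt counter modelled on the page's description."""
    def __init__(self, attempts, period):
        self.attempts, self.period = attempts, period
        self.failures, self.locked_until = {}, {}   # both keyed by client IP

    def attempt(self, ip, password_ok, now):
        """Classify one login attempt at epoch time `now` (seconds)."""
        until = self.locked_until.get(ip)
        if until is not None:
            if now < until:
                return "locked"           # still inside the lockout window
            del self.locked_until[ip]     # window elapsed, start counting again
            self.failures[ip] = 0
        if password_ok:                   # assumption: success clears the count
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.attempts:
            self.locked_until[ip] = now + self.period
        return "failed"
```

Note that the 20th failure is still reported as "failed"; the lockout applies to every attempt after it, including ones with the correct password, until the period has elapsed.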

For Developers

The Secure Login widget and shortcode come with a very basic layout and styling; however, you have the ability to override it with your own custom form. Two ConfigPress settings can be used to replace the default login forms, as follows:

[aam]
; Path to the custom template for the Widget. The {ABSPATH} marker will be replaced with 
; absolute path to the website root
feature.secureLogin.widget.template = "{ABSPATH}wp-content/themes/my-theme/login-widget.phtml"
; Path to the custom template for the shortcode.
feature.secureLogin.shortcode.template = "/your-full-path/themes/my-theme/login-form.phtml"

The widget’s template is included in the AAM_Backend_Widget_Login scope, so you can access all the public WP_Widget methods as well as the widget arguments.

The shortcode’s template is included in the AAM_Shortcode_Strategy_Login scope, and you can access the shortcode attributes or content with the getArgs() and getContent() methods respectively.
