How does AAM Secure Login work

The free version of the Advanced Access Manager plugin comes with its own frontend authentication widget, so you do not have to use any other plugin or the default WordPress login page. The main reason we introduced this feature in AAM 4.9.2, rather than relying on dozens of other login plugins, is that AAM secure login works very well with the Login Redirect functionality.

Secure Login Widget

The secure login widget works the same way as any other WordPress widget. Here you can define the title for the login widget and the greeting message for an already authenticated user. Simply drag and drop it onto your sidebar on the Appearance ≫ Widgets page and you are good to go. The content of the widget adjusts automatically depending on whether a user is logged in.

WordPress Secure Login

Note! When a user is logged in but does not have access to the backend, the Dashboard link will not be displayed. You can learn more about restricting access to the backend from the How to lockdown WordPress backend article.

Enhanced Security Options

Additionally, there are a couple of options that you can toggle to enhance the security of your website. You can find them in the Settings Area under the Security Settings tab.

The Brute Force Lockout option counts the number of login attempts per IP address, and if there are 20 failed login attempts from one IP address, AAM will automatically block any further attempts for the next 20 minutes.

The One Session Per User option ensures that the same user can be logged in at one location only. For example, if John Dawn logged in at the school library in the morning and forgot to log out, he can simply log in from his home computer or even his mobile phone, and this will destroy the active session that he opened in the school library. This is a very good feature when you need to be sure that there is only one session per user.

Note! These settings are also automatically applied to authentication with a JWT token. For more information about this, check the Ultimate guide to WordPress JWT authentication article.

The Brute Force Lockout option is highly configurable through AAM's internal configuration engine, ConfigPress. Below is the list of all available settings.

[aam]
; Set number of login attempts
service.secureLogin.settings.loginAttempts = 20
; Set login lockout time. Any valid Date Time Format.
service.secureLogin.settings.attemptWindow = "20 minutes"
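
An added illustration, not AAM's own code, of how the two settings above interact: a Python model that reads the ConfigPress snippet and applies a per-IP failed-login counter. The counter-expiry behaviour, the simple "N units" duration parsing and all names (`load_settings`, `LockoutModel`, `simulate`) are assumptions made for this example.

```python
import configparser

# The page's ConfigPress snippet, embedded as sample input.
CONFIGPRESS = '''
[aam]
; Set number of login attempts
service.secureLogin.settings.loginAttempts = 20
; Set login lockout time. Any valid Date Time Format.
service.secureLogin.settings.attemptWindow = "20 minutes"
'''
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def load_settings(text):
    """Return (max_attempts, window_seconds) from a ConfigPress [aam] section."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    aam = cp["aam"]
    attempts = int(aam["service.secureLogin.settings.loginAttempts"])
    amount, unit = aam["service.secureLogin.settings.attemptWindow"].strip('"').split()
    return attempts, int(amount) * UNITS[unit.rstrip("s")]

class LockoutModel:
    """Per-IP failed-login counter (illustrative model, not AAM's implementation)."""
    def __init__(self, max_attempts, window):
        self.max_attempts, self.window = max_attempts, window
        self.state = {}  # ip -> (failures, time the counter or block expires)

    def is_blocked(self, ip, now):
        failures, expires = self.state.get(ip, (0, 0))
        return failures >= self.max_attempts and now < expires

    def record_failure(self, ip, now):
        failures, expires = self.state.get(ip, (0, 0))
        if now >= expires:               # assumption: a stale counter starts over
            failures, expires = 0, now + self.window
        failures += 1
        if failures >= self.max_attempts:
            expires = now + self.window  # block for the next full window
        self.state[ip] = (failures, expires)

def simulate(events, text=CONFIGPRESS):
    """events: (seconds, ip) failed logins. Returns (seconds, ip, outcome) tuples."""
    model, out = LockoutModel(*load_settings(text)), []
    for now, ip in events:
        blocked = model.is_blocked(ip, now)
        if not blocked:
            model.record_failure(ip, now)
        out.append((now, ip, "blocked" if blocked else "failed"))
    return out
```

Because the counter is keyed by IP address, users behind one shared address are locked out together, and the limit is enforced per address rather than per account.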

For Developers

The secure login widget comes with a very basic layout and styling; however, you can override it with your own custom form. The following ConfigPress setting replaces the default login form:

[aam]
; Path to the custom template for the Widget. The {ABSPATH} marker will be replaced with 
; absolute path to the website root
service.secureLogin.settings.widget.template = "{ABSPATH}wp-content/themes/my-theme/login-widget.phtml"

The widget’s template is included in the AAM_Backend_Widget_Login scope so you can access all the public WP_Widget methods as well as widget arguments.
