securityninja_temporary_login_params

Allows plugins to register custom query parameter names that should be recognized as temporary login links and exempted from suspicious query detection. The exemption is applied only after the registering plugin's file is verified to be active.

Parameters

  • $params (array) – Array of arrays, each containing:
    • param (string) – Query parameter name to check for
    • plugin_file (string) – Plugin file path (e.g., 'plugin-folder/plugin-file.php')
    • requires (array, optional) – Additional required parameters (for plugins like Magic Login that need multiple params)
    • prefix (bool, optional) – If true, checks for parameters starting with the param value (for dynamic prefixes like Login Links)

Default Supported Plugins

  • wtlwp_token → Temporary Login Without Password
  • one_time_login_token → One Time Login
  • magic-login + user_id + token → Magic Login
  • Parameters starting with ll → Login Links

Example Usage

add_filter('securityninja_temporary_login_params', function($params) {
    // Add your plugin's temporary login parameter with plugin file
    $params[] = array(
        'param' => 'my_plugin_login_token',
        'plugin_file' => 'my-plugin/my-plugin.php'
    );
    return $params;
});

Advanced Example: Multiple Required Parameters

add_filter('securityninja_temporary_login_params', function($params) {
    // For plugins that require multiple parameters
    $params[] = array(
        'param' => 'my_login',
        'plugin_file' => 'my-plugin/my-plugin.php',
        'requires' => array('user_id', 'token')
    );
    return $params;
});

Advanced Example: Dynamic Prefix Pattern

add_filter('securityninja_temporary_login_params', function($params) {
    // For plugins that use dynamic prefixes (e.g., 'prefix' + token)
    $params[] = array(
        'param' => 'my_prefix',
        'plugin_file' => 'my-plugin/my-plugin.php',
        'prefix' => true  // Checks for any param starting with 'my_prefix'
    );
    return $params;
});

Security Note

The plugin file path is verified using is_plugin_active() before bypassing checks. This prevents abuse where someone could use a parameter name without the actual plugin being installed.
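The matching rules from the Parameters list and the active-plugin check described above, modelled as an added example (this is not Security Ninja's own code). The function name, the callable standing in for is_plugin_active(), the sample requests, and the reading that 'param' plus every 'requires' name must all be present are assumptions.

```php
<?php
// Added illustration, not Security Ninja's code. Names are hypothetical.
// $is_active stands in for WordPress's is_plugin_active().
function example_find_login_exemption(array $query, array $entries, callable $is_active): ?array {
    foreach ($entries as $entry) {
        if (empty($entry['param']) || empty($entry['plugin_file'])) {
            continue; // malformed entry: never exempt
        }
        if (!$is_active($entry['plugin_file'])) {
            continue; // plugin not active: the parameter name alone is not enough
        }
        $hit = false;
        foreach (array_keys($query) as $name) {
            $name = (string) $name;
            $hit = empty($entry['prefix'])
                ? $name === $entry['param']
                : strncmp($name, $entry['param'], strlen($entry['param'])) === 0;
            if ($hit) { break; }
        }
        // Assumption: 'param' and every name in 'requires' must all be present.
        $missing = array_diff($entry['requires'] ?? array(), array_map('strval', array_keys($query)));
        if ($hit && !$missing) {
            return $entry;
        }
    }
    return null;
}
// Constructed entries, copied from the three examples on this page.
$file = 'my-plugin/my-plugin.php';
$entries = array(
    array('param' => 'my_plugin_login_token', 'plugin_file' => $file),
    array('param' => 'my_login', 'plugin_file' => $file, 'requires' => array('user_id', 'token')),
    array('param' => 'my_prefix', 'plugin_file' => $file, 'prefix' => true),
);
$active = fn($f) => $f === $file;
$inactive = fn($f) => false;
// Constructed requests (parsed query string => which activity check to use).
$cases = array(
    'exact token, plugin active'      => array(array('my_plugin_login_token' => 'abc'), $active),
    'exact token, plugin inactive'    => array(array('my_plugin_login_token' => 'abc'), $inactive),
    'my_login without companions'     => array(array('my_login' => '1'), $active),
    'my_login with user_id and token' => array(array('my_login' => '1', 'user_id' => '7', 'token' => 'abc'), $active),
    'prefixed dynamic name'           => array(array('my_prefix9f3' => 'abc'), $active),
);
foreach ($cases as $label => list($query, $check)) {
    $entry = example_find_login_exemption($query, $entries, $check);
    printf("%-33s %s\n", $label, $entry ? 'exempt via ' . $entry['param'] : 'inspected as usual');
}
```

A prefix entry exempts every parameter name that begins with the registered value, so a distinctive prefix keeps the exemption narrow.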
