August 4, 2017 by Paul G. | Blog

Update: WordPress Email Two-Factor Authentication – No Auto-Login Links

Shield Image

This is a quick explanatory update on our Shield Security plugin for WordPress.

We’ve been providing email-based two-factor authentication (2FA) for a looong time. And recently we’ve received some feedback about the placing of a direct-login link within the email that is sent out.

How Shield’s Two-Factor Authentication Portal Works

With the portal you’re prompted to enter any or all of your 2FA codes to confirm your login. If you have turned on email-based 2FA, then you’ll get an email with both the code you need, and also a link.

This link will do 1 of 2 things:

  • if you have 2 or more factors that are required, then it’ll pre-populate the portal with your code #neat
  • if email is your only 2nd factor, it’ll log you straight into the site automagically #super-neat

The problem arises with the 2nd option. If a 2-factor email is sent out and intercepted, then the unwelcome visitor wins with a direct link right into your WordPress admin.

The chances of this are slim for 2 reasons:

  • the two-factor portal has a 5 minute window. If you miss it, you have to start your login from scratch.
  • the link can only ever be used once.

But the chance, however slim, remains. So what is the next step?

Decision: Remove The Automatic Login Link

The link is really convenient, but we feel that there is little/no inconvenience in copy-pasting the code into your login portal.

So from Shield v5.12.2 we’ve removed the link from the outgoing two-factor email. You will now have to copy-paste the code into the portal directly.

We apologise if this is a problem for you, but we hope you’ll understand the reason behind it.


ShieldPRO Testimonials
@fitwarrior's Gravatar @fitwarrior

Good options, great support

I esp like the ability to hide/rename the wp-admin login page. Couldn’t even guess the # of millions of fake requests stopped just by this feature.

@grandt's Gravatar @grandt

Simple Firewall Plugin

This plugin makes the best protection overall I’ve tried a lot of security plugins, but this one does not force you to upgrade to a pro version. And why should it? I’ts already a Pro version! For Free! I can’t think of any other plugin where you get so much…

@annajutta's Gravatar @annajutta


This plugin really helps me a lot, before I installed I got hacked a couple of time and it was a nightmare, now I seem to have control over the sight, thank you sooo much

@csburdick's Gravatar @csburdick

Really happy with this plugin for ages

I’ve been using Shield almost since they came out, and it blows away all the other plugins I’ve used. I’ve been using the Pro version on all my sites, but the free version is great as well. I’ve had a few issues here and there, but support is always on…

Hey there gorgeous! Do you like what you've read here? :)

If this cool feature is something you'd like, but you haven't gone PRO yet, click here to get started today. (no risk, with a 14-day satisfaction guarantee!)

You'll get all PRO features, including Malware Scanning, WP Config Protection, Plugin FileGuard, import/export, customer support, and so much more. Not only that, you'll get that warm, fuzzy feeling that comes from supporting our work and future development.

I Was Born To Go Pro →

Leave a Comment

Your email address will not be published. Required fields are marked *

Click to access the login or register cheese