Easy Secure Login – Google One Tap & Sign-In

Easy Secure Login enhances your site’s security by integrating two powerful Google authentication methods: Google Sign-In and Google One Tap. It can optionally replace the standard WordPress password system entirely, offering a modern, passwordless login experience.

Born out of necessity after a real-world brute-force attack, this plugin was designed with the option to enforce a Google-only login policy, ensuring that only verified Google accounts can access your site. It combines robust, Google-powered security with a beautiful user interface, automatic user management, and a step-by-step setup wizard.

Key Features

• Optional Passwordless Security: Ability to completely disable standard password logins, forcing all users to authenticate via Google’s secure OAuth 2.0.
• Google Sign-In Button: A clean, modern “Continue with Google” button on your login page.
• Google One Tap: Allows logged-in Google users to sign in instantly with a single click via a non-intrusive pop-up.
• Complete User Management: Whitelist specific Google accounts and assign roles, or allow open registration for any Google user.
• Google Profile Picture Sync: Automatically syncs and displays Google profile pictures as user avatars in WordPress.
• Built-in Security Hardening:
  • Disable XML-RPC to prevent common attacks.
  • Disable the plugin and theme file editor.
  • Hide your WordPress version number.
  • Restrict REST API access to logged-in users.
  • Block direct access to sensitive core files.
• User-Friendly Setup Wizard: A clean, multi-step guide to get your Google Cloud credentials configured in minutes.
• Actively Maintained for the latest WordPress versions.

This plugin provides maximum login security while dramatically improving the user experience.

External services

This plugin uses Google’s Identity Services to provide a secure authentication method (Google Sign-In and Google One Tap). To function, it connects to several Google APIs.

• Service: Google Identity Services (accounts.google.com)
• Purpose: This service is used to display the “Sign in with Google” button and the Google One Tap prompt. It handles the user authentication process directly in the user’s browser.
• Data Sent: This plugin initiates the authentication flow, but user data (like email and password) is entered directly on Google’s domain, not through this plugin. The plugin only receives a secure authentication token from Google after a successful login.

• Terms and Policies:

  • Google Terms of Service: https://policies.google.com/terms
  • Google Privacy Policy: https://policies.google.com/privacy

• Service: Google OAuth & People APIs (oauth2.googleapis.com, www.googleapis.com)

• Purpose: After a user authenticates, the plugin’s server sends the received authentication token/code to these Google APIs to verify its authenticity and retrieve basic user profile information (email, name, profile picture).
• Data Sent: An authentication token/code provided by Google is sent from your server to Google’s servers for validation.
• Terms and Policies:
  • Google APIs Terms of Service: https://developers.google.com/terms

1. Upload the plugin folder to /wp-content/plugins/ or install via Plugins → Add New in WordPress.
2. Activate the plugin through the Plugins menu.
3. Go to Easy Secure Login in the WordPress admin sidebar to launch the setup wizard.
4. Follow the setup wizard:
   • Create a Google Cloud project and configure OAuth credentials.
   • Add the “Authorized redirect URIs” and “Authorized JavaScript origins” provided by the wizard to your Google project.
   • Enter your Google Client ID and Client Secret into the plugin settings.
   • Configure authorized users or enable public sign-ups with a default role.
   • Enable optional Google One Tap on your homepage.
   • Review and enable additional security enhancements.
5. Test the login flow on your WordPress login page.

That’s it! Your site is now enhanced with Google’s secure authentication.

2.1.4

• Fatal Error Fix: Resolved a fatal error (Call to undefined function is_user_logged_in()) caused by the plugin loading before the WordPress core was fully initialized.
• “Headers Already Sent” Fix: Eliminated PHP warnings by moving all cookie-setting operations to appropriate early-loading hooks (template_redirect and login_init), preventing conflicts with themes and other plugins.
• Code Refactoring: Improved the reliability of the authentication flow by refactoring how the CSRF and OAuth state tokens are generated and handled.

2.1.3

• Feature: Added an option to disable standard WordPress password-based authentication, allowing administrators to enforce a Google-only login policy for enhanced security.
• Enhancement: The login page UI now adapts based on whether password login is disabled, ensuring a seamless user experience.
• Enhancement: Updated plugin description and FAQ to reflect the new optional passwordless functionality.

2.1.2

• Security: Hardened security by adding nonce verification to the login error display and One Tap callback handlers to prevent Cross-Site Request Forgery (CSRF) vulnerabilities.
• Security: Implemented the recommended OAuth 2.0 state parameter validation during the standard Google Sign-In flow to protect against CSRF attacks.
• Security: Improved data sanitization on the admin settings page to ensure redirect URLs are handled securely.
• Fix: Corrected a bug where the “Please configure your Google OAuth credentials” admin notice would persist even after the plugin was fully configured.
• Enhancement: Updated the readme.txt to include a comprehensive “External Services” section, clearly documenting the use of Google APIs as required by WordPress plugin guidelines.

2.1.1

Initial Release