
Solid Security Pro Feature Spotlight: Magic Links


Dan Knauss

Our Feature Spotlight posts highlight a single feature in Solid Security Pro. They explain why we developed the feature, who it’s for, and how to use it. In this spotlight, we cover Magic Links. Magic Links deliver a useful website security feature in the Solid Security Pro plugin. Originally, they were designed to improve the user experience for Solid Security’s brute force protection. Then we realized they make all user logins safer and simpler.

Solid Security Pro is great at locking out the bad guys. Unfortunately, the bad guys sometimes target legitimate user accounts. They might test a lot of common or stolen passwords against a legitimate account’s username. Solid Security will temporarily block the attackers — and anyone logging in with this username. That might be the account’s real owner.

Some legitimate users may get their login credentials wrong enough times to lock themselves out. People with disabilities and age working against them may be more likely than others to struggle with a login form. Traditional two-factor authentication (2FA) and CAPTCHAs can frustrate anyone.

You can reduce the risk of bad lockouts by adding users’ device IPs to Solid Security’s allowlist. You can have them use Solid Security’s Trusted Devices feature, too. It’s also possible to manually clear lockouts using Solid Central or the Solid Security dashboard.

These are all good strategies for a group security policy for site editors and administrators. However, none of these options is practical for a busy e-commerce, community, or network site with many users.

Even though it feels great to stop bad guys from breaking into WordPress sites, we don’t like the false positives. We hate it when a good security measure frustrates legitimate users. So, the Solid Security team created a way to allow site users to log in even when they’re locked out. We never want a site manager to have to spend their valuable time clearing locked-out users.

How They Work

Magic Links allow you to log in to your WordPress site even while the Solid Security Local Brute Force Protection feature is locking out your username.

When your username is locked out, you can request an email with a unique login link. Using the emailed link will bypass the username lockout. A brute force attacker can’t do this, so they will remain locked out.

The convenience of Magic Links led us to make it a standard Passwordless Login feature. With Solid Security Pro, you can allow users to log into WordPress just by requesting a Magic Link by email. They won’t have to enter their password.

Here are three great reasons you need Magic Links for your WordPress site:

  1. Legitimate users can get locked out of your website if a brute force attack occurs with their username. Actual usernames can potentially get locked out because of the way that Solid Security brute force protection works. If this happens, they’ll have to wait either for the lockout to expire or contact a website admin to release the lockout for them manually.
  2. Legitimate users can bypass lockouts of their usernames. While their username is blocked as a valid login credential, Solid Security Pro will email them an authorized login link. This secure login link allows a user to log in successfully.
  3. No admin action is needed to release a user’s lockout before they can log in. Free your team from mundane tasks like clearing a lockout manually.

Yes. Solid Security delivers the Magic Link email to the email address associated with the username, so an attacker would also need access to the user’s email account. Once the Magic Link is clicked, a username and password must still be entered successfully to log in to your WordPress website. Plus, if you have Two-Factor Authentication enabled (which we highly recommend), Magic Links require this secondary code to log in successfully.
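A simplified model of the flow described above, added here as an illustration and not Solid Security's own code: a locked-out username can be used again only with a one-time token sent to the address on file, and the password check still applies. The names `LoginGate`, `MAX_FAILURES`, `LINK_TTL` and the in-memory `outbox` are assumptions, as are the threshold and lifetime values.

```python
import hashlib, hmac, secrets, time

MAX_FAILURES = 3   # assumed lockout threshold (not from the page)
LINK_TTL = 900     # assumed link lifetime in seconds (not from the page)

class LoginGate:
    """Toy model: username lockout plus an emailed one-time bypass link."""

    def __init__(self, users):
        self.users = users     # username -> {"email", "password"} (constructed sample data)
        self.failures = {}     # username -> consecutive failed attempts
        self.links = {}        # sha256(token) -> (username, expires_at)
        self.outbox = []       # (email, token) pairs; stands in for the mail system

    def locked(self, username):
        return self.failures.get(username, 0) >= MAX_FAILURES

    def request_link(self, username, now=None):
        """Send a bypass token only to the address stored for the account."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return             # unknown usernames get the same silent response
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.links[digest] = (username, now + LINK_TTL)  # store the hash, not the token
        self.outbox.append((user["email"], token))

    def _redeem(self, username, token, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        owner, expires = self.links.pop(digest, (None, 0))  # pop makes it single use
        return owner == username and now <= expires

    def login(self, username, password, token=None, now=None):
        now = time.time() if now is None else now
        # The link lifts the lockout only; it never replaces the password check.
        if self.locked(username) and not (token and self._redeem(username, token, now)):
            return "locked"
        user = self.users.get(username)
        ok = user is not None and hmac.compare_digest(
            user["password"].encode(), password.encode())
        if not ok:
            self.failures[username] = self.failures.get(username, 0) + 1
            return "denied"
        self.failures.pop(username, None)
        return "ok"
```

The sample stores plaintext passwords only to keep the model short; a real site compares against password hashes.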

To get started with Magic Links, navigate to the security settings’ Features menu and enable Magic Links.

If you encounter a lockout after enabling Magic Links, you will be presented with an option to send a Magic Link to your email address.

Click the “Send authorized login link” link to receive your Magic Links email.

Once you receive the email, use the link, enter your credentials, and you will be back in your site!

Wrapping Up: Get Solid Security Pro Today!

As you can see, Magic Links can add a strong layer of security to your site without any added inconvenience. Magic Links help make sure bad actors and bots are locked out, but real users can log in.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
