Can ChatGPT create a WordPress plugin?

Ivan Radunovic

I needed a way for my customers to directly access their WordPress admin panels by clicking a link inside the WPJack UI without the need to authenticate.

Brief of the idea

  • The user visits a certain site inside WPJack
  • They see the details of the site and an "Access Site" link
  • When they click the link, they are taken to the WP Admin dashboard
  • The solution must be secure and work on a temporary token level

Link authentication solutions on the market

I initially tried to find existing solutions in this area, but all the available plugins were focused on the Magic link feature where the user inputs an email address, and the website sends them a login link.

However, I only required the login link. Ideally, I needed a plugin that would create a new WP API endpoint for link creation and return the link in JSON format.

After searching the plugin directory, I turned to WP CLI to look for similar plugins.

That is when I came across the WP-CLI Login Command plugin.

Upon installation, this plugin provided me with a wp login command that returns a login link. It worked perfectly.

However, this WP CLI plugin required the installation of a complementary plugin inside every WP site and server. Upon reviewing the code, I discovered that it had many features that I didn’t need, and this posed a potential risk as the plugin needed to be installed on every WP server and site.

I asked ChatGPT 4 to write a plugin for me

To get a great reply from ChatGPT, you need to give it a great prompt. In my experience, when coding is involved it’s always better to split one task into multiple steps.

This was my prompt:

Create a WordPress plugin “WPJack Login Request” and follow these steps:

  • The plugin should create a new WordPress URL with the slug “wpjack-login-request”
  • This URL receives GET requests with parameters ‘token’ and ‘username’.
  • The token is a string with 64 characters in length, and the username is one of the existing WordPress usernames. The plugin should first validate these properties and after that check whether the token is valid.
  • In order to check the validity of the token, the plugin sends a POST request to the remote endpoint https://backend.wpjack.com/api/login-request-checker with body { token: ‘the-token’, domain: ‘domain-of-the-wordpress-site’}. The remote endpoint responds with JSON { valid: true } or { valid: false }.
  • If the token is valid, the plugin should log in the user based on the username provided and redirect to the WP admin page. If not valid, just display the text: “Token is not valid”.

This plugin should be hidden from the plugins page inside WP Admin.

Please provide code for this plugin.

Initial prompt for WP plugin

It replied with:

Creating a WordPress plugin as described requires a combination of PHP, WordPress functions, and HTTP requests. Below is a basic version of the “WPJack Login Request” plugin:

  1. Create a new folder in your WordPress plugins directory named wpjack-login-request.
  2. Inside this folder, create a file named wpjack-login-request.php.
  3. Add the following code to wpjack-login-request.php:
<?php
/**
 * Plugin Name: WPJack Login Request
 * Description: A custom login request handler for WPJack.
 * Version: 1.0
 * Author: ChatGPT
 */

// Prevent direct access
if (!defined('ABSPATH')) {
    exit;
}

// Register the custom URL
function wpjack_register_custom_url() {
    add_rewrite_rule('^wpjack-login-request/?', 'index.php?wpjack_login_request=1', 'top');
}
add_action('init', 'wpjack_register_custom_url');

// Add custom query var
function wpjack_query_vars($vars) {
    $vars[] = 'wpjack_login_request';
    return $vars;
}
add_filter('query_vars', 'wpjack_query_vars');

// Handle the custom URL request
function wpjack_handle_request() {
    global $wp;

    if (isset($wp->query_vars['wpjack_login_request'])) {
        $token = isset($_GET['token']) ? sanitize_text_field($_GET['token']) : '';
        $username = isset($_GET['username']) ? sanitize_text_field($_GET['username']) : '';

        // Validate token and username
        if (strlen($token) === 64 && username_exists($username)) {
            $response = wp_remote_post('https://backend.wpjack.com/api/login-request-checker', [
                'body' => [
                    'token' => $token,
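                    // Send the configured site host; SERVER_NAME can follow the request's Host header on some server setups
                    'domain' => wp_parse_url(home_url(), PHP_URL_HOST)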
                ]
            ]);

            if (!is_wp_error($response)) {
                $body = wp_remote_retrieve_body($response);
                $data = json_decode($body, true);

                if (isset($data['valid']) && $data['valid'] === true) {
                    // Login user and redirect to admin
                    $user = get_user_by('login', $username);
                    wp_set_current_user($user->ID, $user->user_login);
                    wp_set_auth_cookie($user->ID);
                    // The wp_login action passes the login name and the WP_User object
                    do_action('wp_login', $user->user_login, $user);
                    wp_redirect(admin_url());
                    exit;
                }
            }
        }

        echo "Token is not valid";
        exit;
    }
}
add_action('parse_request', 'wpjack_handle_request');

// Hide the plugin from the plugins page for every user, administrators included
function wpjack_hide_plugin($plugins) {
    unset($plugins['wpjack-login-request/wpjack-login-request.php']);
    return $plugins;
}
add_filter('all_plugins', 'wpjack_hide_plugin');

Activate the plugin. Since the plugin is hidden from the plugins page, you might need to activate it programmatically or via direct database manipulation.

This is a basic version of the plugin. In a real-world scenario, you’d want to add more security measures, error handling, and possibly logging. Always ensure you test thoroughly in a staging environment before deploying to a live site.


After the initial prompt I asked a couple more questions regarding flushing rewrite rules, and some additional parameters. This plugin was doing what was needed in the least amount of code. That’s what I like.

WPJack API

On the WPJack side, I created 2 endpoints.

  • Endpoint 1 – For authenticated and authorized users, create a login token for a specified site
  • Endpoint 2 – Check whether the token passed from the WP site is valid.

This way, the entire authorization logic is on the WPJack API side, where I have full control.
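The token logic behind these two endpoints can be sketched as follows. This is an added example, not WPJack's actual backend code, which the page does not show: the language, the `LoginTokenStore` class, the 60-second lifetime, hashed storage and single-use behaviour are all assumptions. It follows the contract from the prompt: a 64-character token checked together with the site's domain, answered with `valid: true` or `valid: false`.

```python
import hashlib
import re
import secrets
import time

TOKEN_TTL_SECONDS = 60  # assumed lifetime; the page only says "temporary"
TOKEN_RE = re.compile(r"[0-9a-f]{64}")


class LoginTokenStore:
    """In-memory stand-in for the backend's token table (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # sha256(token) -> (domain, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, domain):
        """Endpoint 1: the caller is already authenticated and authorized for `domain`."""
        token = secrets.token_hex(32)  # 64 hex characters, the length the plugin validates
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._rows[self._digest(token)] = (domain.lower(), expires_at)
        return token

    def check(self, token, domain):
        """Endpoint 2: returns the JSON body for the plugin's POST request."""
        if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
            return {"valid": False}
        # pop() makes the token single-use: any later check fails,
        # even when this first check ends up rejecting it.
        row = self._rows.pop(self._digest(token), None)
        if row is None:
            return {"valid": False}
        bound_domain, expires_at = row
        fresh = self._clock() <= expires_at
        same_site = bound_domain == str(domain).lower()
        return {"valid": fresh and same_site}
```

The check never sees the `username` parameter the plugin accepts, so a valid token authorizes a login as any existing user on that site; binding the username to the token at issue time would close that gap.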

Final thoughts

ChatGPT, when provided with detailed input, can output great results. At this moment this tool gives an unfair advantage to people who have mastered it.

It’s like having a junior/medior developer available all the time, or a team of multiple developers.

Still, I would never put into production something that’s not thoroughly tested by an experienced developer.
