Secure, accessible login, registration, and password recovery forms that live on your actual site — not wp-login.php.
Login, registration, lost password, and password reset — all handled on your frontend with proper nonce verification and WordPress hook compatibility.
Four native Widget_Base widgets with full Elementor style controls, V4 compatibility, dynamic content flagging, and Theme Builder integration via real WordPress pages.
Configurable per-IP lockout after failed attempts. Uses transients with anonymised IP hashing. Protects login, registration, lost-password, and reset-password forms.
Rotating hidden field (hourly key rotation via HMAC) catches bots. Trapped submissions get a fake success response — bots never know they failed.
Optional no-reload form submission. Inline error display, loading spinners, and automatic redirect on success — all configurable from the admin panel.
All wp-login.php links across your entire site — login_url, logout_url, lostpassword_url, site_url — are transparently rewritten to your frontend pages.
Network activation support. Per-site settings, signup/activation URL rewriting, and automatic option seeding for new sub-sites via wp_initialize_site.
Fires standard WordPress hooks (login_form, register_form, etc.) so 2FA, CAPTCHA, and social login plugins render their fields inside your forms automatically. MCP Bridge and OAuth flows are transparently exempted from URL rewriting.
ARIA roles, aria-required, aria-live regions for errors, focus-visible outlines, and translatable password-strength labels. Clean, semantic HTML throughout.
Automatically excludes auth pages from LiteSpeed Cache, Super Page Cache, WP Rocket, W3 Total Cache, and WP Super Cache. Purges stale 404s on plugin update. Sends no-store HTTP headers as a universal fallback.
Fully honours ?redirect_to= on both virtual and Elementor pages. Subscribers are blocked from wp-admin and sent to a configurable destination. Privileged users always land where they intended.