Description
WP One Tap Google Sign In adds Google One Tap authentication to WordPress. It helps site owners offer a faster, passwordless login experience while keeping authentication tied to existing WordPress user accounts.
When a visitor signs in with Google, the plugin verifies the Google ID token server-side, checks the configured OAuth client ID, confirms the Google email is verified, and then signs in the matching WordPress user. The plugin also supports site-wide display for logged-out visitors, a customizable companion message block, and direct Google account linking from WordPress user profiles.
Key Features
- Google One Tap prompt on the WordPress login screen.
- Optional site-wide One Tap prompt for logged-out visitors.
- Server-side Google ID token verification with WordPress HTTP APIs.
- Existing-user login only by default.
- Google account linking and disconnect controls on WordPress user profiles.
- Automatic account-link migration after a successful verified email login.
- Admin activity log for successful logins, failed attempts, account linking, and unlinking events.
- Salted hashes for IP addresses and Google account identifiers in the activity log.
- Optional custom message block with image, title, and formatted content.
- WordPress 7.0-ready metadata with PHP 8.1, 8.2, and 8.3 compatibility.
Security Approach
The plugin uses WordPress nonces for AJAX requests, sanitizes all incoming data, escapes admin output, and validates the Google token audience against the configured OAuth client ID. It does not create new users automatically. A Google login succeeds only when the verified Google account maps to an existing WordPress user.
Privacy
The activity log stores the Google email address used during an event, the WordPress user ID when available, event status, event reason, user agent, and salted hashes of the request IP address and Google account identifier. Activity records older than 90 days are pruned automatically when new events are logged.
Configuration
Create a Google OAuth Client ID
- Open the Google Cloud Console credentials page:
https://console.developers.google.com/apis/credentials - Create an OAuth 2.0 Client ID.
- Choose Web application as the application type.
- Add your WordPress site’s authorized JavaScript origin.
- Copy the client ID into Settings > One Tap GSI.
Link a WordPress User to Google
- Open Users > Profile for your own account, or edit another user if your role allows it.
- Find the Google One Tap Sign-In section.
- Use the Google button to link a verified Google account.
- To disconnect, check Disconnect this Google account and save the profile.
Customize the Message Block
- Go to Settings > One Tap GSI.
- Enable the custom message block.
- Choose an image from the Media Library or enter an image URL.
- Add a short title and supporting formatted content.
- Save the settings.
Screenshots
Installation
- Upload the
wp-one-tap-google-sign-infolder to the/wp-content/plugins/directory. - Activate the plugin through the Plugins screen in WordPress.
- Go to Settings > One Tap GSI.
- Enter your Google OAuth 2.0 Web application client ID.
- Confirm that your site’s login URL is allowed in your Google OAuth application configuration.
- Choose whether One Tap should appear only on the login page or site-wide for logged-out visitors.
- Add optional custom message content if you want supporting copy beside the One Tap prompt.
FAQ
-
Does this plugin create new WordPress users?
-
No. WP One Tap Google Sign In signs in existing WordPress users only. It does not automatically register new users.
-
Can users disconnect their Google account?
-
Yes. Users can disconnect the linked Google account from their WordPress profile. Administrators with permission to edit users can also manage the link for other accounts.
-
What happens if a user changes their Google email address?
-
After account linking, the plugin uses Google’s stable account identifier for future logins. This is more reliable than email-only matching.
-
Where can I view login attempts?
-
Go to Settings > One Tap GSI Activity to review recent sign-in, linking, and unlinking events.
-
Does the plugin store raw IP addresses?
-
No. The plugin stores a salted hash of the request IP address for correlation in security reviews.
-
Is this compatible with WordPress 7.0 and modern PHP?
-
The plugin metadata targets WordPress 7.0 and PHP 8.1 or higher. The code avoids dynamic properties, deprecated Google client dependencies, and older PHP patterns that commonly cause warnings on PHP 8.2 and PHP 8.3.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“WP One Tap Google Sign In” is open source software. The following people have contributed to this plugin.
Contributors
Translate “WP One Tap Google Sign In” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.2.1
- [Changed] Raised the minimum PHP requirement to 8.1 for production readiness on PHP 8.1, 8.2, and 8.3.
- [Changed] Updated Composer and WordPress.org metadata to match the PHP 8.1+ support policy.
- [Fixed] Updated package metadata for PHP 8.1+ and Google API client compatibility.
1.2.0
- [Added] Google account linking and disconnect controls on WordPress user profiles.
- [Added] Admin activity log for login, failed login, link, and unlink events.
- [Added] Automatic account-link migration after successful verified email login.
- [Changed] Reworked runtime token verification to use WordPress HTTP APIs.
- [Changed] Updated plugin ownership metadata to Sunil Kumar Sharma,
sunilkumarthz, and wpsimplified.in. - [Changed] Expanded WordPress.org readme documentation with setup, security, privacy, and FAQ details.
- [Security] Uses Google’s stable account identifier after linking and stores IP/Google identifiers as salted hashes in the audit log.
1.1.0
- [Added] Declared WordPress 7.0, PHP 7.4, and modern Composer package requirements.
- [Changed] Reworked script loading to use
wp_enqueue_script()for the Google Identity Services client and stable plugin asset versions. - [Changed] Updated admin settings text, escaping, sanitization, and localization for WordPress Coding Standards.
- [Fixed] Corrected login AJAX responses to use structured JSON instead of raw strings.
- [Security] Added AJAX nonce verification, stricter Google ID token validation, audience checks, and verified-email enforcement before setting WordPress auth cookies.
1.0.1
- Initial public release.