WPHammer
Log in

Magic Login

Magic Login lets you access the WordPress admin panel of any managed site with a single click — no username or password required. WPHammer generates a one-time login URL that authenticates you directly as a WordPress administrator.

How it works

When you trigger a Magic Login from the site detail page:

  1. WPHammer connects to the server over SSH.
  2. A WP-CLI command generates a one-time login URL for the specified WordPress user (typically the site administrator).
  3. The URL is returned to your browser.
  4. Clicking the URL logs you into the WordPress admin as that user.

The login URL is single-use — once clicked, it expires and cannot be reused. This prevents the link from being intercepted and used by someone else.

When to use Magic Login

Magic Login is designed for quick administrative access:

  • Checking a site — verify a setting, review a page, or inspect a plugin configuration without hunting for credentials
  • Client support — jump into a client's WordPress admin to troubleshoot an issue they reported
  • Post-deployment verification — confirm that a deployment or update applied correctly
  • Emergency access — get into a site when the normal login is broken (locked out, changed password, failed 2FA)

Login plugin

Magic Login works through a lightweight WordPress plugin that WPHammer installs on managed sites. The plugin handles the token validation and authentication on the WordPress side. If the plugin is missing or broken, WPHammer can reinstall it automatically.

The plugin does not add any visible UI to the WordPress admin. It only exposes a token-based authentication endpoint used exclusively by WPHammer-generated URLs.

Security

Magic Login URLs are:

  • One-time use — each URL works exactly once
  • Time-limited — URLs expire after a short window
  • Authenticated via SSH — the URL is generated server-side through WP-CLI, so it requires SSH access to the server

Access to Magic Login is governed by your WPHammer team permissions. Only team members with the appropriate role can generate login URLs. All Magic Login actions are recorded in the activity log for audit purposes.

Related