Confirmed compatible with WordPress 7.0. Documentation-only release \u2014 no source-code changes.<\/p>","0.1.22":"
Version bump only \u2014 no source-code changes vs 0.1.21. Re-submission for WordPress.org plugin directory review.<\/p>","0.1.21":"
Better compatibility with security plugins that move the login URL: the plugin now uses wp_login_url() instead of hardcoded \/wp-login.php references.<\/p>","0.1.20":"
WordPress.org plugin review compliance: unminified TypeScript source for the bundled web-components library is now vendored alongside the compiled bundle. No runtime behaviour change.<\/p>","0.1.19":"
Recommended. Removes the Recommended. The Mobile sign-in robustness: the "Continue with QRAuth" flow now reliably returns users to your site after approval, including on sites that send a strict Referrer-Policy header. No configuration change required.<\/p>","0.1.16":" WordPress.org review fixes. Vendored web component bumped to 0.4.1 (no more api.qrserver.com fetch). External services section added to readme. Auto-provision role UI is now Subscriber-only \u2014 sites that need Contributor\/Author must use the new Cosmetic readme fix \u2014 Security hardening \u2014 Tenant URL sanitiser now rejects plain-http localhost values unless CI \/ release-infrastructure bump only \u2014 runners now use Node.js 24. Zero runtime behaviour changes.<\/p>","0.1.11":" Plugin-check hygiene before WordPress.org submission: composer.json now shipped alongside vendor\/, discouraged Translation scaffolding only \u2014 no behaviour changes. New UI strings from 0.1.1 \u2192 0.1.9 are now picked up by the POT + el_GR.po so translators have a current baseline to work from.<\/p>","0.1.9":" Customers signing in through a WooCommerce form now land on My Account (or the checkout step they started on) instead of wp-admin. No configuration change required.<\/p>","0.1.8":" Mobile \/ multilingual fixes: a phone scanning a QR from another device no longer signs itself in; the redirect URL is language-neutral so WPML \/ Polylang \/ Weglot sites need only one allowlist entry.<\/p>","0.1.7":" Adds WooCommerce support \u2014 the widget can now appear on the My Account login\/register forms and on the checkout sign-in step. Opt in per-surface under Settings \u2192 QRAuth.<\/p>","0.1.6":" Adds a Adds mobile same-device sign-in. One-time setup: register your Required hotfix. 0.1.3 accepted QRAuth signatures but rejected every login with Required hotfix. 0.1.2 still failed to accept real QRAuth signatures because the envelope separator Recommended hotfix. Unblocks end-to-end QRAuth sign-in on sites running 0.1.1 \u2014 the Adds a same-origin REST proxy that eliminates browser CORS errors. Upgrading requires adding a Client Secret in Settings \u2192 QRAuth; the existing Client ID and the renamed Tenant URL (previously "Base URL") are migrated automatically.<\/p>","0.1.0":" Initial public release.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":1},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3559096,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3559096,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256},"icon.svg":{"filename":"icon.svg","revision":3559096,"resolution":false,"location":"assets","locale":false}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3559096,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3559096,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["0.1.21","0.1.23"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3559096,"resolution":"1","location":"assets","locale":"","width":1280,"height":800},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3559096,"resolution":"2","location":"assets","locale":"","width":1280,"height":800},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3559096,"resolution":"3","location":"assets","locale":"","width":1280,"height":800},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3559096,"resolution":"4","location":"assets","locale":"","width":1280,"height":800}},"screenshots":{"1":"wp-login.php with the \"Sign in with QRAuth\" button under the password field.","2":"Widget active \u2014 animated QR, session countdown, and \"Continue on this device\" CTA for mobile users.","3":"Settings \u2192 QRAuth \u2014 Client ID, Client Secret, Tenant URL, auto-provision toggle, default role, allowed scopes, and per-surface enable switches.","4":"WooCommerce registration form \u2014 inline widget alongside WC's account-creation fields."}},"plugin_section":[],"plugin_tags":[710,602,9223,1373,2056],"plugin_category":[38],"plugin_contributors":[265379],"plugin_business_model":[],"class_list":["post-304732","plugin","type-plugin","status-publish","hentry","plugin_tags-authentication","plugin_tags-login","plugin_tags-passwordless","plugin_tags-qr-code","plugin_tags-social-login","plugin_category-authentication","plugin_contributors-aristech","plugin_committers-aristech"],"banners":{"banner":"https:\/\/ps.w.org\/qrauth-passwordless-social-login\/assets\/banner-772x250.png?rev=3559096","banner_2x":"https:\/\/ps.w.org\/qrauth-passwordless-social-login\/assets\/banner-1544x500.png?rev=3559096","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":"https:\/\/ps.w.org\/qrauth-passwordless-social-login\/assets\/icon.svg?rev=3559096","icon":"https:\/\/ps.w.org\/qrauth-passwordless-social-login\/assets\/icon.svg?rev=3559096","icon_2x":false,"generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/qrauth-passwordless-social-login\/assets\/screenshot-1.png?rev=3559096","caption":"wp-login.php with the \"Sign in with QRAuth\" button under the password field."},{"src":"https:\/\/ps.w.org\/qrauth-passwordless-social-login\/assets\/screenshot-2.png?rev=3559096","caption":"Widget active \u2014 animated QR, session countdown, and \"Continue on this device\" CTA for mobile users."},{"src":"https:\/\/ps.w.org\/qrauth-passwordless-social-login\/assets\/screenshot-3.png?rev=3559096","caption":"Settings \u2192 QRAuth \u2014 Client ID, Client Secret, Tenant URL, auto-provision toggle, default role, allowed scopes, and per-surface enable switches."},{"src":"https:\/\/ps.w.org\/qrauth-passwordless-social-login\/assets\/screenshot-4.png?rev=3559096","caption":"WooCommerce registration form \u2014 inline widget alongside WC's account-creation fields."}],"raw_content":"\n QRAuth replaces the password field on your WordPress login page with a drop-in QR widget. Users sign in by scanning with the QRAuth mobile app; a cryptographic signature is verified server-to-server before WordPress sets the auth cookie. Social login (Google, GitHub, Microsoft, Apple) is brokered by QRAuth's hosted approval page, so you never have to register an OAuth app or hold a client secret.<\/p>\n\n One Client ID is the only configuration.<\/strong> Paste it into Settings \u2192 QRAuth and the widget appears on wp-login.php. Everything else \u2014 the approval flow, the signing, the token refresh \u2014 lives in the QRAuth platform.<\/p>\n\n Account safety is the default.<\/strong> Auto-provisioning is off out of the box: only WordPress users who already exist (matched on email) can sign in via QRAuth. Flip on auto-provisioning and new users are created as Subscriber \u2014 that's the only role available, intentionally and at every layer (settings UI, sanitiser, runtime). Operators who need a different role for an individual user can change it manually via Users \u2192 All Users after their first sign-in. The plugin never stores the signing material, never issues a redirect outside your site, and never touches your user table on uninstall.<\/p>\n\n Self-hosted, no third-party scripts on wp-login.php.<\/strong> The QRAuth web component ships vendored inside the plugin \u2014 the only outbound call is from your server to QRAuth's verification endpoint during a sign-in attempt.<\/p>\n\n Open source build.<\/strong> The compressed JavaScript at This plugin connects to QRAuth (https:\/\/qrauth.io) \u2014 the identity verification service that performs the actual passwordless \/ social sign-in. QRAuth is operated by ProgressNet, the publisher of this plugin. Without QRAuth there is no widget and no sign-in.<\/p>\n\n What the service is and what it is used for<\/strong><\/p>\n\n QRAuth verifies that the user who scanned the QR code (or completed a social-provider flow on the hosted approval page) is the same person who initiated the sign-in on your WordPress site, then returns a signed assertion that the plugin uses to set the WordPress auth cookie.<\/p>\n\n What data is sent and when<\/strong><\/p>\n\n The vendored web component ( Service terms and policies<\/strong><\/p>\n\n The compiled bundle at \/*!\n * @qrauth\/web-components v0.4.1\n * Vendored by qrauth-passwordless-social-login. Do not edit by hand.\n *\n * Source: https:\/\/github.com\/qrauth-io\/qrauth\/tree\/main\/packages\/web-components\n * License: MIT\n * npm: https:\/\/www.npmjs.com\/package\/@qrauth\/web-components\n * Build: The unminified TypeScript source files are also vendored alongside the compiled bundle inside this plugin ( The plugin's own source \u2014 PHP, the small browser adapter ( The PHP and The vendored file To regenerate the vendored bundle from the pinned npm release, clone the plugin source repository linked above and run from its root:<\/p>\n\n The build script Only if they sign in via QR. They install the free QRAuth mobile app once, scan the code on your login page, and approve on their phone. For social login (Google, GitHub, Microsoft, Apple) the user simply taps the provider on QRAuth's hosted approval page \u2014 they don't need a QRAuth account at all.<\/p><\/dd>\n They aren't. Auto-provisioned accounts get a 32-character random password that nobody (including you) holds or needs. WordPress users who already had a password keep it \u2014 QRAuth just becomes an additional sign-in method alongside the usual form.<\/p><\/dd>\n Yes. If a scanned account's email matches an existing WordPress user, they log into that account \u2014 no duplicate is created. The match is remembered via user meta, so subsequent sign-ins skip the email lookup.<\/p><\/dd>\n Subscriber, hardcoded. The settings UI only offers Subscriber, the sanitiser clamps any other value to Subscriber, and the provisioner ignores the stored option entirely and uses Subscriber unconditionally \u2014 this aligns with WordPress.org plugin directory guidelines for sign-in plugins that create users post-external-verification. There is no plugin-provided code path (filter, action, option, or constant) to elevate the auto-provisioning role. If a particular user needs a higher role, change it manually via Users \u2192 All Users after their first sign-in.<\/p><\/dd>\n Yes \u2014 from Users \u2192 Your Profile there's a QRAuth section with an \"Unlink QRAuth\" button. Admins can unlink other users from their profiles too. The WordPress account (role, posts, comments, history) is preserved; only the link metadata is removed.<\/p><\/dd>\n Yes. Deactivate and all your users stay. Uninstall removes the plugin's settings row and its rate-limit transients \u2014 it never deletes WordPress user accounts or their content. If you reinstall later, existing users re-link automatically on their next QRAuth sign-in.<\/p><\/dd>\n No. There's no telemetry, no analytics, no third-party scripts. The only outbound request is from your server to The REST verify route caps requests at 10 per 5 minutes per hashed IP. The hash uses Per-site activation works today. Network-activated multisite is tracked for a future release.<\/p><\/dd>\n\n<\/dl>\n\n\nqrauth_psl_provisioning_role<\/code> filter \u2014 auto-provisioned users are now hardcoded to Subscriber with no code path to elevate. Operators needing a different role for a user must change it manually via Users \u2192 All Users after first sign-in. WordPress.org review fix.<\/p>","0.1.18":"\/verify<\/code> route now fires wp_login<\/code> on success and wp_login_failed<\/code> on signature mismatch so security plugins (Limit Login Attempts, Wordfence), audit logs, MFA gates, and last-login trackers see QRAuth sign-ins as if they came through wp-login.php. Also adds an == External resources ==<\/code> readme section, switches Plugin URI:<\/code> to the plugin's GitHub repo, and adds a top-level GPL-2.0 LICENSE file. No configuration changes required.<\/p>","0.1.17":"qrauth_psl_provisioning_role<\/code> filter.<\/p>","0.1.14":"Contributors:<\/code> now points at the actual wordpress.org profile. No runtime changes.<\/p>","0.1.13":"WP_DEBUG<\/code> is on or the qrauth_psl_allow_localhost_tenant_url<\/code> filter opts in. Blocks an admin-gated SSRF probe path. No action required for sites using https:\/\/<\/code> tenants.<\/p>","0.1.12":"load_plugin_textdomain()<\/code> call removed, 0.1.8 upgrade notice trimmed under the 300-char cap. No runtime behaviour changes.<\/p>","0.1.10":"[qrauth_login]<\/code> shortcode so the widget can live on any page, not just wp-login.php. Opt in from Settings \u2192 QRAuth. No existing configuration changes on upgrade.<\/p>","0.1.5":"\/wp-login.php<\/code> URL in your QRAuth app's redirect-URL allowlist (Settings \u2192 QRAuth shows the exact URL). Desktop sign-in is unaffected either way.<\/p>","0.1.4":"provision_disabled<\/code> because the widget was requesting only the identity<\/code> scope (the scope attribute name was wrong). Upgrade to restore end-to-end sign-in.<\/p>","0.1.3":":<\/code> wasn't in the allowed alphabet. Upgrade to restore end-to-end sign-in.<\/p>","0.1.2":"\/verify<\/code> route's input validators were too strict and rejected every real login. No configuration change required.<\/p>","0.1.1":"assets\/js\/qrauth-components.js<\/code> is built from publicly available TypeScript source at https:\/\/github.com\/qrauth-io\/qrauth\/tree\/main\/packages\/web-components. The unminified source files are also vendored alongside the minified bundle inside this plugin (assets\/js\/source\/<\/code>) for offline review. See the Source<\/strong> section below for build instructions.<\/p>\n\nExternal services<\/h3>\n\n
\n
https:\/\/qrauth.io\/api\/v1\/auth-sessions<\/code>. No visitor data is included in this request.<\/li>\nhttps:\/\/qrauth.io\/api\/v1\/auth-sessions\/verify-result<\/code>. The response carries the QRAuth user identifier and, when the email<\/code> scope is allowed in Settings \u2192 QRAuth, the user's email address. The plugin uses this only to locate or create the matching WordPress user; nothing beyond a hashed link reference is retained.<\/li>\nhttps:\/\/qrauth.io\/a\/<token><\/code> to complete the social-provider flow. This is a standard cross-domain navigation initiated by the visitor.<\/li>\n<\/ul>\n\nassets\/js\/qrauth-components.js<\/code>) is served from your own WordPress site \u2014 there is no third-party JavaScript on wp-login.php, and the component does not contact qrauth.io directly from the browser; all server-to-server calls are proxied via your site's REST API.<\/p>\n\n\n
Source<\/h3>\n\n\n\n
assets\/js\/qrauth-components.js<\/code> carries the following banner header at the top of the file:<\/p>\n\n`\n<\/code><\/pre>\n\nnpm install && npm run build:assets<\/code> (see bin\/fetch-web-components.mjs)\n *\n * The unminified TypeScript source for this bundle is also vendored at\n * assets\/js\/source\/ \u2014 see assets\/js\/source\/README.md for provenance.\n *\/\n `<\/p>\n\nassets\/js\/source\/<\/code>) for offline review.<\/p>\n\nassets\/js\/qrauth-adapter.js<\/code>), build scripts, tests, and CI \u2014 is publicly maintained under GPL-2.0-or-later at:<\/p>\n\n\n
assets\/js\/qrauth-adapter.js<\/code> shipped in the plugin ZIP are non-minified \u2014 read them directly without checking out the repo.<\/p>\n\nassets\/js\/qrauth-components.js<\/code> is a pinned production build of the public @qrauth\/web-components<\/code> library. The non-compiled source for that library is openly available:<\/p>\n\n\n
package.json<\/code> under the qrauth.webComponentsIntegrity<\/code> key<\/li>\nnpm install\nnpm run build:assets\n<\/code><\/pre>\n\nbin\/fetch-web-components.mjs<\/code> (kept in the plugin source repository, not in the WordPress.org plugin ZIP) downloads the npm tarball, verifies its sha512 SRI hash against package.json#qrauth.webComponentsIntegrity<\/code>, extracts the IIFE build, and writes it to assets\/js\/qrauth-components.js<\/code>. CI runs the same script before the WordPress.org plugin-check job, so the bundle distributed on the directory always matches the published npm release. To rebuild from upstream source instead of the pinned tarball, follow BUILDING.md<\/code> in the upstream library repository above.<\/p>\n\n\n\n
https:\/\/<your-site>\/wp-login.php<\/code>. Without this registration, sign-in on phones (same-device approval) cannot complete; desktop sign-in works without it. The exact URL to register is shown on the Settings \u2192 QRAuth page. One registration is enough even on multilingual sites (WPML, Polylang, Weglot): the plugin uses the language-neutral admin URL, not the translated home URL, so \/en\/wp-login.php<\/code> \/ \/fr\/wp-login.php<\/code> \/ etc. don't need separate entries.<\/li>\n\n
Do my users need a QRAuth account?<\/h3><\/dt>\n
Where are passwords stored?<\/h3><\/dt>\n
Does it work with existing WordPress users?<\/h3><\/dt>\n
What role do new users get?<\/h3><\/dt>\n
Can I unlink a WordPress account from QRAuth?<\/h3><\/dt>\n
Can I remove the plugin later?<\/h3><\/dt>\n
Does the plugin phone home with analytics?<\/h3><\/dt>\n
https:\/\/qrauth.io\/api\/v1\/auth-sessions\/verify-result<\/code> during a login attempt, carrying only the session ID and the signature the user's phone produced.<\/p><\/dd>\nHow is rate limiting handled?<\/h3><\/dt>\n
wp_salt()<\/code>, so a database dump can't recover caller IPs. Each verify attempt costs one outbound call to QRAuth's servers, so tight limits protect both your site and ours.<\/p><\/dd>\nDoes it work on multisite?<\/h3><\/dt>\n
0.1.23<\/h4>\n\n
\n
0.1.22<\/h4>\n\n
\n
wp_login_url()<\/code> migration, so this bump exists only to ensure the reviewer's tooling re-scans the post-fix tree.<\/li>\n<\/ul>\n\n0.1.21<\/h4>\n\n
\n
wp_login_url()<\/code> instead of hardcoded site_url('\/wp-login.php')<\/code> for the two locations that reference the W login URL. This respects security plugins that move wp-login.php to a custom URL and is the recommended pattern per the WordPress developer handbook.<\/li>\n<\/ul>\n\n0.1.20<\/h4>\n\n
\n
@qrauth\/web-components<\/code> library at assets\/js\/source\/<\/code> alongside the minified bundle, so reviewers and integrators can read the unminified source without leaving the plugin. The readme's == Source ==<\/code> section (renamed from == External resources ==<\/code> for clarity) and the Description's \"Open source build\" paragraph also link to the canonical upstream repository and build instructions. WordPress.org plugin guideline 4 (human-readable code).<\/li>\n<\/ul>\n\n0.1.19<\/h4>\n\n
\n
qrauth_psl_provisioning_role<\/code> filter introduced in 0.1.16 has been removed. Auto-provisioned users are now hardcoded to the subscriber<\/code> role at every layer \u2014 settings UI, sanitiser, and runtime provisioner \u2014 with no programmatic path (filter, action, option, or constant) to elevate. Operators who need a different role for an individual user must update it manually via Users \u2192 All Users after first sign-in. Identified during WordPress.org plugin directory review (creating users post-external-verification must be capped at the lowest privilege role).<\/li>\n<\/ul>\n\n0.1.18<\/h4>\n\n
\n
\/verify<\/code> route now fires the canonical wp_login<\/code> action on every successful sign-in (mirroring what core's wp_signon()<\/code> does after wp_set_auth_cookie()<\/code>) and wp_login_failed<\/code> on signature_invalid<\/code> rejections. Security plugins (Limit Login Attempts Reloaded, Wordfence, Solid Security), audit-log plugins (WP Activity Log, Simple History), MFA gates, and \"last login\" \/ session-tracking plugins now see QRAuth sign-ins exactly as if the user had authenticated through wp-login.php<\/code>. Identified during WordPress.org plugin directory review \u2014 closes the \"creating your own login method can bypass security plugins\" concern raised in the review. No configuration changes required.<\/li>\n== External resources ==<\/code> section to the readme that publishes the plugin's own GitHub repository (https:\/\/github.com\/qrauth-io\/qrauth-passwordless-social-login, GPL-2.0-or-later) and points at the public source for the vendored @qrauth\/web-components<\/code> library (https:\/\/github.com\/qrauth-io\/qrauth\/tree\/main\/packages\/web-components, MIT) along with the npm release the bundle is pinned to and the npm run build:assets<\/code> step that reproduces it. The vendored file's banner now names its source repository, license, npm release, and build entry-point inline. The plugin header's Plugin URI:<\/code> now points at the GitHub repository instead of the QRAuth platform homepage, and a top-level LICENSE<\/code> file (GPL-2.0) has been added to the repository so forkers and reviewers see the licence at a glance. Addresses WordPress.org plugin directory feedback that compiled JS must link to a publicly maintained, human-readable source.<\/li>\n<\/ul>\n\n0.1.17<\/h4>\n\n
\n
Referrer-Policy<\/code> could end up landing the user on a \"you can close this page\" terminal state instead of returning them to wp-login.php. The \/a\/<token><\/code> proxy now forwards the query string verbatim, matching the existing behaviour documented for the \/api\/v1\/auth-sessions\/<id><\/code> proxy.<\/li>\n<\/ul>\n\n0.1.16<\/h4>\n\n
\n
== External services ==<\/code> section documenting every outbound call the plugin makes, with links to the QRAuth Terms, Privacy Policy, DPA, and Sub-processors list.<\/li>\nqrauth_psl_provisioning_role<\/code> filter, accessible only via code. Editor and Administrator remain hard-blocked at every layer, as before. Existing sites configured with Contributor or Author will fall back to Subscriber on the next save; until then their stored value is unchanged.<\/li>\n<\/ul>\n\n0.1.15<\/h4>\n\n
\n
0.1.14<\/h4>\n\n
\n
Contributors:<\/code> field set to aristech<\/code> \u2014 the verified wordpress.org account that owns the submission. The prior value (qrauth<\/code>) wasn't a registered wordpress.org profile and would have rendered as a broken contributor badge on the plugin directory page.<\/li>\n<\/ul>\n\n0.1.13<\/h4>\n\n
\n
http:\/\/localhost<\/code> and http:\/\/127.0.0.1<\/code> values on production sites \u2014 they're only accepted when WP_DEBUG<\/code> is on (local development) or when a site operator explicitly opts in via the new qrauth_psl_allow_localhost_tenant_url<\/code> filter. Closes a pentest finding: an admin with manage_options<\/code> could previously point Tenant URL at arbitrary localhost ports (e.g. MySQL, Redis), using the plugin's outbound wp_remote_request<\/code> as a port-scanning oracle against the WP host's internal network. Now admin-gated SSRF via this path is blocked by default; https:\/\/<\/code> tenants remain accepted unchanged.<\/li>\n<\/ul>\n\n0.1.12<\/h4>\n\n
\n
actions\/checkout<\/code>, actions\/setup-node<\/code>, softprops\/action-gh-release<\/code>, actions\/upload-artifact<\/code>, ramsey\/composer-install<\/code>) to current major versions so every runner step uses Node.js 24. No plugin behaviour changes \u2014 only the CI environment that builds + releases the plugin changed.<\/li>\n<\/ul>\n\n0.1.11<\/h4>\n\n
\n
composer.json<\/code> alongside vendor\/<\/code> so reviewers can see the provenance of the vendored dependencies. (2) Removed the explicit load_plugin_textdomain()<\/code> call from plugin bootstrap \u2014 WordPress 4.6+ auto-loads translations for plugins hosted on wordpress.org, and an explicit call is now discouraged. (3) Trimmed the 0.1.8 upgrade notice to stay under WordPress.org's 300-character limit.<\/li>\n<\/ul>\n\n0.1.10<\/h4>\n\n
\n
languages\/qrauth-passwordless-social-login.pot<\/code>) and the Greek scaffold (el_GR.po<\/code>) so every user-facing string added between 0.1.1 and 0.1.9 (Client Secret field, Tenant URL description, per-surface enable switches for shortcode and WooCommerce, mobile sign-in setup callout, etc.) is now available to translators. No behaviour changes; string extraction only.<\/li>\n<\/ul>\n\n0.1.9<\/h4>\n\n
\n
wp_validate_redirect<\/code> so a forged Referer can't turn this into an open redirect.<\/li>\n<\/ul>\n\n0.1.8<\/h4>\n\n
\n
redirect-uri<\/code> using WordPress's language-neutral admin URL (site_url<\/code>) instead of the translated home URL, so \/en\/wp-login.php<\/code>, \/fr\/wp-login.php<\/code>, etc. all resolve to the same canonical registration in the QRAuth dashboard.<\/li>\n<\/ul>\n\n0.1.7<\/h4>\n\n
\n
woocommerce_login_form_end<\/code> \/ woocommerce_register_form_end<\/code> template hooks.<\/li>\n0.1.6<\/h4>\n\n
\n
[qrauth_login]<\/code> shortcode for placing the widget on any page, post, or widget area. Supports display=\"inline|button\"<\/code> (default inline<\/code>) and mode=\"login|register\"<\/code> (default login<\/code>). Opt in via Settings \u2192 QRAuth \u2192 \"Show widget on\" \u2192 \"Anywhere via shortcode\".<\/li>\nwp-login.php<\/code>. The ~65 KB bundle is only emitted on pages that actually render the widget \u2014 unused shortcode-enabled sites pay zero bandwidth cost on pages without the tag.<\/li>\n<\/ul>\n\n0.1.5<\/h4>\n\n
\n
redirect-uri<\/code> pointing at wp-login.php<\/code>, and the adapter picks up the qrauth_session_id<\/code> \/ qrauth_signature<\/code> query params that qrauth.io appends when the user approves on their phone. The WP tab being suspended while the user was on qrauth.io no longer breaks the flow.<\/li>\nhttps:\/\/<site>\/wp-login.php<\/code>). Required one-time setup for phone sign-in; desktop still works without it.<\/li>\n<\/ul>\n\n0.1.4<\/h4>\n\n
\n
\/verify<\/code> on 0.1.3 but bounced with provision_disabled<\/code> \u2014 regardless of whether auto-provisioning was on. The widget's scope attribute was emitted as