=== Password Less Login ===
Contributors: sadekur
Plugin URI: https://profiles.wordpress.org/sadekur/
Tags: passwordless login, email authentication, OTP login, secure login, easy login
Author URI: https://profiles.wordpress.org/sadekur/
Requires at least: 5.9
Tested up to: 6.8
Stable tag: 1.0.0.1
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

A powerful and easy-to-use WordPress plugin for passwordless and OTP-based login.

== Description ==
**Password Less Login** is a passwordless and OTP-based login system for WordPress.  
Every user — both existing and new — must verify their identity using a **One-Time Password (OTP)** sent to their email before being logged in.

This ensures that no one can access an account without confirming control of its email address, so the security of each account rests on the security of that mailbox rather than on a stored password.

### How It Works
1. The user enters their email address.
2. The plugin sends a **6-digit OTP** to that email.
3. The user enters the OTP:
   * If the email exists → the user is securely logged in.
   * If the email is new → the user provides a username, verifies the OTP, and a new account is created automatically.
4. The OTP is valid for **10 minutes** and expires after use.

> **Note:** The plugin never logs in users without OTP verification.

---

### Key Features

* **OTP-Based Authentication for All Users** – Both existing and new users must verify the OTP before login.
* **Passwordless Login** – Securely log in using only your email and OTP.
* **Auto User Registration** – New users can register instantly after OTP verification.
* **Temporary OTP (10 Minutes)** – Each OTP expires after 10 minutes and can only be used once.
* **Rate Limiting** – Prevents brute-force or spam OTP requests (maximum 5 per 15 minutes per email).
* **Nonce Verification** – Requires a valid WordPress nonce on REST API requests, which helps protect the endpoints against forged requests.
* **Secure Email Handling** – Emails are hashed when stored in transients to protect user data.
* **Streamlined User Experience** – Clean, minimal login flow with conditional fields for existing vs. new users.
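
The OTP lifecycle described under "How It Works" and "Key Features" (10-minute expiry, single use, 5 requests per 15 minutes per email, hashed email in transient names) can be sketched with the WordPress Transients API. This is an added example, not the plugin's own code. Every `pll_example_*` name, the transient prefixes, the keyed hash of the OTP, and the cap on wrong guesses are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Needs WordPress loaded; every pll_example_* name is hypothetical.
const PLL_EXAMPLE_OTP_TTL      = 600; // 10 minutes (readme)
const PLL_EXAMPLE_MAX_REQUESTS = 5;   // OTP requests per window (readme)
const PLL_EXAMPLE_WINDOW       = 900; // 15 minutes (readme)
const PLL_EXAMPLE_MAX_TRIES    = 5;   // assumption: wrong guesses allowed per OTP (not in the readme)
// Keyed hash: keeps the address out of transient names and the raw OTP out of storage.
function pll_example_mac( string $value ): string {
	return hash_hmac( 'sha256', $value, wp_salt( 'auth' ) );
}
function pll_example_key( string $prefix, string $email ): string {
	return $prefix . pll_example_mac( strtolower( trim( $email ) ) );
}
// Returns the 6-digit OTP for the caller to send with wp_mail(), or WP_Error once the request limit is hit.
function pll_example_issue_otp( string $email ) {
	$rate_key = pll_example_key( 'pll_rl_', $email );
	$rate     = get_transient( $rate_key );
	if ( ! is_array( $rate ) || $rate['reset'] <= time() ) {
		$rate = array( 'count' => 0, 'reset' => time() + PLL_EXAMPLE_WINDOW );
	}
	if ( $rate['count'] >= PLL_EXAMPLE_MAX_REQUESTS ) {
		return new WP_Error( 'pll_example_rate_limited', 'Too many OTP requests. Try again later.' );
	}
	$rate['count']++;
	set_transient( $rate_key, $rate, max( 1, $rate['reset'] - time() ) ); // window end stays fixed
	$otp    = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT ); // CSPRNG, keeps leading zeros
	$record = array( 'mac' => pll_example_mac( $otp ), 'exp' => time() + PLL_EXAMPLE_OTP_TTL, 'tries' => 0 );
	set_transient( pll_example_key( 'pll_otp_', $email ), $record, PLL_EXAMPLE_OTP_TTL );
	return $otp;
}

// True only for a matching, unexpired, unused OTP. The record is deleted on success or after too many misses.
function pll_example_verify_otp( string $email, string $otp ): bool {
	$otp_key = pll_example_key( 'pll_otp_', $email );
	$record  = get_transient( $otp_key );
	if ( ! is_array( $record ) || $record['exp'] <= time() ) {
		return false; // never issued, expired, or already used
	}
	if ( hash_equals( $record['mac'], pll_example_mac( $otp ) ) ) {
		delete_transient( $otp_key ); // single use
		return true;
	}
	if ( ++$record['tries'] >= PLL_EXAMPLE_MAX_TRIES ) {
		delete_transient( $otp_key );
	} else {
		set_transient( $otp_key, $record, $record['exp'] - time() ); // expiry unchanged
	}
	return false;
}
```

The counters are updated with a read-then-write on transients, which is not atomic, so the limits are approximate under concurrent requests.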

---

### Why Choose Password Less Login?

* No passwords to remember or reset.
* OTP verification ensures true ownership of email.
* Rate limiting on OTP requests protects against brute-force attacks.
* Simple setup – works with the native WordPress login page.
* Modern and user-friendly design.
* Reduces “Forgot Password” support requests.

---

== Installation ==

**Automatic Installation**

1. Go to your WordPress dashboard → **Plugins → Add New**.
2. Search for **Password Less Login**.
3. Click **Install Now** and then **Activate**.

**Manual Installation**

1. Download the plugin from WordPress.org.
2. Upload the `password-less-login` folder to `/wp-content/plugins/`.
3. Activate the plugin through the **Plugins** menu.

---

== Usage ==

1. Go to your WordPress login page.
2. Enter your email address and click “Send OTP”.
3. Check your email for the OTP.
4. Enter the OTP in the login form:
   - If your account exists, you’ll be logged in.
   - If not, you’ll be prompted to provide a username before registration and login.
5. You’ll be redirected to your dashboard after successful verification.

---

== Frequently Asked Questions ==

**Q: Does this plugin log in users automatically when they submit their email?**  
A: No. Users are only logged in **after successful OTP verification**. Email submission only sends the OTP.

**Q: What is OTP?**  
A: OTP (One-Time Password) is a 6-digit temporary code valid for 10 minutes.

**Q: How many times can a user request OTP?**  
A: Users can request up to 5 OTPs every 15 minutes per email to prevent abuse.

**Q: Is the OTP stored securely?**  
A: Yes. OTPs are stored temporarily and securely using hashed transient keys.

**Q: Can I customize the OTP email message?**  
A: Yes, you can modify the email template on the plugin settings page.

---

== Screenshots ==

1. Login screen with email input.
2. OTP verification form for existing users.
3. Registration form (email, username, OTP) for new users.
4. Admin settings page for customizing OTP email templates.

---

== Changelog ==

= 1.0.1 =
* Added OTP verification for both existing and new users.
* Added nonce verification for REST API requests.
* Added rate limiting (5 OTP requests per 15 minutes).
* Enhanced email and OTP sanitization.
* Improved overall security and error handling.

= 1.0.0 =
* Initial release with passwordless email login, OTP verification, and auto-registration.

---

== Upgrade Notice ==

= 1.0.1 =
Critical security update — existing users now require OTP verification before login.  
Please update immediately for improved protection and reliability.

---

== License ==
This plugin is released under the GPL license. You are free to use and modify it.

For support, contact: [sadekur0rahman@gmail.com](mailto:sadekur0rahman@gmail.com)
