Features
Google Social Login
Let users sign in with their Google account via OAuth 2.0.
LoginPlus implements the OAuth 2.0 Authorization Code flow. The token exchange happens server-side — user credentials and tokens never pass through the browser.
Setup
- Go to Google Cloud Console and create a new project (or select an existing one).
- Navigate to APIs & Services → OAuth consent screen. Set the app type to External and fill in the required fields.
- Go to APIs & Services → Credentials → Create Credentials → OAuth client ID.
- Choose Web application. Under Authorized redirect URIs, add your callback URL (shown in LoginPlus Settings).
- Copy the Client ID and Client Secret.
- In WordPress, go to LoginPlus → Settings → Google Social Login. Paste the Client ID and Client Secret, then save.
Callback URL
The callback URL shown in LoginPlus Settings is the URL you must add to Google Cloud Console. It follows the format:
https://your-site.com/?lp_oauth=google
Account matching
When a user signs in with Google, LoginPlus resolves their account using this priority order. Google Login never creates a new WordPress account — it only signs in to an existing one:
| Condition | Action |
|---|---|
Google ID already stored in user meta (_lp_google_id) | Log in immediately |
| Email matches an existing WP user, Google ID not yet stored | Link the Google account to that user and log in |
| No matching WP user found | Login is rejected. Google Login cannot be used to register a new account — the person must already have (or be given) a WordPress account with a matching email. |
Google must also report the email as verified (email_verified) — if the person’s Google account has an unverified email, login is rejected even if a matching WordPress account exists.
If the matched account has Two-Factor Authentication enabled, signing in with Google does not bypass it — the user is still sent through the normal 2FA challenge before the login completes.
Security notes
- CSRF protection: a random, single-use state token is generated per login attempt and verified on the callback before anything else happens.
- The Client Secret is stored encrypted (AES-256-CBC) in the database — it is never stored in plaintext. This requires the
opensslPHP extension; see the Requirements doc. - Token exchange is server-to-server only; the access token is discarded after fetching the user profile.