Configuration Reference

All available options and their wp_options keys.

All LoginPlus options are stored in the WordPress Options table. You can read or update them with get_option() / update_option().

Option keyTypeDefaultDescription
lp_brute_force_enabledbool (0/1)1Enable brute force lockout
lp_max_attemptsint5Failed attempts before lockout
lp_lockout_durationint (seconds)900Lockout window length
lp_allowlist_ipsstring“”Newline-separated IPs (IPv4 or IPv6) exempt from lockout
lp_logging_enabledbool (0/1)1Enable activity logging
lp_log_retention_daysint (days)90Log entries older than this are auto-deleted daily
lp_hash_ip_addressesbool (0/1)0Store IPs as SHA-256 hashes instead of plain text
lp_2fa_enabledbool (0/1)0Enable TOTP 2FA globally
lp_2fa_required_adminsbool (0/1)0Force 2FA for administrators
lp_google_login_enabledbool (0/1)0Enable Google OAuth button
lp_google_client_idstring“”Google OAuth client ID
lp_google_client_secretstring“”Encrypted Google client secret
lp_email_alerts_enabledbool (0/1)1Send email on suspicious logins and lockouts, to the site’s Admin Email

Note: lp_google_client_secret is stored AES-256-CBC encrypted — but only when the openssl PHP extension is available; otherwise it’s stored base64-encoded, not encrypted. Do not set it directly with update_option() — use the LoginPlus Settings page, which handles the encryption before saving.

There’s no separate “alert email” option — email alerts always go to whatever address is set as the site’s Admin Email under Settings → General.

Internal-only options

These two are used internally and are not registered with the WordPress Settings API — treat them as read-only:

Option keyPurpose
lp_wizard_completeSet to 1 once the Setup Wizard has been saved or skipped, so it won’t show again
lp_db_versionTracks the activity-log table’s schema version for future upgrades