Rishav AuthNova OTP WordPress Plugin - Rating, Reviews, Demo & Download
Plugin Description
Rishav AuthNova OTP adds a one-time-password verification layer to core WordPress authentication flows.
Features include:
- Configurable OTP length and charset (numeric or alphanumeric)
- OTP expiry and retry limits with temporary lockouts
- Login OTP verification step (after password check)
- OTP-gated registration flow
- OTP-gated password reset flow
- Delivery via wp_mail, SendGrid, and Twilio
- OTP storage using hashes (never plaintext)
- Resend OTP with cooldown and challenge rotation
Security highlights:
- OTP values are hashed before storage and are never saved as plaintext
- OTP hashes use keyed HMAC storage and constant-time verification
- OTP challenges expire automatically and enforce retry limits per challenge
- Request throttling applies cooldown and exponential backoff per IP and identifier
- Lockout windows reduce repeated invalid OTP submissions
- Nonces are applied on sensitive form submissions
- Public auth responses are intentionally generic to reduce account-enumeration leakage
- Delivery uses synchronous-first send with bounded async retry fallback and challenge-level delivery status tracking
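As an added illustration, not code from the plugin, the following PHP shows how the keyed-HMAC storage, expiry, per-challenge retry limit and constant-time verification listed above fit together in one challenge object. The class name, the in-memory state and the source of the server key are assumptions.

```php
<?php
// Added example, not the plugin's own code. Each challenge stores only an
// HMAC of the OTP, bound to the challenge ID and keyed with a server secret.
final class OtpChallenge
{
    private string $hmac;        // HMAC-SHA256 of the OTP; the OTP is never stored
    private int $expiresAt;
    private int $attempts = 0;

    public function __construct(
        private string $id,
        string $otp,
        string $serverKey,
        int $ttlSeconds,
        private int $maxAttempts
    ) {
        // Keying with a server secret means a leaked row of hashes cannot be
        // brute-forced offline over the small OTP space.
        $this->hmac = hash_hmac('sha256', $this->id . ':' . $otp, $serverKey);
        $this->expiresAt = time() + $ttlSeconds;
    }

    public static function generateOtp(int $length): string
    {
        $otp = '';
        for ($i = 0; $i < $length; $i++) {
            $otp .= (string) random_int(0, 9);   // CSPRNG-backed digit
        }
        return $otp;
    }

    /** Returns 'ok', 'expired', 'locked' or 'invalid'; the caller shows a generic message. */
    public function verify(string $candidate, string $serverKey, int $now): string
    {
        if ($now > $this->expiresAt) {
            return 'expired';
        }
        if ($this->attempts >= $this->maxAttempts) {
            return 'locked';             // retry limit reached for this challenge
        }
        $this->attempts++;
        $expected = hash_hmac('sha256', $this->id . ':' . $candidate, $serverKey);
        // hash_equals compares in constant time, so timing cannot leak a matching prefix.
        if (hash_equals($this->hmac, $expected)) {
            $this->expiresAt = 0;        // single use: consume the challenge on success
            return 'ok';
        }
        return 'invalid';
    }
}

$key = 'server-secret';                  // assumption: the plugin would derive this from WordPress salts
$otp = OtpChallenge::generateOtp(6);
$challenge = new OtpChallenge('chal-123', $otp, $key, 300, 3);
var_dump($challenge->verify('000000', $key, time()));   // "invalid"
var_dump($challenge->verify($otp, $key, time()));       // "ok"
```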
Security limitations:
- This plugin does not replace passwords, HTTPS, WAF/rate-limiting at the edge, or secure hosting controls
- OTP delivery depends on the configured email/SMS provider uptime and deliverability
- Administrators should combine this plugin with standard WordPress hardening and monitoring
Reliability notes:
- OTP delivery is attempted synchronously first to reduce silent failures
- If synchronous delivery fails and background delivery is healthy, the plugin schedules bounded retries
- If background delivery is unhealthy (for example when DISABLE_WP_CRON is set), fallback queueing is skipped and users receive a retry-safe error
- Resend cooldown state is server-authoritative and exposed through a status endpoint used by frontend countdown UX
- Background queue payload contains only challenge ID (no raw OTP or destination data)
External Services
This plugin can connect to third-party services to deliver OTP messages. These services are optional and only used if enabled in plugin settings.
Twilio (SMS Delivery)
- Service: Twilio Programmable Messaging API
- Purpose: Send OTP codes by SMS
- Data sent: destination phone number, sender phone number, OTP message text, account SID for authentication
- Credential handling: Twilio credentials are stored in WordPress options and used only when sending OTP messages
- When sent: when OTP delivery method includes SMS and an OTP is generated for login, registration, password reset, or resend
- Why sent: to deliver time-sensitive OTP codes to the user by SMS
- Terms of Service: https://www.twilio.com/legal/tos
- Privacy Policy: https://www.twilio.com/en-us/legal/privacy
SendGrid (Email Delivery)
- Service: SendGrid Mail Send API
- Purpose: Send OTP codes by email
- Data sent: recipient email address, sender email/name, message subject, OTP message body, API key for authentication
- Credential handling: SendGrid API key is stored in WordPress options and used only when sending OTP messages
- When sent: when email provider is set to SendGrid and an OTP is generated for login, registration, password reset, or resend
- Why sent: to deliver time-sensitive OTP codes to the user by email
- Terms of Service: https://sendgrid.com/policies/terms/
- Privacy Policy: https://sendgrid.com/policies/privacy/
Configuration
- Set OTP length, type, expiry, retry limit, and lockout duration.
- Choose delivery method: Email, SMS, or Both.
- Configure provider credentials for SendGrid and/or Twilio if needed.
- Enable or disable OTP on login, registration, and password reset flows.
