Security Plugin Compatibility
OneTap Login is designed to work alongside WordPress security plugins. This guide covers compatibility, configuration, and troubleshooting for popular security solutions.
Overview
Common Security Features
Security plugins may affect OneTap Login through:
- Firewall rules - Blocking Google API requests
- Login protection - Rate limiting, CAPTCHAs
- Two-factor authentication - Additional verification
- Brute force protection - IP blocking
- File integrity - Monitoring plugin files
General Compatibility
OneTap Login is compatible with most security plugins when properly configured.
Wordfence Security
Status: ✅ Compatible
Configuration
Firewall Settings
Ensure these are not blocking Google:
- Go to Wordfence > Firewall
- Check "Allowed IPs" if using strict mode
- Whitelist Google OAuth endpoints (usually automatic)
Login Security
For Wordfence Login Security:
- 2FA integration supported (see 2FA Plugins)
- reCAPTCHA may conflict - see below
reCAPTCHA Conflict
If Wordfence reCAPTCHA is enabled:
- Google button still works
- But may show CAPTCHA after Google auth
- Consider disabling reCAPTCHA for logged-in users
Recommendation: disable reCAPTCHA for the Google sign-in flow:

```php
add_filter('wordfence_ls_require_captcha', function ($require, $action) {
    // Skip the CAPTCHA only for the Google OAuth callback, which carries both
    // the authorization "code" and the anti-CSRF "state" query parameter.
    if (isset($_GET['code']) && isset($_GET['state'])) {
        return false;
    }
    // Every other login action keeps Wordfence's normal CAPTCHA decision.
    return $require;
}, 10, 2);
```
Troubleshooting
Issue: "Access Denied" during Google callback
Solution:
- Temporarily disable Wordfence firewall
- Test Google sign-in
- If it works, add the callback URL to the whitelist
- Re-enable firewall
Solid Security (iThemes Security)
Status: ✅ Compatible
Configuration
File Change Detection
OneTap Login files may trigger alerts:
- Go to Security > Settings > File Change Detection
- Add to exclusion list:
wp-content/plugins/onetap-login-for-woocommerce/
Login Lockout
Solid Security's lockout features work alongside OneTap Login:
- IP lockout still functions
- Google sign-in submits no password, so it adds nothing to the password-attempt count
- A failed Google authentication does not count against the lockout threshold
2FA Integration
Solid Security 2FA supported - see 2FA Plugins.
Troubleshooting
Issue: Locked out after Google sign-in attempts
Solution: Check whether the IP was blocked for another reason; Google sign-in should not trigger a lockout.
Sucuri Security
Status: ✅ Compatible
Configuration
Firewall (Sucuri WAF)
If using Sucuri's cloud WAF:
- Log in to the Sucuri dashboard
- Go to Firewall > Settings
- Ensure Google's OAuth endpoints aren't blocked
Hardening
Most hardening options are compatible:
- Disable file editing: Compatible
- Block PHP in uploads: Compatible
- Security keys: Compatible
Troubleshooting
Issue: 403 Forbidden on OAuth callback
Solution: Add callback URL to Sucuri WAF whitelist.
All In One WP Security
Status: ✅ Compatible
Configuration
Login Lockdown
Settings to check:
- Go to WP Security > User Login
- Google sign-in works alongside lockdown
- Failed Google attempts don't count
Firewall
The basic firewall is compatible:
- 6G/7G rules work
- Custom rules may need adjustment
Brute Force
Compatible. Google sign-in does not trigger brute force protection because no password is submitted.
Shield Security
Status: ✅ Compatible
Configuration
Bot Protection
Bot detection may need adjustment:
- Go to Shield > Bot Detection
- If Google sign-in is being blocked as a bot, add an exception for the OAuth callback
Login Guard
Works alongside Shield's login protection.
Defender Pro (WPMU DEV)
Status: ✅ Compatible (with configuration)
Important Configuration
Defender Pro's firewall may block the Google OAuth callback. Here is how to fix it:
Allowlist REST API
- Go to Defender > Firewall > IP Lockout
- Click Allowlist
- Add your site's callback URL pattern:
/wp-json/onetap/v1/callback

Configure User Agent
If blocking by user agent:
- Go to Defender > Firewall > User Agent Banning
- Ensure "Googlebot" is not blocked (shouldn't be by default)
- Check custom rules don't block Google
2FA Compatibility
Defender 2FA is supported - see 2FA Plugins.
Recommended Settings
| Feature | Setting | Notes |
|---|---|---|
| IP Lockout | Enabled | Add callback to allowlist |
| 404 Detection | Enabled | Won't affect OAuth |
| User Agent Banning | Default | Don't block Google |
| Geolocation | Careful | May block Google servers |
Troubleshooting
Issue: 403/401 error on Google callback
Steps:
- Go to Defender > Firewall > Logs
- Search for your IP or "onetap"
- If blocked, add to allowlist
- Test again
Issue: Lockout after testing
Steps:
- Go to Defender > Firewall > IP Lockout
- Find your IP in blocked list
- Remove from blocklist
- Add to allowlist if needed
Cloudflare
Status: ✅ Compatible (with configuration)
Cloudflare is not a plugin, but many sites sit behind it. Common issues and fixes:
WAF Rules
If using Cloudflare WAF:
- Log in to the Cloudflare dashboard
- Go to Security > WAF
- Check for blocked requests from Google
- Create exception rule if needed
Challenge Pages
Cloudflare challenges may interfere:
- Create Page Rule for callback URL
- Set Security Level to "Essentially Off" for:
yourdomain.com/wp-json/onetap/*
Bot Fight Mode
May block legitimate Google auth:
- Monitor for false positives
- Create exception if needed
CSRF Token Issues
Cloudflare can cause CSRF token mismatches:
- Go to Caching > Configuration
- Exclude from caching:
/wp-json/onetap/*
/wp-admin/admin-ajax.php
See Cloudflare Troubleshooting for detailed guide.
NinjaFirewall
Status: ⚠️ Compatible with configuration
Configuration
NinjaFirewall may block OAuth callbacks:
- Go to NinjaFirewall > Firewall Policies
- Check POST/GET restrictions
- Whitelist callback endpoint
Add to Whitelist
```php
// In NinjaFirewall rules (as given on this page)
$nfw_rules['callback_whitelist'][] = '/wp-json/onetap/v1/callback';
```
BulletProof Security
Status: ⚠️ Compatible with configuration
Configuration
May need .htaccess adjustments:
- Go to BPS > htaccess
- Ensure the REST API is not blocked
- Check custom rules
General Security Plugin Guidelines
What Security Plugins Should NOT Block
| Endpoint | Purpose |
|---|---|
| /wp-json/onetap/v1/callback | OAuth callback |
| accounts.google.com | Google authentication |
| oauth2.googleapis.com | Token verification |
| www.googleapis.com | API requests |
Testing After Security Plugin Install
- Install/configure security plugin
- Test Google sign-in on My Account
- Check for errors
- Review security plugin logs
- Adjust rules if blocked
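As an added diagnostic (not part of OneTap Login or of any security plugin), the following WordPress snippet runs the checks above from the server: it verifies that the web server can reach Google's OAuth hosts and whether the callback route answers with a firewall-style 401/403 or actually reaches WordPress. The function name and the dummy `code`/`state` query values are assumptions; run it from a must-use plugin or with `wp eval-file`.

```php
<?php
// Added diagnostic, not OneTap Login's own code. Must run inside WordPress
// (mu-plugin or `wp eval-file`) because it uses the WP HTTP API.

function onetap_demo_check_endpoints(string $site_url): array {
    $results = [];
    $args    = ['timeout' => 10, 'redirection' => 0];

    // Outbound: the web server itself must reach Google's OAuth hosts.
    // A WP_Error here points at DNS, TLS or an egress firewall, not at Google.
    foreach (['https://accounts.google.com/', 'https://oauth2.googleapis.com/', 'https://www.googleapis.com/'] as $url) {
        $resp = wp_remote_head($url, $args);
        $results[$url] = is_wp_error($resp)
            ? 'ERROR: ' . $resp->get_error_message()
            : 'HTTP ' . wp_remote_retrieve_response_code($resp);
    }

    // Inbound: probe the callback route with constructed dummy parameters.
    $callback = rtrim($site_url, '/') . '/wp-json/onetap/v1/callback?code=probe&state=probe';
    $resp     = wp_remote_get($callback, $args);
    if (is_wp_error($resp)) {
        $results[$callback] = 'ERROR: ' . $resp->get_error_message();
        return $results;
    }
    $code = wp_remote_retrieve_response_code($resp);
    $body = json_decode(wp_remote_retrieve_body($resp), true);
    // The WordPress REST API reports errors as a JSON envelope with a "code"
    // key. A 401/403 without that envelope was produced by something else
    // (WAF, .htaccess rule, or a security plugin's firewall), which is what
    // the steps above are meant to catch.
    if (in_array($code, [401, 403], true) && !(is_array($body) && isset($body['code']))) {
        $results[$callback] = "BLOCKED outside the REST API (HTTP $code)";
    } elseif ($code === 404 && is_array($body) && ($body['code'] ?? '') === 'rest_no_route') {
        $results[$callback] = 'Route not registered: is OneTap Login active?';
    } else {
        $results[$callback] = "Reached WordPress (HTTP $code)";
    }
    return $results;
}

// Usage: log one line per endpoint to debug.log (see Debug Mode).
foreach (onetap_demo_check_endpoints(home_url()) as $endpoint => $status) {
    error_log("[onetap-check] $endpoint => $status");
}
```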
Debug Mode
Enable WordPress debug logging:
```php
// wp-config.php
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
```
Check /wp-content/debug.log for issues.
Rate Limiting
OneTap's Built-in Rate Limiting
OneTap Login has its own rate limiting:
- 10 requests per 5 minutes per IP
- Prevents abuse
- Works alongside plugin rate limiting
Interaction with Security Plugins
Most security plugins' rate limiting is compatible:
- Password attempts: Not triggered by Google sign-in
- Login attempts: May count OAuth callbacks
- API requests: May need adjustment
IP Blocking Considerations
Proxy/CDN Considerations
If using:
- Cloudflare
- Sucuri WAF
- Other CDN/proxy
Ensure the security plugin sees the real visitor IP, not the CDN's address. Most plugins detect common proxies automatically, but verify it: the security logs should show visitor addresses, not CDN addresses.
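As an added illustration (not OneTap Login's own rate limiter and not any plugin's IP detection), this WordPress snippet ties the two points above together: it accepts the proxy-asserted client IP only when the connecting address belongs to a trusted CDN range, and then applies the 10-requests-per-5-minutes limit quoted above, keyed on that IP, using transients. The trusted ranges, the function names and the IPv4-only CIDR check are constructed for the example; substitute your CDN's published ranges.

```php
<?php
// Added illustration, not OneTap Login's code. Runs inside WordPress
// (transients). Trust the CDN's client-IP header only when the TCP peer is a
// proxy we know; from any other source the header is untrusted input, and a
// spoofed value would let every request claim a different address, which
// defeats per-IP limits and blocks.

// Constructed placeholder ranges: replace with your CDN/WAF's published list.
const ONETAP_DEMO_TRUSTED_PROXIES = ['203.0.113.0/24', '198.51.100.0/24'];

function onetap_demo_ipv4_in_cidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($subnet);
    if ($ipLong === false || $netLong === false) {
        return false;  // not IPv4 (IPv6 ranges are out of scope here)
    }
    $mask = $bits === '0' ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function onetap_demo_client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach (ONETAP_DEMO_TRUSTED_PROXIES as $cidr) {
        if (onetap_demo_ipv4_in_cidr($peer, $cidr)) {
            $asserted = $server['HTTP_CF_CONNECTING_IP'] ?? '';  // Cloudflare's header
            if (filter_var($asserted, FILTER_VALIDATE_IP) !== false) {
                return $asserted;
            }
        }
    }
    return $peer;  // untrusted source: use the socket address, never the header
}

// Fixed window: 10 requests per 300 seconds per IP, the numbers quoted above.
function onetap_demo_rate_limited(string $ip, int $limit = 10, int $window = 300): bool {
    $key    = 'onetap_demo_rl_' . md5($ip);
    $bucket = get_transient($key);
    if (!is_array($bucket) || $bucket['start'] + $window <= time()) {
        $bucket = ['count' => 0, 'start' => time()];  // window expired: reset
    }
    if ($bucket['count'] >= $limit) {
        return true;  // caller should answer 429 and log the IP
    }
    $bucket['count']++;
    set_transient($key, $bucket, $window);
    return false;
}
```

Call `onetap_demo_rate_limited(onetap_demo_client_ip($_SERVER))` at the top of the callback handler and return a 429 when it is true.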
Google IP Ranges
Don't block Google's IP ranges:
- Google uses many IPs
- Blocking can break OAuth
- Let Google handle their security
CAPTCHA Conflicts
Common Issue
Security plugins that add a CAPTCHA to the login form:
- May show it after Google authentication
- Unnecessary for OAuth users
- Creates friction
Solutions
- Disable CAPTCHA for OAuth flow
- Use plugin settings to exclude
- Custom code to bypass
```php
// Example: skip a plugin's CAPTCHA option for Google callbacks.
// "recaptcha_enabled" stands in for whatever option name your CAPTCHA plugin uses;
// WordPress's option_{$option} filter lets you override its value per request.
add_filter('option_recaptcha_enabled', function ($enabled) {
    // Only the OneTap callback request (has ?code= and "onetap" in the path) is exempted.
    if (isset($_GET['code']) && strpos($_SERVER['REQUEST_URI'], 'onetap') !== false) {
        return false;
    }
    return $enabled;
});
```
File Integrity Monitoring
What to Expect
Security plugins may flag:
- OneTap Login plugin files (legitimate)
- Cached Google scripts (legitimate)
- Temporary files (legitimate)
Configuration
Add to exclusion/whitelist:
wp-content/plugins/onetap-login-for-woocommerce/
Best Practices
Do's
- Test Google sign-in after security plugin changes
- Whitelist OAuth callback endpoints
- Monitor security logs for false positives
- Keep security plugins updated
- Document custom rules
Don'ts
- Don't block Google IPs
- Don't add aggressive rules without testing
- Don't disable security features entirely
- Don't ignore blocked request logs
Getting Help
If security plugin blocks OneTap Login:
- Check logs: Security plugin logs show what's blocked
- Test without: Temporarily disable security plugin
- Contact support: Provide security plugin name and version
- Document: Note which rule caused the block
Next Steps
- 2FA Plugins - Two-factor authentication
- Cloudflare Troubleshooting - Cloudflare-specific issues
- Rate Limiting - OneTap's rate limiting