Email OTP Setup Guide
Set up one-time password login via email for passwordless authentication on your WordPress site.
Email OTP (one-time password) lets users log in or sign up with a short numeric code sent to their inbox. Instead of typing a password, they:
- Enter their email address on your login/checkout/comment form
- Receive a one-time code by email
- Enter the code to finish logging in
You control code length, expiry, throttling, and whether new accounts can be created with OTP.
Requirements
Before enabling Email OTP:
- VentraConnect Social Login Pro add-on is installed and activated
- Outgoing email works on your site (WordPress can send emails reliably)
- You've set up at least one login surface where OTP will appear:
  - WordPress login / register forms, and/or
  - WooCommerce login / checkout, and/or
  - Membership / LMS login forms, and/or
  - Comments (if you've enabled comment login integration)
Tip: If normal WordPress emails (lost password, new user, etc.) aren't being delivered, fix that first (SMTP plugin or transactional email service) before rolling out OTP.
Enabling Email OTP Login
- In the WordPress admin, go to VentraConnect → Login methods.
- In the left sidebar list, click OTP (Email).
- In the Settings panel, toggle Active to On.
- Click Save Changes at the bottom of the screen.
Once active, Email OTP will appear anywhere you've enabled passwordless / method buttons (login forms, WooCommerce, comments, etc.) according to your placement settings.
Code Length, Expiry, and Throttling
Still on the OTP (Email) settings page:
Code length:
- 4–5 digits - Faster to type on mobile, but easier to guess
- 6 digits - Good balance for most sites
- 7–8 digits - Stronger, but slightly more friction
Expiry:
- 5–10 minutes - Good default for most sites
- 2–3 minutes - More aggressive security, but more chance of timeouts
- 15+ minutes - Only if you know your email delivery is very slow
Throttling:
- Resend throttle: 30–60 seconds stops spammy clicks
- Max attempts: 3–5 attempts per code is a good starting point
Recommendation: Use a 6-digit code, a 10-minute expiry, a 60-second resend throttle, and 5 max attempts.
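To see how these four settings work together, here is an added Python model of an OTP policy (not VentraConnect's code; the class, method, and result names are hypothetical). It uses the recommended values above and enforces the resend throttle, expiry, attempt limit, and single use, and `guess_probability` shows why shorter codes are easier to guess.

```python
import hashlib
import hmac
import secrets

# Recommended values from this guide. All names below are hypothetical.
DIGITS, EXPIRY_S, RESEND_S, MAX_ATTEMPTS = 6, 600, 60, 5
KEY = secrets.token_bytes(32)  # server-side secret so stored codes are not plain


class OtpPolicy:
    """In-memory model: one active code per email address."""

    def __init__(self):
        self.slots = {}  # email -> {"mac", "issued", "attempts"}

    @staticmethod
    def _mac(code):
        return hmac.new(KEY, code.encode(), hashlib.sha256).digest()

    def issue(self, email, now):
        slot = self.slots.get(email)
        if slot and now - slot["issued"] < RESEND_S:
            return None  # resend throttle: too soon after the last send
        # CSPRNG, zero-padded so every code has exactly DIGITS digits
        code = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
        self.slots[email] = {"mac": self._mac(code), "issued": now, "attempts": 0}
        return code

    def verify(self, email, code, now):
        slot = self.slots.get(email)
        if slot is None:
            return "no_code"  # never issued, or already used
        if now - slot["issued"] > EXPIRY_S:
            del self.slots[email]
            return "expired"
        if slot["attempts"] >= MAX_ATTEMPTS:
            return "locked"  # even the right code is refused now
        slot["attempts"] += 1
        if hmac.compare_digest(slot["mac"], self._mac(code)):
            del self.slots[email]  # single use
            return "ok"
        return "wrong"


def guess_probability(digits=DIGITS, attempts=MAX_ATTEMPTS):
    """Chance that blind guessing hits one code before the attempt limit."""
    return attempts / 10 ** digits
```

With the recommended settings, blind guessing succeeds against a single code with probability 5 in 1,000,000; with 4 digits and the same attempt limit it is 5 in 10,000.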
Registration Mode: Who Can Use OTP?
Email OTP can either allow new account creation, or only allow existing users to log in.
On the OTP (Email) settings page, find Registration mode:
Choose the option that matches your account policy. This is one of your key guardrails for user creation.
Redirect Behaviour (Where Users Land After OTP)
OTP can use the same redirect rules as your other login methods.
On the OTP settings page, find the Redirect override section. Options typically include:
- Return to previous page (default) - Best for comments and blog logins
- Go to site homepage - Useful for very simple sites
- Go to account / dashboard page - Ideal for WooCommerce / membership dashboards
- Custom URL - Send everyone to a specific URL
Recommendation: For blogs / content sites, "Return to previous page" is best. For stores / membership / LMS, use "Account / dashboard page" or a custom dashboard URL.
Customizing the OTP Email
You can tailor the OTP email so it matches your brand and explains clearly what to do.
On the OTP settings page, look for Email sender and Email template fields:
- {otp_code} - The user's one-time code
- {expires_in} - How many minutes until the code expires
- {user_email} - The email address the code was sent to
- {site_name} - Your site's name
Subject:
Your login code for {site_name}
Body:
Hi,
Here is your one-time login code for {site_name}:
{otp_code}
This code will expire in {expires_in} minutes. If you did not request this code, you can safely ignore this email.
Thanks,
{site_name}
Keep it plain text or simple HTML - This reduces spam filtering problems and makes it easy to read on mobile.
Preview & Test
Before rolling OTP out to real users, test it end-to-end.
On the OTP settings page, look for Preview & test.
Testing checklist:
- Update the button label if needed (e.g. "Continue with Email OTP")
- Click the Send test button and enter an email address you control
- Make sure you receive the email promptly
- Check that the subject, body, and tags render correctly
- Go to your site's login form and perform a full flow
- Request a code and enter it correctly (verify successful login)
- Try an expired or reused code (verify you see an error)
If emails are slow or missing, fix deliverability first (SMTP / transactional service) before enabling OTP for users.
Where OTP Appears (Forms & Placements)
Email OTP reuses the same placement system as your other methods. If you've enabled passwordless control for a form, and OTP is active, users will see Social Login buttons, plus Magic Link, plus Email OTP.
Common places:
- WordPress wp-login.php - If Social/Passwordless is enabled there
- WooCommerce - Login, registration, checkout, and "My Account" screens
- Membership / LMS plugins - When their integration toggles are enabled
- Comments - If you've enabled "Login to comment" and allowed OTP
If OTP isn't showing where you expect:
- Confirm OTP is Active
- Confirm the relevant integration is enabled
- Check your passwordless modes and per-form rules
- Clear caches if you're using a caching plugin
Safety Notes & Best Practices
- Keep code length ≥ 6 and max attempts reasonable
- Don't set expiry longer than you need - shorter windows reduce risk if an email account is compromised
- If you disable OTP later, users will still be able to sign in via other enabled methods (Social, Magic Link, normal password)
- For high-value admin accounts, keep passwords and 2FA in place - treat OTP as an end-user convenience, not an admin-only method