Email OTP – short codes instead of passwords

Email OTP Setup Guide - VentraConnect Documentation

Email OTP (one-time password) lets users log in or sign up with a short numeric code sent to their inbox. Instead of typing a password, they:

  1. Enter their email address on your login/checkout/comment form
  2. Receive a one-time code by email
  3. Enter the code to finish logging in

You control code length, expiry, throttling, and whether new accounts can be created with OTP.

1. Requirements

Before enabling Email OTP:

  • VentraConnect Social Login Pro add-on is installed and activated
  • Outgoing email works on your site (WordPress can send emails reliably)
  • You've set up at least one login surface where OTP will appear:
    • WordPress login / register forms, and/or
    • WooCommerce login / checkout, and/or
    • Membership / LMS login forms, and/or
    • Comments (if you've enabled comment login integration)

Tip: If normal WordPress emails (lost password, new user, etc.) aren't being delivered, fix that first (SMTP plugin or transactional email service) before rolling out OTP.

2. Enabling Email OTP Login

In the WordPress admin, go to VentraConnect → Login methods.

  1. In the left sidebar list, click OTP (Email).
  2. In the Settings panel, toggle Active to On.
  3. Click Save Changes at the bottom of the screen.

Once active, Email OTP will appear anywhere you've enabled passwordless / method buttons (login forms, WooCommerce, comments, etc.) according to your placement settings.

3. Code Length, Expiry, and Throttling

Still on the OTP (Email) settings page:

Code length (4–8 digits)
Field: Code length (4–8)
Controls how many digits each OTP code contains.
Guidelines:
  • 4–5 digits - Faster to type on mobile, but easier to guess
  • 6 digits - Good balance for most sites
  • 7–8 digits - Stronger, but slightly more friction

Expiry (minutes)
Field: Expiry (minutes)
Controls how long a code stays valid after it's generated.
When the expiry time passes, the code is treated as expired and the user must request a new OTP.
Guidelines:
  • 5–10 minutes - Good default for most sites
  • 2–3 minutes - More aggressive security, but more chance of timeouts
  • 15+ minutes - Only if you know your email delivery is very slow

Resend throttling & attempt limits
Fields: Resend throttle (sec), Max attempts
Resend throttle - How many seconds to wait before the same user can request another code.
Max attempts - Maximum number of times a code can be tried before it's locked.
Guidelines:
  • Resend throttle: 30–60 seconds stops spammy clicks
  • Max attempts: 3–5 attempts per code is a good starting point

Recommendations: Use a 6-digit code length, a 10-minute expiry, a 60-second resend throttle, and 5 max attempts.
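
To show how these four settings interact, here is a small Python model of issuing and checking a code. It is an added illustration, not VentraConnect's own code; the class name, the return strings, and the salted-hash storage are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class EmailOtp:
    """Illustrative model of code length, expiry, resend throttle, max attempts."""

    def __init__(self, length=6, expiry_min=10, throttle_sec=60,
                 max_attempts=5, clock=time.time):
        if not 4 <= length <= 8:
            raise ValueError("code length must be 4-8 digits")
        self.length, self.expiry = length, expiry_min * 60
        self.throttle, self.max_attempts = throttle_sec, max_attempts
        self.clock = clock      # injectable so expiry can be tested offline
        self.pending = {}       # email -> record for the single active code

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def request(self, email):
        now, rec = self.clock(), self.pending.get(email)
        if rec and now - rec["issued"] < self.throttle:
            return None         # resend throttle: too soon for another code
        # CSPRNG, zero-padded so every code has exactly `length` digits
        code = f"{secrets.randbelow(10 ** self.length):0{self.length}d}"
        salt = secrets.token_bytes(16)
        self.pending[email] = {"issued": now, "salt": salt, "tries": 0,
                               "hash": self._digest(salt, code)}
        return code             # a real site emails this, never returns it

    def verify(self, email, code):
        rec = self.pending.get(email)
        if rec is None:
            return "no_code"    # never requested, or already used
        if self.clock() - rec["issued"] > self.expiry:
            del self.pending[email]
            return "expired"
        if rec["tries"] >= self.max_attempts:
            return "locked"     # even the right code is refused now
        rec["tries"] += 1       # count the attempt before comparing
        if hmac.compare_digest(rec["hash"], self._digest(rec["salt"], code)):
            del self.pending[email]   # single use: a replay gets "no_code"
            return "ok"
        return "invalid"
```

In this model a new request replaces the pending code, so only the most recently emailed code can succeed.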

4. Registration Mode: Who Can Use OTP?

Email OTP can either allow new account creation, or only allow existing users to log in.

On the OTP (Email) settings page, find Registration mode:

Login & Register (default)
If the email address does not match an existing user, VentraConnect can create a new account. Good for stores and apps where you encourage quick sign-ups.

Login only (existing users)
If the email doesn't already exist as a user, the login will fail. Use this on sites where registration is controlled elsewhere (e.g. closed membership sites).

Choose the option that matches your account policy. This is one of your key guardrails for user creation.

5. Redirect Behaviour (Where Users Land After OTP)

OTP can use the same redirect rules as your other login methods.

On the OTP settings page, find the Redirect override section. Options typically include:

  • Return to previous page (default) - Best for comments and blog logins
  • Go to site homepage - Useful for very simple sites
  • Go to account / dashboard page - Ideal for WooCommerce / membership dashboards
  • Custom URL - Send everyone to a specific URL

Recommendation: For blogs / content sites, "Return to previous page" is best. For stores / membership / LMS, use "Account / dashboard page" or a custom dashboard URL.

6. Customizing the OTP Email

You can tailor the OTP email so it matches your brand and explains clearly what to do.

On the OTP settings page, look for Email sender and Email template fields:

Email sender
Overrides the "From" name for OTP emails (e.g. "Your Store Login"). If left empty, WordPress's default sender is used.

Email subject
Short, clear subject line such as: "Your login code for {site_name}"

Email body
Supports simple tags:
  • {otp_code} - The user's one-time code
  • {expires_in} - How many minutes until the code expires
  • {user_email} - The email address the code was sent to
  • {site_name} - Your site's name

Suggested starting template:

Subject:
Your login code for {site_name}

Body:
Hi,

Here is your one-time login code for {site_name}:

{otp_code}

This code will expire in {expires_in} minutes. If you did not request this code, you can safely ignore this email.

Thanks,
{site_name}

Keep it plain text or simple HTML - This reduces spam filtering problems and makes it easy to read on mobile.

7. Preview & Test

Before rolling OTP out to real users, test it end-to-end.

On the OTP settings page, look for Preview & test.

Testing checklist:

  • Update the button label if needed (e.g. "Continue with Email OTP")
  • Click the Send test button and enter an email address you control
  • Make sure you receive the email promptly
  • Check that the subject, body, and tags render correctly
  • Go to your site's login form and perform a full flow
  • Request a code and enter it correctly (verify successful login)
  • Try an expired or reused code (verify you see an error)

If emails are slow or missing, fix deliverability first (SMTP / transactional service) before enabling OTP for users.

8. Where OTP Appears (Forms & Placements)

Email OTP reuses the same placement system as your other methods. If you've enabled passwordless control for a form, and OTP is active, users will see Social Login buttons, plus Magic Link, plus Email OTP.

Common places:

  • WordPress wp-login.php - If Social/Passwordless is enabled there
  • WooCommerce - Login, registration, checkout, and "My Account" screens
  • Membership / LMS plugins - When their integration toggles are enabled
  • Comments - If you've enabled "Login to comment" and allowed OTP

If OTP isn't showing where you expect:

  • Confirm OTP is Active
  • Confirm the relevant integration is enabled
  • Check your passwordless modes and per-form rules
  • Clear caches if you're using a caching plugin

9. Safety Notes & Best Practices

  • Keep code length ≥ 6 and max attempts reasonable
  • Don't set expiry longer than you need - shorter windows reduce risk if an email account is compromised
  • If you disable OTP later, users will still be able to sign in via other enabled methods (Social, Magic Link, normal password)
  • For high-value admin accounts, keep passwords and 2FA in place - treat OTP as an end-user convenience, not an admin-only method
