Wapu Auth – Google Social Login for WordPress & WooCommerce

by Victor Flores

Description

Wapu Auth is a free Google Social Login plugin for WordPress and WooCommerce. Let your visitors register and sign in using their Google account — no passwords, no forms, no friction.

Whether you run a WooCommerce store, a membership site, or any WordPress site, Wapu Auth makes authentication instant, secure, and completely free — including WooCommerce integration.

Wapu Auth Pro is coming soon with additional social login providers, advanced analytics exports, and priority support.

Free WooCommerce Social Login — No Pro Upgrade Required

Most social login plugins lock WooCommerce compatibility behind a paid plan. Wapu Auth includes free WooCommerce social login out of the box. The Google login button is automatically placed on your WooCommerce login page, registration page, and checkout form — zero configuration needed.

Store owners: let customers register and sign in at checkout with their Google account. Fewer abandoned carts. More completed purchases.

Features

Google Login — One Click
Let visitors register and sign in with their Google account instantly. No passwords, no forms, no friction. Fast and invisible.

Google One Tap
Show a non-intrusive sign-in prompt that authenticates users with a single click, without leaving the current page.

Magic Link — Passwordless Login
Let customers sign in with a secure one-click link sent to their email. No password required. Links expire automatically for security.

Two-Factor Authentication (Email OTP)
Add email verification codes to the sign-in flow. Enable globally for all users, require it for administrators only, or let customers opt in from their account page.

Active Sessions & Trusted Devices
Customers can see every device signed in to their account and revoke sessions remotely. Trusted devices skip 2FA automatically for smoother return visits.

Unified Security Tab (WooCommerce My Account)
Customers manage two-factor authentication, active sessions, trusted devices, and their Google connection from a single “Security” page in My Account.

Built-in SMTP Mailer
Send magic links and OTP codes reliably using a custom SMTP server configured directly in the plugin settings — no third-party plugin required.

Free WooCommerce Login Integration
Google login button automatically appears on all WooCommerce forms: login, register, and checkout. Free. No Pro plan required.

Smart Redirect Post-Login
After signing in on the cart or checkout page, customers return to that page — not to My Account.

Analytics Dashboard
Track every Google login attempt, new registration, and user activity from your WordPress admin panel.

Domain Restrictions
Whitelist or blacklist email domains for your Google social login. Only @yourcompany.com users can sign in? Done.

Sandbox Mode
Test the complete Google OAuth login flow with specific test emails before going live. No risk to production data.

Customizable Google Login Button
Match the login button to your brand. Adjust colors, text, size, and style with a live visual editor — no CSS required.

Popup Mode
Display the Google login prompt in a popup window for a seamless, redirect-free experience.

Activity Log
Full log of every login attempt: status, email, timestamp, and optional GeoIP location data.

Shortcode Support
Place the Google login button anywhere on your site:
[wapu_auth_button] — Google login button
[wapu_auth_login_form] — Full custom login form with Google login
[wapu_auth_register_form] — Full custom registration form with Google login

Custom Login & Registration Form Templates
Replace the default WordPress login and register pages with three built-in templates: Classic, Modern, and Compact. All include the Google login button.

Setup Wizard
Step-by-step guided setup walks you through creating Google OAuth credentials and configuring the plugin in under 5 minutes.

Full Internationalization
Fully translated into English and Spanish. Ready for community translation via translate.wordpress.org.

Who Uses Wapu Auth?

WooCommerce store owners looking to reduce cart abandonment by adding Google login to the checkout page — free, without a Pro plan.

Membership site owners who want fast, trusted social login and registration using Google accounts.

WordPress developers and agencies who need a clean, standards-compliant Google OAuth plugin for client sites.

Users switching from Nextend Social Login who need free WooCommerce social login integration without paying for a Pro addon.

How Google Social Login Works

  1. Visitor clicks the Google login button on your site
  2. Google authenticates the user via secure OAuth 2.0
  3. Wapu Auth creates or matches their WordPress account by email
  4. User is logged in — done. The whole process takes under 3 seconds.

Existing users who already have a WordPress account with the same Google email address are automatically matched and logged in — no duplicate accounts, no confusion.

Privacy & Compliance

Wapu Auth connects to Google’s OAuth API only when a user actively clicks the Google login button. GeoIP enrichment and Google Analytics integration are optional and disabled by default. Site owners are responsible for appropriate consent mechanisms for their jurisdiction (GDPR, CCPA, etc.).

Requirements

  • WordPress 6.0 or higher
  • PHP 8.0 or higher
  • SSL certificate (HTTPS) — required by Google OAuth
  • Free Google Cloud Console account — to generate OAuth credentials
  • WooCommerce 7.0 or higher (optional, for automatic WooCommerce social login integration)

Hooks & Filters

Wapu Auth exposes the following WordPress action and filter hooks so developers can extend the authentication flow without modifying plugin files.

Actions

  • wapu_auth_before_login — Fires right before a user is authenticated by Wapu Auth.
  • wapu_auth_user_authenticated — Fires after a WordPress user is logged in via Google. Passes $user (WP_User), $google_user (array), and $is_new_user (bool).
  • wapu_auth_user_created — Fires after a new WordPress user is created from a Google account. Passes $user_id, $email, and $google_id.
  • wapu_auth_google_account_unlinked — Fires when a user disconnects their Google account from My Account. Passes $user_id.
  • wapu_auth_analytics_event — Fires when an analytics event is recorded. Passes $event_type, $user_id, and $data.
  • wapu_auth_log — Fires on every plugin log entry. Passes $message, $level, and $context. Useful for routing logs to a custom handler.
  • wp_login — The standard WordPress action fires on every successful Google login so security and 2FA plugins receive Google logins uniformly.

Filters

  • wapu_auth_auth_params — Modify the query parameters sent to Google’s OAuth authorization endpoint (scope, prompt, hd, etc.).
  • wapu_auth_user_data — Modify the user data array returned by Google before Wapu Auth creates or matches an account.
  • wapu_auth_redirect_url — Override the URL users are redirected to after a successful login. Passes $url, $user, and $is_new_user.
  • wapu_auth_error_message — Customize the error message shown to the user when authentication fails. Passes $message and $code.
  • wapu_auth_button_html — Modify the rendered login button HTML. Passes $html, $args, and $settings.
  • wapu_auth_redirect_uri — Override the OAuth callback redirect URI registered with Google. Passes the current URI string.
  • wapu_auth_geoip_enabled — Enable or disable GeoIP lookup programmatically. Passes the current boolean value.
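
The hooks above can be combined into a small hardening mu-plugin. This is an added example, not code from Wapu Auth or its author. It assumes wapu_auth_auth_params passes an associative array keyed by OAuth parameter name, and uses example.com as a placeholder domain.

```php
<?php
/**
 * Added example (not part of Wapu Auth): hardening through the documented hooks.
 * Assumption: wapu_auth_auth_params passes an associative array keyed by
 * OAuth parameter name. WAPU_EXAMPLE_HD is a placeholder Workspace domain.
 */

defined( 'ABSPATH' ) || exit;

const WAPU_EXAMPLE_HD = 'example.com'; // placeholder, replace with your own domain

// 1. Ask Google to pre-select accounts from one hosted domain.
//    hd only narrows the account chooser and can be altered by the client,
//    so server-side enforcement stays with the Domain Restrictions setting.
add_filter( 'wapu_auth_auth_params', function ( $params ) {
    if ( is_array( $params ) ) {
        $params['hd'] = WAPU_EXAMPLE_HD;
    }
    return $params;
} );

// 2. Keep the post-login redirect on this site. Runs late (priority 99) so it
//    also checks URLs set by other callbacks on the same filter.
//    wp_validate_redirect() returns the fallback for hosts that are not allowed.
add_filter( 'wapu_auth_redirect_url', function ( $url, $user, $is_new_user ) {
    return wp_validate_redirect( (string) $url, home_url( '/' ) );
}, 99, 3 );

// 3. Write one audit line per Google login so new-account creation and
//    administrator sign-ins can be alerted on from the PHP error log.
add_action( 'wapu_auth_user_authenticated', function ( $user, $google_user, $is_new_user ) {
    if ( ! $user instanceof WP_User ) {
        return;
    }
    // Raw socket address; behind a reverse proxy this is the proxy's IP.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';
    error_log( sprintf(
        'wapu_auth_login user_id=%d new_account=%s admin=%s ip=%s',
        $user->ID,
        $is_new_user ? 'yes' : 'no',
        user_can( $user, 'manage_options' ) ? 'yes' : 'no',
        $ip
    ) );
}, 10, 3 );
```

Only the documented callback arguments are used; the keys inside $google_user are not listed on this page, so the example does not read them.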

External Services

This plugin connects to the following external services only under clearly documented conditions.

1. Google OAuth 2.0 / OpenID Connect (required for Google social login)

Endpoints:
* https://accounts.google.com/o/oauth2/v2/auth
* https://oauth2.googleapis.com/token
* https://www.googleapis.com/oauth2/v2/userinfo
* https://accounts.google.com/.well-known/openid-configuration (admin diagnostics only)

Data sent: Client ID, redirect URI, OAuth scope, state token, and authorization code. An access token is sent to retrieve the user’s Google profile.

Data received: Google account ID, email address, display name, profile picture URL, email verification status, and locale.

When triggered: Only when a user actively clicks the Google login button, or when an admin runs connection diagnostics from the settings page.

Google’s policies: Privacy Policy | Terms of Service

2. GeoIP Providers (optional — disabled by default)

Services: https://ipapi.co/ with https://ipwho.is/ as fallback.

Data sent: Visitor IP address for location lookup.

When triggered: Only when GeoIP enrichment is enabled in the plugin’s security settings.

Note: Enable only with appropriate legal basis and user consent where required (e.g. GDPR).

Policies: ipapi.co | ipwhois

3. Google Analytics 4 Event Bridge (optional — disabled by default)

Service: Uses the site’s existing gtag / GA4 setup, if present.

Data sent: Social login event names and metadata only (login_start, success/error status).

When triggered: Only when a GA4 Measurement ID is configured and analytics is enabled in plugin settings.

Note: Site owners are responsible for obtaining required user consent before enabling this feature.

4. Google Fonts (optional frontend asset)

Services: https://fonts.googleapis.com | https://fonts.gstatic.com

Data sent: Standard browser request headers (IP, user-agent) to retrieve font CSS.

When triggered: When the social login button is rendered on the frontend.

Google’s policies: Privacy Policy

Automatic Installation (Recommended)

  1. Go to Plugins > Add New in your WordPress admin
  2. Search for Wapu Auth Social Login
  3. Click Install Now, then Activate
  4. Go to Wapu Auth in your admin menu and follow the setup wizard

Manual Installation

  1. Download the plugin ZIP from WordPress.org
  2. Go to Plugins > Add New > Upload Plugin
  3. Upload the ZIP and click Install Now
  4. Activate the plugin and go to Wapu Auth to configure

Google OAuth Setup (~5 minutes)

  1. Go to Google Cloud Console and create a free project
  2. Navigate to APIs & Services > Credentials
  3. Create OAuth 2.0 credentials — select Web application type
  4. Copy the Authorized Redirect URI from Wapu Auth settings and paste it into Google Cloud
  5. Copy your Client ID and Client Secret back into Wapu Auth settings
  6. Enable Sandbox Mode to safely test your Google login before going live

Do I need a paid Google account to set up Google social login?

No. A free Google account is all you need. Google Cloud Console is free, and creating OAuth credentials for Google login on a WordPress site has no usage fees for standard traffic volumes.

Does Google social login work without WooCommerce?

Yes. Wapu Auth works on any WordPress site. When WooCommerce is active, the Google login button is automatically added to WooCommerce login, registration, and checkout forms. Without WooCommerce, the plugin works perfectly via shortcodes and the standard WordPress login page.

Is HTTPS required for Google login?

Yes. Google OAuth requires HTTPS for all production social login implementations. Most hosting providers include a free SSL certificate via Let’s Encrypt. Without HTTPS, Google will reject the OAuth request.

How is Wapu Auth different from Nextend Social Login?

Nextend Social Login is an excellent plugin. However, its WooCommerce social login integration is only available in their paid Pro addon. Wapu Auth includes free WooCommerce login integration — no Pro plan required. Wapu Auth also includes a built-in analytics dashboard, sandbox testing mode, and domain restrictions that are not available in Nextend’s free version.

Can I customize the Google login button?

Yes. The plugin includes a live visual editor to change the Google login button’s colors, label text, size, shape, and position — all previewed in real time before saving.

Where can I place the Google social login button?

Anywhere on your site using the [wapu_auth_button] shortcode. Place it in pages, posts, widgets, or theme templates. Use [wapu_auth_login_form] or [wapu_auth_register_form] for full form replacements. WooCommerce forms receive the Google login button automatically.

What happens when someone uses Google login for the first time?

Wapu Auth creates a standard WordPress user account from their Google profile (email, display name) and logs them in automatically. On every future visit, one click is all it takes.

What if a user already has a WordPress account with their Google email?

Wapu Auth detects the existing account by email and links the Google social login to it. The user is logged in to their existing account — no duplicate accounts are ever created.

Can I control which Google accounts are allowed to register and login?

Yes. The Domain Restrictions feature lets you whitelist specific email domains (allow only @yourcompany.com) or blacklist domains you want to block. Works for both registration and login.

Is Wapu Auth compatible with caching plugins?

Yes. The Google OAuth flow uses server-side session handling, which is fully compatible with WP Rocket, LiteSpeed Cache, W3 Total Cache, and other caching plugins.

Is there a Pro version with more social login providers?

Wapu Auth Pro is in development. It will add more social login providers (Facebook, Apple, GitHub), advanced analytics data exports, and priority support. Follow the plugin page on WordPress.org to be notified at launch.

Where do I report bugs or get support?

Open a thread in the Support Forum on WordPress.org. Include your WordPress version, PHP version, and a description of the issue. We aim to respond within 24 hours.

1.1.0

  • Added: Magic Link passwordless login — customers sign in via a secure one-click link emailed to them, no password required
  • Added: Google One Tap — non-intrusive one-click sign-in overlay without leaving the page
  • Added: Two-Factor Authentication (email OTP) — 6-digit codes expire after 10 minutes; configurable as optional per-user, required for admins, or required for all users
  • Added: Trusted Devices — devices that skip 2FA verification for a configurable number of days
  • Added: Active Sessions management — customers can view and revoke individual sessions or sign out all other devices from My Account
  • Added: Built-in SMTP mailer — configure a custom SMTP server for magic link and OTP email delivery directly from plugin settings
  • Added: Smart redirect post-login — after signing in on the cart or checkout page, customers are returned to that page instead of My Account
  • Added: Unified Security tab in WooCommerce My Account — consolidates 2FA settings, active sessions, trusted devices, and connected Google account into a single page
  • Improved: Disconnect Google account uses an in-page modal confirmation instead of a separate page
  • Fixed: SMTP Send Test button now sends to the logged-in admin’s email address (previously used the site admin email)

1.0.3

  • Added: Smart email detection warns users about typos (gmial.com → gmail.com) and disposable emails, suggesting Google login for a verified email address
  • Security: Destroy any pre-existing session before issuing a new auth cookie after Google login to prevent session fixation
  • Security: Fire the standard wp_login action on Google logins so security and 2FA plugins can hook in uniformly
  • Security: Full JWT validation for Google ID tokens (iss, aud, exp, RS256 signature against cached JWKS) now integrated into the main OAuth flow with automatic fallback to the /userinfo endpoint
  • Security: Sensitive fields (tokens, secrets, passwords) are now redacted from plugin logs
  • Added: Google profile picture is now synced on every login — the avatar stays in sync when users update their Google account picture
  • Added: Optional “Google Account” page in WooCommerce My Account where customers can review their connection and disconnect their Google account from their WordPress account (opt-in from the Integration tab)
  • Added: Toggle to preserve or delete all plugin data on uninstall (defaults to preserve)
  • Added: Toggle for “Remember me” behavior on Google logins
  • Added: WooCommerce checkout autofill using Google profile data (first name, last name, email)
  • Added: Info row on the plugins list showing the current data-retention choice
  • Changed: Minimum PHP requirement raised from 7.4 to 8.0
  • Changed: Client secret field now shows a protected placeholder — click “Change secret” to replace it, preventing accidental overwrite
  • Changed: Admin-only notification when a new user is created via Google (previously also emailed the new user)
  • Improved: Google user listing in analytics now uses a single WP_User_Query (removes N+1 query pattern)
  • Improved: Popup strings (“Show password” / “Hide password”) are now translatable
  • Improved: GeoIP lookup timeout reduced from 5s to 3s to avoid slowing down logins when providers are unreachable
  • Improved: WooCommerce settings are now cached per request to avoid repeated option lookups
  • Fixed: Cache headers are now sent on OAuth callback responses to prevent intermediaries from caching them

1.0.2

  • Fixed: Admin notices now display correctly in all languages (translation keys were in Spanish)
  • Fixed: Plugin name unified across readme.txt and plugin header
  • Changed: WooCommerce checkout button enabled by default for new installations
  • Added: Plugin URI in plugin header pointing to WordPress.org listing
  • Improved: Translation loading now uses load_plugin_textdomain() for GlotPress / language-pack compatibility
  • Updated: Tested up to WordPress 6.9.4 and WooCommerce 9.8.0

1.0.1

  • Fix: Admin notices now correctly persist their dismissed state across page reloads
  • Dev: PHPCS/WPCS coding standards improvements throughout the codebase

1.0.0

  • Initial release
  • Google OAuth 2.0 social login and registration
  • Customizable Google login button with live visual editor
  • Admin dashboard with social login analytics
  • Activity log with optional GeoIP tracking
  • Domain restriction feature (whitelist and blacklist) for social login access control
  • Sandbox mode for safe pre-launch Google login testing
  • Custom login and register form templates: Classic, Modern, Compact
  • Free WooCommerce social login integration — automatic button placement on login, register, and checkout forms
  • Shortcode support: [wapu_auth_button], [wapu_auth_login_form], [wapu_auth_register_form]
  • Full internationalization: English and Spanish included