Add Secure Authentication to your WordPress Site in 15 Minutes

Add Secure Authentication to your WordPress Site in 15 Minutes

This post will show you how to secure your WordPress login with two-factor authentication by using Okta’s Sign-In Widget.

Charly Vanni

Hi, we have a self-registration form on a Wordpress website, and would like to know if/how we can integrate that process so that users are added to Okta and create their password through it (as we want them to then be able to SSO to other portals from the Wordpress site). We have too many users to manage to be able to manually add them to Okta directly, so we need a self-fulfilment type of workflow.

Would that require setting up an API integration from WP to Okta to create users remotely? Is there an out of the box type of option to support this flow?

Appreciate any insights you can provide. Thanks

Christophe Bardy

Hi the latest version of the plugin code references a json configuration file (env.example.json) that need to be copied into env.json and personalised with our Okta parameters. This file is missing in the sample plugin code and its structure is not documented. Any way you can help on that topic ?


Sorry about that, that’s a bug. I just fixed the code to check for the env.php file instead of the json file.


@aaronpk I almost succeeded to use your plugin, so can you please help me understand what is still missing:

I get the Okta login prompt and once I type in the username and password, the screen clears, but I not get redirected to my “landing page” - instead I see only the empty screen. The URL is <a href=";state=MhEbmAKwB5FPhdZ6uEr55KFPyrIe7d4PACTrqJdsxStBSp2F5WqMjimlTUovPvQV" rel="nofollow noopener" title=";state=MhEbmAKwB5FPhdZ6uEr55KFPyrIe7d4PACTrqJdsxStBSp2F5WqMjimlTUovPvQV"></a>. The screenshot of my app settings is attached and my intent is to get the app routed to <a href="" rel="nofollow noopener" title=""></a> upon successful authentication. https://uploads.disquscdn.c…

Note: I posted the exact URL with the hope it can tell you something from its arguments; at this point I do not care about security issues.


It is likely that I am not aware of WordPress “default landing page” so your plugin is behaving correctly and my app is in error. My intent is to ensure that every user gets to see the login prompt first and that the app is routed to the specific static page if the authentication succeeds.


This last guess turns to be correct. I only need a single Login redirect URI, just as explained in your article (<a href="" rel="nofollow noopener" title=""></a>). My problem was caused by using the bad Org URL which has to be defined in the php.ini file - I remembered that the “base” should be “”, while today I have to use format).

Let me also add that your plugin does not handle the logout action - so the user needs to type in the <a href="" rel="nofollow noopener" title=""></a> URL in order to logout (see “…”) for details. The default WP authentication adds this “link” to the menu.

Sorry for such verbose post and thanks for your plugin related work


It might be a good idea that the whole GitHub repository at… fetched as the zip file (see image below), is the properly formatted WordPress Okta Sign-In plugin.



Yes, it should be. Did you encounter a problem with downloading it?


My original statement is missing a few words - so the correct version is

It might be a good idea TO POINT OUT that the whole GitHub repository at… fetched as the zip file (see image below), is the properly formatted WordPress Okta Sign-In plugin.


No, I had no problem fetching the zip file, once I realized that it is the zip file (instead of more often used clone) that is the Wordpress plugin.


Just wanted to add some points that might help others reading this article get your WP plugin to work.

I was getting 400 errors when logging in.(Identity Provider: Unknown, Error Code: invalid_request, Description: The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings.) Spent a bunch of time trying to debug this and turns out that the solution to avoid this error is to enter for Login redirect URI as:… and for the initiate login URI… (make sure these match. In your screenshot you have an ending / appended and when I added one I received the 400 error. I removed it and all worked as expected. I would also recommend readers go to (in Okta Dashboard > API > Trusted Origins and make sure the Redirect is set up correctly (this is automatically added when you create a web app but if you are experimenting they could get out of sync) Just double check that all URIs match EXACTLY.

You also mention taking the env.example.php to env.php. To do this I suggest cloning the repo locally. Create a new env.php file in the root of the repo you just cloned. Copy your env.example.php code to your env.php code. Update your client id and secret in your new env.php. Save it. Then compress that local repo into a .zip file
Then you can go to Wordpress Dashboard > New Plugin and upload your zip file to WordPress. Click on Plugins to see the new Plugin and then activate it.

That is all you need to do with the env.php file. You don’t need to use composure and download dotenv or anything. Aaron has all the code needed for the plugin to read the env.php inside the plugin.
After reading the article and checking that you followed the steps I just outlined, you should be able to see the Okta Sign In widget when you visit,…
Then enter your Okta username and password credentials and you will be taken to the WP dashboard.
Please make sure you follow Aaron’s advice - "Make sure the email address on your Okta account matches the email address of your WordPress admin user, as that’s what will be used to match up Okta accounts to WordPress accounts."

Another suggestion is that in this article Everyone was assigned to the WP app. Maybe create a group called WP Admins and put all your admins in that group and then assign that group to your WP app.

Thanks Aaron for another great Okta article.

Jonathan Warfield

I’m noticing that after logging in to my Wordpress site using this plugin, a call is made back to www.[my_website_domain]/api/v1/authn and this is returning a 404. It looks like this wordpress endpoint has been deprecated. Is this an issue with this plugin?

Marc Beinder

If I disable or delete a user in Okta does that prevent that user from accessing the wordpress site? I’ve seen plugins for Okta and WP where it will create the wordpress user but not keep the user permissions up to date despite field mapping.


This plugin takes over the wordpress login flow, so if you disable an account in Okta, they will be unable to log in to wordpress. If they are already logged in with a current session, they won’t be kicked out if you disable them in Okta. They just won’t be able to log in again.

Marc Beinder

Thank you! Does it work with WP Multi-Site?


I haven’t tried with multi-site, sorry! I can’t remember the details of how it works to know off-hand whether it would be compatible.

Marc Beinder

I’m migrating about 5 sites this weekend so I’ll install this and report back.

Chris Hutchinson

Could you confirm whether of not this plugin will act as an SSO integration into an existing Okta Application therefore not requiring additional authentication for any user already authenticated with the associated Okta application?

Matt Raible

Yes, it should if you’re using the same org for everything.