{"id":251593,"date":"2026-02-03T14:12:30","date_gmt":"2026-02-03T14:12:30","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/bye-bye-passwords\/"},"modified":"2026-02-26T18:34:06","modified_gmt":"2026-02-26T18:34:06","slug":"bye-bye-passwords","status":"publish","type":"plugin","link":"https:\/\/pcd.wordpress.org\/plugins\/bye-bye-passwords\/","author":23363617,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.2.7","stable_tag":"1.2.7","tested":"6.9.4","requires":"5.0","requires_php":"7.2","requires_plugins":null,"header_name":"Bye Bye Passwords","header_author":"Clayton","header_description":"Passwordless login with WebAuthN and Passkeys for WordPress","assets_banners_color":"ffdddd","last_updated":"2026-02-26 18:34:06","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/claytonlz.com\/","header_plugin_uri":"https:\/\/github.com\/clayton\/byebyepw","header_author_uri":"https:\/\/claytonlz.com\/","rating":0,"author_block_rating":0,"active_installs":20,"downloads":243,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.2.5":{"tag":"1.2.5","author":"claytonlz","date":"2026-02-03 14:12:45"},"1.2.6":{"tag":"1.2.6","author":"claytonlz","date":"2026-02-03 15:21:16"},"1.2.7":{"tag":"1.2.7","author":"claytonlz","date":"2026-02-26 18:34:06"}},"upgrade_notice":{"1.2.7":"<p>Full internationalization support. All strings are now translatable. Translation scaffolds for 8 languages included.<\/p>","1.2.6":"<p>Password login can no longer be disabled unless all administrators have generated recovery codes. Prevents accidental lockouts.<\/p>","1.2.5":"<p>Removes development file flagged during WordPress.org review. Recommended for all users.<\/p>","1.2.4":"<p>File naming convention update per WordPress.org review. 
Recommended for all users.<\/p>","1.2.3":"<p>WordPress.org compliance update: Improved CSS enqueue, removed PHP sessions for cache compatibility, documented external services. Recommended for all users.<\/p>","1.2.0":"<p>WordPress.org compliance update: Enhanced security, improved nonce verification, and plugin directory requirements. Recommended for all users.<\/p>","1.1.2":"<p>Security update: Fixes username enumeration, timing attacks, and adds CSRF protection. Recommended upgrade.<\/p>","1.1.1":"<p>Recommended update: Fixes authentication issues with platform authenticators while maintaining security.<\/p>","1.1.0":"<p>CRITICAL SECURITY UPDATE: Fixes multiple high-risk vulnerabilities. Immediate upgrade recommended.<\/p>","1.0.0":"<p>Initial release of Bye Bye Passwords - Enable passwordless authentication for WordPress using WebAuthn\/Passkeys technology.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":0},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3452960,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3452960,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3452960,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3452960,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.2.5","1.2.6","1.2.7"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3452935,"resolution":"1","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3452935,"resolution":"2","location":"assets","locale":""},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3452935,"resolution":"3","location":"assets","locale":""},"screenshot-4.png":{"filename":"screenshot-4.png","r
evision":3452935,"resolution":"4","location":"assets","locale":""},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3452935,"resolution":"5","location":"assets","locale":""}},"screenshots":{"1":"Login page with both password and \"Sign in with Passkey\" options","2":"Registering a new passkey from the admin dashboard","3":"Recovery codes for emergency account access","4":"Plugin settings page with security configuration","5":"Passwordless-only login page with password authentication disabled"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[710,222353,9223,600,183349],"plugin_category":[38,54],"plugin_contributors":[255141],"plugin_business_model":[],"class_list":["post-251593","plugin","type-plugin","status-publish","hentry","plugin_tags-authentication","plugin_tags-passkeys","plugin_tags-passwordless","plugin_tags-security","plugin_tags-webauthn","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-claytonlz","plugin_committers-claytonlz"],"banners":{"banner":"https:\/\/ps.w.org\/bye-bye-passwords\/assets\/banner-772x250.png?rev=3452960","banner_2x":"https:\/\/ps.w.org\/bye-bye-passwords\/assets\/banner-1544x500.png?rev=3452960","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/bye-bye-passwords\/assets\/icon-128x128.png?rev=3452960","icon_2x":"https:\/\/ps.w.org\/bye-bye-passwords\/assets\/icon-256x256.png?rev=3452960","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/bye-bye-passwords\/assets\/screenshot-1.png?rev=3452935","caption":"Login page with both password and \"Sign in with Passkey\" options"},{"src":"https:\/\/ps.w.org\/bye-bye-passwords\/assets\/screenshot-2.png?rev=3452935","caption":"Registering a new passkey from the admin dashboard"},{"src":"https:\/\/ps.w.org\/bye-bye-passwords\/assets\/screenshot-3.png?rev=3452935","caption":"Recovery codes for emergency account 
access"},{"src":"https:\/\/ps.w.org\/bye-bye-passwords\/assets\/screenshot-4.png?rev=3452935","caption":"Plugin settings page with security configuration"},{"src":"https:\/\/ps.w.org\/bye-bye-passwords\/assets\/screenshot-5.png?rev=3452935","caption":"Passwordless-only login page with password authentication disabled"}],"raw_content":"<!--section=description-->\n<p><strong>Bye Bye Passwords<\/strong> brings modern passwordless authentication to WordPress using WebAuthn\/Passkeys technology. Say goodbye to weak passwords and hello to secure, convenient login with biometrics, security keys, or platform authenticators.<\/p>\n\n<h4>Key Features<\/h4>\n\n<ul>\n<li><strong>Passwordless Login<\/strong> - Sign in using Touch ID, Face ID, Windows Hello, or security keys<\/li>\n<li><strong>Multiple Passkeys<\/strong> - Register multiple devices for convenient access anywhere<\/li>\n<li><strong>Recovery Codes<\/strong> - Generate one-time backup codes for emergency access<\/li>\n<li><strong>Enhanced Security<\/strong> - Eliminate password-based attacks completely once password login is disabled<\/li>\n<li><strong>User-Friendly<\/strong> - Simple setup with no technical knowledge required<\/li>\n<li><strong>Privacy-Focused<\/strong> - Your authentication data stays on your server<\/li>\n<li><strong>WordPress Integration<\/strong> - Seamlessly integrated into WordPress admin and login<\/li>\n<\/ul>\n\n<h4>How It Works<\/h4>\n\n<ol>\n<li>Register a passkey from your WordPress admin profile<\/li>\n<li>Use your device's built-in authentication (fingerprint, face, PIN)<\/li>\n<li>Sign in instantly without typing passwords<\/li>\n<\/ol>\n\n<h4>Requirements<\/h4>\n\n<ul>\n<li>SSL\/HTTPS enabled website (required for WebAuthn)<\/li>\n<li>Modern browser with WebAuthn support<\/li>\n<li>PHP 7.2 or higher<\/li>\n<li>WordPress 5.0 or higher<\/li>\n<\/ul>\n\n<h3>External Services<\/h3>\n\n<p>This plugin may connect to the FIDO Alliance Metadata Service (MDS) to download root certificates for authenticator 
validation.<\/p>\n\n<h4>FIDO Alliance Metadata Service<\/h4>\n\n<ul>\n<li><strong>URL:<\/strong> https:\/\/mds.fidoalliance.org\/<\/li>\n<li><strong>Purpose:<\/strong> Downloads attestation root certificates to verify the authenticity of security keys and passkey devices<\/li>\n<li><strong>When:<\/strong> Only when attestation verification is enabled and the plugin needs to update its certificate store (not during normal authentication)<\/li>\n<li><strong>Data sent:<\/strong> No personal or user data is transmitted - only a standard HTTP GET request<\/li>\n<li><strong>Service provider:<\/strong> FIDO Alliance<\/li>\n<li><strong>Terms of Use:<\/strong> https:\/\/fidoalliance.org\/metadata\/<\/li>\n<li><strong>Privacy Policy:<\/strong> https:\/\/fidoalliance.org\/privacy-policy\/<\/li>\n<\/ul>\n\n<p>No user data, credentials, or personal information is ever sent to external services. All authentication happens locally on your server.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin folder to the <code>\/wp-content\/plugins\/<\/code> directory<\/li>\n<li>Activate the plugin through the 'Plugins' menu in WordPress<\/li>\n<li>Navigate to \"Bye Bye Passwords\" in the admin menu<\/li>\n<li>Register your first passkey<\/li>\n<li>Generate recovery codes as backup<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"what%20browsers%20support%20webauthn%2Fpasskeys%3F\"><h3>What browsers support WebAuthn\/Passkeys?<\/h3><\/dt>\n<dd><p>Chrome\/Edge 67+, Firefox 60+, Safari 14+, and Opera 54+ all support WebAuthn.<\/p><\/dd>\n<dt id=\"what%20happens%20if%20i%20lose%20my%20device%3F\"><h3>What happens if I lose my device?<\/h3><\/dt>\n<dd><p>Use your recovery codes to regain access, then register a new passkey. We recommend registering multiple devices.<\/p><\/dd>\n<dt id=\"is%20this%20more%20secure%20than%20passwords%3F\"><h3>Is this more secure than passwords?<\/h3><\/dt>\n<dd><p>Yes! 
Passkeys are phishing-resistant, can't be stolen in data breaches, and use cryptographic authentication.<\/p><\/dd>\n<dt id=\"do%20i%20need%20special%20hardware%3F\"><h3>Do I need special hardware?<\/h3><\/dt>\n<dd><p>No, most modern devices have built-in authenticators (Touch ID, Face ID, Windows Hello). You can also use USB security keys.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.2.7<\/h4>\n\n<ul>\n<li>i18n: Full localization of all user-facing strings in PHP and JavaScript<\/li>\n<li>i18n: Generated POT template with 100+ translatable strings<\/li>\n<li>i18n: Added PO scaffolds for 8 languages (Spanish, French, Italian, German, Dutch, Japanese, Chinese, Korean)<\/li>\n<\/ul>\n\n<h4>1.2.6<\/h4>\n\n<ul>\n<li>Security: Gate \"Disable Password Login\" setting behind recovery codes for all administrators<\/li>\n<li>Enhancement: Show admin recovery code status on settings page<\/li>\n<\/ul>\n\n<h4>1.2.5<\/h4>\n\n<ul>\n<li>Compliance: Removed CLAUDE.md development file from plugin distribution<\/li>\n<\/ul>\n\n<h4>1.2.4<\/h4>\n\n<ul>\n<li>Compliance: Renamed main plugin file to bye-bye-passwords.php per WordPress.org naming convention<\/li>\n<li>Compliance: Plugin folder structure updated to match plugin slug<\/li>\n<\/ul>\n\n<h4>1.2.3<\/h4>\n\n<ul>\n<li>Compliance: Use wp_enqueue commands for all CSS (removed inline styles)<\/li>\n<li>Compliance: Document external FIDO Alliance Metadata Service in readme<\/li>\n<li>Compliance: Replace PHP sessions with cookies + transients for cache compatibility<\/li>\n<li>Security: Mandatory nonce validation for authentication challenge endpoint<\/li>\n<li>Performance: Plugin no longer starts sessions on every page load<\/li>\n<\/ul>\n\n<h4>1.2.2<\/h4>\n\n<ul>\n<li>Compliance: Text domain changed to 'bye-bye-passwords' to match WordPress.org slug<\/li>\n<li>Security: Added ABSPATH direct access protection to template files<\/li>\n<li>Compliance: Removed plugin assets from ZIP (uploaded via SVN 
separately)<\/li>\n<\/ul>\n\n<h4>1.2.1<\/h4>\n\n<ul>\n<li>Fix: Text domain corrected to match plugin slug (byebyepw)<\/li>\n<li>Fix: Property name bug in user profile display<\/li>\n<li>Security: Session regeneration after successful authentication<\/li>\n<li>Security: HTTPS enforcement check with admin notice<\/li>\n<li>Security: Browser WebAuthn support detection with user feedback<\/li>\n<li>Enhancement: Complete uninstall cleanup (tables, options, transients)<\/li>\n<li>Enhancement: Deactivator cleanup for transients<\/li>\n<li>Enhancement: Dependency injection in Admin class<\/li>\n<li>Enhancement: Removed duplicate AJAX handler registrations<\/li>\n<li>Enhancement: Increased recovery code entropy to 64-bit (4 segments)<\/li>\n<li>Compliance: Fixed global variable and function name prefixes<\/li>\n<li>Compliance: Updated to WordPress 6.9 compatibility<\/li>\n<\/ul>\n\n<h4>1.2.0<\/h4>\n\n<ul>\n<li>Compliance: Complete WordPress.org plugin directory compliance overhaul<\/li>\n<li>Security: Enhanced nonce verification for all AJAX endpoints to meet WordPress.org standards<\/li>\n<li>Security: Fixed output escaping throughout WebAuthn library with WordPress-specific modifications<\/li>\n<li>Security: Improved input sanitization and validation across all user-facing forms<\/li>\n<li>Security: Removed discouraged PHP functions (unlink, curl) in favor of WordPress equivalents<\/li>\n<li>Enhancement: Updated text domain to match WordPress.org requirements (bye-bye-passwords)<\/li>\n<li>Enhancement: Cleaned up plugin structure removing development files from distribution<\/li>\n<li>Documentation: Added comprehensive phpcs ignore comments for legitimate security exceptions<\/li>\n<li>Library: Forked and customized WebAuthn library for WordPress.org compliance requirements<\/li>\n<\/ul>\n\n<h4>1.1.2<\/h4>\n\n<ul>\n<li>Security: Fix username enumeration vulnerability by standardizing authentication error messages<\/li>\n<li>Security: Implement constant-time comparison for 
recovery code verification to prevent timing attacks<\/li>\n<li>Security: Add comprehensive CSRF protection for all public authentication endpoints<\/li>\n<li>Enhancement: Strengthen session security with secure CSRF token management<\/li>\n<li>Enhancement: Improve error message consistency across all authentication flows<\/li>\n<\/ul>\n\n<h4>1.1.1<\/h4>\n\n<ul>\n<li>Fix: Resolve authentication failure with platform authenticators (Touch ID, Face ID, Windows Hello)<\/li>\n<li>Fix: Improve sign count validation to be more lenient with authenticators that don't increment counters<\/li>\n<li>Security: Maintain protection against cloned authenticators while allowing normal platform authenticator operation<\/li>\n<li>Improved: Enhanced logging for sign count validation debugging<\/li>\n<\/ul>\n\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>Security: Critical security updates - Fix session hijacking and race conditions<\/li>\n<li>Security: Strengthen challenge management to prevent authentication bypass  <\/li>\n<li>Security: Re-enable sign count validation to detect cloned authenticators<\/li>\n<li>Security: Add rate limiting to authentication endpoints (10 challenges\/5min, 5 auth attempts\/5min, 3 recovery codes\/10min)<\/li>\n<li>Enhancement: Implement secure session handling with proper timeout and regeneration<\/li>\n<li>Enhancement: Replace predictable transient keys with secure UUIDs<\/li>\n<li>Enhancement: Add comprehensive challenge validation and immediate invalidation<\/li>\n<li>Update: Domain references changed from labountylabs.com to claytonlz.com<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<li>Core WebAuthn\/Passkeys authentication functionality<\/li>\n<li>Multiple passkey registration per user<\/li>\n<li>Recovery codes system with one-time use codes<\/li>\n<li>Admin interface for managing passkeys and recovery codes<\/li>\n<li>Login page integration with passkey authentication<\/li>\n<li>Option to disable password login for enhanced 
security<\/li>\n<li>Debug tools for troubleshooting<\/li>\n<li>WordPress coding standards compliance<\/li>\n<li>GPL v2 licensing for WordPress.org compatibility<\/li>\n<\/ul>","raw_excerpt":"Enable passwordless authentication for WordPress using WebAuthn\/Passkeys. More secure, more convenient.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/251593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=251593"}],"author":[{"embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/claytonlz"}],"wp:attachment":[{"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=251593"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=251593"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=251593"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=251593"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=251593"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=251593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}