The Magic Links feature allows you to log in to your WordPress site while your username is locked out by the iThemes Security Local Brute Force Protection feature.
When your username is locked out, you can request an email with a special login link. Using the emailed link will bypass the username lockout for you while brute-force attackers are still locked out.
Automatic Activation of Magic Links
Once you’ve updated (or installed) iThemes Security Pro, Magic Links will need to be enabled.
You’ll find the Magic Links module on the iThemes Security > Settings > Features > Lockouts page in your WordPress dashboard.
Requesting Magic Link from the WordPress Login Screen
If your username has been locked out during a brute force attack detected by iThemes Security, you’ll see this message on the WordPress login screen.
Simply click the “Send authorized login link” link to receive your Magic Links email.
From your inbox, you’ll find an email sent by iThemes Security that contains your login link.
Note: You’ll still need to enter both your username and password to successfully log in from the Magic Link in the email.
Are Magic Links Secure?
Yes. iThemes Security delivers the Magic Link email to the email address associated with the username, so an attacker would also need access to the email account of the user. Once the Magic Link is clicked, a username and password must still be entered successfully to login to your WordPress website. Plus, if you have Two-Factor Authentication enabled (which we highly recommend), Magic Links require this secondary code to successfully log in.