WordPress, social login and the 'Deadly Embrace'

March 26, 2018

At first, designing a WordPress website with social login sounds like a great idea. It lets people log into your website without having to create an account - perfect for membership websites, online communities and more. Simply click a button and the website will automatically log people in using Facebook, Twitter or their social network of choice.

This post is about the little-known dark side of WordPress social login plugins. I will also give you some tips on how to design an effective WordPress social login - although as you will see I believe that the whole concept has some fundamental flaws that you should be aware of.

How do WordPress social login plugins work?

To help you understand the problems with WordPress social login plugins, you need to understand what they are doing behind the scenes.

When someone logs into your WordPress website using a social network (e.g. Facebook) for the first time, the website will check their credentials with Facebook and log them straight in. Behind the scenes, WordPress creates an account for them on the website - however the user never knows that this account exists. They think that they are simply logging in with their social network, as they are never prompted to enter a username or password.

On the face of it, this is fine. However it leads to some fundamental issues that are a challenge to resolve.

What's wrong with WordPress social login?

The best-known problem with social login is that if someone uses a social network to log into a website and later stops using that social network, they will no longer have access to the website. The two logins are connected forever. This is a downside but in my experience, most people are prepared to accept this risk (it's hard to imagine a world without Facebook!) - and even if they stop using a social network, they tend not to delete their account so they can continue using it to log into other websites.

However, we have discovered a more over-arching problem with social login. It became apparent during the post-launch user feedback phase of one of our recent WordPress web design projects.

We had implemented Facebook login on a BuddyPress website using the WP-FB AutoConnect WordPress plugin. The Facebook login function was working correctly, however we started receiving reports that members were logging in with Facebook and then returning to the website and complaining of "incorrect password" errors. Before long, we realised that members were logging in with Facebook on their first visit and then trying to log directly into the website on subsequent visits, which required a username and password. Since they only had a Facebook login, they would inevitably get an "incorrect password" error - they didn't HAVE a password for the website!

Clearly, the issue was down to user error. However, it raised a wider website usability problem because it's perfectly reasonable for people to forget which method they previously used to log in. A well-designed system should "just work" and be intuitive, without making assumptions about user behaviour.

But it gets worse. After seeing a failed login, users were clicking the "forgot password" link on the "failed login" screen and resetting their password. The way the WP-FB AutoConnect plugin works, resetting the password breaks the social login, so these members were permanently locked out of the website. The client even started referring to this as the "Deadly Embrace", as members were getting trapped between the two login methods with no escape.

We identified the following problems with the social login:

  1. Usability design - the WP-FB AutoConnect plugin merges the two login methods in a single widget, visually implying that the two are interchangeable when they are actually quite distinct. In reality, the login method that you choose on your first visit is the method you must ALWAYS use to access the website. You can't mix and match.
  2. Facebook users were able to get caught in the Deadly Embrace by accessing WordPress features that were only intended for people who had registered directly on the website.
  3. The WP-FB AutoConnect plugin simply wasn't very good. The free version didn't display the user's Facebook photo and instead left a huge gap where the avatar should be. JavaScript issues meant that the 'Login with Facebook' option didn't display at all to users with a particular Google Chrome extension. The plugin didn't pull through the email address from the user's Facebook account, which meant that they couldn't receive any emails from the website (including "lost password" emails which would have allowed them to log directly into the website, even though they couldn't use the social login any more after resetting their password).

How to overcome the problems with WordPress social login

After much research and analysis, we have created a solution which makes social login as effective as it can possibly be, when implemented alongside WordPress user registration.

Fixing social login and the "Deadly Embrace"

Whichever plugin you use, don't just install it as it comes. It's vital to think carefully about its design and usability - the key is to design the login section in a way that makes a clear distinction between the two login methods. This should force the user to make a conscious decision between the two login methods, which will encourage them to make the same choice on subsequent visits.

Compare the above screenshot of the WP-FB AutoConnect login widget with the clearly designed login page at OneAll. Users are prompted to choose EITHER social login OR create a dedicated account on the website. The design makes it pretty clear that you must choose one or the other, and can't switch between them.

A well-designed login form will help to discourage users from getting caught in the "Deadly Embrace". However, it's not a perfect solution because people may still try to log in using the wrong method.

Use a better social login plugin

Switching to the OA Social Login plugin can make a big difference. It is far superior and has the much-needed features that are missing from WP-FB AutoConnect: it pulls through the Facebook profile picture, and it pulls through the user's email address so they can receive email notifications from the website. It even disables the 'Lost password' option for social login users so they can't break their social login if they accidentally try to log in using the wrong method. (This isn't a perfect solution because social login users can still try to reset their password and won't understand why it's not working - however, at least they can still use the social login, unlike with WP-FB AutoConnect.)

Include social login at all stages of the registration and login process

A well-designed login form is not enough. To truly integrate social login into a WordPress website, you need to provide the option to log in using a social network on EVERY screen that users may use to log in. WordPress creates lots of default pages that users may reach when they're trying to log in:

  • The Lost Password page is usually auto-generated by WordPress. It needs to include the social login option in case users have accidentally tried to log in using the wrong method. Seeing the social login on this page may remind them that they previously logged in using their social network, helping them understand that there is no password to reset.
  • /wp-login - Your WordPress website might have a front-end login page or widget and be designed so that users don't see the default login page /wp-login. However, you might be surprised at how easily they can find it! For example, error screens or notification emails may link to /wp-login. You either need to perform thorough usability testing to ensure that there are NO links to /wp-login anywhere on the site, or add the social login option to this page too.
  • Registration page - A well-designed login page showing the two login methods will normally include a link to the 'Registration page' which allows people to create a dedicated account on the website. You may think that this page doesn't need to include a social login option because in reaching this page, people have already made a decision to create a dedicated account. This is not correct, because you may have linked directly to the registration page from elsewhere on your site, sent someone a direct link in an email, etc. It's best to divide this page into two distinct sections, forcing them to decide to register directly or to use social login.
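To show what the two mitigations above look like in practice (refusing a password reset for social-login accounts with a clear explanation, as the OA plugin does, and putting a social-login reminder on the default login, Lost Password and registration screens), here is a small must-use plugin written for this post. It is an added example, not code from the article or from the WP-FB AutoConnect or OA Social Login plugins; it assumes a hypothetical user meta key `_social_login_provider` that records which network created the account, and a hypothetical front-end page at `/social-login/` carrying the social buttons.

```php
<?php
/**
 * Added illustration: keep social-login members out of the "Deadly Embrace".
 *
 * Assumption: whichever social login plugin is in use stores the provider
 * name (e.g. 'facebook') in the user meta key '_social_login_provider'.
 * That key and the /social-login/ page are hypothetical placeholders.
 */

// Provider name for a social-login user, or '' for a dedicated account.
function de_social_provider( $user_id ) {
    return (string) get_user_meta( $user_id, '_social_login_provider', true );
}

// 1. Refuse a password reset for social-login accounts and say why, instead
//    of letting a reset silently break the social link. 'allow_password_reset'
//    is the core filter applied inside get_password_reset_key(); returning a
//    WP_Error makes its message appear on the Lost Password form.
add_filter( 'allow_password_reset', function ( $allow, $user_id ) {
    $provider = de_social_provider( $user_id );
    if ( '' === $provider ) {
        return $allow; // Dedicated account: normal reset flow.
    }
    $name = ucfirst( $provider );
    return new WP_Error(
        'social_login_account',
        sprintf(
            'This account signs in with %1$s and has no website password. Please use the "Log in with %1$s" button instead.',
            esc_html( $name )
        )
    );
}, 10, 2 );

// 2. Remind visitors of the social option on every core login screen
//    (/wp-login.php with action=login, lostpassword or register), since a
//    front-end widget alone does not reach users who land on these pages.
add_filter( 'login_message', function ( $message ) {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : 'login';
    if ( in_array( $action, array( 'login', 'lostpassword', 'register' ), true ) ) {
        $message .= '<p class="message">Did you originally sign up with Facebook? '
                  . 'If so, there is no website password to reset: '
                  . '<a href="' . esc_url( home_url( '/social-login/' ) ) . '">'
                  . 'log in with Facebook</a> instead.</p>';
    }
    return $message;
} );
```

Drop the file into `wp-content/mu-plugins/` so it loads regardless of which login plugin is active; the reset refusal only takes effect for accounts that actually carry the provider meta.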

As you can see, implementing social login in an effective way is far more complex than simply installing a plugin. A lot of time and usability testing is required to make it intuitive and prevent people from confusing the two login methods.

In my opinion, a website that combines social login with dedicated WordPress accounts is fundamentally flawed. While the above steps will help you to minimise the problems, there is currently no way of designing a WordPress website that allows members to switch between the two login methods. This is a real problem because you can't reasonably expect everyone to remember which choice they made on their first visit. Your website may be important to you, but it's probably not the most important thing in your members' lives!

The only way to design a 100% reliable WordPress social login is to offer this as the ONLY method - with no way to create a dedicated account. This means there will be no confusion, and no risk of people trying to reset their password etc. However I wouldn't particularly recommend this because you can't assume that all your users will be willing to use social login. While social login can increase your registrations by providing an easy way to login without having to enter lots of personal information, there are just as many people who are concerned about privacy issues and refuse to use social login at all.

In conclusion, adding social login to WordPress websites is a thorny issue. When deciding whether to integrate a social login plugin, you need to weigh up the pros and cons and decide what will be best for your users. Only use social login if you have a very clear and valid reason for doing so, which outweighs the issues I have described above. And if you do decide to use it, you should put the necessary time and investment into designing it properly and creating an intuitive login journey for your users.

  1. Peter Shaw
    June 10, 2020

    The article makes some good points. But stupidly recommends disabling password reset for accounts created by social networks.

    This makes no sense at all.

    The only requirement should be that if a user is created by social registration/login, the email address is pulled in and the user knows their account is linked to that email. This is mandatory, and if that is ensured then password resets will work fine and, if a user wishes, they can fall back easily to traditional login.

    • Edge
      December 23, 2020

      Hi, Peter. Thanks for chiming in and sorry for the late reply. I wouldn't go as far as calling our article's advice stupid, as in case it didn't occur to you, it was first published years ago and social login plugins may have found a solution to the issue. Thanks for your suggestion as an alternative that readers can also try on their sites.
