WordPress, social login and the ‘Deadly Embrace’

By Katie Keith | Updated: March 26, 2018

At first, designing a WordPress website with social login sounds like a great idea. It lets people log into your website without having to create an account – perfect for membership websites, online communities and more. Simply click a button and the website will automatically log people in using Facebook, Twitter or their social network of choice.

This post is about the little-known dark side of WordPress social login plugins. I will also give you some tips on how to design an effective WordPress social login – although as you will see I believe that the whole concept has some fundamental flaws that you should be aware of.

How do WordPress social login plugins work?

To help you understand the problems with WordPress social login plugins, you need to understand what they are doing behind the scenes.

When someone logs into your WordPress website using a social network (e.g. Facebook) for the first time, the website will check their credentials with Facebook and log them straight in. Behind the scenes, WordPress creates an account for them on the website – however the user never knows that this account exists. They think that they are simply logging in with their social network, as they are never prompted to enter a username or password.

On the face of it, this is fine. However it leads to some fundamental issues that are a challenge to resolve.

What’s wrong with WordPress social login?

The best-known problem with social login is that if someone uses a social network to log into a website then if they later stop using that social network, they will no longer have access to the website. The two logins are connected forever. This is a downside but in my experience, most people are prepared to accept this risk (it’s hard to imagine a world without Facebook!) – and even if they stop using a social network, they tend not to delete their account so they can continue using it to log into other websites.

However, we have discovered a more over-arching problem with social login, which became apparent during the post-launch user feedback phase of one of our recent WordPress web design projects.

We had implemented Facebook login on a BuddyPress website using the WP-FB AutoConnect WordPress plugin. The Facebook login function was working correctly, however we started receiving reports that members were logging in with Facebook and then returning to the website and complaining of “incorrect password” errors. Before long, we realised that members were logging in with Facebook on their first visit and then trying to log directly into the website on subsequent visits, which required a username and password. Since they only had a Facebook login, they would inevitably get an “incorrect password” error – they didn’t HAVE a password for the website!

Clearly, the issue was down to user error. However, it raised a wider website usability problem because it’s perfectly reasonable for people to forget which method they previously used to log in. A well-designed system should “just work” and be intuitive, without making assumptions about user behaviour.

But it gets worse. After seeing a failed login, users were clicking the “forgot password” link on the “failed login” screen and resetting their password. The way the WP-FB AutoConnect plugin works, re-setting the password breaks the social login so these members were permanently locked out of the website. The client even started referring to this as the “Deadly Embrace”, as members were getting trapped between the two login methods with no escape.

We identified the following problems with the social login:

  1. Usability design – the WP-FB AutoConnect plugin merges the two login methods in a single widget, visually implying that the two are interchangeable when they are actually quite distinct. In reality, the login method that you choose on your first visit is the method you must ALWAYS use to access the website. You can’t mix and match.
  2. Facebook users were able to get caught in the Deadly Embrace by accessing WordPress features that were only intended for people who had registered directly on the website.
  3. The WP-FB AutoConnect plugin simply wasn’t very good. The free version didn’t display the user’s Facebook photo and instead left a huge gap where the avatar should be. JavaScript issues meant that the ‘Login with Facebook’ option didn’t display at all to users with a particular Google Chrome extension. The plugin didn’t pull through the email address from the user’s Facebook account, which meant that they couldn’t receive any emails from the website (including “lost password” emails which would have allowed them to log directly into the website, even though they couldn’t use the social login any more after resetting their password).

How to overcome the problems with WordPress social login

After much research and analysis, we have created a solution which makes social login as effective as it can possibly be, when implemented alongside WordPress user registration.

Fixing social login and the “Deadly Embrace”

Whichever plugin you use, don’t just install it as it comes. It’s vital to think carefully about its design and usability – the key is to design the login section in a way that makes a clear distinction between the two login methods. This should force the user to make a conscious decision between the two login methods, which will encourage them to make the same choice on subsequent visits.

Compare the above screenshot of the WP-FB AutoConnect login widget with the clearly designed login page at OneAll. Users are prompted to choose EITHER social login OR create a dedicated account on the website. The design makes it pretty clear that you must choose one or the other, and can’t switch between them.

[Screenshot: OneAll social login plugin login page]

A well-designed login form will help to discourage users from getting caught in the “Deadly Embrace”. However it’s not a perfect solution because people may still try to login using the wrong method.

Use a better social login plugin

Switching to the OA Social Login plugin can make a big difference. It is far superior and has the much-needed features that are missing from WP-FB AutoConnect: it pulls through the Facebook profile picture, and it pulls through the user’s email address so they can receive email notifications from the website. It even disables the ‘Lost password’ option for social login users, so they can’t break their social login if they accidentally try to log in using the wrong method. (This isn’t a perfect solution because social login users can still try to reset their password and won’t understand why it’s not working – however at least they can still use the social login, unlike with WP-FB AutoConnect.)

Include social login at all stages of the registration and login process

A well-designed login form is not enough. To truly integrate social login into a WordPress website, you need to provide the option to login using a social network on EVERY screen that users may use to log in. WordPress creates lots of default pages that users may reach when they’re trying to log in:

  • The Lost Password page is usually auto-generated by WordPress. It needs to include the social login option in case users have accidentally tried to log in using the wrong method. Seeing the social login on this page may remind them that they previously logged in using their social network, helping them understand that there is no password to reset.
  • /wp-login – Your WordPress website might have a front end login page or widget and be designed so that users don’t see the default login page /wp-login. However you might be surprised at how easily they can find it! For example, error screens or notification emails may link to /wp-login. You either need to perform thorough usability testing to ensure that there are NO links to /wp-login anywhere on the site, or add the social login option to this page too.
  • Registration page – A well-designed login page showing the two login methods will normally include a link to the ‘Registration page’ which allows people to create a dedicated account on the website. You may think that this page doesn’t need to include a social login option because in reaching this page, people have already made a decision to create a dedicated account. This is not correct because you may have linked directly to the registration page from elsewhere on your site, sent someone a direct link in an email, etc. It’s best to divide this page into 2 distinct sections, forcing them to decide to register directly or to use social login.
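The two mitigations described above, refusing password resets for social accounts and showing the social buttons on every core login screen, as an added WordPress PHP example that is not code from this post or from any plugin it names. It assumes a hypothetical user meta key recording the social provider and that the social login plugin renders its buttons from a shortcode (both are placeholders to adapt to the plugin you actually use).

```php
<?php
/**
 * Plugin Name: Deadly Embrace Guard (illustrative example, not a real plugin)
 *
 * Assumptions: the social login plugin stores the provider name in user meta
 * under SLG_PROVIDER_META (hypothetical key) and renders its buttons from the
 * SLG_SHORTCODE shortcode (placeholder; OA Social Login documents one of its own).
 */
const SLG_PROVIDER_META = 'social_login_provider';
const SLG_SHORTCODE     = '[oa_social_login]';

/** True when the account was created through a social network login. */
function slg_is_social_user( int $user_id ): bool {
    return '' !== (string) get_user_meta( $user_id, SLG_PROVIDER_META, true );
}

/**
 * Block password resets for social accounts so a reset cannot sever the link
 * between the WordPress account and the social identity (the "Deadly Embrace").
 * The message is shown to whoever submitted the lost-password form; return
 * false instead to get WordPress's generic refusal if you would rather not
 * reveal which accounts use social login.
 */
function slg_block_reset_for_social_users( $allow, $user_id ) {
    if ( true === $allow && slg_is_social_user( (int) $user_id ) ) {
        return new WP_Error(
            'social_login_account',
            __( 'This account signs in with a social network. Use the social login button instead of resetting a password.', 'slg' )
        );
    }
    return $allow; // leave an earlier false/WP_Error untouched
}
add_filter( 'allow_password_reset', 'slg_block_reset_for_social_users', 10, 2 );

/**
 * Render the social buttons on every core /wp-login.php screen (login, lost
 * password, registration) with a separator that keeps the two methods distinct.
 */
function slg_render_social_buttons(): void {
    echo '<p class="slg-separator">'
        . esc_html__( 'Or sign in with a social network. Use the same method every time you visit.', 'slg' )
        . '</p>';
    echo do_shortcode( SLG_SHORTCODE ); // assumption: the plugin outputs its buttons here
}
add_action( 'login_form', 'slg_render_social_buttons' );
add_action( 'lostpassword_form', 'slg_render_social_buttons' );
add_action( 'register_form', 'slg_render_social_buttons' );
```

Front-end login widgets and custom registration pages still need the same buttons added by hand; these hooks only cover the default WordPress screens.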

As you can see, implementing social login in an effective way is far more complex than simply installing a plugin. A lot of time and usability testing is required to make it intuitive and prevent people from confusing the two login methods.

In my opinion, a website that combines social login with dedicated WordPress accounts is fundamentally flawed. While the above steps will help you to minimise the problems, there is currently no way of designing a WordPress website that allows members to switch between the two login methods. This is a real problem because you can’t reasonably expect everyone to remember which choice they made on their first visit. Your website may be important to you, but it’s probably not the most important thing in your members’ lives!

The only way to design a 100% reliable WordPress social login is to offer this as the ONLY method – with no way to create a dedicated account. This means there will be no confusion, and no risk of people trying to reset their password etc. However I wouldn’t particularly recommend this because you can’t assume that all your users will be willing to use social login. While social login can increase your registrations by providing an easy way to login without having to enter lots of personal information, there are just as many people who are concerned about privacy issues and refuse to use social login at all.

In conclusion, adding social login to WordPress websites is a thorny issue. When deciding whether to integrate a social login plugin, you need to weigh up the pros and cons and decide what will be best for your users. Only use social login if you have a very clear and valid reason for doing so, which outweighs the issues I have described above. And if you do decide to use it, you should put the necessary time and investment into designing it properly and creating an intuitive login journey for your users.

Katie Keith

An active member of the global WordPress community, Barn2 Co-Founder Katie loves collaborating with other plugin companies. Her articles have been published on high profile sites including WPTavern, Torque and IndieHackers. She oversees all plugin support and deals with 'Tier 2' support requests about how to use Barn2's plugins in advanced ways.

6 Comments

  1. Dean Suhr
    September 6, 2018

    Now you tell me ... ;) Thanks for the great summary - I thought I might be the only person struggling with this!

    Like James, we are currently trying to integrate social logins into our system. We have campaign organizers who can go about their business, at least to start, without an account that they know about. We use the Give WP plugin with lots of extra custom code and data manipulation to internally create a non-social account automatically. However, once they need to edit their campaign they need to login. We want to give them the choice to login normally or with social media in which case we will connect them to their existing account by email – assuming they used the same email in both places. Assumptions ...

    And for beneficiaries of the campaigns, we will have their emails in advance supplied by their campaign organizer. They won't have an account until they first log in, but the same email match issue remains.

    As far as the Deadly Embrace social login being disabled after requesting a new password – that's something we will check out very carefully as we proceed. Ultimate Member, AAM, and currently WordPress Social Login are the plugins we are working with during our evaluation.

  2. James E Boone
    February 7, 2018

    Thank you for your excellent analysis of this issue. We wanted to implement social logins and have just started beta testing - already running into many of the issues you pointed out.

    • Katie Keith
      February 8, 2018

      Thanks James, that's really interesting - this is quite an old post and I had assumed that the social login plugins would have found a solution by now, so it's interesting to hear that you're still coming across the same old issues!

  3. Sarapaul
    January 17, 2017

    Great steps you have defined; it is really helpful for all developers making a website on

  4. Jeff
    December 19, 2014

    Yes, you're right there's no easy answer to the WP vs Social login question.

    On my site I've offered both OA Social and traditional WP options. My rationale is that not everyone (myself included) likes to hand over their social credentials to a website/brand, just in order to leave a comment.

    By offering social login only, some sites, like Huff Post for example, are shooting themselves in the foot. Who wants to use Facebook login where everyone can know your business about every article you've read or commented on? Much too intrusive for my liking.

    In my mind, offering both social and email authentication gives the user choice, and then it's up to the developer to make it clear (via profile pages etc.) whether the user has chosen the right method.

    • Katie Keith
      December 22, 2014

      Thanks for your comment Jeff. I agree that you shouldn't second guess your users by providing social login as the ONLY way to register/login to your website. It's a shame that it's so complex to correctly integrate the WordPress user registration with social login, even using an off-the-shelf plugin. However this can be achieved if you spend the necessary time thinking about different user journeys and make sure the 'deadly embrace' issue is solved.
