The instructions on this page assume you are using the Premium or Enterprise version of Google Apps Login and have already followed the setup steps that apply to all versions, available here.
In Settings -> Google Apps Login (within your WordPress admin panel), click on the License tab. Enter the license key from your purchase email. This will enable automatic update notifications of any future versions of the plugin.
This tab in the admin panel allows you to really harness the extra functionality available in the premium plugin – ensuring your G Suite (formerly Google Apps) userbase is synced to corresponding WordPress user accounts. Enterprise users should read through this section to understand how the Domain Controls work, and then move on to the Enterprise Setup page to learn about the extra granular controls available within the Enterprise version.
If you leave everything in the Domain Control section blank, then any existing WordPress users with a Gmail or G Suite (Google Apps) email address will be able to use ‘Login with Google’ to login to WordPress. If they don’t have an account already set up, then of course they will not gain access. Alternatively, all WordPress users will be able to use their usernames and passwords to login as normal – and that includes Gmail/Google users who choose not to use the ‘Login with Google’ button.
But let’s say you want everyone with an email address on your G Suite domain ‘example.com’ to be able to login to WordPress. The way to enforce this without having to set up every user in WordPress manually is to require everyone to Login with Google, and for the Google Apps Login plugin to auto-create accounts in WordPress for any example.com users who do not yet have accounts.
Enter your G Suite (Google Apps) domain name in the My Google Apps domain box – e.g. “example.com”. (Tip: if you have a few different domains in use, you can list them with a space inbetween, e.g. “example.com altdomain.com” – details here)
Check the Auto-create new users on my domain checkbox.
For now, leave the following checkbox unchecked: Disable WordPress username/password login for my domain.
For the Default role for new Google users dropdown, select a suitable role for any users auto-created via Google Login.
At this point, every valid example.com user has access to a WordPress account, as long as they use Login with Google to access it.
If you think all users who will ‘Login with Google’ will be from your own G Suite domain (e.g. example.com) then check this box: Force Google login to use accounts on my domain (saves user having to select from multiple Google accounts). This will make things easier for your employees if they also have personal Gmail accounts logged-in within the browser – they will no longer have to select between their Google accounts since their corporate account will be selected automatically.
Once you are sure the login and account-creation aspect is working, read the details below to ensure that this is watertight. The problem now is that other unexpected users may also be able to gain access.
Restricting Unauthorized Access
To complete the setup described – where all users with email addresses on example.com should have access to WordPress, but no others should – we need to understand where these potential leaks could come from.
If your WordPress site has not been set up carefully, it may be possible for absolutely anyone on the internet to register for an account! Note this would have been the case even before you set up this Plugin.
To register, these people would go to http://example.com/wp-login.php?action=register or equivalent. To disable this, go in your WordPress admin panel to Settings -> General Settings -> Membership and uncheck Anyone can register.
On the same General Settings page, there will also be a New User Default Role dropdown. If you do want the general public to be able to register then this is the role they will get – you will normally want this at the lowest level of Subscriber. By contrast, users who are auto-created via Google Login will be given the role set separately in the Domain Control section of the Google Apps Login plugin settings, described above.
Another concern may be what happens if a user leaves the company. You will probably have a process to disable their G Suite account, but do you have to remember to remove them from WordPress? If they are using Login with Google, then of course they will not be able to connect to WordPress if they cannot first get in to their Google account.
So that’s all fine unless they first set and learn the password for their WordPress account. That’s why the Google Apps Login plugin also has an option to ensure your example.com users cannot login to WordPress using a regular username and password.
Back in the WordPress admin panel, go to Settings -> Google Apps Login. The second-to-last checkbox is Disable WordPress username/password login for my domain, and you should set this once you are confident your regular Login with Google access is working fine. You could find yourself locked out of WordPress if you check this box before your plugin configuration is complete.
Please note that any existing WordPress sessions will still be accessible to the ex-employee until they expire – but the user will not be able to login again once sessions have expired.
You can also Completely hide WordPress username and password boxes to ensure there is no confusion for your employees as to how they should login. However, please note that it is still possible for any existing WordPress accounts to login (if they are not on your G Suite domain). Those users can override the hiding of username/password boxes by going to the URL /wp-login.php?gahidewplogin=false.
Note that even after you have disabled new registrations for random visitors, and restricted auto-creation to your G Suite domain as above, you may still have existing WordPress users who can access their accounts, and who are not on your Google Apps domain.
The ‘cleanest’ recommendation is to ensure that no such users exist. If you do have a reason to grant access to a non-Google Apps user, then of course just be aware of that and take care if they move on from your organization.
If you are using the Enterprise version of Google Apps Login, find out more about granular Domain Controls here.