Admin Login Alerts
Admin Login Alerts emails you when someone with administrator access (manage_options) signs in - useful for spotting unfamiliar access without watching the site 24/7.
Requires an active WP PowerSuite license.
What it does
Section titled “What it does”When enabled and at least one recipient email is saved, it:
- Sends an alert after a qualifying admin login (password login, custom login URL, and PowerSuite 2FA flows by default).
- Optionally covers magic links, OAuth, and temporary logins.
- Skips WooCommerce customer storefront account logins.
- Supports quiet IPs, custom IP headers (e.g. behind Cloudflare), optional ipwho.is geo lookup, user-agent hints, and a per-user/IP cooldown.
Emails never include passwords, cookies, or session tokens.
When to use it
Section titled “When to use it”Enable it if:
- You want a paper trail for admin access on production sites.
- Agencies need ops mailboxes notified when client admins sign in.
- You’re pairing it with 2FA and want a second signal for unexpected logins.
When not to use it
Section titled “When not to use it”Settings
Section titled “Settings”Open Settings under WP PowerSuite -> Modules -> Admin Login Alerts:
| Setting | Purpose | Default |
|---|---|---|
Email addresses (emails) |
Comma-separated recipients. Invalid addresses dropped on save. | Blank (required for alerts) |
Never mail for these IPs (exclude_ips) |
One per line or comma-separated; * wildcards allowed once per octet cluster. |
Blank |
Custom IP header (ip_header) |
Optional server header (e.g. HTTP_X_REAL_IP). Defaults to Cloudflare CF-Connecting-IP when present, else REMOTE_ADDR. Spoofable X-Forwarded-For is blocked. |
Blank |
Include browser / device hint (include_user_agent) |
Adds user-agent to the email. | On |
Approximate location lookup (geo_lookup_enabled) |
Uses ipwho.is. | Off |
Magic links, OAuth, and temporary logins (notify_alternate_logins) |
Also alert on those auth paths. | On |
Strict password-login only (strict_login_detection) |
Ignore non-wp-admin redirects. | Off |
Cooldown (minutes) (throttle_minutes) |
Per user + IP; 0 = no cooldown (max 60). |
5 |
Use Send test email in settings after saving recipients.
How to enable it
Section titled “How to enable it”- Confirm an active license.
- WP PowerSuite -> Modules -> Admin Login Alerts - turn on.
- Open Settings, add recipient emails, adjust quiet IPs / detection, save.
- Optionally send a test email.
How to test it
Section titled “How to test it”- Save a recipient you can read.
- Log out, then sign in as a user with
manage_options. ✅ Working: alert arrives (after cooldown rules). - Sign in from an excluded IP (if configured) - no mail.
- Use Send test email to verify delivery without a full logout cycle.
Troubleshooting
Section titled “Troubleshooting”- No emails. Module off, license invalid, empty
emails, IP excluded, or still inside cooldown. Check spam and thatwp_mailworks on the host. - Too many emails. Raise Cooldown, add office IPs to exclude, or turn off alternate-login notifications.
- Wrong IP in the email. Set Custom IP header for your proxy, or rely on Cloudflare’s connecting IP when present.
- Geo blank. Enable geo lookup and allow outbound HTTPS to ipwho.is.
Who triggers Admin Login Alerts?
Users who can manage_options (typically administrators). WooCommerce customer storefront logins are skipped.
Does it email for Magic Login or OAuth?
Yes when Magic links, OAuth, and temporary logins is enabled (on by default).
What is in the alert email?
Username, role, date/time, IP, and optional location or browser hint. Passwords and session tokens are never included.
How do I stop alerts from my office IP?
Add the IP (or a pattern like 203.0.113.*) under Never mail for these IPs.
Developer notes (hooks & filters)
Source: modules/login-email-notification/module.php. Boot: standard. Contexts: frontend, ajax, login. License required.
wp_login(priority 99) for password logins.wp_powersuite_magic_login_authenticated,wp_powersuite_oauth_login_completed,tl_after_login_successfor alternate paths whennotify_alternate_logins.- Capability check defaults to
manage_options(filterable in code). - Skips likely WooCommerce account/storefront logins.
- Geo via ipwho.is when
geo_lookup_enabled. - Throttle: transient per user + IP,
throttle_minutes0-60.