Secure SMS-based OTP login, password reset, and WooCommerce / form notifications for WordPress, powered by the kwtSMS gateway.
Version: 3.3.1 | Requires: WordPress 6.0+, PHP 7.4+
Don't have a kwtSMS account? Sign up at kwtsms.com →
kwtSMS is a Kuwaiti SMS gateway trusted by top businesses to deliver messages anywhere in the world, with private Sender ID, free API testing, non-expiring credits, and competitive flat-rate pricing. Secure, simple to integrate, built to last. Open a free account in under 1 minute, no paperwork or payment required. Get started →
- 2FA mode: standard password login followed by a one-time SMS code
- Passwordless login: phone number + OTP only, no password needed
- Both: let each user choose their preferred method
- Password reset via OTP: replaces the default email reset flow with SMS
- Per-role enforcement: choose which user roles require OTP (e.g. skip OTP for subscribers)
- Welcome SMS: send a customisable welcome message when a new user registers
- Google reCAPTCHA v3 and Cloudflare Turnstile bot protection
- Country code dropdown on login forms: restrict to GCC or custom country list
- Cryptographically secure OTP generation
- Sliding-window rate limiting: per-phone, per-IP, and per-account, immune to fixed-window boundary exploits
- Duplicate OTP guard: reuses existing valid OTP on double-click or page reload, no duplicate SMS
- IP Allowlist/Blocklist: CIDR support for IPv4 and IPv6. Allowlisted IPs bypass rate limiting; blocklisted IPs receive a silent refusal
- IPHub proxy/VPN detection: optional integration to silently block or flag OTP requests from known proxies and VPNs, with per-IP caching
- Registration OTP gate: verify phone number via OTP before the WordPress account is created, preventing registrations with invalid numbers
- Trusted Devices: after completing 2FA, users can trust a device for 30 days. Subsequent logins skip OTP on trusted devices. Tokens stored as SHA-256 hashes. Profile page shows all trusted devices with revoke controls
- Phone blocking list: block specific numbers from ever receiving an OTP (anti-enumeration)
- Timing-safe OTP verification
- Hardened session cookies
- Emergency bypass option for admin lockout recovery
- 7 order status SMS: Processing, On-Hold (Shipped), Completed, Cancelled, Pending Payment, Refunded, Failed
- Admin SMS notifications: notify a configurable phone number on any order status change
- Per-order custom SMS: send a free-text SMS to the customer from the order edit screen
- OTP gate on checkout: verify phone before placing order, with optional COD-only mode
- Stock alerts: low stock, out-of-stock, and backorder notifications to admin
- New product SMS: notify admin when a product is first published
- Back-in-stock notifications: customers subscribe via product page, SMS sent when stock returns
- Instant new order SMS: fires once per order at checkout, before any status change
- Multivendor support: route order SMS to the vendor (Dokan, WCFM, WC Vendors)
- Cart abandonment recovery: detect abandoned carts, send recovery SMS with a generated coupon code, track recovery rate in the dashboard widget
- HPOS (High-Performance Order Storage) compatible
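As an added example (not the plugin's own code), the following PHP shows one way to implement three of the security features listed above: cryptographically secure OTP generation, timing-safe OTP verification, and trusted-device tokens stored as SHA-256 hashes. The function names, the record layout, storing the OTP as an HMAC, the 300-second lifetime and the five-attempt cap are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code; all names and the record layout are hypothetical.
/** Numeric OTP from the OS CSPRNG via random_int(); rand()/mt_rand() are predictable. */
function otp_generate(int $digits = 6): string
{
    return str_pad((string) random_int(0, (10 ** $digits) - 1), $digits, '0', STR_PAD_LEFT);
}

/** Issue a code; keep only an HMAC of it, with expiry and attempt counter (assumed policy). */
function otp_issue(string $secret, int $now, int $ttl = 300): array
{
    $code = otp_generate();
    return [$code, [
        'hash'     => hash_hmac('sha256', $code, $secret),
        'expires'  => $now + $ttl,
        'attempts' => 0,
    ]];
}

/** Check expiry and attempt cap first, then compare in constant time with hash_equals(). */
function otp_verify(array &$record, string $submitted, string $secret, int $now, int $maxAttempts = 5): bool
{
    if ($now > $record['expires'] || $record['attempts'] >= $maxAttempts) {
        return false;
    }
    $record['attempts']++;
    $ok = hash_equals($record['hash'], hash_hmac('sha256', $submitted, $secret));
    if ($ok) {
        $record['expires'] = 0; // single use: a verified code cannot be replayed
    }
    return $ok;
}

/** Trusted-device token: the random value goes to the browser, only its SHA-256 is stored. */
function device_token_issue(): array
{
    $token = bin2hex(random_bytes(32));
    return [$token, hash('sha256', $token)];
}

function device_token_matches(string $cookieToken, string $storedHash): bool
{
    return hash_equals($storedHash, hash('sha256', $cookieToken));
}

// Constructed demo values: the first check uses the fresh code, the second replays it.
[$code, $record] = otp_issue('constructed-server-secret', 1700000000);
var_dump(otp_verify($record, $code, 'constructed-server-secret', 1700000010));
var_dump(otp_verify($record, $code, 'constructed-server-secret', 1700000011));
```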
Each integration supports two modes: Notification (send confirmation SMS on submit) or OTP Gate (block submission until phone is verified via OTP).
| Plugin | Auto-detected | Notification | OTP Gate |
|---|---|---|---|
| Contact Form 7 | ✓ | ✓ | ✓ |
| WPForms | ✓ | ✓ | ✓ |
| Ninja Forms | ✓ | ✓ | ✓ |
| Elementor Pro | ✓ | ✓ | ✓ |
| Gravity Forms | ✓ | ✓ | ✓ |
Need a specific plugin supported? Open an issue and we will look into it.
- Account balance displayed on Gateway and Help pages without re-verifying credentials
- Pre-send balance check: warns before sending if credits are zero
- Test phone country code validation with hint text
- Test Mode: SMS is queued but never delivered. Credits are deducted; recover them by deleting queued messages from your kwtSMS dashboard. OTP code is visible under kwtSMS → Logs → Debug Log.
- 6 admin pages under the kwtSMS menu: General, Gateway, Templates, Integrations, Logs, Help
- Users Without Phone sub-page: lists all users missing a phone number, with inline edit and dynamic count badge on the Users menu item
- Live credential verification with Sender ID auto-population
- OTP send log (last 100 entries)
- Dashboard widget with today's send count
- Full Arabic (RTL) translation included
| Requirement | Version |
|---|---|
| WordPress | 6.0 or later |
| PHP | 7.4 or later (8.x recommended) |
| kwtSMS account | Sign up free |
| WooCommerce | Optional |
| Contact Form 7 / WPForms / Ninja Forms | Optional |
The plugin has been submitted to the WordPress.org directory and is pending review. Once approved:
- In your WordPress dashboard, go to Plugins → Add New Plugin.
- Search for kwtSMS.
- Click Install Now next to "kwtSMS: OTP & SMS Notifications", then click Activate.
- Download the latest `wp-kwtsms.zip` from the Releases page.
- In your WordPress dashboard, go to Plugins → Add New Plugin → Upload Plugin.
- Choose the downloaded `.zip` file and click Install Now.
- Click Activate Plugin.

```bash
# Download and install from the latest GitHub release
wp plugin install https://github.com/boxlinknet/kwtsms-wordpress/releases/latest/download/wp-kwtsms.zip --activate
```

```bash
# 1. Download and extract the release zip
wget https://github.com/boxlinknet/kwtsms-wordpress/releases/latest/download/wp-kwtsms.zip
unzip wp-kwtsms.zip
# 2. Upload the extracted wp-kwtsms/ folder to your server
scp -r wp-kwtsms/ user@yourserver.com:/var/www/html/wp-content/plugins/
# 3. Activate via WP-CLI (or from the Plugins screen in wp-admin)
wp plugin activate wp-kwtsms
```

```bash
cd /var/www/html/wp-content/plugins/
git clone https://github.com/boxlinknet/kwtsms-wordpress.git wp-kwtsms
wp plugin activate wp-kwtsms
```

After activation:
- Go to kwtSMS → Gateway in your WordPress dashboard.
- Enter your API Username and API Password (from your kwtSMS account under Account → API Settings, not your login credentials).
- Click Login to verify credentials. The Sender ID dropdown will populate automatically.
- Select your Sender ID and click Save Settings.
- Go to kwtSMS → General to configure OTP mode (2FA, Passwordless, or both), rate limits, and CAPTCHA.
- Optionally enable Test Mode while setting up: SMS is queued but never delivered, and the OTP code is visible under kwtSMS → Logs → Debug Log. Note: credits are still deducted for queued messages. Delete them from your kwtSMS dashboard to recover them.
This plugin connects to the following external services:
1. kwtSMS API (required): sends all SMS messages.
- Endpoint: `https://www.kwtsms.com/API/`
- Data sent: phone number, message text, API credentials
- When: every time an OTP or notification SMS is dispatched
- Terms of Service | Privacy Policy
2. ipapi.co (optional): detects the visitor's country to pre-select the dial-code flag on the phone input.
- Data sent: visitor IP address only
- When: on the login page when Passwordless or 2FA mode is active; result cached 24 hours per IP
- Falls back to the default country in General Settings if unavailable
- Terms of Service | Privacy Policy
3. Google reCAPTCHA v3 (optional): bot protection on OTP forms. Only active when a reCAPTCHA Site Key is entered in General Settings.
4. Cloudflare Turnstile (optional): alternative bot protection. Only active when a Turnstile Site Key is entered in General Settings.
5. IPHub (optional): detects proxies and VPNs to block or flag suspicious OTP requests. Only active when an IPHub API key is entered and the feature is enabled in General Settings.
- Endpoint: `https://v2.api.iphub.info/ip/{ip}`
- Data sent: visitor IP address (in URL), API key (in request header)
- When: on every OTP request when enabled; result cached per IP (default 24 hours)
- Website | Privacy Policy
| Code | Meaning | Fix |
|---|---|---|
| ERR003 | Wrong credentials | Verify username/password at kwtsms.com |
| ERR008 | Sender ID not allowed | Choose an approved Sender ID |
| ERR010/011 | Insufficient credits | Top up your kwtSMS balance |
| ERR026 | No SMS coverage | Enable coverage for this country in your kwtSMS account |
| ERR006/025 | Invalid phone number | Ensure country code is included, digits only |
| ERR028 | Resend too fast | Wait 15 seconds between resend requests |
| ERR031/032 | Content rejected | Check template for spam-flagged content or bad language |
Full error code reference: kwtSMS API Documentation (PDF)
1. Do I need a kwtSMS account?
Yes. Sign up free at kwtsms.com. API credentials (username and password, not your login mobile) are entered in kwtSMS > Gateway.
2. What is the difference between Test Mode and Live Mode?
In Test Mode, messages are queued on the kwtSMS server but never delivered to the recipient's phone. Credits are still deducted. To recover them, log in to your kwtSMS dashboard and delete the queued messages from the outbox. The OTP code is visible under kwtSMS → Logs → Debug Log so you can complete flows during development without a real phone. In Live Mode, the SMS is delivered and credits are deducted. Always develop with Test Mode on, then disable it before going live.
3. My SMS status shows OK but the recipient did not receive it. What happened?
Check the Sending Queue at kwtsms.com. If the message is stuck there, it was accepted but not dispatched. Common causes: emoji or hidden characters in the message body, spam filter triggers, or Test Mode still enabled. Delete the stuck message from the queue to recover your credits.
4. What is a Sender ID and why should I not use the shared KWT-SMS sender?
A Sender ID is the name that appears on the recipient's phone instead of a random number. KWT-SMS is a shared test sender: it causes delivery delays and is blocked on Virgin Kuwait. For OTP you must use a Transactional Sender ID, which bypasses DND filtering on Zain and Ooredoo. Promotional Sender IDs are silently filtered, meaning OTP messages fail while credits are still deducted. Register a private Sender ID through your kwtSMS account.
5. I am getting an authentication error when I save my credentials. What should I check?
The plugin requires your API username and API password, not your account mobile number or login password. Log in to kwtsms.com, go to Account > API settings, and copy the API credentials. They are case-sensitive.
6. Can I send SMS to numbers outside Kuwait?
International sending is disabled by default on all kwtSMS accounts. Log in to your kwtSMS account and activate coverage for the countries you need. Enable IP and phone rate limiting before turning on international coverage to prevent balance drain from automated abuse.
7. Does the plugin work without WooCommerce?
Yes. WooCommerce is fully optional. All login, password reset, and contact form features work on any WordPress site.
8. How do I recover if I am locked out due to OTP?
Add this line to `wp-config.php` (before the `/* That's all, stop editing! */` line):

```php
define( 'KWTSMS_OTP_DISABLED', true );
```

Log in normally, fix your phone number or gateway issue, then remove the line.

Alternatively, use WP-CLI to remove the phone from your account: `wp user meta delete <user_id> kwtsms_phone` (replace `<user_id>` with your user ID, usually 1 for the first admin).
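
FAQ 6 recommends enabling IP and phone rate limiting before turning on international coverage, and the feature list describes that limiting as sliding-window. As an added example (not the plugin's own code; function names, the key format and the sample timestamps are assumptions), the PHP below replays the same constructed requests through a fixed-window counter and a sliding-window log. With a limit of 3 per 60 seconds, the fixed window accepts all six requests sent within six seconds across a window boundary, while the sliding window accepts three.

```php
<?php
// Added illustration, not the plugin's code; function names and the key format are hypothetical.

/** Fixed window: one counter per key per $window-second bucket, reset at each boundary. */
function fixed_window_allow(array &$counters, string $key, int $now, int $limit, int $window): bool
{
    $bucket = $key . '|' . intdiv($now, $window);
    $counters[$bucket] = ($counters[$bucket] ?? 0) + 1;
    return $counters[$bucket] <= $limit;
}

/** Sliding window: count accepted requests in the $window seconds that end at $now. */
function sliding_window_allow(array &$log, string $key, int $now, int $limit, int $window): bool
{
    $recent = array_values(array_filter(
        $log[$key] ?? [],
        static fn (int $t): bool => $t > $now - $window
    ));
    $allowed = count($recent) < $limit;
    if ($allowed) {
        $recent[] = $now; // only accepted requests consume quota
    }
    $log[$key] = $recent;
    return $allowed;
}

/** Replay request times through both limiters and count how many sends each accepts. */
function replay(array $times, int $limit, int $window): array
{
    $counters = $log = [];
    $accepted = ['fixed' => 0, 'sliding' => 0];
    $key = 'ip:203.0.113.7'; // constructed key using a documentation-range address
    foreach ($times as $t) {
        $accepted['fixed'] += (int) fixed_window_allow($counters, $key, $t, $limit, $window);
        $accepted['sliding'] += (int) sliding_window_allow($log, $key, $t, $limit, $window);
    }
    return $accepted;
}

// Constructed timestamps (seconds): three requests just before a 60 s boundary, three just after.
print_r(replay([57, 58, 59, 60, 61, 62], 3, 60));
```

A production limiter would run the same check for each of the per-phone, per-IP and per-account keys and refuse the send if any one of them is exhausted.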
- kwtSMS FAQ: Answers to common questions about credits, sender IDs, OTP, and delivery.
- kwtSMS Support: Open a support ticket or browse help articles.
- Contact kwtSMS: Reach the kwtSMS team directly for Sender ID registration and account issues.
- API Documentation (PDF): kwtSMS REST API v4.1 full reference.
- Best Practices: SMS API implementation best practices.
- Integration Test Checklist: Pre-launch testing checklist.
- Sender ID Help: Sender ID registration and guidelines.
- kwtSMS Dashboard: Recharge credits, buy Sender IDs, view message logs, and manage coverage.
- Other Integrations: Plugins and integrations for other platforms and languages.
- Plugin Issues: Report bugs or request features.
See CHANGELOG.md for the full version history.
GPL-2.0-or-later. See GNU GPL v2.0
Powered by kwtSMS.com, Kuwait's SMS gateway







