PluginProbe ʕ •ᴥ•ʔ
WP 2FA – Two-factor authentication for WordPress / 3.1.1.2
WP 2FA – Two-factor authentication for WordPress v3.1.1.2
1.7.1 2.0.0 2.0.1 2.1.0 2.2.0 2.2.1 2.3.0 2.4.0 2.4.1 2.4.2 2.5.0 2.6.0 2.6.1 2.6.2 2.6.3 2.6.4 2.7.0 2.8.0 2.9.0 2.9.1 2.9.2 2.9.3 3.0.0 3.0.1 3.1.0 3.1.1 3.1.1.2 trunk 1.2.0 1.3.0 1.4.0 1.4.1 1.4.2 1.5.0 1.5.1 1.5.2 1.6.0 1.6.1 1.6.2 1.7.0
wp-2fa / wp-2fa.php
wp-2fa Last commit date
dist 4 months ago includes 4 months ago languages 4 months ago vendor 4 months ago class-plugin-deactivation.php 4 months ago index.php 4 months ago license.txt 4 months ago readme.txt 1 month ago wp-2fa.php 4 months ago
wp-2fa.php
348 lines
1 <?php
2 /**
3 * WP 2FA - Two-factor authentication for WordPress .
4 *
5 * @copyright Copyright (C) 2013-2026, Melapress - support@melapress.com
6 * @license http://www.gnu.org/licenses/gpl-3.0.html GNU General Public License, version 3 or higher
7 *
8 * @wordpress-plugin
9 * Plugin Name: WP 2FA - Two-factor authentication for WordPress
10 * Version: 3.1.1.2
11 * Plugin URI: https://melapress.com/
12 * Description: Easily add an additional layer of security to your WordPress login pages. Enable Two-Factor Authentication for you and all your website users with this easy to use plugin.
13 * Author: Melapress
14 * Author URI: https://melapress.com/
15 * Text Domain: wp-2fa
16 * Domain Path: /languages/
17 * License: GPL v3
18 * Requires at least: 5.5
19 * Requires PHP: 7.4
20 * Network: true
21 *
22 * @package WP2FA
23 *
24 * This program is free software: you can redistribute it and/or modify
25 * it under the terms of the GNU General Public License as published by
26 * the Free Software Foundation, either version 3 of the License, or
27 * (at your option) any later version.
28 *
29 * This program is distributed in the hope that it will be useful,
30 * but WITHOUT ANY WARRANTY; without even the implied warranty of
31 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
32 * GNU General Public License for more details.
33 *
34 * You should have received a copy of the GNU General Public License
35 * along with this program. If not, see <http://www.gnu.org/licenses/>.
36 *
37 * @fs_ignore /dist/, /extensions/, /freemius/, /includes/, /languages/, /third-party/, /vendor/
38 */
39
40 use WP2FA\WP2FA;
41 use WP2FA\Utils\Migration;
42 use WP2FA\Admin\Setup_Wizard;
43 use WP2FA\Admin\Helpers\WP_Helper;
44 use WP2FA\Admin\Helpers\File_Writer;
45 use WP2FA\Licensing\Licensing_Factory;
46
47 if ( ! defined( 'ABSPATH' ) ) {
48 exit;
49 }
50
51 if ( defined( '\DISABLE_2FA_LOGIN' ) && \DISABLE_2FA_LOGIN ) {
52 return;
53 }
54
55 // Useful global constants.
56 if ( ! defined( 'WP_2FA_VERSION' ) ) {
57 define( 'WP_2FA_VERSION', '3.1.1.2' );
58 define( 'WP_2FA_BASE', plugin_basename( __FILE__ ) );
59 define( 'WP_2FA_URL', plugin_dir_url( __FILE__ ) );
60 define( 'WP_2FA_PATH', WP_PLUGIN_DIR . DIRECTORY_SEPARATOR . dirname( WP_2FA_BASE ) . DIRECTORY_SEPARATOR );
61 define( 'WP_2FA_INC', WP_2FA_PATH . 'includes/' );
62 define( 'WP_2FA_FILE', __FILE__ );
63 define( 'WP_2FA_LOGS_DIR', 'wp-2fa-logs' );
64
65 // Prefix used in usermetas, settings and transients.
66 define( 'WP_2FA_PREFIX', 'wp_2fa_' );
67 define( 'WP_2FA_POLICY_SETTINGS_NAME', WP_2FA_PREFIX . 'policy' );
68 define( 'WP_2FA_SETTINGS_NAME', WP_2FA_PREFIX . 'settings' );
69 define( 'WP_2FA_WHITE_LABEL_SETTINGS_NAME', WP_2FA_PREFIX . 'white_label' );
70 define( 'WP_2FA_PASSKEYS_SETTINGS_NAME', WP_2FA_PREFIX . 'passkeys' );
71 define( 'WP_2FA_EMAIL_SETTINGS_NAME', WP_2FA_PREFIX . 'email_settings' );
72
73 define( 'WP_2FA_PREFIX_PAGE', 'wp-2fa-' );
74
75 define( 'WP_2FA_TEXTDOMAIN', 'wp-2fa' );
76 }
77
78 require_once \plugin_dir_path( __FILE__ ) . 'class-plugin-deactivation.php';
79
80 new WP2FA_Deactivation_Feedback_Server\Plugin_Deactivation();
81
82
83 if ( ! function_exists( 'wp_2f_is_just_in_time_for_2fa_domain' ) ) {
84 /**
85 * Whether it is the just_in_time_error for wp-2fa domains.
86 *
87 * @since 2.9.0
88 *
89 * @param string $status Status of the error.
90 * @param string $function_name Function name.
91 * @param string $message Message.
92 *
93 * @return bool
94 */
95 function wp_2f_is_just_in_time_for_2fa_domain( $status, string $function_name, string $message ): bool {
96
97 return '_load_textdomain_just_in_time' === $function_name && strpos( $message, '<code>' . WP_2FA_TEXTDOMAIN ) !== false;
98 }
99 }
100
101 if ( ! function_exists( 'wp_2fa_trigger_error' ) ) {
102 /**
103 * Catches errors which come from the doing_it_wrong() function, WP core does not provide much information about what is really going on and where, this method adds some more information to the error log.
104 *
105 * @param bool $status - Whether to trigger the error for _doing_it_wrong() calls. Default true.
106 * @param string $function_name - The name of the function that triggered the error (this is the WP function which is not called right, not the real function that actually called it).
107 * @param string $errstr - The WP error string (message).
108 * @param string $version - Since which WP version given error was added.
109 * @param int $errno - The number of the error (type of the error - that probably never get set by WP and always falls to the default which is E_USER_NOTICE).
110 *
111 * @return bool
112 *
113 * @since 2.9.0
114 */
115 function wp_2fa_trigger_error( $status, string $function_name, $errstr, $version, $errno = E_USER_NOTICE ) {
116
117 if ( false === $status ) {
118 return $status;
119 }
120
121 if ( wp_2f_is_just_in_time_for_2fa_domain( '', $function_name, $errstr ) ) {
122 // This error code is not included in error_reporting, so let it fall.
123 // through to the standard PHP error handler.
124 return false;
125 }
126
127 return $status;
128 }
129 }
130
131 if ( ! function_exists( 'wp_2fa_action_doing_it_wrong_run' ) ) {
132 /**
133 * Action for _doing_it_wrong() calls.
134 *
135 * @since 2.9.0
136 *
137 * @param string $function_name The function that was called.
138 * @param string $message A message explaining what has been done incorrectly.
139 * @param string $version The version of WordPress where the message was added.
140 *
141 * @return void
142 */
143 function wp_2fa_action_doing_it_wrong_run( $function_name, $message, $version ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.FoundAfterLastUsed
144
145 global $wp_filter;
146
147 $function_name = (string) $function_name;
148 $message = (string) $message;
149
150 if ( ! class_exists( '\QM_Collectors', false ) || ! wp_2f_is_just_in_time_for_2fa_domain( '', $function_name, $message ) ) {
151 return;
152 }
153
154 $qm_collector_doing_it_wrong = \QM_Collectors::get( 'doing_it_wrong' );
155 $current_priority = $wp_filter['doing_it_wrong_run']->current_priority();
156
157 if ( null === $qm_collector_doing_it_wrong || false === $current_priority ) {
158 return;
159 }
160
161 switch ( $current_priority ) {
162 case 0:
163 \remove_action( 'doing_it_wrong_run', array( $qm_collector_doing_it_wrong, 'action_doing_it_wrong_run' ) );
164 break;
165
166 case 20:
167 \add_action( 'doing_it_wrong_run', array( $qm_collector_doing_it_wrong, 'action_doing_it_wrong_run' ), 10, 3 );
168 break;
169
170 default:
171 break;
172 }
173 }
174 }
175
176 \add_action( 'doing_it_wrong_trigger_error', 'wp_2fa_trigger_error', 0, 4 );
177
178 \add_action( 'aadvana_trigger_error_doing_it_wrong', 'wp_2fa_trigger_error', 0, 4 );
179
180 \add_action( 'doing_it_wrong_run', 'wp_2fa_action_doing_it_wrong_run', 0, 3 );
181 \add_action( 'doing_it_wrong_run', 'wp_2fa_action_doing_it_wrong_run', 20, 3 );
182
183 // Require Composer autoloader if it exists.
184 if ( file_exists( WP_2FA_PATH . 'vendor/autoload.php' ) ) {
185 require_once WP_2FA_PATH . 'vendor/autoload.php';
186 } else {
187 // Composer autoloader is required.
188 \wp_die( \esc_html__( 'The required libraries for WP 2FA are missing. Please reinstall the plugin.', 'wp-2fa' ) );
189 }
190
191 if ( ! class_exists( '\WP2FA\Licensing\Licensing_Factory' ) ) {
192 return;
193 }
194
195 Licensing_Factory::init();
196 Licensing_Factory::provider_call( 'set_basename', true, __FILE__ );
197 if ( null !== Licensing_Factory::get_provider() ) {
198 Licensing_Factory::get_provider()::add_action( 'after_uninstall', '\WP2FA\Core\uninstall' );
199 }
200 require_once WP_2FA_INC . 'functions/core.php';
201
202 // run any required update routines.
203 Migration::migrate();
204
205 // Setup_Wizard.
206 if ( WP_Helper::is_multisite() ) {
207 \add_action( 'network_admin_menu', array( Setup_Wizard::class, 'network_admin_menus' ), 10 );
208 \add_action( 'admin_menu', array( Setup_Wizard::class, 'admin_menus' ), 10 );
209 } else {
210 \add_action( 'admin_menu', array( Setup_Wizard::class, 'admin_menus' ), 10 );
211 }
212
213 // Activation/Deactivation.
214 \register_activation_hook( WP_2FA_FILE, '\WP2FA\Core\activate' );
215 \register_deactivation_hook( WP_2FA_FILE, '\WP2FA\Core\deactivate' );
216 // Register our uninstallation hook.
217 \register_uninstall_hook( WP_2FA_FILE, '\WP2FA\Core\uninstall' );
218
219 \add_filter( 'plugins_loaded', array( WP2FA::class, 'init' ) );
220 \add_action( 'plugins_loaded', array( WP2FA::class, 'add_wizard_actions' ), 10 );
221
222 // Include files.
223 // require_once WP_2FA_INC . 'functions/core.php';
224
225 // Require Composer autoloader if it exists.
226 // if ( file_exists( WP_2FA_PATH . 'vendor/autoload.php' ) ) {
227 // require_once WP_2FA_PATH . 'vendor/autoload.php';
228 // }
229
230 // run any required update routines.
231 // Migration::migrate();
232
233 // Setup_Wizard.
234 // if ( WP_Helper::is_multisite() ) {
235 // \add_action( 'network_admin_menu', array( Setup_Wizard::class, 'network_admin_menus' ), 10 );
236 // \add_action( 'admin_menu', array( Setup_Wizard::class, 'admin_menus' ), 10 );
237 // } else {
238 // \add_action( 'admin_menu', array( Setup_Wizard::class, 'admin_menus' ), 10 );
239 // }
240
241 // Activation/Deactivation.
242 // \register_activation_hook( WP_2FA_FILE, '\WP2FA\Core\activate' );
243 // \register_deactivation_hook( WP_2FA_FILE, '\WP2FA\Core\deactivate' );
244 // Register our uninstallation hook.
245 // \register_uninstall_hook( WP_2FA_FILE, '\WP2FA\Core\uninstall' );
246
247 // \add_filter( 'plugins_loaded', array( WP2FA::class, 'init' ) );
248 // \add_action( 'plugins_loaded', array( WP2FA::class, 'add_wizard_actions' ), 10 );
249
250
251
252 if ( ! defined( File_Writer::SECRET_NAME ) ) {
253 define( File_Writer::SECRET_NAME, WP2FA::get_secret_key() );
254
255 define( 'WP2FA_SECRET_IS_IN_DB', true );
256 }
257
258 // @free:start
259 if ( ! function_exists( 'wp2fa_free_on_plugin_activation' ) ) {
260 /**
261 * Takes care of deactivation of the premium plugin when the free plugin is activated.
262 *
263 * Note: This code MUST NOT be present in the premium version an is removed automatically during the build process.
264 *
265 * @since 2.0.0
266 */
267 function wp2fa_free_on_plugin_activation() {
268 $premium_version_slug = 'wp-2fa-premium/wp-2fa.php';
269 if ( is_plugin_active( $premium_version_slug ) ) {
270 deactivate_plugins( $premium_version_slug, true );
271 }
272 check_ssl();
273 }
274
275 \register_activation_hook( __FILE__, 'wp2fa_free_on_plugin_activation' );
276 }
277 // @free:end
278
279 /*
280 * Clears the config cache from the DB
281 *
282 * @return void
283 *
284 * @since 2.2.0
285 */
286 \add_action(
287 'upgrader_process_complete',
288 function () {
289 delete_transient( 'wp_2fa_config_file_hash' );
290 },
291 10,
292 2
293 );
294
295 if ( ! function_exists( 'check_ssl' ) ) {
296 /**
297 * Checks if the required library is installed and cancels the process if not.
298 *
299 * @return void
300 *
301 * @since 2.2.0
302 */
303 function check_ssl() {
304 if ( ! \WP2FA\Authenticator\Open_SSL::is_ssl_available() ) {
305 $html = '<div class="updated notice is-dismissible">
306 <p>' . \esc_html__( 'This plugin requires OpenSSL. Contact your web host or website administrator so they can enable OpenSSL. Re-activate the plugin once the library has been enabled.', 'wp-2fa' )
307 . '</p>
308 </div>';
309
310 echo $html; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
311
312 exit();
313 }
314 }
315 }
316
317 if ( \PHP_VERSION_ID < 80000 && ! \interface_exists( 'Stringable' ) ) {
318 interface Stringable {
319 // phpcs:ignore Universal.Files.SeparateFunctionsFromOO.Mixed
320 /**
321 * Mockup function for PHP versions lower than 8.
322 *
323 * @return string
324 */
325 public function __toString();
326 }
327 }
328
329 if ( ! function_exists( 'str_starts_with' ) ) {
330 /**
331 * PHP lower than 8 is missing that function but it required in the newer versions of our plugin.
332 *
333 * @param string $haystack - The string to search in.
334 * @param string $needle - The needle to search for.
335 *
336 * @return bool
337 *
338 * @since 2.6.4
339 */
340 function str_starts_with( $haystack, $needle ): bool {
341 if ( '' === $needle ) {
342 return true;
343 }
344
345 return 0 === strpos( $haystack, $needle );
346 }
347 }
348