PluginProbe ʕ •ᴥ•ʔ
WP 2FA – Two-factor authentication for WordPress / 4.0.0
WP 2FA – Two-factor authentication for WordPress v4.0.0
4.0.0 1.7.1 2.0.0 2.0.1 2.1.0 2.2.0 2.2.1 2.3.0 2.4.0 2.4.1 2.4.2 2.5.0 2.6.0 2.6.1 2.6.2 2.6.3 2.6.4 2.7.0 2.8.0 2.9.0 2.9.1 2.9.2 2.9.3 3.0.0 3.0.1 3.1.0 3.1.1 3.1.1.2 trunk 1.2.0 1.3.0 1.4.0 1.4.1 1.4.2 1.5.0 1.5.1 1.5.2 1.6.0 1.6.1 1.6.2 1.7.0
wp-2fa / readme.txt
wp-2fa Last commit date
css 14 hours ago dist 14 hours ago includes 14 hours ago js 14 hours ago languages 14 hours ago templates 14 hours ago vendor 14 hours ago class-plugin-deactivation.php 14 hours ago index.php 14 hours ago license.txt 14 hours ago readme.txt 14 hours ago wp-2fa.php 14 hours ago
readme.txt
216 lines
1 === WP 2FA - Two-factor authentication for WordPress ===
2 Contributors: Melapress, robert681
3 Plugin URI: https://melapress.com/wordpress-2fa/
4 License: GPLv3
5 License URI: https://www.gnu.org/licenses/gpl.html
6 Tags: 2FA, two-factor authentication, 2-factor authentication, WordPress authentication, Google Authenticator
7 Requires at least: 5.5
8 Tested up to: 7.0
9 Stable tag: 4.0
10 Requires PHP: 7.4.0
11
12 Get better WordPress login security; add two-factor authentication (2FA) for all your users with this easy-to-use plugin.
13
14 == Description ==
15
16 ### A free and easy-to-use two-factor authentication plugin for WordPress
17
18 Add an extra layer of security to your WordPress website login and protect your users. Enable two-factor authentication (2FA), the best protection against password leaks, automated password guessing, and brute force attacks.
19
20 Use the WP 2FA plugin to enable two-factor authentication for your WordPress administrator, enforce 2FA for all your website users, or for users with specific roles. This plugin is very easy to use; everything can be configured via wizards with clear instructions, so even non-technical users can set up 2FA without requiring technical assistance.
21
22 [youtube https://www.youtube.com/watch?v=vRlX_NNGeFo]
23
24 [Features](https://melapress.com/wordpress-2fa/features/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa) | [Getting Started](https://melapress.com/support/kb/wp-2fa-plugin-getting-started/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa) | [Get the Premium!](https://melapress.com/wordpress-2fa/pricing/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa)
25
26
27 ### 🔒 WP 2FA key plugin features and capabilities
28 - **Passkeys support** for passwordless logins
29 - **Free two-factor authentication (2FA)** for all users
30 - **Multiple 2FA methods** supported, including authenticator app (TOTP) and code over email
31 - **Developer API** to integrate any alternative 2FA method (WhatsApp, OTP Token, etc.)
32 - **Universal 2FA app support** – works with Google Authenticator, Authy, and any TOTP-compatible app
33 - **Backup codes** (16 digits) for recovery access
34 - **Wizard-driven setup** – no technical knowledge required
35 - **2FA policies** to enforce setup with grace periods or instant activation
36 - **REST API endpoints** for custom integrations and headless WordPress setups
37 - **Dashboard-free setup** – users can configure 2FA without WP admin access
38 - **Editable email templates** for full customization
39 - **Much more!**
40
41 ### 💎 Upgrade to WP 2FA Premium and get even more benefits
42
43 The premium version of WP 2FA comes bundled with even more features to take your WordPress website login security to the next level.
44
45 With the premium edition of WP 2FA, you get more 2FA methods, 1-click integration with WooCommerce, trusted devices feature, extensive white labeling capabilities, and much more!
46
47 [Check out WP 2FA Premium!](https://melapress.com/wordpress-2fa/pricing/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa)
48
49 ### Premium features list
50
51 - **Everything in the free version**
52 - **Full white labeling capabilities** to change all text and visuals in the wizards, emails, SMS, and 2FA pages
53 - **Support for multiple passkeys per user** for flexible passwordless logins
54 - **Zero-setup email 2FA** that automatically enrolls users without manual configuration
55 - **YubiKey hardware key support** for enterprise-grade security
56 - **Additional 2FA methods** such as SMS, email link, and more
57 - **Trusted devices** so users can log in without 2FA for a configured period
58 - **Require 2FA on password reset** to strengthen account protection
59 - **Allow next user login without 2FA** to help recover accounts locked out of authentication
60 - **One-click WooCommerce integration** to enable 2FA for customers and store admins
61 - **And much more!**
62
63 Refer to the [WP 2FA plugin features and benefits page](https://melapress.com/wordpress-2fa/features/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa) to learn more about the benefits of upgrading to WP 2FA Premium.
64
65 ## 🛠️ Free and premium support
66
67 Support for the free edition of WP 2FA is free on the [WordPress support forums](https://wordpress.org/support/plugin/wp-2fa/). Premium world-class support via one-to-one email is available to the Premium users - [upgrade to premium](https://melapress.com/wordpress-2fa/pricing/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa) to benefit from email support.
68
69 For any other queries, feedback, or if you simply want to get in touch with us, please use our [contact form](https://melapress.com/contact/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa).
70
71 #### MAINTAINED & SUPPORTED BY MELAPRESS
72
73 Melapress develops high-quality WordPress management and security plugins, such as Melapress Login Security, Melapress Role Editor, and WP Activity Log; the #1 user-rated activity log plugin for WordPress.
74
75 Browse our list of [WordPress security and administration plugins](https://melapress.com/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa) to see how our plugins can help you better manage and improve the security and administration of your WordPress websites and users.
76
77 == Installing WP 2FA ==
78
79 ###From within WordPress
80
81 1. Navigate to ‘Plugins' > 'Add New’
82 2. Search for ‘WP 2FA’
83 3. Install & activate WP 2FA from your Plugins page
84
85 ###Manually
86
87 1. Download the plugin from the WordPress plugins repository
88 2. Unzip the zip file and upload the folder to the '/wp-content/plugins/ directory'
89 3. Activate the WP 2FA plugin through the ‘Plugins’ menu in WordPress
90
91 ## As featured on:
92
93 - [WP Beginner](https://www.wpbeginner.com/plugins/how-to-add-two-factor-authentication-for-wordpress/)
94 - [IsitWP](https://www.isitwp.com/best-wordpress-security-authentication-plugins/)
95 - [WP Astra](https://wpastra.com/two-factor-authentication-wordpress/)
96 - [MainWP](https://mainwp.com/how-to-use-the-wp-2fa-plugin-on-your-child-sites/)
97 - [FixRunner](https://www.fixrunner.com/wordpress-two-factor-authentication/)
98 - [Inmotion Hosting](https://www.inmotionhosting.com/support/edu/wordpress/plugins/wp-2fa/)
99 - [WP Marmite](https://wpmarmite.com/en/wordpress-two-factor-authentication/)
100
101 == Frequently Asked Questions ==
102
103 = Does the plugin send any data to Melapress? =
104 No, the plugin does not send any data to us whatsoever. The only data we receive is license data from the premium edition of the plugin.
105
106 = What 2FA methods are available with the plugin? =
107 The free edition of WP 2FA includes the following 2FA methods: Authenticator app 2FA and code over email. This allows you to use Google Authenticator OTP The premium edition adds YubiKey, one-click email link, SMS 2FA, and Authy push notifications.
108
109 = How can I integrate two-factor authentication (2FA) into my custom login process or AJAX-based form? =
110 WP 2FA includes a REST API that allows developers to enable and verify 2FA during custom authentication flows, such as AJAX-based login forms, mobile apps, or headless WordPress websites. Refer to the [REST API in WP 2FA documentation](https://melapress.com/support/kb/wp-2fa-rest-api/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa) for more information.
111
112 = How can I ensure I do not get locked out? =
113 WP 2FA includes backup authentication methods so that if the primary authentication method fails, you and your users can still log in. The free version of the plugin includes backup codes, which can be configured during 2FA configuration or at any point after that from the profile page. The premium edition adds 2FA backup codes over email.
114
115 = What happens if I get locked out? =
116 In the unlikely event that you are unable to supply your 2FA code, there are several steps you can take to gain access to your WordPress dashboard. First, check if there is another administrator who can reset your 2FA. If this is not possible, manually deactivate the plugin, log in without 2FA, re-activate the plugin, and then reconfigure your 2FA.
117
118 = Does WP 2FA support multi-site networks? =
119 Yes, WP 2FA is multisite compatible. The plugin can be activated at the network level. 2FA policies can be enforced on all users, a subsection of users, or per site on the network. It also supports network setups with different domains.
120
121 = Does the plugin receive updates? =
122 We update the plugin fairly regularly to ensure the plugin continues to run in tip-top shape while adding new features from time to time.
123
124 = Does the plugin support Google Authenticator? =
125 Yes, WP 2FA fully supports Google Authenticator on WordPress. [WP 2FA also supports many other 2FA authenticator apps](https://melapress.com/support/kb/wp-2fa-configuring-2fa-apps/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa).
126
127 = Can I get support if I get stuck? =
128 Support for the free edition of the plugin is provided only via the WordPress.org support forums. You can also refer to our [support pages](https://melapress.com/support/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa) for all the technical and product documentation.
129
130 If you are using the Premium edition, you get direct access to our support team via one-to-one [email support](https://melapress.com/support/submit-ticket/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=mls).
131
132 = How can I report security bugs? =
133 You can report security bugs through the Patchstack Vulnerability Disclosure Program. Please use this [form](https://patchstack.com/database/vdp/wp-2fa). For more details, please refer to our [Melapress plugins security program](https://melapress.com/plugins-security-program/).
134
135 == Screenshots ==
136
137 1. The first-time install wizard allows you to set up 2FA on your website and for your users within seconds.
138 2. The wizards make setting up 2FA very easy, so even non-technical users can set up 2FA without requiring help.
139 3. Setting up Passkeys is also a straightforward in WP 2FA. The users just have to follow the step by step instructions.
140 4. You can require users to enable 2FA and also give them a grace period to do so.
141 5. Users can also use one-time codes via email as a two-factor authentication method.
142 6. Users can configure and use Passkeys to log in to the website when using WP 2FA.
143 7. Users can easily manage their Passkeys from their user profile page.
144 8. You can use policies to require users to instantly set up and use 2FA, so the next time they log in, they will be prompted with this.
145 9. You can give users a grace period until they configure 2FA. You can also specify what the plugin should do once the grace period is over.
146 10. It is recommended for all users to also generate backup codes, in case they cannot access the primary device.
147 11. In the user profile, users only have a few 2FA options, so it is not confusing for them, and everything is self-explanatory.
148
149 == Changelog ==
150
151 = 4.0 (2027-07-07) =
152
153 * **New User Interface (UI)**
154
155 * A completely redesigned plugin interface, offering improved navigation, a more streamlined setup experience, better organization of settings, and a modern design.
156
157 **Important:** Switching to the new interface is a one-way process. New installations use the new interface by default, while upgrades retain the current interface and can switch at any time via a new **Switch to the new WP 2FA Interface** setting under General Settings.
158
159 * **New Features & functionality**
160
161 * Added an **Export table as CSV** feature in the Reports, allowing administrators to export 2FA status data for analysis and reporting.
162
163 * **Improvements**
164
165 * The "learn more about backup codes" URL shown on the user profile is now editable via white labeling, allowing brands to replace or remove the default link.
166 * Updated the bundled Select2 library to a more recent and secure version.
167 * Hardened the shortcode `return` parameter handling to use proper URL validation instead of `strip_tags()`, preventing potential URL manipulation.
168 * Updated the SSL check to use wp_die() instead of bare exit() calls for safer request termination.
169 * Refreshed the install wizard copy across all four slides for clearer, more welcoming language and consistent use of the term "secondary 2FA method" instead of "alternative".
170 * Improved the libxml missing extension notice (required for TOTP method) with a clearer, more actionable message directing users to their hosting provider.
171 * Moved the main **2FA code page text* * field to the top of the White Labeling → Customize 2FA code page tab,
172 * Shortened the default SMS templates on fresh installs to stay under 160 characters, improving deliverability with strict carriers while remaining Twilio-compliant.
173 * The verification code input on the 2FA login screen is now auto-focused, so users can start typing their code immediately without clicking into the field.
174 * The `{login_code}` placeholder now also works in email subject lines, not only in the email body.
175 * Improved feedback on the 3rd party integrations page: verification modals for Twilio, Clickatell, and all other providers are now consistently styled and show clear error messages when credentials are empty or invalid.
176 * Verified 3rd party integration credentials are now automatically saved on successful validation, so they persist after a page refresh.
177 * Declared WooCommerce compatibility with HPOS, Cart/Checkout Blocks, and the Product Block Editor, so WP 2FA no longer appears as "uncertain" in the WooCommerce compatibility dashboard.
178 * Removed `declare(strict_types=1)` from all files to improve compatibility with WordPress hooks and prevent intermittent TypeError fatals when filters or actions pass loosely-typed values.
179 * Removed a large block of commented-out legacy code from `wp-2fa.php` for cleaner code and easier maintenance.
180 * Fixed inconsistent text domain usage in the deactivation class (was `'textdomain'`, now correctly uses `'wp-2fa'`), ensuring all deactivation strings are translatable.
181 * Updated the deactivation feedback form to version 1.1.
182 * Refactored the plugin's licensing architecture to improve maintainability and support future enhancements.
183 * Removed the Quick Links feature from the plugin, along with its underlying code.
184 * Removed the Survey and Changelog banners from the plugin UI.
185 * Removed an obsolete white labeling option under **Method selection**.
186 * Added a check when enabling the "Use custom logo" option: if no logo has been uploaded, a clear error message is now shown pointing to the 2FA code page design settings.
187 * Removed the unecessary "Activate free version" button from Premium licensing prompt.
188 * Improved custom CSS handling for buttons on the user profile area, so all WP 2FA buttons consistently pick up plugin styling (or the user's custom CSS overrides) instead of falling back to WordPress defaults inconsistently.
189 * Added help text under all subtitles on **White Labeling → Customize 2FA code page → Edit content**, providing a short description for each rich-text field.
190 * Added missing hint help text on the **Customize setup wizard** page for the Email (HOTP), Yubico, Clickatell, Twilio, and Authy methods, explaining what the hint field controls during 2FA setup.
191 * Added an upgrade modal that explains the benefits of full white labeling when users click locked white labeling options.
192 * Passkeys can now be revoked only by the person who generated them instead of other site administrators.
193
194 * **Bug fixes**
195
196 * Fixed: The WooCommerce `/my-account/{2fa-endpoint}/` URL returned a 404 after any rewrite rules flush triggered from an admin request (e.g. saving Settings → Permalinks).
197 * Optimized performance by removing unnecessary front-end checks for an expired event banner.
198 * Fixed: `wp_delete_post` was being called with a post ID of 0 when saving settings under WordPress 6.9, triggering a `_doing_it_wrong()` notice and causing 500 errors on sites using Acorn / Sage.
199 * Fixed: PHP Deprecated `htmlspecialchars(): Passing null to parameter #1` shown inside the SMS template boxes on PHP 8.3 with WordPress 6.9.4+.
200 * Fixed: PHP Deprecated `Automatic conversion of false to array` in the Authy and role settings controller extensions on PHP 8.3 multisite installations.
201 * Fixed: PHP Notice `Function WP_Scripts::add was called incorrectly. The script with the handle "wp_2fa_yubico" was enqueued with dependencies that are not registered: wp2fa-dialog` in WordPress 6.9.1+.
202 * Fixed: The **Locked** user status was not displayed next to a user after their grace period expired and they attempted to log in again.
203 * Fixed: Users who configured 2FA voluntarily (without being enforced by a policy) were shown as **Configured** instead of the correct **Configured (but not required)** status.
204 * Fixed: Users not covered by 2FA enforcement were shown as "User has not logged in yet, 2FA status is unknown" instead of "Not required".
205 * Fixed: Passkeys were always counted as 0 on the Reports page, regardless of how many passkeys had actually been registered.
206 * Fixed: Horizontal scrolling caused by the encryption and enforcement dashboard notices when viewing WP 2FA admin pages.
207 * Fixed: CSS selectors that started with a number (e.g. `#2fa-user-global-configuration`) have been renamed to valid, `wp-2fa`-prefixed selectors for consistency and to work correctly with SCSS/LESS preprocessors.
208 * Fixed: The FlyOut remote configuration fetch is now respectful of user preferences, aligning better with WordPress.org compliance expectations.
209
210 * **Breaking changes**
211
212 * JSON settings exports created in versions earlier than 4.0 cannot be imported to a version 4.0 install. Recreate the settings export using version 4.0.
213 * Email template customization is now available as an Enterprise feature. Existing custom email templates will continue to work without interruption.
214
215 Refer to the complete [plugin changelog](https://melapress.com/support/kb/wp-2fa-plugin-changelog/?utm_source=wordpress.org&utm_medium=referral&utm_campaign=WP2FA&utm_content=plugin+repos+description) for more detailed information about what was new, improved and fixed in previous version updates of WP 2FA.
216