=== Duo Two-Factor Authentication ===
Contributors: duosecurity
Tags: authentication, two-factor, authenticator, login, username, password, duo, security
Requires at least: 3.0
Tested up to: 3.8.1
Stable tag: 2.2

Easily add Duo Security two-factor authentication to your WordPress website. Enable two-factor authentication for your admins and/or users.

== Description ==

[Watch our demo to see how easy it is to add Duo's two-factor authentication to your WordPress blog.](https://blog.duosecurity.com/2013/01/introducing-the-duo-5-minute-challenge/)

Duo Security provides two-factor authentication as a service to protect against account takeover and data theft. Using the Duo plugin you can easily add Duo two-factor authentication to your WordPress website in just a few minutes!

Rather than relying on a password alone, which can be phished or guessed, Duo's authentication service adds a second layer of security to your WordPress accounts. Duo enables your admins or users to verify their identities using something they have—like their mobile phone or a hardware token—which provides strong authentication and dramatically enhances account security.

Duo is easy to set up and use. With Duo there’s no extra hardware or complicated software to install; just install this plugin and sign up for Duo’s service. Then you can set which user roles you want to enable two-factor authentication for—admins, editors, authors, contributors, and/or subscribers—without setting up user accounts, directory synchronization, servers, or hardware.

When they log in, your users have multiple ways they can authenticate, including:

* One-tap authentication using Duo’s mobile app (our fastest, easiest way to authenticate)
* One-time passcodes generated by Duo’s mobile app (works even with no cell coverage)
* One-time passcodes delivered to any SMS-enabled phone (works even with no cell coverage)
* Phone callback to any phone (mobile or landline!)
* One-time passcodes generated by an OATH-compliant hardware token (if you’re feeling all old school)

Protect your WordPress website in minutes with Duo.

== Installation ==

Integrating Duo two-factor authentication with WordPress is a breeze. Follow these quick installation steps:

1. Sign up for a free Duo account at [duosecurity.com](https://www.duosecurity.com) and follow the activation instructions.
2. From your Duo administrative interface, add an integration and select "WordPress" as the Integration Type. You’ll need the "Integration Key," "Secret Key," and "API hostname" values shown here when you set up the Duo plugin in WordPress.
3. Also from the Duo administrative interface, you can select which user roles are required to use Duo two-factor authentication.
4. From your WordPress dashboard, install and activate this Duo WordPress plugin.
5. In the Duo WordPress plugin settings, fill in the "Integration Key," "Secret Key," and "API hostname" with the values provided in the Duo administrative interface for the WordPress integration that you added in Step 2.

All done! Log out of your WordPress instance. When you log back in, you'll be prompted to enroll in Duo and authenticate using Duo's two-factor service.

Get [more detailed instructions](https://www.duosecurity.com/docs/wordpress) at duosecurity.com.

== Frequently Asked Questions ==

= How do I get started with Duo? =

Before installing the plugin, you'll need to sign up for a free account at [http://www.duosecurity.com](http://www.duosecurity.com).

= Is Duo's two-factor service really free? =

Yes, Duo is free up to 10 users and no credit card is required to get started! If you go beyond 10 users, it's only $3/user/month.

= WordPress integration is great, but what if I want to protect my own web applications with two-factor? =

If you're interested in protecting other web applications with Duo's two-factor authentication, check out [all our online documentation](https://www.duosecurity.com/docs) to see all of our drop-in integrations and to access our APIs and web SDK.

== Screenshots ==

1. Duo's WordPress plugin adds strong two-factor authentication to any WordPress login. Your users will log in as usual with their primary credentials (their WordPress username and password). Then they’ll be challenged to complete secondary authentication via Duo Push, phone callback, or one-time passcodes generated via the Duo Mobile app or delivered via SMS.
2. The Duo Mobile application allows users to generate passcodes or use Duo Push to perform secondary authentication using their mobile device.

== Changelog ==

= 2.2 =
* Fix an issue that caused users to see 'Access Denied' when WordPress secret keys are not set correctly
* Fix 'Access Denied' issue due to a plugin caching our old JavaScript file
* Fix an issue that forced users to log in multiple times when going to a non-secure page from an SSL page
* Minor fix for sites using a proxy

= 2.1 =
* Fix an issue that caused 503 errors for some users
* Add support for proxy servers
* Fix an issue where the "Remember Me" checkbox on the login page was being ignored
* Use an application-specific key when signing Duo requests
* Add debug mode which enables verbose logging
* Remove unnecessary assets to reduce package size

= 2.0 =
* Fix an issue that allowed some users to bypass 2FA on multisite networks

= 1.8.1 =
* Fix multi-site login issue

= 1.8 =
* Add support for modal login pages in WordPress 3.8

= 1.7 =
* Fix various single-site and multi-site compatibility issues with WordPress instances running 3.0 and 3.2
* Support for WordPress 3.7.1
* Compatibility with WP-Engine WordPress hosting service
* Fix some style issues on the settings page

= 1.6.2 =
* Fix a rare conflict with other plugins

= 1.6.1 =
* Add support for WordPress 3.6.1
* Fix an issue that prevented admins from enabling XMLRPC on multisite instances
* Remove Duo configurations when the plugin is uninstalled from a multisite WordPress instance
* Better support for some custom themes
* Make Duo skey setting a password field

= 1.6 =
* Add support for Duo's new user enrollment frame

= 1.5.3 =
* Improve the way we ping Duo servers

= 1.5.2 =
* Included the root cert we validate against for better SSL certificate validation

= 1.5.1 =
* Add better SSL certificate validation when fetching server time
* Modify duo_web to remove the need for NTP

= 1.5 =
* Removed NTP sync requirement
* All Duo options will now be removed when plugin is uninstalled

= 1.4.2 =
* Better compatibility with other plugins
* Added setting for enabling/disabling XML-RPC access

= 1.4.1 =
* Improved handling of enabling Duo for specific roles

= 1.4 =
* Improved WordPress Multisite compatibility

= 1.3.4 =
* Compatibility with >3.3

= 1.3.3 =
* Added additional error checking

= 1.3.2 =
* Verified compatibility with WordPress 3.2

= 1.3.1 =
* Fixed a bug with user roles

= 1.3 =
* Default all roles to enable Duo login for upgraded users (same as new installs).
* Require the API hostname setting
* Code cleanups

= 1.2 =
* Select which roles need to authenticate with Duo

= 1.1.1 =
* CSS fixes for IE 6, 7, and 8

= 1.1 =
* Minor tweaks

= 1.0 =
* Initial release!

== Upgrade Notice ==

= 2.2 =
* Please disable the plugin before upgrading, then reactivate it after the upgrade is done
* Fix an issue that caused users to see 'Access Denied'
* Fix an issue that forced users to log in multiple times when going to a non-secure page from an SSL page
* Minor fix for sites using a proxy

= 2.1 =
* Please disable the plugin before updating. Make sure to enable the plugin when the upgrade is done
* Fix an issue that caused 503 errors for some users
* Add support for proxy servers
* Fix an issue where the "Remember Me" checkbox on the login page was being ignored
* Use an application-specific key when signing Duo requests
* Add debug mode which enables verbose logging
* Remove unnecessary assets to reduce package size

= 2.0 =
* Fix an issue that allowed some users to bypass 2FA on multisite networks
* Please disable the plugin before updating
* Note that when enabling the plugin, you will immediately get prompted for two-factor authentication

= 1.8.1 =
* Fix multi-site login issue

= 1.8 =
* Add support for modal login pages in WordPress 3.8

= 1.7 =
* Fix various single-site and multi-site compatibility issues with WordPress instances running 3.0 and 3.2
* Support for WordPress 3.7.1
* Compatibility with WP-Engine WordPress hosting service
* Fix some style issues on the settings page

= 1.6.2 =
* Fix a rare conflict with other plugins

= 1.6.1 =
* Add support for WordPress 3.6.1
* Fix an issue that prevented admins from enabling XMLRPC on multisite instances
* Remove Duo configurations when the plugin is uninstalled from a multisite WordPress instance
* Better support for some custom themes
* Make Duo skey setting a password field

= 1.6 =
* Added support for Duo's new enrollment frame.
* If you can't see the new frame style, you can enable it by logging in to your Duo administrative interface, then enabling the updated enrollment on the settings page.

= 1.5.3 =
* Improve the way we ping Duo servers

= 1.5.2 =
* Included the root cert we validate against for better SSL certificate validation

= 1.5.1 =
* Add better SSL certificate validation when fetching server time
* Modify duo_web to remove the need for NTP

= 1.5 =
* Removed NTP sync requirement
* All Duo options will now be removed when plugin is uninstalled

= 1.4.2 =
* Better compatibility with other plugins
* Added setting for enabling/disabling XML-RPC access

= 1.4.1 =
* Improved handling of enabling Duo for specific roles

= 1.4 =
* Improved WordPress Multisite compatibility

= 1.3.4 =
* Compatibility with >3.3

= 1.3.3 =
* Added additional error checking

= 1.3.2 =
* Verified compatibility with WordPress 3.2

= 1.3.1 =
* Fixed a bug with user roles

= 1.3 =
* Default all roles to enable Duo login for upgraded users (same as new installs).

= 1.2 =
* Select which roles need to authenticate with Duo

= 1.1.1 =
* CSS fixes for IE 6, 7, and 8

= 1.1 =
* Minor tweaks

= 1.0 =
* Initial release!