=== LoginBerry - 2FA, Passwordless & Email Verification ===
Contributors: berrypress
Tags: two-factor authentication, 2fa, passwordless login, email verification, login security, woocommerce, authentication, account security, multi-factor, otp, login logs, user verification
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 8.0
Stable tag: 1.0.2
License: GNU General Public License version 3 or later
License URI: https://www.gnu.org/licenses/gpl-3.0.html

Complete login security for WordPress & WooCommerce: LoginBerry adds email-based account verification, optional two-factor authentication (2FA), optional passwordless login, and login logging. Settings are under BerryPress → LoginBerry.

== Description ==

LoginBerry bundles **account verification**, **two-factor authentication (2FA)**, **passwordless login**, and **login logs**. Each feature can be enabled or disabled independently. Outgoing codes are delivered by **email**.

The plugin works for standard WordPress sites. When WooCommerce is active, additional customer- and order-related options are available (for example 2FA on the My Account login form and optional account activation tied to orders).

= User-facing behavior (when features are enabled) =

* **Account verification:** After registration, the user signs in and completes activation on the configured activation page using a six-digit code sent by email.
* **Two-factor authentication:** After a successful username and password, the user enters a second code sent by email. Per-role modes are Required, Optional, or Disabled.
* **Passwordless login:** On `wp-login.php`, eligible roles may request a one-time email code instead of entering a password.
* **Login logs:** Success and failure records are listed in the WordPress admin.

Authentication codes are email-based; end users do not install a separate authenticator app for the flows described here.

= Account verification =

* New accounts receive a six-digit activation code by email.
* After fifteen failed activation attempts, the account is locked until an administrator intervenes.
* Administrators can resend codes, activate accounts manually, and unlock accounts from **Users → All Users**.

= Two-factor authentication (2FA) =

* Per-role setting: Required, Optional, or Disabled.
* Optional mode allows users to enable 2FA from the profile when permitted by role.
* Supported on `wp-login.php` and on the WooCommerce **My Account** login form.

= Passwordless login =

Let users log in without a password - just enter a username or email and receive a one-time login code. Improves user experience while maintaining strong security through email verification.

* Toggle between password and passwordless login on `wp-login.php`.
* One-time email codes on `wp-login.php`, controlled per role.
* When both passwordless login and 2FA are enabled for the same role, the passwordless flow does not require a separate 2FA step (email possession is already verified).

= WooCommerce =

* Optional automatic account activation when a WooCommerce order is created.
* Optional restriction so that only **paid** orders trigger activation.
* Integration points include classic checkout, block checkout (Store API), and paid-order completion hooks, as implemented in the plugin.

= Login logs =

Monitor all login activity on your site. Essential for detecting suspicious behavior and meeting security compliance requirements for e-commerce stores.

* Records successful and failed login attempts
* Logs username, email, IP address, and timestamp
* View all logs in a dedicated admin page with sortable columns
* Identify patterns of brute force attacks and suspicious login activity
* Audit trail for security compliance and fraud investigation

= Admin interface =

* Centralized settings under **BerryPress → LoginBerry**, with separate screens per feature.

= Email templates =

HTML email templates for activation, 2FA, and passwordless login ship in the plugin `templates/` directory.
To override, copy the desired template into the active theme or child theme under `templates/loginberry/` (see each template file header for the exact path).

= Email delivery =

Reliable outbound email is required for codes to arrive. Typical setups use the hosting provider’s mail relay, a transactional email API (for example Brevo, Mailchimp Transactional / Mandrill, Postmark, SendGrid, Amazon SES), or a WordPress plugin that sends mail via SMTP or a provider API. Test delivery with a real signup or code request before relying on the feature in production.

= Typical use cases =

* Reducing unwanted or automated registrations and limiting abuse of disposable email addresses.
* Verifying that a customer or member controls the email address on file.
* Adding a second factor after password entry for selected roles.
* Reviewing login success and failure history in the admin.
* WooCommerce: applying optional post-order account activation, including a paid-order-only mode where configured.

= Roadmap =

LoginBerry is a brand new plugin and we are improving it quickly based on real user feedback. If you have ideas, feature requests, or run into a theme-specific styling issue, we would love to hear from you.

Planned work includes:

* Configurable failed-attempt limits (instead of the fixed fifteen for activation lockout)
* Track last login time for each user
* Custom activation page URL
* Custom redirect URL after successful verification
* Rate limiting on code verification attempts
* Social login options
* Improved styling flexibility and theme compatibility

Feedback and compatibility reports are welcome via the plugin support channels. New features are prioritized based on user feedback.

== Installation ==

1. Install LoginBerry from **Plugins → Add New** in WordPress, or upload the ZIP under **Plugins → Add New → Upload Plugin**.
2. Activate the plugin.
3. Open **BerryPress → LoginBerry** and enable the desired features (Account Verification, Two-Factor Auth, Passwordless Login, Login Logs).
4. For account verification, create a page with the slug `account-activate` and add the shortcode `[loginberry_account_activate]`. The Account Verification settings screen includes setup guidance.
5. Send a test code to an administrator account and confirm that email delivery works with your hosting or mail provider configuration.

== Frequently Asked Questions ==

= Do I have to enable every feature? =

No. Each feature is independent. You may enable only the components you need.

= What are the server requirements? =

WordPress 6.0 or newer, PHP 8.0 or newer, and reliable outbound email.

= Why are users not receiving emails? =

The site must be able to send email. Common approaches include the host’s SMTP relay, a transactional email provider, or a WordPress plugin that sends via SMTP or an HTTP API. Verify end-to-end delivery with a test message after any mail configuration change.

= How do I enable two-factor authentication? =

Go to **BerryPress → LoginBerry → Two Factor Auth**, enable the feature, and set each role to Required, Optional, or Disabled.

= How does passwordless login work? =

When enabled for a role, users on `wp-login.php` can request a six-digit code by email instead of entering a password.

= Can I use 2FA and passwordless login together? =

Yes. When both are enabled for the same role, the passwordless login flow skips the separate 2FA step because possession of the email inbox has already been verified.

= Where are the email templates? =

In the plugin `templates/` directory: `activation-email.php`, `2fa-email.php`, `passwordless-login-email.php`. Override by copying to the theme where supported.

= Does it work with all themes? =

The plugin uses clean WordPress markup. Layout may vary slightly depending on theme styles, so if you see any styling quirks, feel free to reach out.

= Does LoginBerry work with WooCommerce? =

Yes. WooCommerce is optional. Without WooCommerce, verification (if enabled), 2FA on `wp-login.php`, passwordless login (if enabled), and login logs remain available. With WooCommerce active, 2FA is also available on the **My Account** login form, and account verification may optionally be tied to order creation, including a **paid orders only** option.

= Does passwordless login work on WooCommerce checkout or arbitrary custom login forms? =

Passwordless login is implemented for the standard WordPress login screen (`wp-login.php`). WooCommerce My Account login supports two-factor authentication as described above; passwordless login on other forms is outside the current scope.

= Can admins activate a user manually? =

Yes. In Users → All Users you will see links to activate accounts, resend codes, or unlock accounts.

= Can administrators help users who cannot activate or who are locked? =

Yes. Under **Users → All Users**, administrators can view status, resend codes, activate accounts manually, and unlock locked accounts when applicable.

= What if an administrator is locked out or no other administrator can help? =

Another administrator can usually resolve the issue under **Users → All Users**. If the site cannot be accessed from wp-admin, deactivate the plugin using standard WordPress recovery methods (for example renaming the plugin directory via FTP or SFTP, using WP-CLI where available, editing the `active_plugins` option after a database backup, or WordPress Recovery Mode when applicable).

Deactivating plugins when wp-admin is unavailable: https://wordpress.org/documentation/article/how-to-deactivate-all-plugins-when-not-able-to-access-wp-admin/

== Screenshots ==

1. BerryPress → LoginBerry dashboard and feature overview.
2. Two-factor authentication settings with per-role modes.
3. Account verification settings including WooCommerce order options.
4. Login logs admin list.

== Changelog ==

= 1.0.2 - May 12, 2026 =

* Fixed: "Paid orders only" auto-activation now triggers on the WooCommerce block checkout (Store API), in addition to the classic checkout.

= 1.0.1 - April 17, 2026 =

**Added and changed**

* Two-factor authentication (2FA) via email codes; per-role Required, Optional, or Disabled; supported on `wp-login.php` and WooCommerce My Account login.
* Passwordless login with one-time email codes on `wp-login.php`; when both passwordless and 2FA apply to the same role, the extra 2FA step after passwordless is omitted.
* Login logging with user, email, IP, and timestamp.
* BerryPress → LoginBerry admin area with separate settings pages per feature.
* Optional 2FA enrollment from the user profile when the role uses Optional mode.
* HTML email templates for activation, 2FA, and passwordless login (theme overrides supported).
* WooCommerce: optional automatic customer activation on order creation; optional **paid orders only** mode; hooks for classic checkout, block (Store API) checkout, and paid-order flows.
* Locked activation screen messaging and a log out link after repeated failed activation attempts.
* Default verification behavior for new installs; existing sites retain prior behavior via configuration versioning where applicable.

= 1.0.0 =

* Initial email-based account verification before site access (activation page and shortcode).