=== Rat Two-Factor Authentication ===
Contributors: rathsh
Tags: two-factor, authentication, security, 2fa, otp
Requires at least: 5.0
Tested up to: 6.8
Requires PHP: 7.4
Stable tag: 1.0.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Lightweight and powerful Two-Factor Authentication plugin for WordPress with email-based OTP verification.

== Description ==

**Rat Two-Factor Authentication** is a lightweight yet powerful security plugin that adds an extra layer of protection to your WordPress site through email-based One-Time Password (OTP) verification.

= Key Features =

* **Email-based OTP verification** - Secure 6-digit codes sent to the user's email
* **Lightweight and fast** - Minimal impact on site performance
* **User-friendly interface** - Clean, responsive design that works on all devices
* **Flexible settings** - Enable 2FA globally or per user
* **Role-based requirements** - Require 2FA for specific user roles
* **Session management** - Secure session handling with timeout protection
* **AJAX-powered** - Smooth user experience without page reloads
* **Auto-submit functionality** - Automatically submits the form when 6 digits are entered
* **Resend functionality** - Users can request new codes with cooldown protection
* **Mobile-friendly** - Optimized for mobile login experiences
* **Security-first** - Nonce protection, input sanitization, and secure coding practices

= How It Works =

1. User enters their username and password normally
2. If 2FA is enabled, they're redirected to an OTP verification screen
3. A 6-digit code is sent to their registered email address
4. User enters the code to complete login
5. Code expires after 10 minutes for security

= Perfect For =

* **Business websites** requiring enhanced security
* **E-commerce stores** protecting customer accounts
* **Membership sites** with sensitive user data
* **Multi-author blogs** securing contributor access
* **Any WordPress site** wanting better login security

= Admin Features =

* **Global 2FA setting** - Enable for all users
* **Force 2FA option** - Make it mandatory for selected roles
* **Role-based configuration** - Choose which roles require 2FA
* **User profile integration** - Users can enable/disable 2FA individually
* **Clean admin interface** - Easy to configure and manage

= Developer Friendly =

* **Well-documented code** with inline comments
* **WordPress coding standards** compliant
* **Hook system** for customization
* **Lightweight codebase** for easy modification
* **No external dependencies** - Pure WordPress integration

= Security Features =

* **Nonce verification** for all AJAX requests
* **Input sanitization** and validation
* **Secure OTP generation** using WordPress built-in functions
* **Session timeout** protection (10 minutes)
* **Rate limiting** on resend requests
* **No plain text storage** of OTP codes

== Installation ==

= Automatic Installation =

1. Log in to your WordPress admin panel
2. Navigate to Plugins > Add New
3. Search for "Rat Two-Factor Authentication"
4. Click "Install Now" and then "Activate"

= Manual Installation =

1. Download the plugin zip file
2. Upload it to the `/wp-content/plugins/` directory
3. Extract the zip file
4. Activate the plugin through the 'Plugins' menu in WordPress

= After Installation =

1. Go to Settings > Two-Factor Auth
2. Configure your preferred settings
3. Enable 2FA for your user account in your profile
4. Test the functionality

== Configuration ==

= Global Settings =

Navigate to **Settings > Two-Factor Auth** to configure:

* **Enable 2FA Globally**: Turn on 2FA for all users
* **Force 2FA for All Users**: Make 2FA mandatory regardless of user preference
* **Required User Roles**: Select specific roles that must use 2FA

= User Settings =

Each user can enable/disable 2FA in their profile:

1. Go to **Users > Profile** (or **Users > Your Profile**)
2. Find the "Two-Factor Authentication" section
3. Check "Enable 2FA" to activate it for that user
4. Save the profile

= Email Configuration =

The plugin uses WordPress's built-in `wp_mail()` function. Ensure your site can send emails properly. Consider using:

* SMTP plugins for reliable email delivery
* Email services like SendGrid, Mailgun, or Amazon SES
* Proper SPF/DKIM records for your domain

== Frequently Asked Questions ==

= Is this plugin free? =

Yes, Rat Two-Factor Authentication is completely free and open-source.

= Does it work with any email provider? =

Yes, it works with any email provider because it uses WordPress's standard email system.

= Can I customize the email template? =

Yes, you can use WordPress hooks to customize the email content and styling.

= What happens if a user loses access to their email? =

Administrators can disable 2FA for any user from their profile page in the admin area.

= Does it work with other security plugins? =

Yes, it's designed to work alongside other security plugins without conflicts.

= Is it compatible with multisite? =

The plugin works on multisite installations and can be configured per site.

= How secure are the OTP codes? =

OTP codes are generated using WordPress's secure random functions and are hashed before storage.

= Can I change the code expiry time? =

It is currently set to 10 minutes, but developers can modify this using plugin hooks.

= Does it support app-based authentication? =

This version focuses on email-based OTP. App-based authentication may be added in future versions.
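As an added example (not the plugin's own code), the following WordPress-style PHP sketches the OTP lifecycle described under How It Works and Security Features and in the FAQ answers above: a 6-digit code drawn from a CSPRNG, stored only as a hash, expiring after 10 minutes, consumed on first correct use, with a cooldown on resend. The function names, transient keys, 60-second cooldown and 5-attempt limit are assumptions; the WordPress functions called (`wp_rand`, `wp_hash_password`, `wp_check_password`, `set_transient`, `wp_mail`) are real.

```php
<?php
// Added illustration, not the plugin's own code: the OTP lifecycle the readme
// describes (6-digit code hashed at rest, 10-minute expiry, single use, resend
// cooldown). Names and the cooldown/attempt limits are assumptions; WP APIs are real.

define( 'RAT2FA_DEMO_TTL', 10 * MINUTE_IN_SECONDS ); // expiry stated in the readme
define( 'RAT2FA_DEMO_COOLDOWN', 60 );                 // assumed resend cooldown, seconds
define( 'RAT2FA_DEMO_MAX_TRIES', 5 );                 // assumed wrong-guess limit per code

function rat2fa_demo_issue_code( int $user_id ): bool {
    $user = get_userdata( $user_id );
    // Refuse a resend while the cooldown transient is still alive (rate limiting).
    if ( ! $user || get_transient( "rat2fa_demo_cooldown_{$user_id}" ) ) {
        return false;
    }
    // wp_rand() draws from a CSPRNG; zero-pad so e.g. 4213 becomes "004213".
    $code = str_pad( (string) wp_rand( 0, 999999 ), 6, '0', STR_PAD_LEFT );
    // Store only a hash plus an absolute deadline; the transient TTL enforces expiry too.
    set_transient( "rat2fa_demo_otp_{$user_id}", array(
        'hash'    => wp_hash_password( $code ),
        'expires' => time() + RAT2FA_DEMO_TTL,
        'tries'   => 0,
    ), RAT2FA_DEMO_TTL );
    set_transient( "rat2fa_demo_cooldown_{$user_id}", 1, RAT2FA_DEMO_COOLDOWN );
    return wp_mail( $user->user_email, 'Your login code',
        "Your verification code is {$code}. It expires in 10 minutes." );
}

function rat2fa_demo_verify_code( int $user_id, string $input ): bool {
    $key = "rat2fa_demo_otp_{$user_id}";
    $rec = get_transient( $key );
    // A missing record covers: never issued, expired, or already consumed.
    if ( ! is_array( $rec ) || $rec['expires'] <= time() ) {
        delete_transient( $key );
        return false;
    }
    // Malformed input or too many wrong guesses invalidates the code outright.
    if ( ! preg_match( '/^\d{6}$/', $input ) || $rec['tries'] >= RAT2FA_DEMO_MAX_TRIES ) {
        delete_transient( $key );
        return false;
    }
    if ( ! wp_check_password( $input, $rec['hash'] ) ) {
        $rec['tries']++;
        // Re-save with the remaining lifetime so a wrong guess never extends expiry.
        set_transient( $key, $rec, max( 1, $rec['expires'] - time() ) );
        return false;
    }
    delete_transient( $key ); // single use: a correct code cannot be replayed
    return true;
}
```

A login flow would call `rat2fa_demo_issue_code()` after the password check succeeds and only set the auth cookie once `rat2fa_demo_verify_code()` returns true; the AJAX endpoint that receives the code should also pass `check_ajax_referer()` first, matching the nonce verification the readme lists.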
= Is there a premium version? =

Currently, there's only the free version with all features included.

== Screenshots ==

1. **Admin Settings Page** - Configure global 2FA settings and role requirements
2. **User Profile Settings** - Individual user 2FA enable/disable option
3. **Login OTP Screen** - Clean, user-friendly verification interface
4. **Mobile Login View** - Responsive design optimized for mobile devices
5. **Email OTP Example** - Sample verification email sent to users

== Changelog ==

= 1.0.1 - 2024-12-19 =

* Initial release
* Email-based OTP verification
* User and admin interfaces
* Role-based requirements
* Session management
* AJAX functionality
* Mobile optimization
* Security implementations
* WordPress 6.4 compatibility

== Upgrade Notice ==

= 1.0.1 =

Initial release of Rat Two-Factor Authentication. Install to add powerful 2FA security to your WordPress site.

== Support ==

For support, feature requests, or bug reports:

* **Plugin Support**: [WordPress.org Support Forum](https://wordpress.org/support/plugin/rat-two-factor-authentication)
* **Documentation**: Available in the plugin's admin area
* **Bug Reports**: Please provide detailed information about your setup

== Contributing ==

We welcome contributions! The plugin follows WordPress coding standards and best practices.

== Privacy Policy ==

This plugin:

* Stores minimal user data (2FA preference and temporary OTP hashes)
* Does not send data to external services
* Uses WordPress's built-in email system
* Follows WordPress privacy guidelines
* Allows data export/erasure as per GDPR requirements

== Technical Requirements ==

* WordPress 5.0 or higher
* PHP 7.4 or higher
* MySQL 5.6 or higher (or equivalent MariaDB)
* Ability to send emails from WordPress
* Modern web browser with JavaScript enabled

== Credits ==

Developed with ❤️ by the Rat Plugins team, focused on creating lightweight, powerful, and user-friendly WordPress plugins.

== License ==

This plugin is licensed under the GPL v2 or later.
> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
>
> This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.