=== WP 2FA - Two-factor authentication for WordPress ===
Contributors: Melapress, robert681
Plugin URI: https://melapress.com/wordpress-2fa/
License: GPLv3
License URI: https://www.gnu.org/licenses/gpl.html
Tags: 2FA, two-factor authentication, multi-step authentication, 2-factor authentication, WordPress authentication, two-step authentication
Requires at least: 5.0
Tested up to: 6.4.2
Stable tag: 2.6.0
Requires PHP: 7.2.0

Harden your website's authentication; add two-factor authentication (2FA) for all your users with this easy-to-use plugin.

== Description ==

### A free and easy-to-use two-factor authentication plugin for WordPress

Add an extra layer of security to your WordPress website login pages and protect your users. Enable [two-factor authentication (2FA)](https://melapress.com/wordpress-2fa/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa), the best protection against users using weak passwords, automated password guessing, and brute force attacks.

[youtube https://www.youtube.com/watch?v=vRlX_NNGeFo]

[Features](https://melapress.com/wordpress-2fa/features/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa) | [Getting Started](https://melapress.com/support/kb/wp-2fa-plugin-getting-started/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa) | [Get the Premium!](https://melapress.com/wordpress-2fa/pricing/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa)

Use the WP 2FA plugin to enable two-factor authentication for your WordPress administrator, and to require your website users, or users with a specific role, to use 2FA. This plugin is very easy to use; everything can be configured via wizards with clear instructions, so even non-technical users can set up 2FA without requiring technical assistance.

#### MAINTAINED & SUPPORTED BY MELAPRESS

Melapress develops high-quality WordPress management and security plugins such as [Melapress Login Security](https://melapress.com/wordpress-login-security/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa), [CAPTCHA 4WP](https://melapress.com/wordpress-captcha/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa), and [WP Activity Log](https://melapress.com/wordpress-activity-log/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa), the #1 user-rated activity log plugin for WordPress.

Browse our list of [WordPress security and administration plugins](https://melapress.com/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa) to see how our plugins can help you better manage and improve the security and administration of your WordPress websites and users.

### WP 2FA key plugin features and capabilities

- Free two-factor authentication (2FA) for all users
- Supports multiple 2FA methods
- Universal 2FA app support – generate codes from Google Authenticator, Authy & any other 2FA app
- Supports 2FA backup methods
- Require 2FA on password reset
- Very easy to use and simple to set up
- Use 2FA policies to enforce 2FA with a grace period or require users to instantly set up 2FA upon logging in
- No WordPress dashboard access is required for users to set up 2FA
- Fully editable email templates
- Protection against automated password & dictionary attacks
- Much more

### Upgrade to WP 2FA Premium and get even more

The premium version of WP 2FA comes bundled with even more features to take your WordPress website login security to the next level. With the premium edition of WP 2FA, you get more 2FA methods, 1-click integration with WooCommerce, trusted devices feature, and extensive white labeling capabilities.

### Premium features list

- Everything in the free version
- Full white labeling capabilities
- Trusted devices (no 2FA required)
- One-click integration with WooCommerce
- Much more

Refer to the [WP 2FA plugin features and benefits page](https://melapress.com/wordpress-2fa/features/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa) to learn more about the benefits of upgrading to WP 2FA Premium.

## Free and premium support

Premium world-class support for WP 2FA is free via email or through the WordPress support forums.

Note: paid customer support is given priority and is provided via one-to-one email. Upgrade to Premium to benefit from priority support.

For any other queries, feedback, or if you simply want to get in touch with us, please use our [contact form](https://melapress.com/contact/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa).

## As featured on:

- [WP Beginner](https://www.wpbeginner.com/plugins/how-to-add-two-factor-authentication-for-wordpress/)
- [IsitWP](https://www.isitwp.com/best-wordpress-security-authentication-plugins/)
- [WP Astra](https://wpastra.com/two-factor-authentication-wordpress/)
- [MainWP](https://mainwp.com/how-to-use-the-wp-2fa-plugin-on-your-child-sites/)
- [FixRunner](https://www.fixrunner.com/wordpress-two-factor-authentication/)
- [Inmotion Hosting](https://www.inmotionhosting.com/support/edu/wordpress/plugins/wp-2fa/)
- [WP Marmite](https://wpmarmite.com/en/wordpress-two-factor-authentication/)

## Related links and documentation:

You can find more detailed information about 2FA and its benefits in the links below:

- [The benefits of using 2FA on WordPress](https://melapress.com/benefits-2fa-wordpress/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa)
- [Beginner’s guide to two-factor authentication](https://melapress.com/what-is-2fa-beginners-guide/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa)
- [Setting up Google Authenticator for WordPress 2FA](https://melapress.com/google-authenticator-app-wordpress-2fa/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa)
- [List of supported 2FA apps](https://melapress.com/support/kb/wp-2fa-configuring-2fa-apps/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa)
- [The definitive guide to WordPress security](https://melapress.com/wordpress-security/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa)
- [Official Melapress website](https://melapress.com/?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa)

== Installing WP 2FA ==

### From within WordPress

1. Navigate to ‘Plugins > Add New’
2. Search for ‘WP 2FA’
3. Install & activate WP 2FA from your Plugins page

### Manually

1. Download the plugin from the WordPress plugins repository
2. Unzip the zip file and upload the folder to the /wp-content/plugins/ directory
3. Activate the WP 2FA plugin through the ‘Plugins’ menu in WordPress

== Screenshots ==

1. The first-time install wizard allows you to set up 2FA on your website and for your user within seconds.
2. The wizards make setting up 2FA very easy, so even non-technical users can set up 2FA without requiring help.
3. You can require users to enable 2FA and also give them a grace period to do so.
4. Users can also use one-time codes via email as a two-factor authentication method.
5. You can use policies to require users to instantly set up and use 2FA, so the next time they log in they will be prompted with this.
6. You can give users a grace period until they configure 2FA. You can also specify what the plugin should do once the grace period is over.
7. It is recommended for all users to also generate backup codes, in case they cannot access the primary device.
8. In the user profile users only have a few 2FA options, so it is not confusing for them and everything is self-explanatory.

== Changelog ==

= 2.6.0 (2023-12-14) =

Release notes: [QR Code viewer, plugin settings export/import tool, and much more](https://melapress.com/wordpress-2fa/releases/)

* **New features**
    * QR code viewer - users can now see the QR code used to set up TOTP, allowing them to add their user 2FA setup on multiple devices.
    * New setting to show a generic message vs. a method-specific message on the 2FA code page.

* **Security fixes**
    * Fixed an insecure direct object reference (IDOR) through which a subscriber-level attacker can email arbitrary users on the site - reported by Ulyses Saicha.
    * Fixed a cross-site request forgery (CSRF) which makes it possible for unauthenticated attackers to send emails with arbitrary content to registered users via a forged request if they can trick a user into clicking on a link - reported by Ulyses Saicha.

* **Improvements**
    * Added "from-email address" checks + notifications to help improve email deliverability (and user configuration).
    * Updated plugin code so it is compatible with WP Activity Log (in preparation for activity logs for WP 2FA).
    * Changed the text field placeholders in the White labeling section of the free edition to the standard WordPress editor.
    * Improved support for the MemberPress plugin - now the plugin has out-of-the-box support for MemberPress.
    * Added JSON errors and improved JS for handling emails (required to report back email problems to user).
    * Added user ID extraction in the settings store logic for more efficiency.
    * 2FA user setup information now shown in user profile page.
    * Added the Cancel button to all modals (accessibility improvement).
    * Return key can now be used as a click (accessibility improvement).
    * Made more strings available in the translation files.
    * Standardized more components in the UI, such as drop-down menus, placeholders, etc.
    * Removed pluggable.php (WordPress core file) from the plugin.
    * Added more UI checks in the 2FA policies section to improve UX.
    * Added more sanitization checks to placeholders in the install wizard to improve the UX.
    * Updated the Help page with new plugin icons and branding.
    * Added more checks in the 2FA policies configuration so the same role or user cannot be included and excluded at the same time.
    * Unified / centralized all nonce code - now we have just one method used to generate / manage nonces when needed.
    * Improved the text and help text in the plugin.
    * Improved support for WP Engine's Smart plugin manager.
    * Updated the License.txt file with the latest version.

* **Bug fixes**
    * Fixed: fatal error when using Advanced Custom Fields Pro + WP 2FA and enforce 2FA on users.
    * Fixed: user's email address not updated after user set 2FA and changed the email address.
    * Fixed: user's 2FA email address not updated when the WordPress user email address is changed.
    * Fixed: "Settings saved" prompt only goes away on refresh, cannot be closed by clicking the close "x" icon.
    * Fixed: users on multisite who already authenticated via 2FA asked for 2FA code when switching between subsites.
    * Fixed: in some edge cases, the super admin of a multisite network cannot remove own 2FA configuration or reconfigure.
    * Fixed: in certain setups users are shown 2FA enforcement message when 2FA is enforced and they log in via a trusted device.
    * Fixed a number of PHP warnings (improving compatibility with PHP 8.X).
    * Fixed: fatal error accessing website via InstaWP's magic login feature.
    * The WP 2FA's custom CSS feature can now be disabled on multisites.
    * Fixed: front-end 2FA page URL on 2FA notice "configure 2FA now" button was not updated dynamically once changed.
    * Fixed: some edge case scenarios on multisites where "Subscriber" was not enforced 2FA on first-time log in.

Refer to the complete [plugin changelog](https://melapress.com/support/kb/wp-2fa-plugin-changelog/?utm_source=wordpress.org&utm_medium=referral&utm_campaign=WP2FA&utm_content=plugin+repos+description) for more detailed information about what was new, improved and fixed in previous version updates of WP 2FA.