- Fixed a reflected cross-site scripting issue in plugin’s admin page – reported by Utkarsh Agrawal.
- Beefed up the escaping and filtering of all user input in the plugin’s admin pages.
Release notes: WP 2FA 2.2: 2FA over SMS, Push notification, WhatsApp & more
- 2FA login with push notification, SMS, WhatsApp and incoming call via integration with Authy.
- New setting to configure how to handle logins if an external 2FA service is unavailable during login.
- Added the functionality to exclude users and roles from 2FA, regardless of the type of 2FA enforcement policy you have configured.
- Improved the function that checks which policies apply to the user logging in based on the user role (to address some inconsistencies when users' roles are changed).
- Applied several styling tweaks to the user 2FA setup wizard and plugin settings.
- Improved the text used in the white labelling settings.
- Removed the word "WordPress" from all 2FA user wizards.
- Added more validation checks to some of the plugin settings that accept user input.
- The incorrect license notice is now refreshed upon activating a new license.
- Improved the text in several notifications to better explain the issue to the user.
- Changed the functionality that hashes some of the configuration files to avoid inconsistencies due to different web server / OS setup.
- Redirects after first-time install wizard improved to better guide administrators.
- Fixed: Insecure direct object reference issue that allows users to disable other users' 2FA settings through a specific request. Issue reported by Maycon Vitali.
- Fixed: Plugin sends two different codes when requesting a new backup code over email.
- Fixed: Fatal error in some edge cases, caused by the removal of premium code during the build process.
- Fixed: Plugin only redirecting user to a custom "after 2FA setup URL" if they generate the backup codes.
- Fixed: Addressed a PHP warning triggered during login when no policies are set (support ticket).
- Added a new default user status: user has not logged in yet.
- Updated a number of links used in the plugin.
- Updated the redirects and logic that are triggered after the install wizard (improved UX).
- "Link valid for" sub setting is grayed out when the option is disabled (improved UX).
- Better handling of users without user role.
- Fixed: User 2FA state is permanently cached when using Redis object caching.
- Fixed an edge case in which the admin might be locked out of the plugin's settings during an upgrade.
- Professional premium plan was not activating properly.
- Fixed a PHP warning triggered during login on some websites.
- Improved the spacing of several network specific policy options (UI).
- Moved setting inline JS to wp_footer to improve theme compatibility.
- Prefixed all Select2 styling to avoid conflicts.
- Fixed: Close 'X' icon not closing modal wizard.
Release notes: Announcing WP 2FA 2.0 Premium
- Trusted devices: allow trusted devices, so users do not have to specify the 2FA code.
- Out of band 2FA method: click link sent over email to log in to the website.
- Whitelabeling module: change the 2FA pages colours, text, logos etc. as per your branding requirements.
- User role 2FA policies: configure different 2FA policies for different user roles.
- Backup 2FA method: users can have a backup 2FA method in case the 2FA app is unavailable.
- 2FA reports: easily get an overview of which users (and how many) have configured 2FA and which methods they are using.
- New setting to allow/disallow users from using other email addresses when configuring 2FA over email.
- New setting to specify for how long the 2FA code sent over email is valid.
- New setting to select between locking users or forcing users to configure 2FA when grace period is over.
- Users can be sorted by 2FA user status in the WordPress dashboard user view.
- QR code generator: QR codes are generated by the plugin without requiring third party services (such as Google and Cloudflare).
- TOTP code is encrypted in the database (security improvement).
- 2FA code bruteforce protection: user is redirected to the login page and the session is reset if a wrong 2FA code is entered 3 times in a row.
- Full support for PHP 8.
- Plugin settings moved to their own page.
- Users are now redirected back to the page from where they launched the 2FA wizard when they configure 2FA.
- Generic UI and UX improvements.
- CSS fix: CSS now restricted to plugin's own pages to avoid UI/CSS conflicts with other plugins.
- User ID no longer shared with client when requesting backup codes (security improvement).
- Refactored the plugin (major improvements in terms of product design, performance, & reliability).
- Refactored the way the plugin saves and retrieves user 2FA properties.
- Moved plugin and 2FA settings to a separate menu (no longer under the Settings section).
- Added a number of new tags that can be used in the plugin’s email templates.
- Improved the logic of how the plugin works on a multisite network.
- Improved the handling of users with super admin privileges in the 2FA policies.
- Implemented a new check, so administrators cannot deselect all of the available 2FA methods.
- Excluded users/roles setting now only available when 2FA policies are set to “All users” (simplified model).
- Improved the first-time install wizard (both UX and UI).
- Improved the user 2FA wizard (both UX and UI).
- When a user completes the first-time install wizard, the user is redirected to plugin settings.
- Added the new plugin logo in the wizards etc. (refer to how to replace or remove the plugin logo from the wizards if you do not want the plugin logo in the 2FA setup wizard).
- User roles that contain a space can now be excluded.
- Custom redirection is now honored even after the backup codes setup.
- Several improvements applied in how plugin settings are saved and checked (during user login).
- All data placeholders in the plugin settings now have the same format.
- Better resolution used for user-entered data in wizard.
- Users are now notified to reconfigure 2FA if the 2FA method they are using is no longer allowed.
- 2FA methods were not shown when administrator skips the first-time install wizard.
- Users were being redirected to custom redirect before finishing the backup codes.
- Buttons were not clickable when using the front-end 2FA setup page.
- Fixed a number of browser compatibility issues (mostly better support for Safari).
- User was still asked for 2FA code even if excluded.
- Settings were not properly populated in some cases, resulting in error on admin pages (Support ticket).
- PHP error when enforcing 2FA policies on a sub-site in a multisite network.
- Issue in logic caused users to be unable to configure 2FA unless specifically enforced.
- Missing blog_id from custom SQL query caused some network users to not be “instantly enforced” (redirected to the WP 2FA setup area) upon login.
- Setting to redirect users to a custom URL after they complete the 2FA setup.
- User’s 2FA status column in the WordPress users page.
- Setting to restrict plugin’s settings to a specific site administrator.
- New 2FA policies for multisite networks (require 2FA for all users of an individual site on the network).
- Setting to change the text of the 2FA code page.
- Backup codes are now optional: administrators can disable them, so the plugin does not prompt users to create them.
- Removed reference to “WordPress” in the 2FA wizard.
- Optimized the code that retrieves the list of users, roles and sites on a multisite network.
- User 2FA settings are now saved as an array in the database instead of a comma separated list.
- Added an alert to notify users that all the changes will be lost if they terminate the wizard without setting up 2FA.
- Improved the wizard and the user input sanitization.
- Converted a number of database settings to filters.
- Standardized the text and button labels on the 2FA code page.
- Hid the wizard’s holding page.
- Plugin now uses the site name and site email address as the from email address.
- 2FA apps logos in wizard now link directly to the application’s specific instructions.
- In some cases the plugin was sending multiple emails when settings were changed.
- Image URLs in modal wizard contain an extra slash.
- Some sections of the wizard were not displayed properly on the Safari browser.
- In some edge cases users selected the 2FA email method, but they were prompted to scan a QR code when using the front-end wizard.
- New improved “2FA code page” prompt text.
- Fixed an issue that was locking administrators out of the plugin’s configuration – an incorrect user ID was stored when the plugin settings were saved.
- Fixed a CSS compatibility issue caused by non-targeted “.disabled” styling.
- Configured 2FA profile for user was reset after first-time install wizard / possibly settings changes.
Release notes: Fully responsive 2FA wizards & more efficient code
- All the 2FA wizards in the plugin are now fully responsive and mobile friendly.
- Removed duplicate code and improved the plugin’s efficiency in general (plugin can scale much better now as well on bigger websites).
- Improved and optimized the creation and handling of user data when saving the 2FA policies and settings.
- Reduced the overall memory usage when processing settings by switching to direct wpdb queries.
- Switched to a single validation function when processing settings.
- Split each background task into smaller individual classes to reduce the load on the website when saving settings / applying policies.
- New settings overwrite currently queued settings instead of being enqueued when the administrator changes the settings.
- Added a confirmation step in the wizard for when 2FA setup is completed.
- Optimized the code that retrieves the email template settings.
- Unified all email sending functions into one (less code, more efficient, easier to troubleshoot).
- 2FA method is now separate from backup codes – user does not need to regenerate new backup codes when 2FA config is reset.
- Users are logged out from session if 2FA is required and administrator resets the 2FA profile.
- Users were not being redirected to reconfigure 2FA when 2FA was enforced and the admin resets their 2FA profile.
- Users were unable to reconfigure TOTP 2FA via front-end form in some edge cases.
- Pressing Enter when a modal is open was sometimes closing it.
- Awaiting jobs were not being deleted on plugin uninstall.
- A number of errors were generated when a website visitor visited the shortcode page.
- In some edge cases, users could still log in to the website.
- Addressed a conflict with the session lockout feature of All in One Security plugin.
- Backup codes were not generated at the end of the wizard in some edge cases.
Release notes: WP 2FA 1.4.2: Improved 2FA policies & multisite network support
- Policy to enforce 2FA policies on superadmins only on a multisite network.
- Setting to restrict other site admins from accessing the 2FA settings and policies.
- Support for Okta Verify 2FA app.
- Added new test buttons to test the email delivery system and also to test individual templates.
- Support for custom user roles with multiple words (such as “shop manager”).
- Users can set up 2FA via their smart device without the need to scan the QR code.
- When instant 2FA setup is required, existing user sessions are not terminated. Instead, they are redirected to the 2FA wizard.
- The dates and times used in emails and notifications have the same format as that configured in WordPress.
- The dates and times strings used in the plugin and emails are fully translatable.
- Added a subject to the login confirmation code email.
- Better error reporting when required settings are missing.
- Removed all reference to the Google Authenticator app. Now all messages are generic for all 2FA apps.
- Standardized the order of placeholders in 2FA wizard.
- Users were unable to set up 2FA in some edge cases because of an HTTP 400 error response during the wizard.
- Grace period settings were hidden unexpectedly upon changing the settings.
- The wrong grace period was being added to the user emails.
- Wrong grace period was shown in the user email when users are required to instantly set up 2FA.
- Users were able to disable 2FA after setting it up, even when 2FA is enforced.
This is a follow-up maintenance release of version 1.4.0.
- Updated the plugin settings text and wizards’ text to reflect the new changes (support for multiple 2FA apps).
- Redirect users to the user profile page if they exit the 2FA setup wizard.
- Reset 2FA app method button not working in wizard.
- When a 2FA method is disabled, all enabled user configured 2FA methods are cleared in the usermeta, falsely flagging the user to reconfigure 2FA.
- Fixed a minor UI compatibility issue with Jetpack CRM.
Release notes: WP 2FA 1.4: Support for Authy, FreeOTP & other 2FA apps
- Support for the following 2FA apps: Authy, Duo Security, FreeOTP (open source), Microsoft Authenticator, LastPass.
- Optional policy to enforce instant 2FA – users have to configure 2FA, otherwise they can’t log in to the website.
- Admins now have the option to choose when the plugin sends emails to users who have not configured 2FA yet (emails to set up 2FA).
- New slide in the setup wizard to allow admins to disable initial 2FA setup emails.
- New option to disallow users from disabling 2FA in their profile.
- Plugin no longer changes the email templates when the front-end 2FA page is enabled / disabled.
- Grace period slide in setup wizard updated so admins can require 2FA straight after login.
- Improved the instructions and help text of the front-end 2FA page.
- Applied several minor UI and UX improvements to the wizard.
- Super admin was not shown the notification to configure 2FA when policies applied to them.
- Compatibility issue with WordFence (Support ticket).
- Grace period changes in wizard are properly reflected in initial 2FA setup email sent to users.
- Reset button in wizard not working when 2FA is already configured with 2FA app.
- Minor CSS issue with a dashboard widget from Mailster.
Release notes: WP 2FA 1.3: Front-end 2FA setup & improved 2FA policies
- 2FA setup website page for users who do not have access to the dashboard and want to set up 2FA.
- Front-end 2FA setup page email tag so the link to set up 2FA can be included in the user emails.
- A number of shortcodes to set up your own 2FA configuration page.
- Setting to enable/disable every individual email notification.
- 2FA Policies can now be enforced both by role and to specific users at the same time.
- Administrators are redirected to the 2FA settings after completing the wizard.
- Standardized the handling and error notifications for the custom from email address and display name placeholders.
- Addressed a number of minor UI issues in the plugin wizard.
- Sites excluded in the wizard on multisite networks not excluded in config.
- Username was not properly retrieved and shown in the backup code print export.
- Users’ grace period database entry was not deleted when admin removed the policies.
- Multisite network support.
- Configurable email templates.
- New setting to also configure the “from email address and display name” for all plugin emails.
- Support for redirect after login plugins.
- Support for custom login pages; user is correctly redirected to enter 2FA code when using one.
- Added a “Send another code” button in the email 2FA wizard (in case first email is not received).
- If they apply, policies are automatically enforced on newly created users (the user is sent an email notification).
- 2FA policies are enforced if they apply when a user’s role is changed.
- Locked user is sent an email every time there is a login attempt on the account.
- Backup codes not generated in some specific scenarios.
- Incorrect META title of plugin wizard (Support ticket).
- Plugin does not generate backup codes in certain circumstances.
- Initial release