WP 2FA plugin changelog
- Refactored the plugin (major improvements in terms of product design, performance, & reliability).
- Refactored the way the plugin saves and retrieves user 2FA properties.
- Moved plugin and 2FA settings to a separate menu (no longer under the Settings section).
- Added a number of new tags that can be used in the plugin’s email templates.
- Improved the way and logic of how the plugin works on a multisite network.
- Improved the handling of users with super admin privileges in the 2FA policies.
- Implemented a new check, so administrators cannot deselect all of the available 2FA methods.
- Excluded users/roles setting now only available when 2FA policies are set to “All users” (simplified model)
- Improved the first-time install wizard (both UX and UI)
- Improved the user 2FA wizard (both UX and UI)
- When a user completes the first-time install wizard, the user is redirected to plugin settings.
- Added the new plugin logo in the wizards etc (refer to how to replace or remove the plugin logo from the wizards if you do not want the plugin logo in the 2FA setup wizard).
- User roles that contain a space can now be excluded.
- Custom redirection is now honored even after the backup codes setup.
- Several improvements applied in how plugin settings are saved and checked (during user login).
- All data placeholders in the plugin settings now have the same format.
- Better resolution used for user-entered data in wizard.
- Users are now notified to reconfigure 2FA if the 2FA method they are using is no longer allowed.
- 2FA methods were not shown when administrator skips the first-time install wizard.
- Users were being redirected to custom redirect before finishing the backup codes.
- Buttons were not clickable when using the front-end 2FA setup page.
- Fixed a number of browser compatibility issues (mostly better support for Safari).
- User was still asked for 2FA code even if excluded.
- Settings were not properly populated in some cases, resulting in error on admin pages (Support ticket).
- PHP error when enforcing 2FA policies on a sub-site in a multisite network.
- Issue in logic caused users to be unable to configure 2FA unless specifically enforced.
- Missing blog_id from custom SQL query caused some network users to not be “instantly enforced” (redirected to the WP 2FA setup area) upon login.
- Setting to redirect users to a custom URL after they complete the 2FA setup.
- User’s 2FA status column in the WordPress users page.
- Setting to restrict plugin’s settings to a specific site administrator.
- New 2FA policies for multisite networks (require 2FA for all users of an individual site on the network).
- Setting to change the text of the 2FA code page.
- Backup codes are now optional: administrators can disable them, so the plugin does not prompt users to create them.
- Removed reference to “WordPress” in the 2FA wizard.
- Optimized the code that retrieves the list of users, roles and sites on a multisite network.
- User 2FA settings are now saved as an array in the database instead of a comma separated list.
- Added an alert to notify users that all the changes will be lost if they terminate the wizard without setting up 2FA.
- Improved the wizard and the user input sanitization.
- Converted a number of database settings to filters.
- Standardized the text and button labels on the 2FA code page.
- Hidden the wizard’s holding page.
- Plugin now uses the site name and site email address as the from email address.
- 2FA apps logos in wizard now link directly to the application’s specific instructions.
- In some cases the plugin was sending multiple emails when settings were changed.
- Image URLs in modal wizard contain an extra slash.
- Some sections of the wizard were not displayed properly on the Safari browser.
- In some edge cases users selected the 2FA email method, but they were prompted to scan a QR code when using the front-end wizard.
- New improved “2FA code page” prompt text.
- Fixed an issue that was locking administrators out of the plugin’s configuration – an incorrect user ID was stored when the plugin settings were saved.
- Fixed a CSS compatibility issue caused by non-targeted “.disabled” styling.
- Configured 2FA profile for user was reset after first-time install wizard / possibly settings changes.
Release notes: Fully responsive 2FA wizards & more efficient code
- All the 2FA wizards in the plugin are now fully responsive and mobile friendly.
- Removed duplicate code and improved the plugin’s efficiency in general (plugin can scale much better now as well on bigger websites).
- Improved and optimized the creation and handling of user data when saving the 2FA policies and settings.
- Reduced the overall memory usage when processing settings by switching to direct wpdb queries.
- Switched to a single validation function when processing settings.
- Split each background task into smaller individual classes to reduce the load on the website when saving settings / applying policies.
- New settings overwrite currently queued settings instead of being enqueued when the administrator changes the settings.
- Added a confirmation step in the wizard for when 2FA setup is completed.
- Optimized the code that retrieves the email template settings.
- Unified all email sending functions into one (less code, more efficient, easier to troubleshoot).
- 2FA method is now separate from backup codes – user does not need to regenerate new backup codes when 2FA config is reset.
- Users are logged out from session if 2FA is required and administrator resets the 2FA profile.
- Users were not being redirected to reconfigure 2FA when 2FA was enforced and the admin resets their 2FA profile.
- Users were unable to reconfigure TOTP 2FA via front-end form in some edge cases.
- Pressing Enter when a modal is open was sometimes closing it.
- Awaiting jobs were not being deleted on plugin uninstall.
- A number of errors were generated when a website visitor visited the shortcode page.
- In some edge cases, users could still log in to the website.
- Addressed a conflict with the session lockout feature of All in One Security plugin.
- Backup codes were not generated at the end of the wizard in some edge cases.
Release notes: WP 2FA 1.4.2: Improved 2FA policies & multisite network support
- Policy to enforce 2FA policies on superadmins only on a multisite network.
- Setting to restrict other site admins from accessing the 2FA settings and policies.
- Support for Okta Verify 2FA app.
- Added new test buttons to test the email delivery system and also to test individual templates.
- Support for custom user roles with multiple words (such as “shop manager”).
- Users can set up 2FA via their smart device without the need to scan the QR code.
- When instant 2FA setup is required, existing user sessions are not terminated. Instead they are redirected to the 2FA wizard.
- The dates and times used in emails and notifications have the same format as that configured in WordPress.
- The dates and times strings used in the plugin and emails are fully translatable.
- Added a subject to the login confirmation code email.
- Better error reporting when required settings are missing.
- Removed all reference to the Google Authenticator app. Now all messages are generic for all 2FA apps.
- Standardized the order of placeholders in 2FA wizard.
- Users were unable to set up 2FA in some edge cases because of an HTTP 400 error response during the wizard.
- Grace period settings were hidden unexpectedly upon changing the settings.
- The wrong grace period was being added to the user emails.
- Wrong grace period was shown in user email when users are required to instantly setup 2FA.
- Users were able to disable 2FA after setting it up, even when 2FA is enforced.
This is a followup maintenance release of version 1.4.0.
- Updated the plugin settings text and wizards’ text to reflect the new changes (support for multiple 2FA apps).
- Redirect users to the user profile page if they exit the 2FA setup wizard.
- Reset 2FA app method button not working in wizard.
- When a 2FA method is disabled, all enabled user configured 2FA methods are cleared in the usermeta, falsely flagging the user to reconfigure 2FA.
- Fixed a minor UI compatibility issue with Jetpack CRM.
Release notes: WP 2FA 1.4: Support for Authy, FreeOTP & other 2FA apps
- Support for the following 2FA apps: Authy, Duo Security, FreeOTP (open source), Microsoft Authenticator, LastPass.
- Optional policy to enforce instant 2FA – users have to configure 2FA otherwise they can’t log in to the website.
- Admins now have the option to choose when the plugin sends emails to users who have not configured 2FA yet (emails to setup 2FA).
- New slide in the setup wizard to allow admins to disable initial 2FA setup emails.
- New option to disallow users from disabling 2FA in their profile.
- Plugin no longer changes the email templates when the front-end 2FA page is enabled / disabled.
- Grace period slide in setup wizard updated so admins can require 2FA straight after login.
- Improved the instructions and help text of the front-end 2FA page.
- Applied several minor UI and UX improvements to the wizard.
- Super admin not shown the notification to configure 2FA when policies applied to them.
- Compatibility issue with WordFence (support ticket).
- Grace period changes in wizard are properly reflected in initial 2FA setup email sent to users.
- Reset button in wizard not working when 2FA is already configured with 2FA app.
- Minor CSS issue with a dashboard widget from Mailster.
Release notes: WP 2FA 1.3: Front-end 2FA setup & improved 2FA policies
- 2FA setup website page for users who do not have access to the dashboard and want to set up 2FA.
- Front-end 2FA setup page email tag so the link to setup 2FA can be included in the user emails.
- A number of shortcodes to set up your own 2FA configuration page.
- Setting to enable/disable every individual email notification.
- 2FA Policies can now be enforced both by role and to specific users at the same time.
- Administrators are redirected to the 2FA settings after completing the wizard.
- Standardized the handling and error notifications for the custom from email address and display name placeholders.
- Addressed a number of minor UI issues in the plugin wizard.
- Sites excluded in the wizard on multisite networks not excluded in config.
- Username was not properly retrieved and shown in the backup code print export.
- Users’ grace period database entry was not deleted when admin removed the policies.
- Multisite network support.
- Configurable email templates.
- New setting to also configure the “from email address and display name” for all plugin emails.
- Support for redirect after login plugins.
- Support for custom login pages; user is correctly redirected to enter 2FA code when using one.
- Added a “Send another code” button in the email 2FA wizard (in case first email is not received).
- If they apply, policies are automatically enforced on a newly created user (user is sent an email notification).
- 2FA policies are enforced if they apply when a user’s role is changed.
- Locked user is sent an email every time there is a login attempt on the account.
- Backup codes not generated in some specific scenarios.
- Incorrect META title of plugin wizard (Support ticket).
- Plugin does not generate backup codes in certain circumstances.
- Initial release