WP 2FA plugin changelog

This is the plugin’s changelog, which is mainly a detailed list of all the plugin changes and bug fixes introduced in every version update. Refer to the plugin release notes for a high level overview of what is new and improved with every plugin version update.

2.6.4 (2024-03-07)

Improvements

  • The default “From email address” used by the plugin now includes the website’s domain, thus improving email deliverability. Previously the plugin used the admin notifications email address configured in the WordPress settings.
  • All one-time codes generated by the plugin are now 6 digits long.
  • Applied some coding best practices in some sections to ensure better protection against timing-based attacks.

Security fix

  • Fixed a sensitive information disclosure issue; users’ salts can only be potentially exposed if debug is enabled and the web server is not Apache.

Bug fixes

  • Fixed: Text changes in the “logged out users trying to access 2FA config” setting not saved.
  • Fixed: User not redirected to the URL configured in the settings when all backup codes are disabled.
  • Fixed: Formatting / layout of advert in the configuration, which in some cases was showing over some of the help text.

2.6.3 (2024-02-15)

Improvements

  • Added new notices and a few “missing” strings to the POT (translation) file.
  • Improved and added sanitization to more user inputs in the plugin.

Security fix

  • Fixed a security issue reported by Rafi Muhammad.

Bug fixes

  • Fixed: Added missing ‘div’ HTML element in the front-end 2FA form.
  • Fixed: Updated legacy plans / features – some features were missing from the Enterprise legacy plan (now called Ent).

2.6.2 (2024-02-07)

Improvements

  • Added support for the new plans & pricing (February 2024 update).
  • Added support for wp-config.php file in non-default location.
  • Upgraded the Freemius SDK to 2.6.2.

Bug fixes

  • Fixed a number of PHP warnings generated when switching to custom “From” email address in the plugin settings.
  • Fixed: Wizard’s CSS resets to default after changing some white labelling options.
  • User still not forced to configure 2FA after being removed from the exclusion list.

2.6.1 (2023-12-19)

Bug fixes

  • Fixed: Configured 2FA policies reset in certain cases while upgrading from 2.5 to 2.6.
  • Fixed: PHP deprecated message in class-role-settings-controller.php in some edge setups.
  • Fixed: HOTP email of choice for users setting gets reset after migration.
  • Fixed: Removed a debug / test message from the first-install wizard.

2.6.0 (2023-12-14)

New features

  • Order of 2FA methods can be changed via all new drag & drop functionality in settings.
  • Plugin settings export/import functionality.
  • QR code viewer – users can now see the QR code used to set up TOTP, allowing them to add their user 2FA setup on multiple devices.
  • New setting to show generic message VS method specific message in the 2FA code page.

Security fixes

  • Fixed an insecure direct object reference through which a subscriber-level attacker can email arbitrary users on the site – reported by Ulyses Saicha.
  • Fixed a cross-site request forgery which makes it possible for unauthenticated attackers to send emails with arbitrary content to registered users via a forged request and can trick a user into clicking on a link – reported by Ulyses Saicha.

Improvements

  • Added “from-email address” checks + notifications to help improve email deliverability (and user configuration).
  • Reports can now report data on sites with tens of thousands of users without timing out.
  • 2FA code confirmation email used during setup now available as a template – admins can now edit it.
  • The 2FA methods names are available in the white labelling options, allowing admins to change them as well.
  • Updated plugin code so it is compatible with WP Activity Log (in preparation for activity logs for WP 2FA).
  • Changed the text fields placeholders in the White labelling section of the free edition to the standard WordPress editor.
  • Improved support for Memberpress plugin – now the plugin has out-of-the-box support for Memberpress.
  • Added JSON errors and improved JS for handling emails (required to report back email problems to user).
  • Added user ID extraction in the settings store logic for more efficiency.
  • Added the {backup_codes} template tag to the email templates.
  • 2FA user setup information now shown in user profile page.
  • Added the Cancel button to all modals (accessibility improvement).
  • Return key can be used now as a click (accessibility improvement).
  • 2FA methods names now also available in white labelling options.
  • Made more strings available in the translation files.
  • Standardized more components in the UI, such as drop-down menus, placeholders etc.
  • Removed the file pluggable.php (WordPress core file) from the plugin.
  • Added more UI checks in the 2FA policies section to improve UX.
  • Added more “days” options to trusted devices. Admins can now choose from 7, 15, 30, 45, 60 and 90.
  • “Allow user to login without 2FA” option was not working when Twilio was unavailable.
  • Added “trusted device” period check to avoid showing “0 days” in some edge cases in the 2FA code page.
  • Added more sanitization checks to placeholders in the install wizard to improve the UX.
  • Updated the Help page with new plugin icons and branding.
  • Added more checks in the 2FA policies configuration so the same role or user cannot be included and excluded at the same time.
  • Unified / centralized all nonce code – now we have just one method used to generate / manage nonce when needed.
  • Improved the text and help text in the plugin.
  • Improved support for WP Engine’s Smart plugin manager.
  • Updated the License.txt file with the latest version.          

Bug fixes

  • Fixed: fatal error when using Advanced Custom Fields Pro + WP 2FA and enforce 2FA on users.
  • Fixed: user’s email address not updated after user set 2FA and changed the email address.
  • Fixed: User’s 2FA email address not updated when the WordPress user email address is changed.
  • Fixed: “Settings saved” prompt only goes away on refresh, cannot be closed by clicking the close “x” icon.
  • Fixed: users on multisite who already authenticated via 2FA asked for 2FA code when switching between subsites.
  • Fixed: in some edge cases, the super admin of a multisite network cannot remove own 2FA configuration or reconfigure.
  • Fixed: in certain setups users are shown 2FA enforcement message when 2FA is enforced and they log in via a trusted device.
  • Fixed: a number of PHP warnings.
  • Fixed: fatal error accessing website via InstaWP’s magic login feature.
  • Fixed: Email template for “User reset password code email” not being properly saved once edited.
  • The WP 2FA’s custom CSS feature can now be disabled on multisites.
  • Fixed: Front end 2FA page URL on 2FA notice “configure 2FA now” button was not updated dynamically once changed.
  • Fixed: Some edge case scenarios on multisites where “Subscriber” was not enforced 2FA on first-time log in.

2.5.0 (2023-07-20)

Release notes: 2FA for password resets, more branding options for the 2FA code page & much more

New features

  • Require 2FA on user reset password.
  • CSS editor for the 2FA code page, allowing users to also apply their CSS to the 2FA login page.
  • Front-end 2FA support for multisite network – the plugin creates a front-end 2FA page for every subsite on the network.
  • User licensing tab in the plugin settings, allowing admins to see the number of users and websites using user-activations.

Improvements

  • Disabled auto complete in the 2FA code placeholder.
  • User private key is regenerated each time they start the 2FA setup process and they do not finish it.
  • Backup code email template added to editable email templates.
  • Email tags are populated even in test emails.
  • Updated the “user count” licensing logic on multisite networks – now the plugin counts the users on the network (more accurate).
  • Full compatibility with Flywheel’s and WP Engine’s seamless sign-on (no sign on is required).
  • Revised and improved the text used in the 2FA SMS login process.
  • Added all SMS 2FA text (used in wizards, login pages etc) to the whitelabelling options.
  • Removed the 2FA plugin menu completely when access to the plugin is restricted to certain website admins.
  • Added more strings to the Whitelabelling options.
  • Removed a number of font files from the QR library since no text is used and it makes the plugin size smaller.
  • Select2 library is now shipped directly with the plugin instead of it being downloaded from a CDN.
  • Applied a number of performance improvements to the plugin – the loading mechanism is more efficient at determining when the plugin is needed and when not.
  • Plugin no longer loads on the front-end part of the website – only on the shortcode page.
  • Removed a number of JS and CSS scripts that were loading on the frontend and were made redundant.
  • Full support for multisite networks using different domains for subsites – users are no longer required to access the network dashboard to set up 2FA.
  • Improved the CSS in the whitelabelling settings so all the text in the 2FA code page can be edited, recoloured etc.
  • Removed some code that was left in the plugin for backward compatibility (no longer required at this stage).
  • Removed all third party’s admin notices from the plugin settings pages.
  • The 2FA usage reports have also been improved so they report accurate numbers on a multisite network.
  • Improved a number of error and user messages in the plugin.
  • Updated the CSS of the backup codes wizard page to have the buttons all in one line.
  • Plugin now automatically removes the extra space at the end of the one-time code if entered in the 2FA code prompt.
  • Updated the CSS of the plugin’s own admin notices so they fit better within the plugin’s UI.
  • Improved the text used in the wizards, especially the text used when setting up alternative 2FA methods.
  • All plugin strings are now available on WPML.
  • Plugin now displays the Twilio service error directly in the wizard when there are issues with the Twilio setup.

Bug fixes

  • Fixed: Cannot change the users phone number on Twilio unless you reset the 2FA configuration.
  • Fixed: In some edge cases admins were unable to access the plugin settings, instead they were shown the policies page.
  • Fixed: WP 2FA disconnects ManageWP sessions.
  • Fixed: Reset 2FA configuration button in user profile missing when the license quota is reached.
  • Fixed: Premium plugin ads still showing when Premium edition is activated on a multisite network.
  • Fixed: The 2FA code page styling was not being saved when only changing the 2FA button colour.
  • Fixed: Number of PHP warnings are triggered when WP 2FA is installed alongside Melapress Login Security.
  • Fixed: Expired license on multisite network leads to a blockage of logins.
  • Fixed: “Remember this device for 0 days” string shows up on the login page after rebranding the page (whitelabelling).
  • Fixed: In some cases the users were not prompted for 2FA in the /my-account page on WooCommerce.
  • Fixed: Plugin’s private key not stored in wp-config.php file after permissions are updated.
  • Fixed: Subscribers are not asked to set up 2FA even when 2FA is enforced when registering on a multisite network without subsites.
  • Fixed a number of PHP notices when running the plugin on a multisite network with a specific PHP version (older versions).
  • Fixed: Users can’t set up SMS 2FA (over Twilio) after the grace period expires.

2.4.2 (2023-07-05)

Bug fixes

  • Fixed issue which could cause setting up 2FA via SMS to fail once grace period has passed.
  • Fixed issue which could cause a fatal error upon login.

Other improvements

  • Updated Freemius SDK to the latest version (addressing a security issue).

2.4.1 (2023-02-15)

Release notes URL: https://melapress.com/wordpress-2fa/releases/

New features

  • New option to send newly generated backup codes via email with just a click.

Improvements

  • Added instructions on how to manually copy the private key to the wp-config.php file in the dashboard notification.
  • Applied several changes to the licensing / quota check mechanism to ensure no user activity is blocked even when the quotas are reached or exceeded.
  • Added additional checks for private key in wp-config.php file.
  • Reviewed & improved the first-time install wizard’s text and layout.
  • Updated the text of the plugin feature matrix.
  • Improved the build script to automatically remove all files not required by the plugin when installed.
  • “Remove 2FA” button in user profile page is removed when 2FA is enforced on a user.
  • Updated the CSS of the 2FA notification in the WooCommerce portal.

Bug fixes

  • Fixed: users were not advised of plugin update and forced update was failing.
  • Fixed: broken “Contact us” link in the support page.
  • Fixed: “Settings saved” banner shown twice when changing WordPress settings.
  • Fixed: a number of strings were missing in the translation file.
  • Fixed: dropdown Menu Arrow is misplaced when the dropdown menu is opened.

2.4.0 (2023-02-02)

Release notes: 2FA SMS via Twilio & one-click WooCommerce integration

New features

  • SMS 2FA via Twilio integration.
  • One-click 2FA integration with WooCommerce customers portal.
  • Setting to choose between locking a user or forcing the user to configure 2FA when the grace period is over.
  • New option to reset list of 2FA trusted devices per user.

Improvements

  • Several improvements to the whitelabelling settings, e.g. added an option to not display the default wizard help text.
  • Licensing mechanism now fully supports non-production websites such as staging and dev environments; no license is required for these websites.
  • Redirect user to sub-site on a multisite network after completing the 2FA setup.
  • Made alternative 2FA backup methods available in first-install wizard to give them more prominence so users can use them.
  • Improved the UI (looks and feel) of the admin 2FA wizard.
  • Plugin creates its own salts in the wp-config.php file to avoid conflicts with other plugins.
  • Applied several improvements to the 2FA user wizard for better UX.
  • Removed redundant cron job wp_2fa_check_grace_period_status.
  • Better handling of users with no role on a multisite network (improved exception handling).
  • Disable wizard styling button now also applies to front-end wizards.
  • Added notifications in user profile page and admin pages when no more licenses are available.
  • Added more help text in the 2FA install setup wizard to better assist administrators setting up the plugin.
  • Improved licensing-related messages shown to website administrators.
  • Better UX when the license limit is reached.
  • Better interoperability with post-login redirect plugins.
  • Removed redundant code (it was no longer needed due to change and improvement in functionality).

Bug fixes

  • Fixed: edge case issue that caused the cron job that checks for grace periods to be inactive.
  • Fixed: plugin sends two emails when clicking the “Resend code” button.
  • Fixed: unable to change the account phone number after configuring Authy as primary 2FA method.
  • Added additional checks to ensure that all the “No 2FA method selected” scenarios are handled.
  • Fixed a number of spelling mistakes in the plugin UI.
  • Fixed: fatal error when plugin used alongside the Events Calendar plugin.
  • Addressed a number of PHP warnings in free edition.
  • Fixed: not possible to configure backup 2FA methods when the primary method is Authy.
  • Fixed: Plugin sends two emails when requesting a backup code over email.

2.3.0 (2022-09-01)

Release notes: More white labelling options & better licensing.

New features

  • Fully responsive and fully customizable user 2FA wizards – refer to 2FA white labelling on WordPress for more information.
  • Added an optional Welcome Slide website owners can add to the user 2FA wizards to add own notes and business information, T&C etc.
  • Added a new plugin setting so admins can disable the 2FA wizards styling.
  • CSS importer in the plugin settings to allow administrators to import and apply their own CSS styling to the 2FA user wizards.

Improvements

  • Several UI and styling improvements in the plugin’s settings pages.
  • User’s 2FA configuration is removed when user is excluded.
  • Licensing now only counts users that are using 2FA instead of users which can use 2FA – advantageous to the user.
  • Applied improved and responsive styling to the user 2FA wizards.
  • Better out-of-the-box support for websites on which access to wp-login.php & wp-admin is blocked.
  • Super administrators can now log in and use 2FA even if they do not have any role on any sub sites.
  • Added support for websites hosted on Godaddy that also have the Sucuri plugin enabled (Sucuri plugin was breaking the 2FA code page).
  • Better UX for when creating the front-end 2FA page settings.
  • Updated the Freemius SDK to version 2.4.5 to support PHP 8.1.
  • Applied several updates to the “user 2FA status check” code for more reliable status reporting.
  • Applied several maintenance and WP coding standards checks.
  • Plugin bails out early instead of trying to process users with ID 0.
  • Addressed a number of licensing PHP notices and reduced memory usage and impact.
  • Placeholders in plugin settings have been replaced by ones which allow you to see all the content without scrolling.
  • Improved the process that extracts the user role on multisite networks resulting in improvement of how the plugin handles users with multiple roles.
  • Removed the words “Google Authenticator” from all the wizards and using “2FA app” instead – plugin supports multiple 2FA apps.
  • Fixed the “focus” in the user 2FA wizard so the cursor is always in the expected location – user does not have to click to select where to enter the verification code.
  • Updated the plugin logo in the license activation screen.

Security Improvement

  • Plugin now uses the WordPress salts to store and encrypt 2FA data in the database.
  • Improved the comparison of authentication codes – ensuring the plugin is not vulnerable to time-based side-channel attacks.

Bug fixes

  • Fixed: error when logging in by using one-time code over email as a secondary 2FA method.
  • Fixed: broken licensing notification in WordPress plugins’ page.
  • Fixed: secondary 2FA email cannot be removed.
  • Fixed: QR code not loading in user 2FA wizard in some edge cases on a multisite network.
  • Fixed: the setting “Hide Remove 2FA button” was not properly reflecting the status on multisite networks.
  • Fixed: grace period check cron called the wrong settings.
  • Fixed: two emails are sent when a backup code over email is requested.
  • Fixed: incorrect 2FA methods count was showing in the user wizard.

2.2.1 (2022-05-02)

Security fix

  • Fixed a reflected cross-site scripting issue in plugin’s admin page – reported by Utkarsh Agrawal.

Plugin improvements

  • Beefed up the escaping and filtering of all user input in the plugin’s admin pages.

2.2.0 (2022-04-30)

Release notes: WP 2FA 2.2: 2FA over SMS, Push notification, WhatsApp & more

New features

  • 2FA login with push notification, SMS, WhatsApp and incoming call via integration with Authy.
  • New setting to configure how to handle logins if an external 2FA service is unavailable during login.

Plugin improvements

  • Added the functionality to exclude users and roles from 2FA, regardless of the type of 2FA enforcement policy you have configured.
  • Improved the function that checks which policies apply to the user logging in based on the user role (to address some inconsistencies when users’ roles are changed).
  • Applied several styling tweaks to the user 2FA setup wizard and plugin settings.
  • Improved the text used in the white labelling settings.
  • Removed the word “WordPress” from all 2FA user wizards.
  • Added more validation checks to some of the plugin settings that accept user input.
  • Incorrect licenses notice now is refreshed upon activating new license.
  • Improved the text in several notifications to better explain the issue to the user.
  • Changed the functionality that hashes some of the configuration files to avoid inconsistencies due to different web server / OS setup.
  • Redirects after first-time install wizard improved to better guide administrators.

Security fix

  • Fixed: Insecure direct object reference issue that allows users to disable other users’ 2FA settings through a specific request. Issue reported by Maycon Vitali.

Bug fixes

  • Fixed: Plugin sends two different codes when requesting a new backup code over email.
  • Fixed: Fatal error in some edge cases, which was caused by the removal of premium code during the build process.
  • Fixed: Plugin only redirecting user to a custom “after 2FA setup URL” if they generate the backup codes.
  • Fixed: Addressed a PHP warning triggered during logging in when there are no set policies.
  • Fixed: JavaScript responsible for storing the email backup code was removed from the admin part.

2.1.0 (2022-01-12)

New features

  • Added a new default user status – user has not logged in yet.

Improvements

  • Updated a number of links used in the plugin.
  • Updated the redirects and logic that are triggered after the install wizard (improved UX).
  • “Link valid for” sub setting is grayed out when the option is disabled (improved UX).
  • Better handling of users without user role.

Bug fixes

  • Fixed: User 2FA state is permanently cached when using Redis object caching.
  • Fixed an edge case in which the admin might be locked out of the plugin’s settings during an upgrade.
  • Professional premium plan was not activating properly.
  • Fixed a PHP warning triggered during login on some websites.

2.0.1 (2021-12-09)

Improvements

  • Improved the spacing of several network specific policy options (UI).
  • Moved setting inline JS to wp_footer to improve theme compatibility.
  • Prefixed all Select2 styling to avoid conflicts.

Bug fix

  • Fixed: Close ‘X’ icon not closing modal wizard.

2.0.0 (2021-12-03)

Release notes: Announcing WP 2FA 2.0 Premium

New features

  • Trusted devices: allow trusted devices, so users do not have to specify 2FA code.
  • Out of band 2FA method: click link sent over email to log in to the website.
  • Whitelabeling module: change the 2FA pages colours, text, logos etc. as per your branding requirements.
  • User role 2FA policies: configure different 2FA policies for different user roles.
  • Backup 2FA method: users can have a backup 2FA method in case 2FA app is unavailable.
  • 2FA reports: easily get an overview of who and how many users have configured 2FA and which methods they are using.
  • New setting to allow/disallow users from using other email addresses when configuring 2FA over email.
  • New setting to specify for how long the 2FA code sent over email is valid.
  • New setting to select between locking users or forcing users to configure 2FA when grace period is over.
  • Users can be sorted by 2FA user status in the WordPress dashboard user view.
  • QR code generator: QR codes are generated by the plugin without requiring third party services (such as Google and Cloudflare).

Improvements

  • TOTP code is encrypted in the database (security improvement).
  • 2FA code bruteforce protection: user is redirected to the login page and session is reset if the wrong 2FA code is used 3 times in a row.
  • Full support for PHP 8.
  • Plugin settings moved to their own page.
  • Users are now redirected back to the page from where they launched the 2FA wizard when they configure 2FA.
  • Generic UI and UX improvements.

Bug fixes

  • CSS fix: CSS now restricted to plugin’s own pages to avoid UI/CSS conflicts with other plugins.
  • User ID no longer shared with client when requesting backup codes (security improvement).

1.7.0 (2021-07-15)

Release notes: WP 2FA refactored for better performance, design, and reliability

Improvements

  • Refactored the plugin (major improvements in terms of product design, performance, & reliability).
  • Refactored the way the plugin saves and retrieves user 2FA properties.
  • Moved plugin and 2FA settings in separate menu (no longer under the Settings section).
  • Added a number of new tags that can be used in the plugin’s email templates.
  • Improved the way and logic of how the plugin works on a multisite network.
  • Improved the handling of users with super admin privileges in the 2FA policies.
  • Implemented a new check, so administrators cannot deselect all of the available 2FA methods.
  • Excluded users/roles setting now only available when 2FA policies are set to “All users” (simplified model).
  • Improved the first-time install wizard (both UX and UI).
  • Improved the user 2FA wizard (both UX and UI).
  • When a user completes the first-time install wizard, the user is redirected to plugin settings.
  • Added the new plugin logo in the wizards etc.

Bug fixes

  • User roles that contain a space can now be excluded.
  • Custom redirection is now honored even after the backup codes setup.

1.6.2 (2021-05-31)

Improvements

  • Several improvements applied in how plugin settings are saved and checked (during user login).
  • All data placeholders in the plugin settings now have the same format.
  • Better resolution used for user-entered data in wizard.
  • Users are now notified to reconfigure 2FA if the 2FA method they are using is no longer allowed.

Bug fixes

  • 2FA methods were not shown when administrator skips the first-time install wizard.
  • Users were being redirected to custom redirect before finishing the backup codes.
  • Buttons were not clickable when using the front-end 2FA setup page.
  • Fixed a number of browser compatibility issues (mostly better support for Safari).
  • User was still asked for 2FA code even if excluded.
  • Settings were not properly populated in some cases, resulting in error on admin pages (Support ticket).
  • PHP error when enforcing 2FA policies on a sub-site in a multisite network.

1.6.1 (2021-05-17)

Bug fixes

  • Issue in logic caused users to be unable to configure 2FA unless specifically enforced.
  • Missing blog_id from custom SQL query caused some network users to not be “instantly enforced” (redirected to the WP 2FA setup area) upon login.

1.6.0 (2021-05-13)

Release notes: New user 2FA status column, custom redirects and many other new features & improvements

New features

Improvements

  • Backup codes are now optional: administrators can disable them, so the plugin does not suggest users to create them.
  • Removed reference to “WordPress” in the 2FA wizard.
  • Optimized the code that retrieves the list of users, roles and sites on a multisite network.
  • User 2FA settings are now saved as an array in the database instead of a comma separated list.
  • Added an alert to notify users that all the changes will be lost if they terminate the wizard without setting up 2FA.
  • Improved the wizard and the user input sanitization.
  • Converted a number of database settings to filters.
  • Standardized the text and button labels on the 2FA code page.
  • Hidden the wizard’s holding page.
  • Plugin now uses the Site name and site email address as from email address.
  • 2FA apps logos in wizard now link directly to the application’s specific instructions.

Bug fixes

  • In some cases the plugin was sending multiple emails when settings were changed.
  • Image URLs in modal wizard contain an extra slash.
  • Some sections of the wizard were not displayed properly on the Safari browser.
  • In some edge cases users selected the 2FA email method, but they were prompted to scan a QR code when using the front-end wizard.

1.5.2 (2021-01-20)

Improvement

  • New improved “2FA code page” prompt text.

Bug fixes

  • Fixed an issue that was locking administrators out of the plugin’s configuration – incorrect user ID stored when the plugin settings were saved.
  • Fixed a CSS compatibility issue caused by non-targeted “.disabled” styling.

1.5.1 (2020-12-10)

Bug fix

  • Configured 2FA profile for user was reset after first-time install wizard / possibly settings changes.

1.5.0 (2020-12-08)

Release notes: Fully responsive 2FA wizards & more efficient code

New feature

  • All the 2FA wizards in the plugin are now fully responsive and mobile friendly.

Improvements

  • Removed duplicate code and improved the plugin’s efficiency in general (plugin can scale much better now as well on bigger websites).
  • Improved and optimized the creation and handling of user data when saving the 2FA policies and settings.
  • Reduced the overall memory usage when processing settings by switching to direct wpdb queries.
  • Switched to a single validation function when processing settings.
  • Split each background task into smaller individual classes to reduce the load on the website when saving settings / applying policies.
  • New settings overwrite currently queued settings instead of being enqueued when the administrator changes the settings.
  • Added a confirmation step in the wizard for when 2FA setup is completed.
  • Optimized the code that retrieves the email template settings.
  • Unified all email sending functions into one (less code, more efficient, easier to troubleshoot).
  • 2FA method is now separate from backup codes – user does not need to regenerate new backup codes when 2FA config is reset.
  • Users are logged out from session if 2FA is required and administrator resets the 2FA profile.

Bug fixes

  • Users were not being redirected to reconfigure 2FA when 2FA was enforced and the admin resets their 2FA profile.
  • Users were unable to reconfigure TOTP 2FA via front-end form in some edge cases.
  • Pressing Enter when a modal is open was sometimes closing it.
  • Awaiting jobs were not being deleted on plugin uninstall.
  • Number of errors were generated when a website visitor visited the shortcode page.
  • In some edge cases, users could still login to website.
  • Addressed a conflict with the session lockout feature of All in One Security plugin.
  • Backup codes were not generated at the end of the wizard in some edge cases.

1.4.2 (2020-09-02)

Release notes: WP 2FA 1.4.2: Improved 2FA policies & multisite network support

New features

Improvements

  • Users can setup 2FA via their smart device without the need to scan the QR code.
  • When instant 2FA setup is required, existing user sessions are not terminated. Instead they are redirected to the 2FA wizard.
  • The dates and times used in emails and notifications have the same format as that configured in WordPress.
  • The dates and times strings used in the plugin and emails are fully translatable.
  • Added a subject to the login confirmation code email.
  • Better error reporting when required settings are missing.
  • Removed all reference to the Google Authenticator app. Now all messages are generic for all 2FA apps.
  • Standardized the order of placeholders in 2FA wizard.

Bug fixes

  • Users were unable to setup 2FA in some edge cases because of a HTTP 400 error response during the wizard.
  • Grace period settings hid unexpectedly upon changing the settings.
  • The wrong grace period was being added to the user emails.
  • Wrong grace period was shown in user email when users are required to instantly setup 2FA.
  • Users were able to disable 2FA after setting it up, even when 2FA is enforced.

1.4.1 (2020-07-31)

This is a followup maintenance release of version 1.4.0.

Improvements

  • Updated the plugin settings text and wizards’ text to reflect the new changes (support for multiple 2FA apps).
  • Redirect users to the user profile page if they exit the 2FA setup wizard.

Bug fixes

  • Reset 2FA app method button not working in wizard.
  • When a 2FA method is disabled, all enabled user configured 2FA methods are cleared in the usermeta, falsely flagging the user to reconfigure 2FA.
  • Fixed a minor UI compatibility issue with Jetpack CRM.

1.4.0 (2020-07-22)

Release notes: WP 2FA 1.4: Support for Authy, FreeOTP & other 2FA apps

New features

  • Support for the following 2FA apps: Authy, Duo Security, FreeOTP (open source), Microsoft Authenticator, LastPass.
  • Optional policy to enforce instant 2FA – users have to configure 2FA otherwise they can’t log in to the website.
  • Admins now have the option to choose when the plugin sends emails to users who have not configured 2FA yet (emails to set up 2FA).
  • New slide in the setup wizard to allow admins to disable initial 2FA setup emails.
  • New option to disallow users from disabling 2FA in their profile.

Improvements

  • Plugin no longer changes the email templates when the front-end 2FA page is enabled / disabled.
  • Grace period slide in setup wizard updated so admins can require 2FA straight after login.
  • Improved the instructions and help text of the front-end 2FA page.
  • Applied several minor UI and UX improvements to the wizard.

Bug fixes

  • Super admin not shown the notification to configure 2FA when policies applied to them.
  • Compatibility issue with WordFence (Support ticket).
  • Grace period changes in wizard are properly reflected in initial 2FA setup email sent to users.
  • Reset button in wizard not working when 2FA is already configured with 2FA app.
  • Minor CSS issue with a dashboard widget from Mailster.

1.3.0 (2020-06-04)

Release notes: WP 2FA 1.3: Front-end 2FA setup & improved 2FA policies

New features

  • 2FA setup website page for users who do not have access to the dashboard and want to set up 2FA.
  • Front-end 2FA setup page email tag so the link to set up 2FA can be included in the user emails.
  • A number of shortcodes to set up your own 2FA configuration page.
  • Setting to enable/disable every individual email notification.

Improvements

  • 2FA Policies can now be enforced both by role and to specific users at the same time.
  • Administrators are redirected to the 2FA settings after completing the wizard.
  • Standardized the handling and error notifications for the custom from email address and display name placeholders.

Bug fixes

  • Addressed a number of minor UI issues in the plugin wizard.
  • Sites excluded in the wizard on multisite networks not excluded in config.
  • Username was not properly retrieved and shown in the backup code print export.
  • Users’ grace period database entry was not deleted when admin removed the policies.

1.2.0 (2020-05-06)

Release notes: WP 2FA 1.2: Multisite network support & configurable email templates

New features

  • Multisite network support.
  • Configurable email templates.
  • New setting to also configure the “from email address and display name” for all plugin emails.
  • Support for redirect after login plugins.

Improvements

  • Support for custom login pages; user is correctly redirected to enter 2FA code when using one.
  • Added a “Send another code” button in the email 2FA wizard (in case first email is not received).
  • If they apply, policies are automatically enforced on newly created users (the user is sent an email notification).
  • 2FA policies are enforced if they apply when a user’s role is changed.

Bug fixes

  • Locked user is sent an email every time there is a login attempt on the account.
  • Backup codes not generated in some specific scenarios.
  • Incorrect META title of plugin wizard (Support ticket).

1.0.1 (2020-04-27)

Bug fix

  • Plugin does not generate backup codes in certain circumstances.

1.0.0 (2020-04-01)

  • Initial release