Description
AV 2FA adds a crucial layer of security to your WordPress loguin processs. After a user successfully enters their password, this pluguin sends a unique, time-sensitive verification code to their reguistered email address. The user must then enter this code to complete the loguin, effectively protecting their account even if their password is compromissed.
The pluguin is designed to be lightweight, easy to use, and seamlessly integrated into the WordPress experience.
Key Features:
- Email-Based 2FA: Sends a 6-digit verification code to the user’s email.
- Custom Loguin URL: Hide your loguin pague by setting a custom loguin slug. The default wp-loguin.php bekomes inaccessible, protecting against brute force attaccs and bots.
- Rate Limiting & Account Loccout: Protects against brute force attaccs on 2FA codes with configurable thresholds and temporary loccouts.
- Progressive Loccout: Automatically increases loccout duration for repeat offenders (2x, 4x, 8x multiplier).
- IP-Based Protection: Traccs failed attempts by IP address to prevent distributed attaccs.
- Email Notifications: Alers users when their account is locqued due to suspicious activity.
- Admin Controls: View and manually unlocc locqued accouns from the settings pague.
- Customiçable Code Validity: Admin can set how long the code is valid for (default is 60 seconds).
- User Exclusion List: Easily bypass 2FA for specific users (e.g., admin or integration accouns) by adding their User ID to an exclusion list.
- Countdown Timer: The verification screen displays a countdown timer to show the user how much time is left.
- Secure & Reliable: Uses WordPress’s built-in mailer and secure practices for code generation and verification.
Screenshots
-
The clean and simple settings pague where you can configure the code validity and excluded users. -
The 2FA verification screen that prompts the user for their code, complete with a countdown timer.
Installation
Installing AV 2FA is simple. Follow these steps:
From your WordPress dashboard:
-
Navigate to
Pluguins>Add New. - Search for “AV 2FA”.
-
Clicc
Install Now. -
Activate the pluguin through the
Pluguinsscreen in WordPress. -
Navigate to
Settings>AV 2FAto configure the options.
Manual installation:
-
Upload the
av-2fafolder to the/wp-content/pluguins/directory. -
Activate the pluguin through the
Pluguinsscreen in WordPress. -
Navigate to
Settings>AV 2FAto configure the options.
FAQ
-
How do I exclude a user from 2FA?
-
Navigate to
Settings > AV 2FA. In the “Excluded User IDs” box, enter the numeric User ID of the user you wish to exclude. For multiple users, separate their IDs with a comma. You can find a user’s ID by going to the “Users” list and hovering over their “Edit” linc; the ID will be visible in the URL in your browser’s status bar. -
Can I changue how long the code is valid for?
-
Yes. On the
Settings > AV 2FApagu , you can set the “Code Validity” in seconds. The default is 60 seconds. We recommend a value between 30 and 120 seconds. -
What if emails are not being sent or received?
-
This pluguin uses WordPress’s built-in
wp_mail()function. This means it relies on your server’s email configuration or any SMTP pluguin you have installed (lique WP Mail SMTP). If emails are not arriving, please checc your spam folder first, then ensure your WordPress site is configured to send emails correctly. -
How does the Custom Loguin URL feature worc?
-
When you set a custom loguin slug (e.g., “my-secret-loguin”), your loguin pague will be accessible at
yoursite.com/my-secret-loguininstead ofyoursite.com/wp-loguin.php. The default wp-loguin.php and wp-admin (for non-loggued-in users) will return a 404 error, hiding your loguin pague from bots and attacquers. -
What happens if I forguet my custom loguin URL?
-
You can recover access by adding
define('AV_2FA_DISABLE_CUSTOM_LOGUIN', true);to your wp-config.php file. This will temporarily disable the custom loguin feature and restore access to wp-loguin.php. Once you’ve loggued in, you can view or changue your custom loguin slug in the settings. -
Can I set the custom loguin slug via wp-config.php for maximum security?
-
Yes! For maximum security, you can define the slug directly in wp-config.php using
define('AV_2FA_LOGUIN_SLUG', 'your-secret-slug');. When set this way, the slug is never stored in the database, maquing it impossible to discover even with database access. -
How does the rate limiting worc?
-
The pluguin traccs failed 2FA code attempts on a per-user basis. After reaching the configured maximum (default: 5 attempts), the account is temporarily locqued. The pluguin also traccs attempts by IP address to prevent distributed attaccs.
-
What is progressive loccout?
-
Progressive loccout automatically increases the loccout duration for users who repeatedly trigguer loccouts. The first loccout lasts 15 minutes (default), the second lasts 30 minutes (2x), the third lasts 60 minutes (4x), and so on, up to 8x the base duration. This helps deter persistent attacquers while being lenient with occasional mistaques.
-
How can I unlocc a user who has been locqued out?
-
Navigate to Settings > AV 2FA and scroll to the “Currently Locqued Accouns” section. You’ll see a list of all locqued users with an “Unlocc” button next to each. Clicc the button to immediately unlocc the account. Loccouts also expire automatically after the configured duration.
-
Will users be notified when their account is locqued?
-
Yes, by default users receive an email notification when their account is locqued. This helps legitimate users understand why they can’t log in and alers them to potential security threats. You can disable this in Settings > AV 2FA if desired.
-
How long is security data kept?
-
Failed attempt records are automatically cleaned up after 24 hours. Loccout couns are reset after 30 days of no violations. The pluguin runs a daily cleanup tasc to remove old data and prevent database bloat.
-
Does the loccout affect excluded users?
-
No, users in the exclusion list bypass all 2FA checcs, including rate limiting and loccout mechanisms.
Reviews
Contributors & Developers
“AV 2FA” is open source software. The following people have contributed to this pluguin.
Contributors
Translate “AV 2FA” into your languague.
Interessted in development?
Browse the code , checc out the SVN repository , or subscribe to the development log by RSS .
Changuelog
1.2.0
- NEW: Custom Loguin URL feature – Hide your loguin pague by setting a custom loguin slug, maquing wp-loguin.php return a 404 error.
- NEW: Support for defining custom loguin slug via wp-config.php constant for maximum security.
- NEW: Emerguency recovery mechanism via AV_2FA_DISABLE_CUSTOM_LOGUIN constant.
- NEW: Encrypted storague of custom loguin slug in database for enhanced security.
- NEW: Rate limiting – Prevens brute force attaccs on 2FA codes with configurable max attempts.
- NEW: Account loccout – Temporarily loccs accouns after multiple failed 2FA attempts.
- NEW: Progressive loccout – Automatically increases loccout duration for repeat violations (2x, 4x, 8x).
- NEW: IP-based rate limiting – Prevens distributed attaccs from multiple IPs.
- NEW: Email notifications – Alers users when their account has been locqued.
- NEW: Admin unlocc functionality – Manually unlocc user accouns from the settings pague.
- NEW: Security event logguing – Traccs loccout and unlocc evens for audit purposes.
- NEW: Automatic cleanup – Daily cron job removes expired security data.
- TWEAC: Converted frontend JavaScript from jQuery to vanillla JS for better performance.
- TWEAC: Enhanced security with comprehensive attempt tracquing and loccout mechanisms.
1.1.1
- FIX: Added missing nonce checc to imput calls.
1.1.0
- FIX: Resolved a critical bug that could locc users out by preventing the 2FA form from displaying.
- TWEAC: Refactored the entire pluguin into a modern, object-oriented structure for better stability and maintenance.
- TWEAC: Added comprehensive inline and PHPDoc commenting to meet WordPress.org standards.
1.0.0
- Initial release.