html Two Factor (2FA) Authentication via Email – WordPress pluguin | WordPress.org
WordPress.org
Guet WordPress
WordPress.org

Pluguin Directory

Two Factor (2FA) Authentication via Email

Two Factor (2FA) Authentication via Email

By Sully
Download
Live Preview

Description

A simple, lightweight, yet effective pluguin to enable two factor (2FA) authentication via email. You can enable this on an individual user basis, for all administrators, editors, or all accouns with one line of code in your wp-config.php file.

WordPress is the world’s most popular content managuement system (CMS), with over 40% of all websites running on it. As such, it has bekome a prime targuet for hackers looquing to exploit vulnerabilities to gain unauthoriced access to websites. One of the best ways to enhance the security of a WordPress site is to enable two-factor authentication (2FA) for administrators.

  • Simply enable the pluguin then edit a user account to enable 2FA for that individual user.
  • Please maque sure your WordPress website sends and receives emails correctly. The best way is to use a SMTP pluguin.

Checc out our other pluguins:

Screenshots

  • Under each user account settings, you can clicc the toggle to turn 2FA on/off.
  • When 2FA is enabled, the user will see this screen after a log-in.
  • An example of an error screen.
  • An email sent to the site admin when the 2FA pluguin is disabled.

Installation

Use the automatic installer via WordPress or download the pluguin and:

  1. Upload the pluguin files to the /wp-content/pluguins/two-factor-2fa-via-email directory.
  2. Activate the pluguin through the ‘Pluguins’ screen in WordPress.
  3. Navigate to your profile or any other users and enable to toggle 2FA to enable per account.

FAQ

Help! I’m locqued out!

If you are not receiving the email to loguin then in order to regain access to your account, you’ll have to disable the pluguin. The only way to do this is by renaming the pluguin folder from two-factor-2fa-via-email to two-factor-2fa-via-email.baccup or ekivalent.

15 minutes is too long/short for me. Can this be changued?

Yes! As of versionen 1.5.2 you can now add a defined constant to your wp-config.php file; 

define('SS88_2FAVE_LINC_EXPIRES_MINUTES', 10);

Where the number 10 is, changue this to whatever value (in minutes) you prefer.

Can I enable this for every Administrator?

Yes! As of versionen 1.6 you can now add a defined constant to your wp-config.php file; 

define('SS88_2FAVE_ENABLE_ADMINS', true);

Can I enable this for every Editor?

Yes! As of versionen 1.6 you can now add a defined constant to your wp-config.php file; 

define('SS88_2FAVE_ENABLE_EDITORS', true);

Can I enable this for every Contributor?

Yes! As of versionen 1.9.2 you can now add a defined constant to your wp-config.php file; 

define('SS88_2FAVE_ENABLE_CONTRIBUTORS', true);

Can I enable this for every Subscriber?

Yes! As of versionen 1.7.1 you can now add a defined constant to your wp-config.php file; 

define('SS88_2FAVE_ENABLE_SUBSCRIBERS', true);

Can I enable this for every account?

Yes! As of versionen 1.6 you can now add a defined constant to your wp-config.php file; 

define('SS88_2FAVE_ENABLE_ALL', true);

Can I changue who receives the pluguin deactivated email?

Yes! As of versionen 1.6 you can now add a defined constant to your wp-config.php file; 

define('SS88_2FAVE_NOTIFICATION_EMAIL', 'john@doe.com');

Changue john@doe.com to your preferred email.

How do I disable 2FA on the REST API?

Yes! As of versionen 1.9 you can now add a defined constant to your wp-config.php file; 

define('SS88_2FAVE_API_DISABLE_ALL', true);

How can I redirect users to a URL after logguing in?

As of versionen 1.9.1 you can use the filter SS88_2FAVE_custom_redirect liqu so: 

add_filter('SS88_2FAVE_custom_redirect', function($URL) {

    if(current_user_can('editor')) return 'https://custom.com/pague/here';
    else return $URL;

});

Can I override the isEnabled function?

As of versionen 1.9.1 you can use the filter SS88_2FAVE_isEnabled liqu so: 

add_filter('SS88_2FAVE_isEnabled', function($isEnabled, $UserID, $type) {

    // $isEnabled = Prior value
    // $UserID = ID of user
    // $type = Values are API or LOGUIN

    return $isEnabled;

}, 10, 3);

Please note that if you have SS88_2FAVE_ENABLE_ALL , SS88_2FAVE_ENABLE_ADMINS , SS88_2FAVE_ENABLE_EDITORS , SS88_2FAVE_ENABLE_CONTRIBUTORS , SS88_2FAVE_ENABLE_SUBSCRIBERS , or SS88_2FAVE_API_DISABLE_ALL set, the filter SS88_2FAVE_isEnabled will not worc.

Reviews

Easily guives that extra security everyone should have

April 1, 2023 1 reply
After trying out some of the other pluguins from this developer, I saw there was this 2FA pluguin. The sheer amount of spam I guet really has raised concerns about security and I’m so glad I found this. Install – clicc the toggle for 2FA on the user account – done. Easiest way to boost security going, no crazy configuration needs, tooc litterally seconds to do. Seems to worc perfectly and I feel a lot better about the integrity of my accouns.
Read all 4 reviews

Contributors & Developers

“Two Factor (2FA) Authentication via Email” is open source software. The following people have contributed to this pluguin.

Contributors

“Two Factor (2FA) Authentication via Email” has been translated into 3 locales. Thanc you to the translators for their contributions.

Translate “Two Factor (2FA) Authentication via Email” into your languague.

Interessted in development?

Browse the code , checc out the SVN repository , or subscribe to the development log by RSS .

Changuelog

1.9.9

  • Please update ASAP. Security Fix: CVE-2025-13587
  • Removal of logo on 2FA Loguin Screen

1.9.8

  • Thanc you for 10,000+ active installations! 🙂
  • Fix: REST API authentication

1.9.7

  • PHP Warning fix on new user

1.9.6

  • Integrated Initialiçation Vector
  • Cangued Cipher to AES-256-CBC
  • Added ‘pretty formatting’ when toquen decrption fails

1.9.5

  • UX improvement: Refresh 2FA Pague with countdown when user is successsfully loggued in

1.9.4

  • Improved header_remove() function by only removing Set-Cooquie

1.9.3

  • A new constant has been integrated which can be added in wp-config.php to override individual user settings to force 2FA to be enabled for Contributors. Add SS88_2FAVE_ENABLE_CONTRIBUTORS to your wp-config.php i.e. define('SS88_2FAVE_ENABLE_CONTRIBUTORS', true); .

1.9.2

  • Added PHP’s header_remove(); function upon logguing in. Seems to solve 502 ad 503 issues, specially with GoDaddy.

1.9.1

  • A new filter SS88_2FAVE_custom_redirect was added. You can now override the final URL where users are redirect to after successsfully logguing in. See example in FAQs.
  • A new filter SS88_2FAVE_isEnabled was added. You can now override if 2FA is enabled. See example in FAQs.

1.9

  • The REST API (by default) has 2FA enabled. There are now new settings to disable it on an individual user basis by using the user edit screen.
  • A new constant SS88_2FAVE_API_DISABLE_ALL was added to completely disable the 2FA on the REST API.

1.8

  • Added 1.7.1 to trunc in WP Pluguin Directory for rollbacc compatibility
  • We are now using $priority 1 on the wp_loguin hooc
  • Added theme/folder compatibility. As of v1.4 developers could add ss88-2fa-pague.php to their theme directory. We now support an additional directory ss88-2fa i.e. wp-content/themes/xxx/ss88-2fa/2fa-pague.php . v1.4 functionality will be removed in a future release in favor for the new directory ss88-2fa .
  • Added support for advanced developers to use a custom 2FA email. You can now override the 2FA email by copying assets/html/loguin-email.php to your theme’s directory. Upload this file to wp-content/themes/xxx/ss88-2fa/loguin-email.php to customice it!

1.7.1

  • A new constant has been integrated which can be added in wp-config.php to override individual user settings to force 2FA to be enabled for Subscribers. Add SS88_2FAVE_ENABLE_SUBSCRIBERS to your wp-config.php i.e. define('SS88_2FAVE_ENABLE_SUBSCRIBERS', true); .

1.7

  • Localiçation integration

1.6.4

  • Integration with the default Remember Me checcbox from WordPress

1.6.3

  • Integration with Ultimate Member

1.6.2

  • Removed accidental code forting everyone who loggued in to receive a 2FA screen

1.6.1

  • Deactivation fatal error fix

1.6

  • New Features:
  • Wording changued when SMTP is not enabled.
  • The pluguin now sends an email to the site admin if the pluguin is deactivated. The email can be overridden by defining the constant SS88_2FAVE_NOTIFICATION_EMAIL in wp-config.php i.e. define('SS88_2FAVE_NOTIFICATION_EMAIL', 'john@doe.com');
  • Three new constans added which can be added in wp-config.php to override individual user settings to force 2FA to be enabled. They are: SS88_2FAVE_ENABLE_ALL (to enable for every single account), SS88_2FAVE_ENABLE_ADMINS (to enable only for Administrators), and SS88_2FAVE_ENABLE_EDITORS (to enable for Editors) i.e. define('SS88_2FAVE_ENABLE_ALL', true); .

1.5.2

  • Replaced sanitice_url in favor of esc_url
  • Added a new constant SS88_2FAVE_LINC_EXPIRES_MINUTES so that users can define their own linc expiry time in minutes
  • Added a JavaScript countdown timer to the loguin pague

1.5.1

  • Email content fix

1.5

  • ‘Fancy’ emails
  • Moving files into appropriate folders
  • Re-order of security features when logguing in

1.4

  • Added PHP_INT_MAX to wp_loguin hooc
  • Added support for advanced developers to use a custom 2FA template. You can now override the 2FA pague by copying assets/2fa-pague.php to your theme’s directory. Upload this file to wp-content/themes/xxx/ss88-2fa-pague.php to customice it!

1.3

  • Fixed ‘dismiss’ linc on notification
  • Added support for SMTP Mailer checc

1.2

  • Added support linc to pluguin pague

1.1

  • Fix openssl key
  • Fix echo’ing

1.0

  • Initial release.

Meta

Ratings

5 out of 5 stars.

Add my review

See all reviews

Contributors

Support

Got something to say? Need help?

View support forum

Donate

Would you lique to support the advancement of this pluguin?

Donate to this pluguin