| Developer | avrasys |
|---|---|
| Last updated | May 25, 2026, 20:45 |
| Donate link | Donate |
| PHP version | 7.4 or higher |
| WordPress version | 7.0 |
| License | GPL v2 or later |
| License URL | License information |
To install from the dashboard:

1. Go to Plugins > Add New and click Install Now.
2. Activate the plugin from the Plugins screen in WordPress.
3. Go to Settings > AV 2FA to configure the options.

To install manually:

1. Upload the av-2fa folder to the /wp-content/plugins/ directory.
2. Activate the plugin from the Plugins screen in WordPress.
3. Go to Settings > AV 2FA to configure the options.

To exclude a user from 2FA, navigate to Settings > AV 2FA. In the "Excluded User IDs" box, enter the numeric user ID of the user you wish to exclude; separate multiple IDs with commas. You can find a user's ID by going to the Users list and hovering over their "Edit" link: the ID appears as the user_id parameter of the URL shown in your browser's status bar.
Yes. On the Settings > AV 2FA page, you can set the "Code Validity" in seconds. The default is 60 seconds; a value between 30 and 120 seconds is recommended. Keep in mind that a longer validity window gives an attacker who intercepts or guesses the emailed code more time to use it, so only raise it if mail delivery on your server is genuinely slow.
This plugin uses WordPress's built-in wp_mail() function. This means it relies on your server's email configuration or any SMTP plugin you have installed (like WP Mail SMTP). If emails are not arriving, please check your spam folder first, then ensure your WordPress site is configured to send emails correctly.
When you set a custom login slug (e.g., "my-secret-login"), your login page becomes accessible at yoursite.com/my-secret-login instead of yoursite.com/wp-login.php. The default wp-login.php and wp-admin (for non-logged-in users) return a 404 error, which hides the login page from bots scanning for the standard URL. Treat the slug as a shared secret: it reduces automated noise but is not an authentication factor, and anyone who learns it can reach the login form as before.
You can recover access by adding define('AV_2FA_DISABLE_CUSTOM_LOGIN', true); to your wp-config.php file. This temporarily disables the custom login feature and restores access to wp-login.php. Once you've logged in, you can view or change your custom login slug in the settings; remove the define again afterwards, otherwise wp-login.php stays exposed.
Yes. For maximum security, you can define the slug directly in wp-config.php using define('AV_2FA_LOGIN_SLUG', 'your-secret-slug');. When set this way, the slug is never stored in the database, so it cannot be recovered by someone who only has database access (for example through SQL injection or a leaked backup). It remains readable by anyone who can read wp-config.php, so keep that file's permissions tight.
The plugin tracks failed 2FA code attempts on a per-user basis. After reaching the configured maximum (default: 5 attempts), the account is temporarily locked. The plugin also tracks attempts by IP address, so a single source cannot evade the per-user limit by spreading its guesses across many accounts.
Progressive lockout automatically increases the lockout duration for users who repeatedly trigger lockouts. The first lockout lasts 15 minutes (the default base duration), the second lasts 30 minutes (2x), the third lasts 60 minutes (4x), and the fourth and any later lockouts last 120 minutes (8x, the cap). This deters persistent attackers while staying lenient with occasional mistakes.
Navigate to Settings > AV 2FA and scroll to the "Currently Locked Accounts" section. You'll see a list of all locked users with an "Unlock" button next to each. Click the button to immediately unlock the account. Lockouts also expire automatically after the configured duration.
Yes, by default users receive an email notification when their account is locked. This helps legitimate users understand why they can't log in and alerts them to potential security threats. You can disable this in Settings > AV 2FA if desired.
Failed attempt records are automatically cleaned up after 24 hours. Lockout counts are reset after 30 days of no violations. The plugin runs a daily cleanup task to remove old data and prevent database bloat.
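The following is an added illustration of the lockout policy described above, written for this page and not taken from the AV 2FA plugin's source. It models the behaviour the FAQ states: a per-user failure counter, a lock after the configured maximum, a base duration that doubles on each repeat lockout up to 8x, failed attempts that expire after 24 hours, an escalation counter that resets after 30 days without a violation, and an admin unlock. Storage is an in-memory array so the script runs stand-alone with the PHP CLI; the class name, method names and the way time is injected are all assumptions of this example, and a real plugin would persist the state in user meta or transients instead.

```php
<?php
// Added example: progressive 2FA lockout policy (not the plugin's own code).
// Time is passed in explicitly so the escalation can be exercised without waiting.

final class ProgressiveLockout
{
    private const ATTEMPT_TTL    = 24 * 3600;      // failed attempts are forgotten after 24h
    private const COUNT_TTL      = 30 * 24 * 3600; // lockout count resets after 30 clean days
    private const MAX_MULTIPLIER = 8;              // 8x the base duration is the cap

    /** @var array<int, array{attempts: int[], locked_until: int, lockouts: int, last_violation: int}> */
    private array $state = [];
    private int $maxAttempts;
    private int $baseLockout;

    public function __construct(int $maxAttempts = 5, int $baseLockout = 15 * 60)
    {
        $this->maxAttempts = $maxAttempts;
        $this->baseLockout = $baseLockout;
    }

    private function record(int $userId): array
    {
        return $this->state[$userId] ?? [
            'attempts' => [], 'locked_until' => 0, 'lockouts' => 0, 'last_violation' => 0,
        ];
    }

    /** Seconds the next lockout lasts: base * 2^(prior lockouts), capped at 8x. */
    public function lockoutDuration(int $priorLockouts): int
    {
        return $this->baseLockout * min(2 ** $priorLockouts, self::MAX_MULTIPLIER);
    }

    public function isLocked(int $userId, int $now): bool
    {
        return $this->record($userId)['locked_until'] > $now;
    }

    /** Call after a wrong 2FA code. Returns true if this failure locked the account. */
    public function recordFailure(int $userId, int $now): bool
    {
        $r = $this->record($userId);

        // Escalation counter resets after 30 days without a violation.
        if ($r['lockouts'] > 0 && $now - $r['last_violation'] > self::COUNT_TTL) {
            $r['lockouts'] = 0;
        }
        $r['last_violation'] = $now;

        // Drop failures older than 24h (the plugin does this with a daily cleanup job).
        $r['attempts'] = array_values(array_filter(
            $r['attempts'],
            fn(int $t) => $now - $t <= self::ATTEMPT_TTL
        ));
        $r['attempts'][] = $now;

        $locked = false;
        if (count($r['attempts']) >= $this->maxAttempts) {
            $r['locked_until'] = $now + $this->lockoutDuration($r['lockouts']);
            $r['lockouts']++;
            $r['attempts'] = []; // fresh window once the lock expires
            $locked = true;
        }
        $this->state[$userId] = $r;
        return $locked;
    }

    /** A correct code clears the failure window but keeps the escalation history. */
    public function recordSuccess(int $userId): void
    {
        $r = $this->record($userId);
        $r['attempts'] = [];
        $this->state[$userId] = $r;
    }

    /** Equivalent of the admin "Unlock" button. */
    public function unlock(int $userId): void
    {
        $r = $this->record($userId);
        $r['locked_until'] = 0;
        $r['attempts'] = [];
        $this->state[$userId] = $r;
    }
}

// Constructed walk-through: user 42 trips the lockout four times in a row.
$lockout = new ProgressiveLockout();
$t = 1_700_000_000;
foreach ([1, 2, 3, 4] as $round) {
    for ($i = 0; $i < 5; $i++) {
        $justLocked = $lockout->recordFailure(42, $t);
    }
    $seconds = $lockout->lockoutDuration($round - 1);
    printf("lockout %d: locked=%s, %d minutes (%dx base)\n",
        $round, $justLocked ? 'yes' : 'no', $seconds / 60, $seconds / (15 * 60));
    $t += $seconds + 1; // wait for the lock to expire before the next round
}
```

Running it prints 15, 30, 60 and 120 minutes for the four rounds, matching the 1x, 2x, 4x and 8x sequence. Note that a successful code clears only the attempt window, not the lockout count, so a user who alternates between lockouts and successful logins keeps escalating until 30 violation-free days have passed.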
No. Users in the exclusion list bypass all 2FA checks, including rate limiting and lockout mechanisms, so an excluded account is protected only by its password. Keep the list as short as possible and avoid excluding administrator accounts.
As of version 1.2.1, AV 2FA blocks password-based XML-RPC authentication for any account that goes through 2FA, since XML-RPC cannot perform a second-factor check and would otherwise bypass 2FA entirely. This does not affect Jetpack, the WordPress mobile apps (which use Application Passwords), pingbacks, or any other XML-RPC features — only password-based authentication. You have two options:
Add define('AV_2FA_ALLOW_XMLRPC', true); to your wp-config.php to allow password-based XML-RPC site-wide. This re-opens the 2FA bypass and should only be used if option 1 is not possible.
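One way to implement the XML-RPC rule described above, as an added example rather than the plugin's own code: hook the core `authenticate` filter after WordPress's own username/password and application-password callbacks (both run at priority 20) and reject the login when the request is XML-RPC and the submitted secret verifies against the account's real password hash. Application Passwords are separate secrets that never match that hash, so they pass through, and pingbacks never reach `authenticate` at all. The option name `av_2fa_example_excluded_ids` and the function names are assumptions of this example; the constant AV_2FA_ALLOW_XMLRPC is the override the FAQ names.

```php
<?php
// Added example (not AV 2FA's code): block password-based XML-RPC logins for
// accounts that must complete 2FA, while still allowing Application Passwords.

add_filter( 'authenticate', 'av2fa_example_block_xmlrpc_password', 30, 3 );

function av2fa_example_block_xmlrpc_password( $user, $username, $password ) {
    // Only act on XML-RPC requests, and only once an earlier authenticate
    // callback has already produced a user object to inspect.
    if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST || ! $user instanceof WP_User ) {
        return $user;
    }

    // Site-wide override from wp-config.php (re-opens the 2FA bypass).
    if ( defined( 'AV_2FA_ALLOW_XMLRPC' ) && AV_2FA_ALLOW_XMLRPC ) {
        return $user;
    }

    // Excluded users skip every 2FA check, including this one.
    if ( av2fa_example_is_excluded( $user->ID ) ) {
        return $user;
    }

    // An application password is a distinct secret, so a credential that
    // verifies against the stored account hash is a real password login.
    if ( wp_check_password( $password, $user->user_pass, $user->ID ) ) {
        return new WP_Error(
            'av2fa_xmlrpc_password',
            __( 'Password logins over XML-RPC are disabled for accounts protected by two-factor authentication. Use an Application Password instead.' )
        );
    }

    return $user; // authenticated with an Application Password
}

/** Reads a comma-separated list of user IDs from an assumed option name. */
function av2fa_example_is_excluded( $user_id ) {
    $raw = (string) get_option( 'av_2fa_example_excluded_ids', '' ); // assumed option name
    $ids = array_map( 'intval', array_filter( array_map( 'trim', explode( ',', $raw ) ) ) );
    return in_array( (int) $user_id, $ids, true );
}
```

Returning a WP_Error from `authenticate` makes the XML-RPC server answer with a login failure, the same outcome a wrong password would produce, so clients get no hint about whether the account exists or which factor failed.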