Digipacket Login Security with Two-Factor Authentication
| 开发者 | digipacket |
|---|---|
| 更新时间 | 2026年6月21日 06:05 |
| PHP版本: | 8.2 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
Digipacket Login Security adds strong, standards-based two-factor authentication to any WordPress site. It uses the TOTP algorithm (RFC 6238), so it works with Google Authenticator, Authy, Microsoft Authenticator, FreeOTP and any standard authenticator app — with no external service or cloud dependency. Everything runs on your own server.
Key features
- TOTP compatible with Google Authenticator and all standard apps.
- Choice of method — each user picks an authenticator app (TOTP) or a one-time code sent by e-mail at login.
- QR Code enrolment rendered locally on the user profile screen (no external image service).
- Mandatory code verification after every login.
- Single-use backup codes for account recovery if the device is lost.
- Brute-force protection — lock an account after a configurable number of failed attempts, for a configurable duration. Blocks further sign-ins even with the correct password during the lockout window.
- Security e-mail alerts — notify the account owner when repeated wrong-password attempts or too many incorrect 2FA codes are detected.
- Login notifications — e-mail the user and/or the administrator (per selected roles) with sign-in details (user, date, IP, browser).
- Login screen warning — optional full-screen security notice that visitors must accept before signing in.
- Enforce 2FA by role with a configurable grace period.
- Admin reset of a user's 2FA from the Users list, plus a 2FA status column.
- Audit log of all security events with filtering by role or user.
- Modern admin interface — dashboard, focused settings tabs and an About page.
- Translatable — ships with French (fr_FR) and English.
wp_mail() function.
Optional Telegram notifications (disabled by default): if you enable them and provide your own bot token and chat ID, the plugin sends security-event details (event type, username, IP address, date) to the Telegram Bot API at https://api.telegram.org so the message can be delivered to your chosen Telegram chat. This only happens while the feature is enabled and configured.
- Telegram Bot API: https://core.telegram.org/bots/api
- Telegram Privacy Policy: https://telegram.org/privacy
安装:
- In WordPress, go to Plugins → Add New → Upload Plugin.
- Select
digipacket-login-security.zip, click Install Now, then Activate. - Go to Users → Profile and enable 2FA on your own account first.
- Configure site-wide options under Digipacket Login Security in the admin menu.
digipacket-login-security folder into wp-content/plugins/ and activate it from the Plugins screen.屏幕截图:
常见问题:
Which authenticator apps are supported?
Any standard TOTP (RFC 6238) app: Google Authenticator, Authy, Microsoft Authenticator, FreeOTP, 1Password, and more.
Does it work without sending data to a third party?
Yes. Core 2FA has no external service or cloud dependency — the QR code is generated locally and all data stays on your server. The only optional exception is Telegram notifications, which are disabled by default and only contact api.telegram.org when you enable them with your own bot token (see Privacy & external services).
A user is locked out. How do I help them?
Administrators can reset a user's 2FA from the Users list (the "Reset 2FA" row action), allowing them to enrol again.
My notification e-mails land in spam.
This is a mail-deliverability matter, not a plugin issue. Configure an SMTP plugin and set up SPF/DKIM/DMARC for your domain so messages are authenticated.
Does 2FA apply to REST API / XML-RPC / Application Passwords?
The interactive second factor applies to the browser login form. Non-interactive API authentication intentionally bypasses it — use Application Passwords for programmatic access.
更新日志:
1.0.1
- Fix: on a fresh install, the very first time the settings were saved the values were silently discarded (roles, brute-force options, Telegram token, etc.). Settings now save correctly from the first save.
- Initial public release.
- TOTP two-factor authentication (RFC 6238) compatible with Google Authenticator and all standard apps, plus an e-mail one-time-code method.
- Local QR-code enrolment and single-use backup codes.
- Enforce 2FA by role with a configurable grace period.
- Configurable brute-force lockout (number of attempts and duration) with real sign-in enforcement.
- Security e-mail alerts for repeated wrong-password attempts and 2FA lockouts.
- Login notifications with sign-in details (user, date, IP, browser), scoped by role, to the user and/or administrator.
- Optional login-screen security warning popup with a customizable message.
- Audit log of security events with filtering by role or user.
- Admin Dashboard "Security Overview" widget.
- Reset 2FA and Ban / Unban actions from the Users list, with status badges.
- Optional Telegram notifications for audit-log events, scoped by role/user, with one-click logout/ban response links.