Super Duper Two-Factor Login
| 开发者 | rogerruckstuhl |
|---|---|
| 更新时间 | 2026年5月13日 16:16 |
| PHP版本: | 8.0 及以上 |
| WordPress版本: | 6.9 |
| 版权: | GPL-2.0-or-later |
| 版权网址: | 版权信息 |
详情介绍:
Super Duper Two-Factor Login adds robust two-factor authentication to your WordPress site. Unlike many alternatives, this plugin is completely free – no hidden costs, no premium tiers, no upsells. Every feature is included from the start.
🇨🇭🇩🇪🇦🇹 Hinweis für DACH-Nutzer: Plugin und Support sind auf Deutsch (Schweiz/Deutschland/Österreich) verfügbar. Alle Texte und Einstellungen sind vollständig auf Deutsch übersetzt.
Fully translated out of the box in German (Switzerland, Germany, Austria), English, French, Spanish, Italian and Dutch – no separate language pack required.
Two Verification Methods
- TOTP (Authenticator App) – Works with Google Authenticator, FreeOTP+, Authy, Microsoft Authenticator, and any TOTP-compatible app. Setup via QR code or manual key entry.
- Email – Receive a 6-digit code via email on every login. No smartphone required.
- 10 Backup Codes – One-time emergency codes in case you lose your phone. Copy, download, print, or email them to yourself.
- Administrator Recovery Key – Each admin receives a personal 32-character key during setup. Works even when all backup codes are used up.
- FTP Emergency Recovery – As a last resort, create an empty file named
.sdtfa-recoveryinwp-content/via FTP. Temporarily disables 2FA for all administrators. Admins are notified hourly by email.
- Role-Based Enforcement – Require 2FA for administrators, editors, subscribers, or any role.
- Grace Period – Set a deadline so users have time to set up 2FA before enforcement kicks in.
- Hard Enforcement – Without a grace period, users must complete 2FA setup on the login page before gaining any access.
- Enforcement Areas – Choose where to enforce: admin area, WooCommerce account, checkout, or entire site.
- Trust This Device – Users can save their computer so the 2FA code isn't required on every login. Configurable duration (1–365 days).
- WooCommerce – Adds a "Two-Factor Authentication" tab to the My Account page. Enforce 2FA for the account area and checkout.
- Shortcode – Display the user's 2FA status anywhere with
[sdtfa_status]. - Setup Reminder – A dismissable admin notice with a "Set up now" button. No auto-popups; users open the setup flow only by clicking.
- AES-256-GCM encryption for TOTP secrets at rest
- Secure HttpOnly cookies for trusted devices
- Hashed token storage (never stored in plain text)
- No external dependencies – everything runs locally in pure PHP
- No external API calls, no tracking, no data collection
- Hide user data in REST API – Replace sensitive user fields (name, slug, link, avatar) with neutral values for unauthenticated requests. The REST endpoint stays reachable for SEO and import tools, but anonymous visitors no longer see real display names. Uses a strict whitelist that automatically drops any extra fields injected by SEO, page-builder or e-commerce plugins (Yoast, Rank Math, AIOSEO, Elementor, WooCommerce, …). Example response for an anonymous visitor on
/wp-json/wp/v2/users/1:
{"id":1,"name":"Author","url":"","description":"","link":"https:\/\/example.com\/","slug":"author","avatar_urls":{}}
- Block author archives – Redirect unauthenticated visitors away from
?author=Nand/author/<slug>/to prevent user enumeration. - Disable password reset – Disable the "Lost your password?" function for administrators and/or selected roles. Useful when 2FA must be the only authentication path.
- Users list column – A clean "SDTFA" column on Users → All Users that shows the real 2FA status (TOTP, Email, or off) and replaces duplicate columns added by host mu-plugins or other 2FA plugins.
安装:
- Upload the plugin via Plugins → Add New → Upload Plugin, or install it directly from the WordPress plugin directory.
- Activate the plugin.
- Configure the main 2FA settings under Two-Factor Login in the admin menu. Optional Privacy & Hardening features (REST user-data masking, author-archive blocking, password-reset lock-down, users-list status column) are on the same settings page.
- Users can set up 2FA from their WordPress profile page or WooCommerce My Account.
屏幕截图:
常见问题:
Which authenticator apps are supported?
Any TOTP-compatible app works, including Google Authenticator, FreeOTP+, Authy, Microsoft Authenticator, and many others. We recommend FreeOTP+ (Android) and FreeOTP (iOS) as free, open-source options.
What happens if I lose my phone?
You can log in using one of your 10 backup codes. If those are also gone, administrators can use their personal recovery key on the login page. As a last resort, create an empty file named .sdtfa-recovery in wp-content/ via FTP to temporarily disable 2FA.
Can I enforce 2FA for all users?
Yes. Go to Two-Factor Login settings and select which roles must use 2FA. You can set a grace period with a deadline, or enforce it immediately – users will then be required to complete 2FA setup on the login page before gaining any access.
Does this plugin work with WooCommerce?
Yes. It adds a "Two-Factor Authentication" tab to the WooCommerce My Account page. You can also enforce 2FA for the WooCommerce account area and checkout.
What is the "Trust this device" feature?
When enabled by the admin, users can check "Save this computer" during login. The 2FA code won't be required again on that device for the configured number of days.
Are external services or images used?
No. Everything runs locally. QR codes are generated in PHP, TOTP calculations happen on the server, and app store badges use local SVG files. No external images, scripts, or API calls are made.
What does the "Privacy & Hardening" section do?
It bundles four optional, independently toggleable features that close common WordPress information-leak and lock-out paths. Hide user data (REST API) replaces sensitive fields (name, slug, link, avatar) with neutral values for unauthenticated requests, while keeping the endpoint reachable so SEO and import plugins still work. Block author archives redirects unauthenticated visitors away from ?author=N and /author/<slug>/ to prevent user enumeration. Disable password reset blocks the "Lost your password?" function for administrators and/or selected roles. The users-list column adds a clean "SDTFA" status indicator on Users → All Users. All four features are off by default except the users-list column, which is on by default to clean up duplicate columns from other plugins.
Why does the Users → All Users page show an "SDTFA" column instead of a generic "2FA" one?
Some hosts and other 2FA plugins inject their own "2FA" column on the users list. When Super Duper Two-Factor Login is installed, those columns can show outdated or misleading status (for example a red ✗ even though 2FA is configured here). The plugin replaces them with a single, accurate "SDTFA" column that reads the real status from this plugin's own user meta. If you prefer the original column behavior, you can disable this in the Privacy & Hardening section.
Will this plugin conflict with other 2FA plugins?
It is not designed to run side-by-side with another active 2FA plugin – two plugins both intercepting wp-login.php will produce unpredictable results. If you are migrating from another 2FA plugin, deactivate the other one first. The "SDTFA" users-list column will hide a leftover column from a deactivated plugin only if that plugin still injects it; in normal cases the foreign column simply disappears with the foreign plugin.
Is this plugin really free?
Yes, completely. There is no premium version, no upsells, and no feature restrictions. All features are available to everyone.
更新日志:
2.5.13 – 13.05.2026
- Fix: Datepicker for the enforcement deadline now opens directly below the input field instead of at the bottom of the page.
- Improvement: All plugin emails (login code, backup codes, recovery notifications) are now sent as properly formatted HTML with clear layout, code highlighting, and per-line backup code display.
- Fix: No longer forces a
From:header on outgoing emails so SMTP plugins can apply their SPF/DKIM-aligned sender address without conflict. - Debug: Added
[SDTFA]entries to debug.log (when WP_DEBUG is on) to make email-delivery failures diagnosable. - i18n: 13 new mail-template strings translated to all eight locales (DE_CH, DE_DE, DE_AT, EN_US, FR_FR, ES_ES, IT_IT, NL_NL), including a plural form for the validity-minutes string.
- Fix: WooCommerce
customer-logoutendpoint is now explicitly excluded from 2FA enforcement so customers can always log out, even whenwc_accountorentire_siteenforcement is active.
- Improved: forced 2FA setup screen on wp-login.php now uses larger, more readable fonts (warning text 16px, button 17px, content 15px) and a slightly wider login box.
- i18n: translations completed for all eight supported locales (DE_CH, DE_DE, DE_AT, EN_US, FR_FR, ES_ES, IT_IT, NL_NL) – every string in the plugin is now fully translated. .pot template regenerated from current source.
- Fixed: forced 2FA setup AJAX calls returned HTTP 403 because the WordPress nonce check failed for unauthenticated users on the login page. The forced-setup token (already present in the request and validated against a server-side transient) is now accepted as the authorization for these AJAX calls, with the standard nonce check still applied for logged-in users.
- Fixed: forced 2FA setup screen on wp-login.php was unusable – clicking "Set up now" left the button stuck at "…". The AJAX endpoints were registered for logged-in users only, but the forced-setup flow runs before the user is authenticated. Endpoints now also accept unauthenticated calls when a valid forced-setup token is supplied, and the JavaScript automatically passes that token along.
- Improved: REST API user-data hiding now uses a strict whitelist approach instead of a maintained block list. Only structurally-required fields (id, name, slug, link, avatar_urls, description, url) are kept in the response — everything else is dropped automatically, including fields from Yoast SEO (yoast_head, yoast_head_json), Rank Math, AIOSEO, SEOPress, Elementor, WooCommerce, and any future plugins that inject data into the user REST endpoint.
- New: filter hook
sdtfa_rest_user_allowed_keysto extend the whitelist for plugins or sites that have a legitimate need to expose additional public fields. - Fixed: the filter now runs at priority 999 so it executes after third-party plugins that register their own user REST fields.
- Fixed: REST self/collection links (which expose the numeric user ID) are now removed from the response for unauthenticated requests when user-data hiding is enabled.
- Fixed: "Set up now" button on the admin notice did not open the popup overlay because the script cached DOM selectors before the popup HTML was rendered. Selectors are now resolved after DOM-ready, with a fallback redirect to the profile page if the overlay is still missing.
- Fixed: SVN pre-commit hook on WordPress.org rejected the package because the email-sending method used a "true" return type (PHP 8.2+ feature). Replaced with the equivalent "bool" return type for broader compatibility while keeping identical behavior.
- Fixed: three strings in the en_US translation file contained German text instead of English (the shortcode description, the deadline notice, and the site-icon warning). Sites running with English locale will now correctly show English text.
- Fixed: removed remaining German example text from the docblock of the shortcode class file (no functional impact, source-code cleanup only).
- Fixed: removed remaining hardcoded German strings from PHP source (3× "Nicht angemeldet.", backup-codes email body, recovery-key label, backup-codes textarea header)
- Fixed: removed hardcoded German "Bestätigen" button label from JavaScript (used after a failed verification attempt) – now uses the existing translatable string
- i18n: all four cleaned-up strings translated for all eight supported locales (DE_CH/DE/AT, EN, FR, ES, IT, NL)
- Fixed: 2FA setup via email failed silently on hosts that reject mails without an explicit "From" header – the email now always carries a same-domain sender address
- Improved: when sending the 2FA code fails, the actual underlying mail error (from PHPMailer / SMTP) is now surfaced in the setup dialog instead of a generic "please try again"
- Fixed: send cooldown is now armed only after a successful send, so a failed delivery no longer blocks the next attempt for 60 seconds
- Improved: graceful fallback for the email subject when the issuer/site name option is empty
- New: "SDTFA" column on Users → All Users showing the actual 2FA status (TOTP / Email / off) with green check or red ✗
- New: Removes 2FA columns added by foreign 2FA plugins or host mu-plugins to avoid duplicate or misleading status indicators
- New: Toggle in Privacy & Hardening section to disable the column behavior if not desired (enabled by default)
- New: Privacy & Hardening section with three optional features
- New: Hide sensitive user data in REST API responses for unauthenticated visitors (REST endpoint stays reachable for SEO/import tools)
- New: Block author archives (?author=N) for unauthenticated visitors to prevent user enumeration
- New: Disable WordPress password reset for administrators and/or selected roles
- Fixed: empty jQuery UI datepicker container no longer appears at the bottom of admin pages – it is now hidden by default and moved next to its input field on open
- Fixed: dismiss (×) button on the admin notice now correctly persists via AJAX so the notice doesn't reappear on every page reload
- Renamed plugin to "Super Duper Two-Factor Login" (slug: super-duper-two-factor-login) for improved distinctiveness in the plugin directory
- Replaced the setup popup with a WordPress-standard dismissable admin notice and a "Set up now" button – the modal opens only on user action
- Moved the admin menu from position 3 to position 71 (after Users) to respect the WordPress admin hierarchy
- Extracted all inline
<style>and<script>output into enqueued assets (wp_enqueue_style,wp_enqueue_script,wp_add_inline_style) - Localized datepicker day and month names via
wp_localize_script(English source, translations via .po) - Updated the plugin header description to English (source strings) with German translations moved to .po/.mo
- Corrected the
Contributorsentry in readme.txt to the actual WordPress.org username
- First public release on WordPress.org
- TOTP and email-based two-factor authentication
- 10 one-time backup codes with copy, download, print, and email
- Personal recovery key for administrators
- FTP emergency recovery via .sdtfa-recovery file
- Trusted device feature (save this computer)
- Role-based enforcement with optional grace period
- Hard enforcement: 2FA setup required before login
- Enforcement areas: admin, WooCommerce account, checkout, entire site
- WooCommerce My Account integration
- Setup popup reminder (dismissible)
- Shortcode [sdtfa_status]
- AES-256-GCM encryption for TOTP secrets
- Translations: German (DE/AT/CH), English, French, Spanish, Italian, Dutch
- Internal development and testing