• 1.4.0 467560d420

    v1.4.0 Stable

    javier released this 2026-06-05 19:46:02 +00:00 | 0 commits to main since this release

    1.4.0

    Release date: 2026-06-05

    Added

    • Audit Dashboard — top-level admin page with summary cards (total users, 2FA-enabled, recent failed attempts), failed attempts table, and 2FA status column in Users list.
    • Failed attempts log — robotstxt_2fa_failed_log ring buffer (max 100 entries) populated on every failed verification; IPs anonymized.
    • Email notifications (each independently configurable):
      • Admin-enabled 2FA: user is notified when an administrator activates 2FA for them.
      • New location login: user is notified on first successful login from an unrecognised context.
      • Recovery code used: user (and optionally site admin) notified when a recovery code is consumed.
      • Activity digest: WP-Cron weekly or monthly summary sent to administrators.
    • Application Passwords exemption: REST API clients skip the 2FA browser challenge by default.
    • IP allow list: IPs/CIDR ranges that bypass 2FA (via robotstxt_2fa_skip_challenge).
    • IP deny list: IPs/CIDR ranges blocked from login entirely (via authenticate at priority 1).
    • IPv4 + IPv6 CIDR matching (pure PHP, no external dependency).
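The allow/deny-list matching described in the last three entries above, as an added pure-PHP example that is not the plugin's own code: IPv4 and IPv6 prefixes are compared on the raw bytes returned by inet_pton(), so one routine serves both address families. Function names are assumptions.

```php
<?php
// Added example, not the plugin's code: true when $ip lies inside $cidr, which may be
// "203.0.113.0/24", "2001:db8::/32" or a bare address (exact host match).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $prefix] = array_pad(explode('/', trim($cidr), 2), 2, null);
    // Validate first: inet_pton() emits a warning on malformed input.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false
        || filter_var($net, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $ipBin  = inet_pton($ip);   // 4 raw bytes for IPv4, 16 for IPv6
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) {
        return false;           // address-family mismatch never matches
    }
    $maxBits = strlen($ipBin) * 8;
    if ($prefix === null) {
        $bits = $maxBits;       // bare address: host route
    } elseif (!ctype_digit($prefix) || (int) $prefix > $maxBits) {
        return false;           // "/abc", "/33" on IPv4, "/129" on IPv6
    } else {
        $bits = (int) $prefix;
    }
    // Whole prefix bytes must be identical, then the partial byte under a bit mask.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xff << (8 - $rem)) & 0xff;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// True if $ip matches any entry of an allow or deny list. $ip must be the address the
// web server itself observed (REMOTE_ADDR), not a client-supplied header such as
// X-Forwarded-For, otherwise the list can be spoofed.
function ip_matches_list(string $ip, array $list): bool
{
    foreach ($list as $entry) {
        if (ip_in_cidr($ip, (string) $entry)) {
            return true;
        }
    }
    return false;
}
```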

    Compatibility

    • WordPress: 6.4 – 7.1
    • PHP: 8.0 – 8.5

    Tests

    • PHP Coding Standards: PHP_CodeSniffer 3.13.5 / WPCS 3.3.0
    • PHPStan: level 9 — 0 errors
    • PHPCompatibility: 8.0–8.5 — 0 issues
    • PHPUnit: 9.6.34 — 42 tests, 109 assertions
  • 1.3.0 8e9c6bc472

    v1.3.0 Stable

    javier released this 2026-06-05 18:40:00 +00:00 | 1 commits to main since this release

    1.3.0

    Release date: 2026-06-05

    Security

    • TOTP replay prevention: accepted counter step stored in a 90-second transient; same code rejected on second submission within the ±1 window.
    • Login username removed from 2FA redirect URLs: robotstxt-2fa-login query parameter replaced with an opaque 32-character token resolved server-side. Username never appears in browser history, logs, or referrer headers.
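The replay-prevention rule in the first Security entry above, as an added PHP example that is not the plugin's own code: an RFC 6238 verifier with a ±1 step window whose accepted step is remembered per user for 90 seconds (an in-memory array stands in for WordPress transients). It goes slightly beyond the entry by also refusing any step older than the accepted one. Function names and the key format are assumptions.

```php
<?php
// Added example, not the plugin's code: RFC 6238 TOTP (HMAC-SHA1, 30 s steps, 6 digits)
// with the replay rule above: the accepted step is kept for 90 s and a code for that
// step, or an older one, is refused while the record lives.
function base32_decode_rfc4648(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) { throw new InvalidArgumentException('invalid base32 secret'); }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {           // trailing partial byte is padding
        if (strlen($chunk) === 8) { $bytes .= chr(bindec($chunk)); }
    }
    return $bytes;
}

// HOTP dynamic truncation (RFC 4226) of HMAC-SHA1 over the 64-bit big-endian step.
function totp_code(string $b32Secret, int $step): string
{
    $hash = hash_hmac('sha1', pack('J', $step), base32_decode_rfc4648($b32Secret), true);
    $off  = ord($hash[19]) & 0x0f;
    $bin  = ((ord($hash[$off]) & 0x7f) << 24) | (ord($hash[$off + 1]) << 16)
          | (ord($hash[$off + 2]) << 8) | ord($hash[$off + 3]);
    return str_pad((string) ($bin % 1000000), 6, '0', STR_PAD_LEFT);
}

// $store stands in for WordPress transients (get_transient/set_transient, 90 s TTL):
// key => ['step' => accepted counter, 'expires' => unix time].
function verify_totp_once(string $b32Secret, string $code, int $userId, int $now, array &$store): bool
{
    $key = "totp_step_$userId";
    if (isset($store[$key]) && $store[$key]['expires'] <= $now) { unset($store[$key]); }
    $current = intdiv($now, 30);
    foreach ([0, -1, 1] as $delta) {                    // ±1 step clock-drift window
        $step = $current + $delta;
        if (!hash_equals(totp_code($b32Secret, $step), $code)) { continue; }
        if (isset($store[$key]) && $step <= $store[$key]['step']) {
            return false;                               // replay of a consumed code
        }
        $store[$key] = ['step' => $step, 'expires' => $now + 90];
        return true;
    }
    return false;
}
```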

    Added

    • WP-CLI command family wp 2fa (loaded only when WP_CLI is defined):
      • wp 2fa status <user_id> — show 2FA configuration.
      • wp 2fa enable <user_id> [--method=<method>] — enable 2FA.
      • wp 2fa disable <user_id> — disable 2FA, preserving secrets and codes.
      • wp 2fa reset-recovery <user_id> — regenerate and display recovery codes.
      • wp 2fa list [--role=<role>] [--without-2fa] [--format=table|csv|json] — list users with 2FA status.
      • wp 2fa force-setup [<user_id>] [--role=<role>] [--method=<method>] — enforce 2FA.
      • wp 2fa bypass <user_id> [--days=<n>] — grant temporary bypass (max 30 days).

    Compatibility

    • WordPress: 6.4 – 7.1
    • PHP: 8.0 – 8.5

    Tests

    • PHP Coding Standards: PHP_CodeSniffer 3.13.5 / WPCS 3.3.0
    • PHPStan: level 9 — 0 errors
    • PHPCompatibility: 8.0–8.5 — 0 issues
    • PHPUnit: 9.6.34 — 42 tests, 109 assertions
  • 1.2.1 17078a91bd

    v1.2.1 Stable

    javier released this 2026-06-05 16:41:53 +00:00 | 2 commits to main since this release

    1.2.1

    Release date: 2026-06-05

    Fixed

    • Recovery code confirmation without the method checkbox now correctly activates the method.
    • Fatal error on admin profile pages (add_settings_error not available at init in multisite).
    • OTP and recovery text inputs no longer disabled by JS when Enable toggle is off.
    • Regenerate codes now requires re-confirmation before the method reactivates.
    • Entering a valid OTP or recovery code activates the method even without checking the checkbox.
    • Recovery regeneration field validated with strict value check.

    Compatibility

    • WordPress: 6.4 – 7.1
    • PHP: 8.0 – 8.5

    Tests

    • PHP Coding Standards: PHP_CodeSniffer 3.13.5 / WPCS 3.3.0
    • PHPStan: level 9 — 0 errors
    • PHPCompatibility: 8.0–8.5 — 0 issues
    • PHPUnit: 9.6.34 — 42 tests, 109 assertions
  • 1.0.0 d405d8587d

    v1.0.0 Stable

    javier released this 2026-06-05 14:07:45 +00:00 | 4 commits to main since this release

    [1.0.0] - 2026-06-05

    Fixed

    • Enable 2FA checkbox now defaults to email and pre-checks it in the UI on first activation.
    • QR code for authenticator apps now displays correctly in the user profile.
    • "Send the code again" link is disabled for 60 seconds after delivery with a live countdown.

    Changed

    • Recovery codes section redesigned: plain list with code chips, no coloured notification box.
    • 2FA login screen links now in a vertical list for better readability.

    Removed

    • "Generate new secret" button from the OTP section.

    Compatibility

    • WordPress: 6.4 – 7.1
    • PHP: 8.2 – 8.5

    Tests

    • PHP Coding Standards: PHP_CodeSniffer 3.13.5 / WPCS 3.3.0
    • PHPStan: level 9 — 0 errors
    • PHPCompatibility: 8.2–8.5 — 0 issues
    • PHPUnit: 9.6.34 — 42 tests, 109 assertions
  • 0.3.0 968211baad

    v0.3.0 Pre-release

    javier released this 2026-06-05 14:06:43 +00:00 | 5 commits to main since this release

    [0.3.0] - 2026-06-05

    Added

    • Delete-on-uninstall option (disabled by default — all plugin data is preserved on removal).

    Security

    • Email verification codes now use random_int() (CSPRNG) for cryptographically secure code generation.
    • Recovery code preview transient TTL reduced from indefinite to 5 minutes.

    Fixed

    • Network admin settings now save correctly via a dedicated handler writing to wp_sitemeta.
    • Settings option registered with autoload=false to avoid loading on every page request.
    • update.json corrected to reference the 2FA plugin instead of the SMTP plugin.

    Compatibility

    • WordPress: 6.4 – 7.1
    • PHP: 8.2 – 8.5

    Tests

    • PHP Coding Standards: PHP_CodeSniffer 3.13.5 / WPCS 3.3.0
    • PHPStan: level 9 — 0 errors
    • PHPCompatibility: 8.2–8.5 — 0 issues
    • PHPUnit: 9.6.34 — 42 tests, 109 assertions
  • 0.2.0 f936aeb807

    v0.2.0 Pre-release

    javier released this 2026-06-05 14:05:44 +00:00 | 6 commits to main since this release

    [0.2.0] - 2026-06-05

    Added

    • Per-role 2FA method matrix in admin settings: administrators can now choose exactly which verification methods (email, authenticator app, recovery codes) are required for each WordPress role, with select-all row and column controls.
    • Authenticator app (TOTP) support: stored secrets, QR code provisioning via bacon/bacon-qr-code, manual setup key display, and one-time activation confirmation.
    • Recovery codes: 10 single-use 8-digit codes with profile management, one-time display grid, copy-to-clipboard, and mandatory confirmation before activation.
    • Email-based verification codes with throttled delivery (60 s resend cooldown) and 10-minute expiry.
    • Configurable verification frequency (every login, daily, weekly, or every 28 days) remembered per device fingerprint; administrators can lock the global schedule.
    • Dedicated verification stage token (WP nonce) securing the 2FA screen between password validation and code submission.
    • Secure method-switch links on the verification screen letting users change between OTP, email, and recovery-code challenges without restarting the login.
    • Network-wide multisite support: network administrators can set and lock enforcement settings across all sites (Network: true header).
    • Uninstall routine removing all plugin options and user meta.
    • Admin settings page as a top-level menu with manage_options capability guard.

    Changed

    • Settings page now uses the per-role method matrix instead of a flat forced-roles list; old force_roles + default_method data is automatically migrated on first read.
    • Profile method checkboxes require explicit confirmation: OTP demands a valid 6-digit code, recovery codes demand entering one of the displayed codes before the method activates.
    • Profile screen regenerates the OTP secret when the authenticator method is disabled and provides a "Generate new secret" button.
    • Recovery code batch exhaustion now auto-generates a fresh batch and surfaces a confirmation prompt rather than locking the user out.
    • Login screen hides the username/password fields, removes the Remember Me checkbox, and focuses the verification code input during the 2FA stage.
    • Login form auto-submits once the input reaches the method's expected digit count.

    Fixed

    • Hardened authenticator QR generation by catching library errors and guiding administrators to the required dependency.
    • Recovery-code preview persists via transient until explicitly acknowledged; fixes cases where codes disappeared before confirmation.

    [0.1.0] - 2024-04-08

    Added

    • Initial skeleton for the 2FA (by ROBOTSTXT) plugin.
    • Initial documentation files (readme.txt, AGENTS.md, changelog.txt).
    • Placeholder classes for login handling, user profile integration, and admin settings.