• 0.2.0 f936aeb807

    v0.2.0 Pre-release

    javier released this 2026-06-05 14:05:44 +00:00 | 6 commits to main since this release

    [0.2.0] - 2026-06-05

    Added

    • Per-role 2FA method matrix in admin settings: administrators can now choose exactly which verification methods (email, authenticator app, recovery codes) are required for each WordPress role, with select-all row and column controls.
    • Authenticator app (TOTP) support: stored secrets, QR code provisioning via bacon/bacon-qr-code, manual setup key display, and one-time activation confirmation.
    • Recovery codes: 10 single-use 8-digit codes with profile management, one-time display grid, copy-to-clipboard, and mandatory confirmation before activation.
    • Email-based verification codes with throttled delivery (60 s resend cooldown) and 10-minute expiry.
    • Configurable verification frequency (every login, daily, weekly, or every 28 days) remembered per device fingerprint; administrators can lock the global schedule.
    • Dedicated verification stage token (WP nonce) securing the 2FA screen between password validation and code submission.
    • Secure method-switch links on the verification screen letting users change between OTP, email, and recovery-code challenges without restarting the login.
    • Network-wide multisite support: network administrators can set and lock enforcement settings across all sites (Network: true header).
    • Uninstall routine removing all plugin options and user meta.
    • Admin settings page as a top-level menu with manage_options capability guard.

    Changed

    • Settings page now uses the per-role method matrix instead of a flat forced-roles list; old force_roles + default_method data is automatically migrated on first read.
    • Profile method checkboxes require explicit confirmation: OTP demands a valid 6-digit code; recovery codes demand entering one of the displayed codes before the method activates.
    • Profile screen regenerates the OTP secret when the authenticator method is disabled and provides a "Generate new secret" button.
    • Recovery code batch exhaustion now auto-generates a fresh batch and surfaces a confirmation prompt rather than locking the user out.
    • Login screen hides the username/password fields, removes the Remember Me checkbox, and focuses the verification code input during the 2FA stage.
    • Login form auto-submits once the input reaches the method's expected digit count.

    Fixed

    • Hardened authenticator QR generation by catching library errors and guiding administrators to the required dependency.
    • Recovery-code preview persists via transient until explicitly acknowledged; fixes cases where codes disappeared before confirmation.

    [0.1.0] - 2024-04-08

    Added

    • Initial skeleton for the 2FA (by ROBOTSTXT) plugin.
    • Initial documentation files (readme.txt, AGENTS.md, changelog.txt).
    • Placeholder classes for login handling, user profile integration, and admin settings.