• 1.3.0 8e9c6bc472

    v1.3.0 Stable

    javier released this 2026-06-05 18:40:00 +00:00 | 1 commit to main since this release

    1.3.0

    Release date: 2026-06-05

    Security

    • TOTP replay prevention: accepted counter step stored in a 90-second transient; same code rejected on second submission within the ±1 window.
    • Login username removed from 2FA redirect URLs: robotstxt-2fa-login query parameter replaced with an opaque 32-character token resolved server-side. Username never appears in browser history, logs, or referrer headers.
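
The replay check described in the first Security item, as an added sketch in Python; it is not the plugin's code. The 30-second step, the `TransientStore` class, the `totp_last_<user>` key name and the rule of rejecting any counter at or below the last accepted one are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30        # seconds per TOTP step (RFC 6238 default; assumed here)
WINDOW = 1       # accept counters current-1 .. current+1, per the release note
REPLAY_TTL = 90  # (2 * WINDOW + 1) * STEP: longest time a code can still match


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 / RFC 6238 code for one counter step (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TransientStore:
    """In-memory stand-in for an expiring key/value store (hypothetical)."""

    def __init__(self):
        self._items = {}

    def set(self, key, value, ttl, now):
        self._items[key] = (value, now + ttl)

    def get(self, key, now):
        value, expires = self._items.get(key, (None, 0))
        return value if now < expires else None


def verify_totp(store, user_id, secret, code, now):
    """Accept a code at most once; replays inside the window return False."""
    key = f"totp_last_{user_id}"  # hypothetical key name
    current = int(now) // STEP
    last = store.get(key, now)
    for counter in range(current - WINDOW, current + WINDOW + 1):
        expected = totp(secret, counter).encode()
        if hmac.compare_digest(expected, code.encode()):
            if last is not None and counter <= last:
                return False  # this step, or an older one, was already used
            store.set(key, counter, REPLAY_TTL, now)
            return True
    return False
```

The read-then-write on the store is not atomic here; with concurrent login requests the check and the update need to happen as one operation.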

    Added

    • WP-CLI command family wp 2fa (loaded only when WP_CLI is defined):
      • wp 2fa status <user_id> — show 2FA configuration.
      • wp 2fa enable <user_id> [--method=<method>] — enable 2FA.
      • wp 2fa disable <user_id> — disable 2FA, preserving secrets and codes.
      • wp 2fa reset-recovery <user_id> — regenerate and display recovery codes.
      • wp 2fa list [--role=<role>] [--without-2fa] [--format=table|csv|json] — list users with 2FA status.
      • wp 2fa force-setup [<user_id>] [--role=<role>] [--method=<method>] — enforce 2FA.
      • wp 2fa bypass <user_id> [--days=<n>] — grant temporary bypass (max 30 days).

    Compatibility

    • WordPress: 6.4 – 7.1
    • PHP: 8.0 – 8.5

    Tests

    • PHP Coding Standards: PHP_CodeSniffer 3.13.5 / WPCS 3.3.0
    • PHPStan: level 9 — 0 errors
    • PHPCompatibility: 8.0–8.5 — 0 issues
    • PHPUnit: 9.6.34 — 42 tests, 109 assertions