Extends the WordPress Two Factor plugin with advanced role-based controls, forced 2FA methods, and enhanced administrative features for single-site and Multisite installations.
https://git.robotstxt.es/ROBOTSTXT/two-factor-extended
Repository contents:

* assets
* includes
* languages
* changelog.txt
* LICENSE
* readme.txt
* robotstxt-updater.php
* two-factor-extended.php
* uninstall.php
* update.json
=== Two Factor Extended ===
Contributors: javiercasares, robotstxt
Tags: two-factor, 2fa, authentication, security
Requires at least: 6.7
Tested up to: 6.9
Stable tag: 1.0.0
Requires PHP: 8.2
Version: 1.0.0
License: GPL-3.0-or-later
License URI: https://www.gnu.org/licenses/gpl-3.0.txt

Extends the WordPress Two Factor plugin with advanced role-based controls and enhanced administrative features.

== Description ==

Two Factor Extended is a comprehensive extension for the WordPress Two Factor plugin that provides administrators with enterprise-level controls over two-factor authentication across their site.

**Core Features:**

* **Role-Based 2FA Requirements** - Require specific 2FA methods for each user role (administrators need Email + TOTP, editors need Email only, etc.)
* **Provider Visibility Control** - Show or hide specific 2FA methods based on user role to simplify options for non-technical users
* **Grace Period Enforcement** - Give users a configurable number of days (0-365) to configure required 2FA methods before enforcement
* **WordPress Multisite Support** - Network-wide enforcement with super admin requirements and site-level override controls
* **Compliance Reporting** - Real-time compliance dashboards showing which users meet 2FA requirements
* **Audit Logging** - Comprehensive logging of all 2FA configuration changes and enforcement actions
* **Bulk Operations** - Bulk require 2FA or reset grace periods for multiple users at once
* **Import/Export Settings** - Backup and restore your 2FA configuration with JSON export/import

**Advanced Features:**

* **WP-CLI Commands** - Manage 2FA requirements via command line (status, enforce, report, reset)
* **REST API** - Programmatic access to compliance data and enforcement actions
* **Security Hardening** - Built following WordPress and OWASP security best practices (Security Grade A)
* **Accessibility** - WCAG 2.1 Level AA compliant for inclusive administration
* **Performance Optimized** - Efficient database queries and caching for large user bases

**Requirements:**

This plugin requires the [Two Factor](https://wordpress.org/plugins/two-factor/) plugin (version 0.15.0 tested) to be installed and activated.

== Installation ==

= Automatic Installation =

1. Visit the Plugins section in your WordPress admin
2. Search for "Two Factor Extended"
3. Click "Install Now" and then "Activate"

**Important:** Make sure the [Two Factor](https://wordpress.org/plugins/two-factor/) plugin is installed and activated first.

= Manual Installation =

1. Download the plugin ZIP file
2. Extract the contents and upload the `two-factor-extended` directory to `/wp-content/plugins/`
3. Activate the plugin through the 'Plugins' menu in WordPress

= After Installation =

1. Go to Settings → Two Factor Extended
2. Configure your role-based 2FA requirements
3. Set which 2FA methods are available to different user roles

== Frequently Asked Questions ==

= Does this plugin replace the Two Factor plugin? =

No, Two Factor Extended is an extension that works alongside the Two Factor plugin. Both plugins must be installed and activated.

= Is this compatible with WordPress Multisite? =

Yes! Two Factor Extended fully supports WordPress Multisite with network-wide settings and site-level overrides.

= Which PHP versions are supported? =

Two Factor Extended requires PHP 8.2 or higher.

= Can users bypass the 2FA requirements? =

No. When a 2FA method is marked as required for a user's role, they cannot disable or remove it.
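The role-based requirements and grace-period enforcement described above can be illustrated with a small enforcement check. The following is an added example, not code from Two Factor Extended or from the Two Factor plugin: it builds on WordPress core hooks and on two public methods of the Two Factor plugin (`Two_Factor_Core::get_enabled_providers_for_user()`, which returns the provider class names a user has enabled, and the `authenticate` filter). The option names, the user meta key, the `tfe_example_` function names and the 14-day default are assumptions made for this illustration.

```php
<?php
/**
 * Added example (not code from Two Factor Extended): role-based 2FA
 * requirements with a grace period, built on WordPress core and the
 * Two Factor plugin's public API. Option names, the meta key and the
 * function names are assumptions for this illustration.
 */

// Assumed option: role slug => list of required Two Factor provider class names,
// e.g. array( 'administrator' => array( 'Two_Factor_Email', 'Two_Factor_Totp' ) ).
const TFE_EXAMPLE_REQUIREMENTS = 'tfe_example_role_requirements';
// Assumed option: grace period in days (0-365).
const TFE_EXAMPLE_GRACE_DAYS = 'tfe_example_grace_days';
// Assumed user meta: Unix timestamp at which the user's grace period started.
const TFE_EXAMPLE_GRACE_START = 'tfe_example_grace_started';

/** Providers required for a user: the union over all of the user's roles. */
function tfe_example_required_providers( WP_User $user ): array {
	$map      = (array) get_option( TFE_EXAMPLE_REQUIREMENTS, array() );
	$required = array();
	foreach ( $user->roles as $role ) {
		if ( ! empty( $map[ $role ] ) && is_array( $map[ $role ] ) ) {
			$required = array_merge( $required, $map[ $role ] );
		}
	}
	return array_values( array_unique( $required ) );
}

/**
 * Required providers the user has not enabled yet.
 * Two_Factor_Core::get_enabled_providers_for_user() belongs to the Two Factor
 * plugin and returns the provider class names enabled for that user.
 */
function tfe_example_missing_providers( WP_User $user ): array {
	$required = tfe_example_required_providers( $user );
	if ( ! class_exists( 'Two_Factor_Core' ) ) {
		return $required; // Two Factor is not active, so nothing can be configured: everything is missing.
	}
	$enabled = (array) Two_Factor_Core::get_enabled_providers_for_user( $user );
	return array_values( array_diff( $required, $enabled ) );
}

/**
 * Grace-period decision for a user. Returns 'compliant', 'in_grace' or 'expired'.
 * A grace period of 0 days enforces immediately. The clock starts the first
 * time the user is seen non-compliant; this example clears it once compliant.
 */
function tfe_example_grace_status( WP_User $user, int $grace_days, int $now = 0 ): string {
	$now = $now > 0 ? $now : time();
	if ( array() === tfe_example_missing_providers( $user ) ) {
		delete_user_meta( $user->ID, TFE_EXAMPLE_GRACE_START );
		return 'compliant';
	}
	$grace_days = max( 0, min( 365, $grace_days ) );
	$started    = (int) get_user_meta( $user->ID, TFE_EXAMPLE_GRACE_START, true );
	if ( 0 === $started ) {
		$started = $now;
		update_user_meta( $user->ID, TFE_EXAMPLE_GRACE_START, $started );
	}
	return $now >= $started + $grace_days * DAY_IN_SECONDS ? 'expired' : 'in_grace';
}

/**
 * Block the login once the grace period has run out. Priority 30 runs after
 * core has verified the password, so only an authenticated account reaches it.
 */
add_filter(
	'authenticate',
	function ( $user ) {
		if ( ! $user instanceof WP_User ) {
			return $user; // An earlier check already failed; keep its WP_Error.
		}
		$grace_days = (int) get_option( TFE_EXAMPLE_GRACE_DAYS, 14 );
		if ( 'expired' === tfe_example_grace_status( $user, $grace_days ) ) {
			return new WP_Error(
				'tfe_example_2fa_required',
				__( 'Your role requires two-factor authentication and the setup period has ended. Contact an administrator.', 'two-factor-extended' )
			);
		}
		return $user;
	},
	30
);
```

With a grace period of 0 days a non-compliant user is refused at the first login attempt; with a positive value the user can still log in and set up the missing methods until the stored start time plus the configured days has passed. Once the window has expired the user can no longer log in to fix it themselves, which is why an administrator-side "reset grace period" action (here, deleting the meta key) is needed alongside the block.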
== Compatibility ==

* WordPress: 6.7 - 6.9
* PHP: 8.2 - 8.5
* Database: MariaDB 10.6 or newer
* Two Factor Plugin: 0.15.0 (tested)

== Security ==

Two Factor Extended follows WordPress security best practices:

= Security Features =

* **Capability Checks**: All admin functions require `manage_options` or `manage_network_options` capability
* **CSRF Protection**: All forms use WordPress nonces to prevent cross-site request forgery
* **Input Validation**: All user inputs are validated and sanitized before processing
* **Output Escaping**: All outputs are properly escaped to prevent XSS attacks
* **SQL Injection Protection**: Uses WordPress database APIs exclusively (no direct SQL queries)
* **Audit Logging**: All configuration changes and enforcement actions are logged
* **REST API Security**: All API endpoints require authentication and authorization
* **File Upload Validation**: Import files are validated for type, size, and content

= Security Best Practices =

1. **Keep WordPress Updated**: Always use the latest WordPress version
2. **Use Strong Passwords**: Enforce strong passwords for all user accounts
3. **Enable 2FA for All Admins**: Require 2FA for administrator and editor roles
4. **Regular Backups**: Export your 2FA settings regularly
5. **Monitor Audit Logs**: Review the audit log for suspicious activity
6. **Review Compliance Reports**: Check compliance reports regularly

= Reporting Security Issues =

If you discover a security vulnerability, please email the plugin authors directly. Do not create public GitHub issues for security vulnerabilities. We take security seriously and will respond promptly to all security reports.

== Changelog ==

= 1.0.0 =

_Release date: 2026-02-17_

**Initial Production Release**

This is the first comprehensive release of Two Factor Extended, implementing enterprise-level two-factor authentication management for WordPress.

**Core Features**

* **Role-Based 2FA Requirements** - Require specific 2FA methods for each user role with multiple methods support per role
* **Provider Visibility Control** - Control which 2FA methods are visible to each role (hide complex methods from non-technical users)
* **Grace Period Enforcement** - Configurable grace period (0-365 days) with automatic tracking and login blocking after expiration
* **WordPress Multisite Support** - Network-wide enforcement, super admin requirements, site override control, inheritance notices
* **Consolidated Admin Interface** - Single settings page with tabs for Settings, Audit Log, and Compliance
* **Reset Plugin Functionality** - Complete settings reset with user grace period cleanup and audit logging

**Advanced Features**

* **Audit Logging** - Comprehensive event logging with filtering by action, user, and date; CSV export; automatic cleanup
* **Compliance Reporting** - Real-time compliance statistics, by-role breakdown, non-compliant user identification, CSV export
* **Bulk Operations** - Bulk "Require 2FA Setup" and "Reset Grace Period" actions on Users page
* **WP-CLI Commands** - Complete CLI interface: status, enforce, report, reset (with table, JSON, CSV output formats)
* **REST API Endpoints** - Full API access to compliance data, enforcement actions, and reporting
* **Import/Export Settings** - Backup and restore configuration with JSON export/import, validation, and audit logging

**Security & Quality**

* **Grade A Security Audit** - Comprehensive security hardening, complete nonce verification, input validation, output escaping
* **28 Unit Tests** - PHPUnit test coverage for core classes
* **WCAG 2.1 Level AA Compliant** - Fully accessible administration interface
* **WordPress Coding Standards** - 100% PHPCS compliant
* **Performance Optimized** - Efficient queries and caching for large user bases

**Bug Fixes**

* Fixed provider visibility filter applying globally (now only applies on user profile pages)
* Fixed compliance report data structure access for user and email columns
* Fixed cache issues in role requirements and provider visibility fields

**Compatibility**

* WordPress: 6.7 - 6.9
* PHP: 8.2 - 8.5
* MariaDB: 10.6+
* Two Factor Plugin: 0.15.0 (tested)
* Multisite: Fully supported

= Previous versions =

This is the initial release. For detailed development progress, visit the [CHANGELOG.md](https://git.robotstxt.es/ROBOTSTXT/two-factor-extended/src/branch/main/CHANGELOG.md) file.

== Compliance ==

This plugin adheres to the following security measures and review protocols for each version:

* [WordPress Plugin Handbook](https://developer.wordpress.org/plugins/)
* [WordPress Plugin Security](https://developer.wordpress.org/plugins/wordpress-org/plugin-security/)
* [WordPress APIs Security](https://developer.wordpress.org/apis/security/)
* [WordPress Coding Standards](https://github.com/WordPress/WordPress-Coding-Standards)
* [Plugin Check (PCP)](https://wordpress.org/plugins/plugin-check/)
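The Security Features list above (capability checks with `manage_options` / `manage_network_options`, nonces against CSRF, input validation, output escaping, audit logging) maps onto a handful of WordPress APIs. The following added example shows those checks applied to one hypothetical settings form that saves a role-to-required-methods map; it is not the plugin's own code. It uses WordPress core functions and `Two_Factor_Core::get_providers()` from the Two Factor plugin (an array keyed by provider class name); the option name, nonce action, `tfe_example_` function names and the `error_log`-based audit entry are assumptions made for the illustration.

```php
<?php
/**
 * Added example (not Two Factor Extended's code): capability check, nonce
 * verification, allow-list validation, escaped output and an audit entry
 * for a hypothetical "role requirements" admin form. Names are assumptions.
 */

const TFE_EXAMPLE_REQUIREMENTS = 'tfe_example_role_requirements'; // assumed option name
const TFE_EXAMPLE_NONCE_ACTION = 'tfe_example_save_requirements'; // assumed nonce action

/** Allow-list: only provider classes the Two Factor plugin actually registers. */
function tfe_example_allowed_providers(): array {
	return class_exists( 'Two_Factor_Core' ) ? array_keys( Two_Factor_Core::get_providers() ) : array();
}

/** Network settings on Multisite need manage_network_options, single sites manage_options. */
function tfe_example_required_capability(): string {
	return is_multisite() ? 'manage_network_options' : 'manage_options';
}

/**
 * Validate and sanitize the posted role => providers map.
 * Returns null for anything malformed; a null result must never be saved.
 */
function tfe_example_sanitize_requirements( $raw ): ?array {
	if ( ! is_array( $raw ) ) {
		return null;
	}
	$roles   = array_keys( wp_roles()->roles );
	$allowed = tfe_example_allowed_providers();
	$clean   = array();
	foreach ( $raw as $role => $providers ) {
		$role = sanitize_key( $role );
		if ( ! in_array( $role, $roles, true ) || ! is_array( $providers ) ) {
			return null; // Unknown role or wrong shape: reject the whole submission.
		}
		$clean[ $role ] = array();
		foreach ( $providers as $provider ) {
			$provider = sanitize_text_field( (string) $provider );
			if ( ! in_array( $provider, $allowed, true ) ) {
				return null; // Not a registered provider class: reject.
			}
			$clean[ $role ][] = $provider;
		}
		$clean[ $role ] = array_values( array_unique( $clean[ $role ] ) );
	}
	return $clean;
}

/** admin-post handler: authorization first, then CSRF check, then validation, then save and log. */
function tfe_example_handle_save(): void {
	if ( ! current_user_can( tfe_example_required_capability() ) ) {
		wp_die( esc_html__( 'You are not allowed to change 2FA requirements.', 'two-factor-extended' ), 403 );
	}
	check_admin_referer( TFE_EXAMPLE_NONCE_ACTION ); // Dies on a missing or invalid nonce.

	$back  = wp_get_referer() ? wp_get_referer() : admin_url();
	$clean = tfe_example_sanitize_requirements( wp_unslash( $_POST['requirements'] ?? array() ) );
	if ( null === $clean ) {
		wp_safe_redirect( add_query_arg( 'tfe_example_error', 'invalid', $back ) );
		exit;
	}
	update_option( TFE_EXAMPLE_REQUIREMENTS, $clean );
	// Audit entry (constructed for the example): who changed what, and when.
	error_log( wp_json_encode( array(
		'event'        => 'tfe_example_requirements_saved',
		'user_id'      => get_current_user_id(),
		'requirements' => $clean,
		'time'         => time(),
	) ) );
	wp_safe_redirect( add_query_arg( 'tfe_example_saved', '1', $back ) );
	exit;
}
add_action( 'admin_post_' . TFE_EXAMPLE_NONCE_ACTION, 'tfe_example_handle_save' );

/** Form rendering: every dynamic value passes through an escaping function. */
function tfe_example_render_form(): void {
	$saved = (array) get_option( TFE_EXAMPLE_REQUIREMENTS, array() );
	echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
	echo '<input type="hidden" name="action" value="' . esc_attr( TFE_EXAMPLE_NONCE_ACTION ) . '">';
	wp_nonce_field( TFE_EXAMPLE_NONCE_ACTION );
	foreach ( wp_roles()->roles as $role => $details ) {
		echo '<p><strong>' . esc_html( $details['name'] ) . '</strong> ';
		foreach ( tfe_example_allowed_providers() as $provider ) {
			$is_required = in_array( $provider, $saved[ $role ] ?? array(), true );
			printf(
				'<label><input type="checkbox" name="requirements[%1$s][]" value="%2$s" %3$s> %2$s</label> ',
				esc_attr( $role ),
				esc_attr( $provider ),
				checked( $is_required, true, false )
			);
		}
		echo '</p>';
	}
	submit_button();
	echo '</form>';
}
```

The order inside the handler matters: the capability check runs before `check_admin_referer()`, so an unauthorized request is refused without revealing whether its nonce was valid, and validation rejects the whole submission rather than silently dropping bad entries, which keeps the saved option and the audit entry describing exactly what an administrator submitted.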