Extends the WordPress Two Factor plugin with advanced role-based controls, forced 2FA methods, and enhanced administrative features for single-site and Multisite installations.
https://git.robotstxt.es/ROBOTSTXT/two-factor-extended
=== Two-Factor Extended ===
Contributors: javiercasares, robotstxt
Tags: two-factor, 2fa, authentication, security
Requires at least: 6.8
Tested up to: 7.0
Stable tag: 1.1.1
Requires PHP: 8.2
Version: 1.1.1
License: GPL-3.0-or-later
License URI: https://www.gnu.org/licenses/gpl-3.0.txt
Extends the WordPress Two Factor plugin with advanced role-based controls and enhanced administrative features.
== Description ==
Two-Factor Extended is a comprehensive extension for the WordPress Two Factor plugin that provides administrators with enterprise-level controls over two-factor authentication across their site.
**Core Features:**
* **Role-Based 2FA Requirements** - Require specific 2FA methods for each user role (administrators need Email + TOTP, editors need Email only, etc.)
* **Provider Visibility Control** - Show or hide specific 2FA methods based on user role to simplify options for non-technical users
* **Grace Period Enforcement** - Give users a configurable number of days (0-365) to configure required 2FA methods before enforcement
* **WordPress Multisite Support** - Network-wide enforcement with super admin requirements and site-level override controls
* **Compliance Reporting** - Real-time compliance dashboards showing which users meet 2FA requirements
* **Audit Logging** - Comprehensive logging of all 2FA configuration changes and enforcement actions
* **Bulk Operations** - Bulk require 2FA or reset grace periods for multiple users at once
* **Import/Export Settings** - Backup and restore your 2FA configuration with JSON export/import
**Advanced Features:**
* **WP-CLI Commands** - Manage 2FA requirements via command line (status, enforce, report, reset)
* **REST API** - Programmatic access to compliance data and enforcement actions
* **Security Hardening** - Built following WordPress and OWASP security best practices (Security Grade A)
* **Accessibility** - WCAG 2.1 Level AA compliant for inclusive administration
* **Performance Optimized** - Efficient database queries and caching for large user bases
**Requirements:**
This plugin requires the [Two Factor](https://wordpress.org/plugins/two-factor/) plugin (version 0.15.0 tested) to be installed and activated.
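To show how the role-based requirements, the grace period and the site-wide provider filter fit together at login time, here is an added illustration in PHP. It is not the plugin's own code: the option names `tfe_role_requirements` and `tfe_grace_days`, the user meta key `_tfe_grace_started` and the function name are hypothetical, and it assumes the Two Factor plugin's `Two_Factor_Core::get_enabled_providers_for_user()` static method and its `two_factor_enabled_providers` option (described in the 1.0.2 changelog entry below).

```php
<?php
// Added example, not plugin code. Assumes the Two Factor plugin's static
// Two_Factor_Core::get_enabled_providers_for_user() and its option
// two_factor_enabled_providers; tfe_* option and meta names are hypothetical.

/**
 * Decide whether a user may log in under role-based 2FA enforcement.
 * Returns array( 'allowed' => bool, 'missing' => string[], 'days_left' => int|null ).
 */
function tfe_evaluate_user( WP_User $user ): array {
	// Hypothetical settings shape: role slug => list of provider class names.
	$requirements = get_option( 'tfe_role_requirements', array() );
	$grace_days   = (int) get_option( 'tfe_grace_days', 0 );

	// Union of the required providers across all of the user's roles.
	$required = array();
	foreach ( $user->roles as $role ) {
		$required = array_merge( $required, $requirements[ $role ] ?? array() );
	}
	$required = array_unique( $required );

	// Respect providers disabled site-wide (Two Factor 0.16+): a method the site
	// has turned off can never be required, or nobody could comply. A missing
	// option is assumed to mean "all providers enabled".
	$site_enabled = get_option( 'two_factor_enabled_providers', array() );
	if ( is_array( $site_enabled ) && ! empty( $site_enabled ) ) {
		$required = array_intersect( $required, $site_enabled );
	}

	$user_enabled = Two_Factor_Core::get_enabled_providers_for_user( $user );
	$missing      = array_values( array_diff( $required, $user_enabled ) );
	if ( empty( $missing ) ) {
		return array( 'allowed' => true, 'missing' => array(), 'days_left' => null );
	}

	// Grace period: stamp the first time a gap is seen, using time() (UTC) rather
	// than current_time('timestamp'), which is shifted by the site's timezone.
	$meta_key = '_tfe_grace_started'; // hypothetical user meta key
	$started  = (int) get_user_meta( $user->ID, $meta_key, true );
	if ( 0 === $started ) {
		$started = time();
		update_user_meta( $user->ID, $meta_key, $started );
	}
	$deadline  = $started + $grace_days * DAY_IN_SECONDS; // 0 days = enforce immediately
	$days_left = (int) max( 0, ceil( ( $deadline - time() ) / DAY_IN_SECONDS ) );

	return array( 'allowed' => time() < $deadline, 'missing' => $missing, 'days_left' => $days_left );
}
```

A login filter would call this and block the session when `allowed` is false, while an admin notice can use `missing` and `days_left` to tell the user what to set up before the deadline.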
== Installation ==
= Automatic Installation =
1. Visit the Plugins section in your WordPress admin
2. Search for "Two-Factor Extended"
3. Click "Install Now" and then "Activate"
**Important:** Make sure the [Two Factor](https://wordpress.org/plugins/two-factor/) plugin is installed and activated first.
= Manual Installation =
1. Download the plugin ZIP file
2. Extract the contents and upload the `two-factor-extended` directory to `/wp-content/plugins/`
3. Activate the plugin through the 'Plugins' menu in WordPress
= After Installation =
1. Go to Settings → Two-Factor Extended
2. Configure your role-based 2FA requirements
3. Set which 2FA methods are available to different user roles
== Frequently Asked Questions ==
= Does this plugin replace the Two Factor plugin? =
No, Two-Factor Extended is an extension that works alongside the Two Factor plugin. Both plugins must be installed and activated.
= Is this compatible with WordPress Multisite? =
Yes! Two-Factor Extended fully supports WordPress Multisite with network-wide settings and site-level overrides.
= Which PHP versions are supported? =
Two-Factor Extended requires PHP 8.2 or higher.
= Can users bypass the 2FA requirements? =
No. When a 2FA method is marked as required for a user's role, they cannot disable or remove it.
== Compatibility ==
* WordPress: 6.7 - 6.9
* PHP: 8.2 - 8.5
* Database: MariaDB 10.6 or newer
* Two Factor Plugin: 0.15.0 (tested)
== Security ==
Two-Factor Extended follows WordPress security best practices:
= Security Features =
* **Capability Checks**: All admin functions require `manage_options` or `manage_network_options` capability
* **CSRF Protection**: All forms use WordPress nonces to prevent cross-site request forgery
* **Input Validation**: All user inputs are validated and sanitized before processing
* **Output Escaping**: All outputs are properly escaped to prevent XSS attacks
* **SQL Injection Protection**: Uses WordPress database APIs exclusively (no direct SQL queries)
* **Audit Logging**: All configuration changes and enforcement actions are logged
* **REST API Security**: All API endpoints require authentication and authorization
* **File Upload Validation**: Import files are validated for type, size, and content
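The capability, nonce, sanitization and escaping points above, together with the `wp_unslash()` fix from the 1.1.1 changelog, look like the following on a settings page with Settings, Audit Log and Compliance tabs. This is an added example, not the plugin's code: the function names, the `tfe_save_settings` nonce action, the `tfe_grace_days` option and the `two-factor-extended` page slug are hypothetical; the WordPress API calls are real.

```php
<?php
// Added example, not plugin code. Function, option and nonce names are hypothetical;
// the tab slugs mirror the plugin's Settings, Audit Log and Compliance tabs.

/** Network admins need manage_network_options on Multisite; site admins need manage_options. */
function tfe_required_capability(): string {
	return is_multisite() && is_network_admin() ? 'manage_network_options' : 'manage_options';
}

/** Resolve ?tab= against an allow-list instead of trusting the raw query string. */
function tfe_current_tab(): string {
	$tabs = array( 'settings', 'audit-log', 'compliance' );
	// wp_unslash() first, because WordPress adds slashes to superglobals; sanitize_key()
	// then reduces the value to [a-z0-9_-], so it can never carry markup or path characters.
	$tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'settings';
	return in_array( $tab, $tabs, true ) ? $tab : 'settings';
}

/** Handle the settings form POST: capability first, nonce second, then validate and save. */
function tfe_handle_settings_post(): void {
	if ( ! current_user_can( tfe_required_capability() ) ) {
		wp_die( esc_html__( 'Sorry, you are not allowed to do that.', 'two-factor-extended' ), 403 );
	}
	// Pairs with wp_nonce_field( 'tfe_save_settings', 'tfe_nonce' ) in the form;
	// dies with 403 if the nonce is missing, expired or forged (CSRF).
	check_admin_referer( 'tfe_save_settings', 'tfe_nonce' );

	// Grace period is documented as 0-365 days: coerce to int and clamp, never trust the client.
	$days = isset( $_POST['grace_days'] ) ? absint( wp_unslash( $_POST['grace_days'] ) ) : 0;
	update_option( 'tfe_grace_days', min( $days, 365 ) );
}

/** Render tab links, escaping every dynamic value at the point of output. */
function tfe_render_tabs(): void {
	$current = tfe_current_tab();
	$base    = admin_url( 'options-general.php?page=two-factor-extended' );
	echo '<nav class="nav-tab-wrapper">';
	foreach ( array( 'settings', 'audit-log', 'compliance' ) as $tab ) {
		$class = 'nav-tab' . ( $tab === $current ? ' nav-tab-active' : '' );
		printf(
			'<a class="%s" href="%s">%s</a>',
			esc_attr( $class ),
			esc_url( add_query_arg( 'tab', $tab, $base ) ),
			esc_html( ucwords( str_replace( '-', ' ', $tab ) ) )
		);
	}
	echo '</nav>';
}
```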
= Security Best Practices =
1. **Keep WordPress Updated**: Always use the latest WordPress version
2. **Use Strong Passwords**: Enforce strong passwords for all user accounts
3. **Enable 2FA for All Admins**: Require 2FA for administrator and editor roles
4. **Regular Backups**: Export your 2FA settings regularly
5. **Monitor Audit Logs**: Review the audit log for suspicious activity
6. **Review Compliance Reports**: Check compliance reports regularly
= Reporting Security Issues =
If you discover a security vulnerability, please email the plugin authors directly. Do not create public GitHub issues for security vulnerabilities.
We take security seriously and will respond promptly to all security reports.
== Changelog ==
= 1.1.1 =
_Release date: 2026-03-28_
**Fixed**
* Version constant mismatch: `TWO_FACTOR_EXTENDED_VERSION` was `1.0.2` instead of `1.1.0`.
* Replaced `current_time('timestamp')` with `time()` in audit log and settings export to ensure UTC-correct timestamps.
* Added `wp_unslash()` before sanitizing `$_GET['tab']` in the settings page renderer.
**Compatibility**
* WordPress: 6.8, 6.9, 7.0
* PHP: 8.2, 8.3, 8.4, 8.5
* MariaDB: 10.6 or newer
* Multisite: Supported
* Two-Factor plugin: 0.16 or newer
* Tested on WordPress 7.0, PHP 8.5.3; PHPUnit 9.6.34 — 28 unit tests, 64 assertions, all passing
= 1.1.0 =
_Release date: 2026-03-28_
**Changed**
* Code quality: phpcbf auto-fixed 112 formatting issues across 12 files (operator alignment, array double arrows, pre-increment style).
**Compatibility**
* WordPress: 6.7, 6.8, 6.9
* PHP: 8.2, 8.3, 8.4, 8.5
* MariaDB: 10.6 or newer
* Multisite: Supported
* Two-Factor plugin: 0.16 or newer
= 1.0.2 =
_Release date: 2026-03-28_
**Changed**
* Plugin renamed from "Two Factor Extended" to "Two-Factor Extended".
* Enforcement now respects Two-Factor's globally-disabled providers (`two_factor_enabled_providers` option, Two-Factor 0.16+). Users will no longer be blocked by providers disabled site-wide.
* Added Catalan (ca) translation — 145 strings, 100% coverage.
* Updated Spanish (es_ES) translation to reflect the new plugin name.
**Compatibility**
* WordPress: 6.7, 6.8, 6.9
* PHP: 8.2, 8.3, 8.4, 8.5
* MariaDB: 10.6 or newer
* Multisite: Supported
* Two-Factor plugin: 0.16 or newer
= 1.0.1 =
_Release date: 2026-03-28_
**Changed**
* Settings menu now registered at `admin_menu` priority 20 to always appear after Two Factor plugin's Settings page (Two Factor 0.16+).
* PHPUnit downgraded from 10.x to 9.6 for compatibility with the WordPress test library.
**Fixed**
* PHPCS: spacing and docblock type hint fixes across multiple files.
* PHPStan level 9: all errors resolved.
**Compatibility**
* WordPress: 6.7, 6.8, 6.9
* PHP: 8.2, 8.3, 8.4, 8.5
* MariaDB: 10.6 or newer
* Multisite: Supported
* Two-Factor plugin: 0.16 or newer
= 1.0.0 =
_Release date: 2026-02-17_
**Initial Production Release**
This is the first comprehensive release of Two-Factor Extended, implementing enterprise-level two-factor authentication management for WordPress.
**Core Features**
* **Role-Based 2FA Requirements** - Require specific 2FA methods for each user role with multiple methods support per role
* **Provider Visibility Control** - Control which 2FA methods are visible to each role (hide complex methods from non-technical users)
* **Grace Period Enforcement** - Configurable grace period (0-365 days) with automatic tracking and login blocking after expiration
* **WordPress Multisite Support** - Network-wide enforcement, super admin requirements, site override control, inheritance notices
* **Consolidated Admin Interface** - Single settings page with tabs for Settings, Audit Log, and Compliance
* **Reset Plugin Functionality** - Complete settings reset with user grace period cleanup and audit logging
**Advanced Features**
* **Audit Logging** - Comprehensive event logging with filtering by action, user, and date; CSV export; automatic cleanup
* **Compliance Reporting** - Real-time compliance statistics, by-role breakdown, non-compliant user identification, CSV export
* **Bulk Operations** - Bulk "Require 2FA Setup" and "Reset Grace Period" actions on Users page
* **WP-CLI Commands** - Complete CLI interface: status, enforce, report, reset (with table, JSON, CSV output formats)
* **REST API Endpoints** - Full API access to compliance data, enforcement actions, and reporting
* **Import/Export Settings** - Backup and restore configuration with JSON export/import, validation, and audit logging
**Security & Quality**
* **Grade A Security Audit** - Comprehensive security hardening, complete nonce verification, input validation, output escaping
* **28 Unit Tests** - PHPUnit test coverage for core classes
* **WCAG 2.1 Level AA Compliant** - Fully accessible administration interface
* **WordPress Coding Standards** - 100% PHPCS compliant
* **Performance Optimized** - Efficient queries and caching for large user bases
**Bug Fixes**
* Fixed provider visibility filter applying globally (now only applies on user profile pages)
* Fixed compliance report data structure access for user and email columns
* Fixed cache issues in role requirements and provider visibility fields
**Compatibility**
* WordPress: 6.7, 6.8, 6.9
* PHP: 8.2, 8.3, 8.4, 8.5
* MariaDB: 10.6 or newer
* Multisite: Supported
* Two-Factor plugin: 0.15 or newer
= Previous versions =
This is the initial release. For detailed development progress, visit the [CHANGELOG.md](https://git.robotstxt.es/ROBOTSTXT/two-factor-extended/src/branch/main/CHANGELOG.md) file.
== Compliance ==
This plugin adheres to the following security measures and review protocols for each version:
* [WordPress Plugin Handbook](https://developer.wordpress.org/plugins/)
* [WordPress Plugin Security](https://developer.wordpress.org/plugins/wordpress-org/plugin-security/)
* [WordPress APIs Security](https://developer.wordpress.org/apis/security/)
* [WordPress Coding Standards](https://github.com/WordPress/WordPress-Coding-Standards)
* [Plugin Check (PCP)](https://wordpress.org/plugins/plugin-check/)