WP 2FA plugin changelog

This is the plugin’s changelog, which is mainly a detailed list of all the plugin changes and bug fixes introduced in every version update. Refer to the plugin release notes for a high level overview of what is new and improved with every plugin version update.

2.5.0 (2023-07-20)

Release notes: 2FA for password resets, more branding options for the 2FA code page & much more

New features

  • Require 2FA on user reset password.
  • CSS editor for the 2FA code page, allowing users to also apply their CSS to the 2FA login page.
  • Front-end 2FA support for multisite network – the plugin creates a front-end 2FA page for every subsite on the network.
  • User licensing tab in the plugin settings, allowing admins to see the number of users and websites using user-activations.

Improvements

  • Disabled auto complete in the 2FA code placeholder.
  • The user's private key is regenerated each time they start the 2FA setup process without finishing it.
  • Backup code email template added to editable email templates.
  • Email tags are populated even in test emails.
  • Updated the “user count” licensing logic on multisite networks – now the plugin counts the users on the network (more accurate).
  • Full compatibility with Flywheel’s and WP Engine’s seamless sign-on (no sign on is required).
  • Revised and improved the text used in the 2FA SMS login process.
  • Added all SMS 2FA text (used in wizards, login pages etc) to the whitelabelling options.
  • Removed the 2FA plugin menu completely when access to the plugin is restricted to certain website admins.
  • Added more strings to the Whitelabelling options.
  • Removed a number of font files from the QR library since no text is used and it makes the plugin size smaller.
  • Select2 library is now shipped directly with the plugin instead of it being downloaded from a CDN.
  • Applied a number of performance improvements to the plugin – the loading mechanism is more efficient at determining when the plugin is needed and when it is not.
  • Plugin no longer loads on the front-end part of the website – only on the shortcode page.
  • Removed a number of JS and CSS scripts that were loading on the frontend and were made redundant.
  • Full support for multisite networks using different domains for subsites – users are no longer required to access the network dashboard to set up 2FA.
  • Improved the CSS in the whitelabelling settings so all the text in the 2FA code page can be edited, recoloured etc.
  • Removed some code that was left in the plugin for backward compatibility (no longer required at this stage).
  • Removed all third party’s admin notices from the plugin settings pages.
  • The 2FA usage reports have also been improved so they report accurate numbers on a multisite network.
  • Improved a number of error and user messages in the plugin.
  • Updated the CSS of the backup codes wizard page to have the buttons all in one line.
  • Plugin now automatically removes the extra space at the end of the one-time code if entered in the 2FA code prompt.
  • Updated the CSS of the plugin’s own admin notices so they fit better within the plugin’s UI.
  • Improved the text used in the wizards, especially the text used when setting up alternative 2FA methods.
  • All plugin strings are now available on WPML.
  • Plugin now displays the Twilio service error directly in the wizard when there are issues with the Twilio setup.

Bug fixes

  • Fixed: Cannot change the user’s phone number on Twilio unless you reset the 2FA configuration.
  • Fixed: In some edge cases admins were unable to access the plugin settings, instead they were shown the policies page.
  • Fixed: WP 2FA disconnects ManageWP sessions.
  • Fixed: Reset 2FA configuration button in user profile missing when the license quota is reached.
  • Fixed: Premium plugin ads still showing when Premium edition is activated on a multisite network.
  • Fixed: The 2FA code page styling was not being saved when only changing the 2FA button colour.
  • Fixed: A number of PHP warnings are triggered when WP 2FA is installed alongside Melapress Login Security.
  • Fixed: Expired license on multisite network leads to a blockage of logins.
  • Fixed: “Remember this device for 0 days” string shows up on the login page after rebranding the page (whitelabelling).
  • Fixed: In some cases the users were not prompted for 2FA in the /my-account page on WooCommerce.
  • Fixed: Plugin’s private key not stored in wp-config.php file after permissions are updated.
  • Fixed: Subscribers are not asked to set up 2FA even when 2FA is enforced when registering on a multisite network without subsites.
  • Fixed a number of PHP notices when running the plugin on a multisite network with a specific PHP version (older versions).
  • Fixed: Users can’t set up SMS 2FA (over Twilio) after the grace period expires.

2.4.2 (2023-07-05)

Bug fixes

  • Fixed issue which could cause setting up 2FA via SMS to fail once grace period has passed.
  • Fixed issue which could cause a fatal error upon login.

Other improvements

  • Updated Freemius SDK to the latest version (addressing a security issue).

2.4.1 (2023-02-15)

Release notes URL: https://melapress.com/wordpress-2fa/releases/

New features

  • New option to send newly generated backup codes via email with just a click.

Improvements

  • Added instructions on how to manually copy the private key to the wp-config.php file in the dashboard notification.
  • Applied several changes to the licensing / quota check mechanism to ensure no user activity is blocked even when the quotas are reached or exceeded.
  • Added additional checks for private key in wp-config.php file.
  • Reviewed & improved the first-time install wizard’s text and layout.
  • Updated the text of the plugin feature matrix.
  • Improved the build script to automatically remove all files not required by the plugin when installed.
  • “Remove 2FA” button in user profile page is removed when 2FA is enforced on a user.
  • Updated the CSS of the 2FA notification in the WooCommerce portal.

Bug fixes

  • Fixed: users were not advised of plugin update and forced update was failing.
  • Fixed: broken “Contact us” link in the support page.
  • Fixed: “Settings saved” banner shown twice when changing WordPress settings.
  • Fixed: a number of strings were missing in the translation file.
  • Fixed: dropdown Menu Arrow is misplaced when the dropdown menu is opened.

2.4.0 (2023-02-02)

Release notes: 2FA SMS via Twilio & one-click WooCommerce integration

New features

  • SMS 2FA via Twilio integration.
  • One-click 2FA integration with WooCommerce customers portal.
  • Setting to choose between locking a user or forcing the user to configure 2FA when the grace period is over.
  • New option to reset list of 2FA trusted devices per user.

Improvements

  • Several improvements to the whitelabelling settings, e.g. added an option to not display the default wizard help text.
  • Licensing mechanism now fully supports non-production websites such as staging and dev environments; no license is required for these websites.
  • Redirect user to sub-site on a multisite network after completing the 2FA setup.
  • Made alternative 2FA backup methods available in first-install wizard to give them more prominence so users can use them.
  • Improved the UI (looks and feel) of the admin 2FA wizard.
  • Plugin creates its own salts in the wp-config.php file to avoid conflicts with other plugins.
  • Applied several improvements to the 2FA user wizard for better UX.
  • Removed redundant cron job wp_2fa_check_grace_period_status.
  • Better handling of users with no role on a multisite network (improved exception handling).
  • Disable wizard styling button now also applies to front-end wizards.
  • Added notifications in user profile page and admin pages when no more licenses are available.
  • Added more help text in the 2FA install setup wizard to better assist administrators setting up the plugin.
  • Improved licensing-related messages shown to website administrators.
  • Better UX when the license limit is reached.
  • Better interoperability with post-login redirect plugins.
  • Removed redundant code (it was no longer needed due to change and improvement in functionality).

Bug fixes

  • Fixed: edge case issue that caused the cron job that checks for grace periods to be inactive.
  • Fixed: plugin sends two emails when clicking the “Resend code” button.
  • Fixed: unable to change the account phone number after configuring Authy as primary 2FA method.
  • Added additional checks to ensure that all the “No 2FA method selected” scenarios are handled.
  • Fixed a number of spelling mistakes in the plugin UI.
  • Fixed: fatal error when the plugin is used alongside the Events Calendar plugin.
  • Addressed a number of PHP warnings in free edition.
  • Fixed: not possible to configure backup 2FA methods when the primary method is Authy.
  • Fixed: Plugin sends two emails when requesting a backup code over email.

2.3.0 (2022-09-01)

Release notes: More white labelling options & better licensing.

New features

  • Fully responsive and fully customizable user 2FA wizards – refer to 2FA white labelling on WordPress for more information.
  • Added an optional Welcome Slide website owners can add to the user 2FA wizards to add own notes and business information, T&C etc.
  • Added a new plugin setting so admins can disable the 2FA wizards styling.
  • CSS importer in the plugin settings to allow administrators to import and apply their own CSS styling to the 2FA user wizards.

Improvements

  • Several UI and styling improvements in the plugin’s settings pages.
  • User’s 2FA configuration is removed when user is excluded.
  • Licensing now only counts users that are using 2FA instead of users which can use 2FA – advantageous to the user.
  • Applied improved and responsive styling to the user 2FA wizards.
  • Better out-of-the-box support for websites on which access to wp-login.php & wp-admin is blocked.
  • Super administrators can now log in and use 2FA even if they do not have any role on any sub sites.
  • Added support for websites hosted on Godaddy that also have the Sucuri plugin enabled (Sucuri plugin was breaking the 2FA code page).
  • Better UX for when creating the front-end 2FA page settings.
  • Updated the Freemius SDK to version 2.4.5 to support PHP 8.1.
  • Applied several updates to the “user 2FA status check” code for more reliable status reporting.
  • Applied several maintenance and WP coding standards checks.
  • Plugin bails out early instead of trying to process users with ID 0.
  • Addressed a number of licensing PHP notices and reduced memory usage and impact.
  • Placeholders in plugin settings have been replaced by ones which allow you to see all the content without scrolling.
  • Improved the process that extracts the user role on multisite networks resulting in improvement of how the plugin handles users with multiple roles.
  • Removed the words “Google Authenticator” from all the wizards and using “2FA app” instead – plugin supports multiple 2FA apps.
  • Fixed the “focus” in the user 2FA wizard so the cursor is always in the expected location – user does not have to click to select where to enter the verification code.
  • Updated the plugin logo in the license activation screen.

Security Improvement

  • Plugin now uses the WordPress salts to store and encrypt 2FA data in the database.
  • Improved the comparison of authentication codes – ensuring the plugin is not vulnerable to time-based side-channel attacks.

Bug fixes

  • Fixed: error when logging in by using one-time code over email as a secondary 2FA method.
  • Fixed: broken licensing notification in WordPress plugins’ page.
  • Fixed: secondary 2FA email cannot be removed.
  • Fixed: QR code not loading in user 2FA wizard in some edge cases on a multisite network.
  • Fixed: the setting “Hide Remove 2FA button” was not properly reflecting the status on multisite networks.
  • Fixed: grace period check cron called the wrong settings.
  • Fixed: two emails are sent when a backup code over email is requested.
  • Fixed: incorrect 2FA methods count was showing in the user wizard.

2.2.1 (2022-05-02)

Security fix

  • Fixed a reflected cross-site scripting issue in plugin’s admin page – reported by Utkarsh Agrawal.

Plugin improvements

  • Beefed up the escaping and filtering of all user input in the plugin’s admin pages.

2.2.0 (2022-04-30)

Release notes: WP 2FA 2.2: 2FA over SMS, Push notification, WhatsApp & more

New features

  • 2FA login with push notification, SMS, WhatsApp and incoming call via integration with Authy.
  • New setting to configure how to handle logins if an external 2FA service is unavailable during login.

Plugin improvements

  • Added the functionality to exclude users and roles from 2FA, regardless of the type of 2FA enforcement policy you have configured.
  • Improved the function that checks which policies apply to the user logging in based on the user role (to address some inconsistencies when users’ roles are changed).
  • Applied several styling tweaks to the user 2FA setup wizard and plugin settings.
  • Improved the text used in the white labelling settings.
  • Removed the word “WordPress” from all 2FA user wizards.
  • Added more validation checks to some of the plugin settings that accept user input.
  • Incorrect licenses notice now is refreshed upon activating new license.
  • Improved the text in several notifications to better explain the issue to the user.
  • Changed the functionality that hashes some of the configuration files to avoid inconsistencies due to different web server / OS setup.
  • Redirects after first-time install wizard improved to better guide administrators.

Security fix

  • Fixed: Insecure direct object reference issue that allows users to disable other users’ 2FA settings through a specific request. Issue reported by Maycon Vitali.

Bug fixes

  • Fixed: Plugin sends two different codes when requesting a new backup code over email.
  • Fixed: Fatal error in some edge cases, caused by the removal of premium code during the build process.
  • Fixed: Plugin only redirecting user to a custom “after 2FA setup URL” if they generate the backup codes.
  • Fixed: Addressed a PHP warning triggered during logging in when there are no set policies.
  • Fixed: JavaScript responsible for storing the email backup code was removed from the admin part.

2.1.0 (2022-01-12)

New features

  • Added a new default user status – user has not logged in yet.

Improvements

  • Updated a number of links used in the plugin.
  • Updated the redirects and logic that are triggered after the install wizard (improved UX).
  • “Link valid for” sub setting is grayed out when the option is disabled (improved UX).
  • Better handling of users without user role.

Bug fixes

  • Fixed: User 2FA state is permanently cached when using Redis object caching.
  • Fixed an edge case in which the admin might be locked out of the plugin’s settings during an upgrade.
  • Professional premium plan was not activating properly.
  • Fixed a PHP warning triggered during login on some websites.

2.0.1 (2021-12-09)

Improvements

  • Improved the spacing of several network specific policy options (UI).
  • Moved setting inline JS to wp_footer to improve theme compatibility.
  • Prefixed all Select2 styling to avoid conflicts.

Bug fix

  • Fixed: Close ‘X’ icon not closing modal wizard.

2.0.0 (2021-12-03)

Release notes: Announcing WP 2FA 2.0 Premium

New features

  • Trusted devices: allow trusted devices, so users do not have to specify 2FA code.
  • Out of band 2FA method: click link sent over email to log in to the website.
  • Whitelabeling module: change the 2FA pages colours, text, logos etc. as per your branding requirements.
  • User role 2FA policies: configure different 2FA policies for different user roles.
  • Backup 2FA method: users can have a backup 2FA method in case 2FA app is unavailable.
  • 2FA reports: easily get an overview of who and how many users have configured 2FA and which methods they are using.
  • New setting to allow/disallow users from using other email addresses when configuring 2FA over email.
  • New setting to specify how long the 2FA code sent over email is valid.
  • New setting to select between locking users or forcing users to configure 2FA when grace period is over.
  • Users can be sorted by 2FA user status in the WordPress dashboard user view.
  • QR code generator: QR codes are generated by the plugin without requiring third party services (such as Google and Cloudflare).

Improvements

  • TOTP code is encrypted in the database (security improvement).
  • 2FA code bruteforce protection: user is redirected to the login page and session is reset if the wrong 2FA code is used 3 times in a row.
  • Full support for PHP 8.
  • Plugin settings moved to their own page.
  • Users are now redirected back to the page from where they launched the 2FA wizard when they configure 2FA.
  • Generic UI and UX improvements.

Bug fixes

  • CSS fix: CSS now restricted to plugin’s own pages to avoid UI/CSS conflicts with other plugins.
  • User ID no longer shared with client when requesting backup codes (security improvement).

1.7.0 (2021-07-15)

Release notes: WP 2FA refactored for better performance, design, and reliability

Improvements

  • Refactored the plugin (major improvements in terms of product design, performance, & reliability).
  • Refactored the way the plugin saves and retrieves user 2FA properties.
  • Moved plugin and 2FA settings in separate menu (no longer under the Settings section).
  • Added a number of new tags that can be used in the plugin’s email templates.
  • Improved the way and logic of how the plugin works on a multisite network.
  • Improved the handling of users with super admin privileges in the 2FA policies.
  • Implemented a new check, so administrators cannot deselect all of the available 2FA methods.
  • Excluded users/roles setting now only available when 2FA policies are set to “All users” (simplified model).
  • Improved the first-time install wizard (both UX and UI).
  • Improved the user 2FA wizard (both UX and UI).
  • When a user completes the first-time install wizard, the user is redirected to plugin settings.
  • Added the new plugin logo in the wizards etc.

Bug fixes

  • User roles that contain a space can now be excluded.
  • Custom redirection is now honored even after the backup codes setup.

1.6.2 (2021-05-31)

Improvements

  • Several improvements applied in how plugin settings are saved and checked (during user login).
  • All data placeholders in the plugin settings now have the same format.
  • Better resolution used for user-entered data in wizard.
  • Users are now notified to reconfigure 2FA if the 2FA method they are using is no longer allowed.

Bug fixes

  • 2FA methods were not shown when administrator skips the first-time install wizard.
  • Users were being redirected to custom redirect before finishing the backup codes.
  • Buttons were not clickable when using the front-end 2FA setup page.
  • Fixed a number of browser compatibility issues (mostly better support for Safari).
  • User was still asked for 2FA code even if excluded.
  • Settings were not properly populated in some cases, resulting in error on admin pages (Support ticket).
  • PHP error when enforcing 2FA policies on a sub-site in a multisite network.

1.6.1 (2021-05-17)

Bug fixes

  • Issue in logic caused users to be unable to configure 2FA unless specifically enforced.
  • Missing blog_id from custom SQL query caused some network users to not be “instantly enforced” (redirected to the WP 2FA setup area) upon login.

1.6.0 (2021-05-13)

Release notes: New user 2FA status column, custom redirects and many other new features & improvements

New features

Improvements

  • Backup codes are now optional: administrators can disable them, so the plugin does not suggest users to create them.
  • Removed reference to “WordPress” in the 2FA wizard.
  • Optimized the code that retrieves the list of users, roles and sites on a multisite network.
  • User 2FA settings are now saved as an array in the database instead of a comma separated list.
  • Added an alert to notify users that all the changes will be lost if they terminate the wizard without setting up 2FA.
  • Improved the wizard and the user input sanitization.
  • Converted a number of database settings to filters.
  • Standardized the text and button labels on the 2FA code page.
  • Hidden the wizard’s holding page.
  • Plugin now uses the Site name and site email address as from email address.
  • 2FA apps logos in wizard now link directly to the application’s specific instructions.

Bug fixes

  • In some cases the plugin was sending multiple emails when settings were changed.
  • Image URLs in modal wizard contain an extra slash.
  • Some sections of the wizard were not displayed properly on the Safari browser.
  • In some edge cases users selected the 2FA email method, but they were prompted to scan a QR code when using the front-end wizard.

1.5.2 (2021-01-20)

Improvement

  • New improved “2FA code page” prompt text.

Bug fixes

  • Fixed an issue that was locking administrators out of the plugin’s configuration – incorrect user ID stored when the plugin settings were saved.
  • Fixed a CSS compatibility issue caused by non-targeted “.disabled” styling.

1.5.1 (2020-12-10)

Bug fix

  • Configured 2FA profile for user was reset after first-time install wizard / possibly settings changes.

1.5.0 (2020-12-08)

Release notes: Fully responsive 2FA wizards & more efficient code

New feature

  • All the 2FA wizards in the plugin are now fully responsive and mobile friendly.

Improvements

  • Removed duplicate code and improved the plugin’s efficiency in general (plugin can scale much better now as well on bigger websites).
  • Improved and optimized the creation and handling of user data when saving the 2FA policies and settings.
  • Reduced the overall memory usage when processing settings by switching to direct wpdb queries.
  • Switched to a single validation function when processing settings.
  • Split each background task into smaller individual classes to reduce the load on the website when saving settings / applying policies.
  • New settings overwrite currently queued settings instead of being enqueued when the administrator changes the settings.
  • Added a confirmation step in the wizard for when 2FA setup is completed.
  • Optimized the code that retrieves the email template settings.
  • Unified all email sending functions into one (less code, more efficient, easier to troubleshoot).
  • 2FA method is now separate from backup codes – user does not need to regenerate new backup codes when 2FA config is reset.
  • Users are logged out from session if 2FA is required and administrator resets the 2FA profile.

Bug fixes

  • Users were not being redirected to reconfigure 2FA when 2FA was enforced and the admin resets their 2FA profile.
  • Users were unable to reconfigure TOTP 2FA via front-end form in some edge cases.
  • Pressing Enter when a modal is open was sometimes closing it.
  • Awaiting jobs were not being deleted on plugin uninstall.
  • A number of errors were generated when a website visitor visited the shortcode page.
  • In some edge cases, users could still log in to the website.
  • Addressed a conflict with the session lockout feature of All in One Security plugin.
  • Backup codes were not generated at the end of the wizard in some edge cases.

1.4.2 (2020-09-02)

Release notes: WP 2FA 1.4.2: Improved 2FA policies & multisite network support

New features

Improvements

  • Users can setup 2FA via their smart device without the need to scan the QR code.
  • When instant 2FA setup is required, existing user sessions are not terminated. Instead they are redirected to the 2FA wizard.
  • The dates and times used in emails and notifications have the same format as that configured in WordPress.
  • The dates and times strings used in the plugin and emails are fully translatable.
  • Added a subject to the login confirmation code email.
  • Better error reporting when required settings are missing.
  • Removed all reference to the Google Authenticator app. Now all messages are generic for all 2FA apps.
  • Standardized the order of placeholders in 2FA wizard.

Bug fixes

  • Users were unable to setup 2FA in some edge cases because of a HTTP 400 error response during the wizard.
  • Grace period settings hid unexpectedly upon changing the settings.
  • The wrong grace period was being added to the user emails.
  • Wrong grace period was shown in user email when users are required to instantly setup 2FA.
  • Users were able to disable 2FA after setting it up, even when 2FA is enforced.

1.4.1 (2020-07-31)

This is a followup maintenance release of version 1.4.0.

Improvements

  • Updated the plugin settings text and wizards’ text to reflect the new changes (support for multiple 2FA apps).
  • Redirect users to the user profile page if they exit the 2FA setup wizard.

Bug fixes

  • Reset 2FA app method button not working in wizard.
  • When a 2FA method is disabled, all enabled user configured 2FA methods are cleared in the usermeta, falsely flagging the user to reconfigure 2FA.
  • Fixed a minor UI compatibility issue with Jetpack CRM.

1.4.0 (2020-07-22)

Release notes: WP 2FA 1.4: Support for Authy, FreeOTP & other 2FA apps

New features

  • Support for the following 2FA apps: Authy, Duo Security, FreeOTP (open source), Microsoft Authenticator, LastPass.
  • Optional policy to enforce instant 2FA – users have to configure 2FA otherwise they can’t login to the website.
  • Admins now have the option to choose when the plugin sends emails to users who have not configured 2FA yet (emails to setup 2FA).
  • New slide in the setup wizard to allow admins to disable initial 2FA setup emails.
  • New option to disallow users from disabling 2FA in their profile.

Improvements

  • Plugin no longer changes the email templates when the front-end 2FA page is enabled / disabled.
  • Grace period slide in setup wizard updated so admins can require 2FA straight after login.
  • Improved the instructions and help text of the front-end 2FA page.
  • Applied several minor UI and UX improvements to the wizard.

Bug fixes

  • Super admin not shown the notification to configure 2FA when policies applied to them.
  • Compatibility issue with WordFence (Support ticket).
  • Grace period changes in wizard are properly reflected in initial 2FA setup email sent to users.
  • Reset button in wizard not working when 2FA is already configured with 2FA app.
  • Minor CSS issue with a dashboard widget from Mailster.

1.3.0 (2020-06-04)

Release notes: WP 2FA 1.3: Front-end 2FA setup & improved 2FA policies

New features

  • 2FA setup website page for users who do not have access to the dashboard and want to set up 2FA.
  • Front-end 2FA setup page email tag so the link to setup 2FA can be included in the user emails.
  • A number of shortcodes to setup your own 2FA configuration page.
  • Setting to enable/disable every individual email notification.

Improvements

  • 2FA Policies can now be enforced both by role and to specific users at the same time.
  • Administrators are redirected to the 2FA settings after completing the wizard.
  • Standardized the handling and error notifications for the custom from email address and display name placeholders.

Bug fixes

  • Addressed a number of minor UI issues in the plugin wizard.
  • Sites excluded in the wizard on multisite networks not excluded in config.
  • Username was not properly retrieved and shown in the backup code print export.
  • Users’ grace period database entry was not deleted when admin removed the policies.

1.2.0 (2020-05-06)

Release notes: WP 2FA 1.2: Multisite network support & configurable email templates

New features

  • Multisite network support.
  • Configurable email templates.
  • New setting to also configure the “from email address and display name” for all plugin emails.
  • Support for redirect after login plugins.

Improvements

  • Support for custom login pages; user is correctly redirected to enter 2FA code when using one.
  • Added a “Send another code” button in the email 2FA wizard (in case first email is not received).
  • If they apply, policies are automatically enforced on newly created user (user is sent an email notification).
  • 2FA policies are enforced if they apply when a user’s role is changed.

Bug fixes

  • Locked user is sent an email every time there is a login attempt on the account.
  • Backup codes not generated in some specific scenarios.
  • Incorrect META title of plugin wizard (Support ticket).

1.0.1 (2020-04-27)

Bug fix

  • Plugin does not generate backup codes in certain circumstances.

1.0.0 (2020-04-01)

  • Initial release