WP 2FA plugin changelog

Updated3 October, 2023

This is the plugin’s changelog, which is mainly a detailed list of all the plugin changes and bug fixes introduced in every version update. Refer to the plugin release notes for a high level overview of what is new and improved with every plugin version update.

2.5.0 (2023-07-20)

Release notes: 2FA for password resets, more branding options for the 2FA code page & much more

New features

Require 2FA on user reset password.
CSS editor for the 2FA code page, allowing users to also apply their CSS to the 2FA login page.
Front-end 2FA support for multisite network – the plugin creates a front-end 2FA page for every subsite on the network.
User licensing tab in the plugin settings, allowing admins to see the number of users and websites using user-activations.

Improvements

Disabled auto complete in the 2FA code placeholder.
User private key is regenerated each time they start the 2FA setup process and they do not finish it.
Backup code email template added to editable email templates.
Email tags are populated even test emails.
Updated the “user count” licensing logic on multisite networks – now the plugin counts the users on the network (more accurate).
Full compatability with Flywheel’s and WP Engine’s seamless sign-on (no sign on is required).
Revised and improved the text used in the 2FA SMS login process.
Added all SMS 2FA text (used in wizards, login pages etc) to the whitelabelling options.
Removed the 2FA plugin menu completely when access to the plugin is restricted to certain website admins.
Added more strings to the Whitelabelling options.
Removed a number of font files from the QR library since no text is used and it makes the plugin size smaller.
Select2 library is now shipped directly with the plugin instead of it being downloaded from a CDN.
Applied a number of performance improvements to the plugin – the loading mechanism is more efficient and determining when the plugin is needed and when not.
Plugin no longer loads on the front-end part of the website – only on the shortcode page.
Removed a number of JS and CSS scripts that were loading on the frontend and were made redundand.
Full support for multsite networks using different domains for subsites – users are no longer required to access the network dashboad to set up 2FA.
Improved the CSS in the whitelabelling settings so all the text in the 2FA code page can be edited, recoloured etc.
Removed some code that was left in the plugin for backward compatability (no longer required at this stage).
Removed all third party’s admin notices from the plugin settings pages.
The 2FA usage reports have also been improved so they report accurate numbers on a multsite network.
Improved a number of error and users messages in the plugin.
Updated the CSS of the backup codes wizard page to have the buttons all in one line.
Plugin now automatically removes the extra space at the end of the one-time code if entered in the 2FA code prompt.
Updated the CSS of the plugin’s own admin notices so they fit better within the plugin’s UI.
Improved the text used in the wizards, especially the text used when setting up alternative 2FA methods.
All plugin strings are now available on WPML.
Plugin now displays the Twilio service error directly in the wizard when there are issues with the Twilio setup.

Bug fixes

Fixed: Cannot change the users phone number on Twilio unless you reset the 2FA configuration.
Fixed: In some edge cases admins were unable to access the plugin settings, instead they were shown the policies page.
Fixed: WP 2FA disconnects ManageWP sessions.
Fixed: Rest 2FA configuration button in user profile missing when the license quota is reached.
Fixed: Premium plugin ads still showing when Premium edition is activated on a multisite network.
Fixed: The 2FA code page styling was not being saved when only changing the 2FA button colour.
Fixed: Number of PHP warnings are triggered when WP 2FA is installed alongside Melapress Login Security.
Fixed: Expired license on multisite network leads to a blockage of logins.
Fixed: “Remember this device for 0 days” string shows up on the login page after rebranding the page (whitelabelling).
Fixed: On some cases the users were not prompted for 2FA in the /my-account page on WooCommerce.
Fixed: Plugin’s private key not stored in wp-config.php file after permissions are updated.
Fixed: Subscribers are not asked to set up 2FA even when 2FA is enforced when registering on a multisite network without subsites.
Fixed a number of PHP notices when running the plugin on a multisite network with a specific PHP version (older versions).
Fixed: Users can’t set up SMS 2FA (over Twilio) after the grace period expires.

2.4.2 (2023-07-05)

Bug fixes

Fixed issue which could cause setting up 2FA via SMS to fail once grace period has passed.
Fixes issue which could cause a fatal error upon login.

Other improvements

Updated Freemius SDK to the latest version (addressing a security issue).

2.4.1 (2023-02-15)

Release notes URL: https://melapress.com/wordpress-2fa/releases/

New features

New option to send newly generated backup codes via email with just a click.

Improvements

Added instructions on how to manually copy the private key to the wp-config.php file in the dashboard notification.
Applied several changes to the licensing / quota check mechanism to ensure no user activity is blocked even when the quotas are reached or exceeded.
Added additional checks for private key in wp-config.php file.
Reviewed & improved the first-time install wizard’s text and layout.
Updated the text of the plugin feature matrix.
Improved the build script to automatically remove all files not required by the plugin when installed.
“Remove 2FA” button in user profile page is removed when 2FA is enforced on a user.
Updated the CSS of the 2FA notification in the WooCommerce portal.

Bug fixes

Fixed: users were not advised of plugin update and forced update was failing.
Fixed: broken “Contact us” link in the support page.
Fixed: “Settings saved” banner shown twice when changing WordPress settings
Fixed: a number of strings were missing in the translation file.
Fixed: dropdown Menu Arrow is misplaced when the dropdown menu is opened.

2.4.0 (2023-02-02)

Release notes: 2FA SMS via Twilio & one-click WooCommerce integration

New features

SMS 2FA via Twilio integration.
One-click 2FA integration with WooCommerce customers portal.
Setting to choose between locking a user or forcing the user to configure 2FA when the grace period is over.
New option to reset list of 2FA trusted devices per user.

Improvements

Several improvements to the whitelabelling settings, e.g. added an option to not display the default wizard help text.
Licensing mechanism now fully supports non-production websites such as staging and dev environments; no license is required for these websites.
Redirect user to sub-site on a multisite network after completing the 2FA setup.
Made alternative 2FA backup methods available in first-install wizard to give them more prominance so users can use them.
Improved the UI (looks and feel) of the admin 2FA wizard.
Plugin creates its own salts in the wp-config.php file to avoid conflicts with other plugins.
Applied several improvements to the 2FA user wizard for better UX.
Removed redundant cron job wp_2fa_check_grace_period_status.
Better handling of users with no role on a multisite network (improved exception handling).
Disable wizard styling button now also applies to front-end wizards.
Added notifications in user profile page and admin pages when no more licenses are available.
Added more help text in the 2FA install setup wizard to better assist administrators setting up the plugin.
Improved licensing-related messages shown to website administrators.
Better UX when the license limit is reached.
Better interoperability with post-login redirect plugins.
Removed redundant code (it was no longer needed due to change and improvement in functionality).

Bug fixes

Fixed: edge case issue that caused the cron job that checks for grace periods to be inactive.
Fixed: plugin sends two emails when clicking the “Resend code” button.
Fixed: unable to change the account phone number after configuring Authy as primary 2FA method.
Added additional checks toensure that all the “No 2FA method selected” scenarios are handled.
Fixed a number of spelling mistakes in the plugin UI.
Fixed: fatal error when plugin usind alongside the Events Calendar plugin.
Addressed a number of PHP warnings in free edition.
Fixed: not possible to configure backup 2FA methods when the primary method is Authy.
Fixed: Plugin sends two emails when requesting a backup code over email.

2.3.0 (2022-09-01)

Release notes: More white labelling options & better licensing.

New features

Fully responsive and fully customizable user 2FA wizards – refer to 2FA white labelling on WordPress for more information.
Added an optional Welcome Slide website owners can add to the user 2FA wizards to add own notes and business information, T&C etc.
Added a new plugin setting so admins can disable the 2FA wizards styling.
CSS importer in the plugin settings to allow administrators to import and apply their own CSS styling to the 2FA user wizards.

Improvements

Several UI and styling improvements in the plugin’s settings pages.
User’s 2FA configuration is removed when user is excluded.
Licensing now only counts users that are using 2FA instead of users which can use 2FA – advantageous to the user.
Applied improved and responsive styling to the user 2FA wizards.
Better out-of-the-box support for websites on which access to wp-login.php & wp-admin is blocked.
Super administrators can now log in and use 2FA even if they do not have any role on any sub sites.
Added support for websites hosted on Godaddy that also have the Sucuri plugin enabled (Sucuri plugin was breaking the 2FA code page).
Better UX for when creating the front-end 2FA page settings.
Updated the Freemius SDK to version 2.4.5 to support PHP 8.1.
Applied several updates to the “user 2FA status check” code for more reliable status reporting.
Applied several maintenance and WP coding standards checks.
Plugin bails out early instead of trying to process users with ID 0.
Addressed a number of licensing PHP notices and reduced memory usage and impact.
Placeholders in plugin settings have been replaced by onces which allow you to see all the content without scrolling.
Improved the process that extracts the user role on multisite networks resulting in improvement of how the plugin handles users with multiple roles.
Removed the words “Google Authenticator” from all the wizards and using “2FA app” instead – plugin supports multiple 2FA apps.
Fixed the “focus” in the user 2FA wizard so the cursor is always in the expected location – user does not have to click to select where to enter the verification code.
Updated the plugin logo in the license activation screen.

Security Improvement

Plugin now uses the WordPress salts to store and encrypt 2FA data in the database.
Improved the comparison of authentication codes – ensuring the plugin is not vulnerable to time-based side-channel attacks.

Bug fixes

Fixed: error when logging in by using one-time code over email as a secondary 2FA method.
Fixed: broken licensing notification in WordPress plugins’ page.
Fixed: secondary 2FA email cannot be removed.
Fixed: QR code not loading in user 2FA wizard in some edge cases on a multisite network.
Fixed: the setting “Hide Remove 2FA button” was not properly reflecting the status on multisite networks.
Fixed: grace period check cron called the wrong settings.
Fixed: two emails are sent when a backup code over email is requested.
Fixed: incorrect 2FA methods count was showing in the user wizard.

2.2.1 (2022-05-02)

Security fix

Fixed a reflected cross-site scripting issue in plugin’s admin page – reported by Utkarsh Agrawal.

Plugin improvements

Beefed up the escaping and filtering of all user input in the plugin’s admin pages.

2.2.0 (2022-04-30)

Release notes: WP 2FA 2.2: 2FA over SMS, Push notification, WhatsApp & more

New features

2FA login with push notification, SMS, WhatsApp and incoming call via integration with Authy.
New setting to configure how to handle logins if an external 2FA service is unavailable during login.

Plugin improvements

Added the functionality to exclude users and roles from 2FA, regardless of the type of 2FA enforcement policy you have configured.
Improved the function that checks which policies apply to the user logging in based on the user role (to address some inconsistencies when users’ roles are changed).
Applied several styling tweaks to the user 2FA setup wizard and plugin settings.
Improved the text used in the white labelling settings.
Removed the word “WordPress” from all 2FA user wizards.
Added more validation checks to some of the plugin settings that accept user input.
Incorrect licenses notice now is refreshed upon activating new license.
Improved the text in several notifications to better explain the issue to the user.
Changed the functionality that hashes some of the configuration files to avoid inconsistencies due to different web server / OS setup.
Redirects after first-time install wizard improved to better guide administrators.

Security fix

Fixed: Insecure direct object reference issue that allows users to disable other users’ 2FA settings through a specific request. Issue reported by Maycon Vitali.

Bug fixes

Fixed: Plugin sends two different codes when requesting a new backup code over email.
Fixed: Fatal error caused in some edge causes, which was caused from the removal of premium code during the build process.
Fixed: Plugin only redirecting user to a custom “after 2FA setup URL” if they generate the backup codes.
Fixed: Addressed a PHP warning triggered during logging in when there is are no set policies.
Fixed: JavaScript responsible for storing the email backup code was removed from the admin part.

2.1.0 (2022-01-12)

New features

Added a new default user status – user has not logged in yet.

Improvements

Update a number of links used in the plugin.
Updated the redirects and logic that are triggered after the install wizard (improved UX).
“Link valid for” sub setting is grayed out when the option is disabled (improved UX).
Better handling of users without user role.

Bug fixes

Fixed: User 2FA state is permanently cached when using Redis object caching.
Fixed an edge case in which the admin might be locked out of the plugin’s settings during an upgrade.
Professional premium plan was not activating properly.
Fixed a PHP warning triggered during login on some websites.

2.0.1 (2021-12-09)

Improvements

Improved the spacing of several network specific policy options (UI).
Moved setting inline JS to wp_footer to improve theme compatibility.
Prefixed all Select2 styling to avoid conflicts.

Bug fix

Fixed: Close ‘X’ icon not closing modal wizard.

2.0.0 (2021-12-03)

Release notes: Announcing WP 2FA 2.0 Premium

New features

Trusted devices: allow trusted devices, so users do not have to specify 2FA code.
Out of band 2FA method: click link sent over email to log in to the website.
Whitelabeling module: change the 2FA pages colours, text, logos etc. as per your branding requirements.
User role 2FA policies: configure different 2FA policies for different user roles.
Backup 2FA method: users can have a backup 2FA method in case 2FA app is unavailable.
2FA reports: easily get an overview of who and how many users have configured 2FA and which methods they are using.
New setting to allow/disallow users from using other email addresses when configuring 2FA over email.
New setting to specify for how long is the 2FA code sent over email valid for.
New setting to select between locking users or forcing users to configure 2FA when grace period is over.
Users can be sorted by 2FA user status in the WordPress dashboard user view.
QR code generator: QR codes are generated by the plugin without requiring third party services (such as Google and Cloudflare).

Improvements

TOTP code is encrypted in the database (security improvement).
2FA code bruteforce protection: user is redirected to the login page and session is reset if the wrong 2FA code is used for 3 times in a row.
Full support for PHP 8.
Plugin settings moved to their own page.
Users are now redirected back to the page from where they launched the 2FA wizard when they configure 2FA.
Generic UI and UX improvements.

Bug fixes

CSS fix: CSS now restricted to plugin’s own pages to avoid UI/CSS conflicts with other plugins.
User ID no longer shared with client when requesting backup codes (security improvement).

1.7.0 (2021-07-15)

Release notes: WP 2FA refactored for better performance, design, and reliability

Improvements

Refactored the plugin (major improvements in terms of product design, performance, & reliability).
Refactored the way the plugin saves and retrieves user 2FA properties.
Moved plugin and 2FA settings in separate menu (no longer under the Settings section).
Added a number of new tags that can be used in the plugin’s email templates.
Improved the way and logic of how the plugin works on a multisite network.
Improved the handling of users with super admin privileges in the 2FA policies.
Implemented a new check, so administrators cannot deselect all of the available 2FA methods.
Excluded users/roles setting now only available when 2FA policies are set to “All users” (simplified model)
Improved the first-time install wizard (both UX and UI)
Improved the user 2FA wizard (both UX and UI)
When a user completes the first-time install wizard, the user is redirected to plugin settings.
Added the new plugin logo in the wizards etc.

Bug fixes

User roles that contain a space can now be excluded.
Custom redirection is now honored even after the backup codes setup.

1.6.2 (2021-05-31)

Improvements

Several improvements applied in how plugin settings are saved and checked (during user login).
All data placeholders in the plugin settings now have the same format.
Better resolution used for user-entered data in wizard.
Users are now notified to reconfigure 2FA if the 2FA method they are using is no longer allowed.

Bug fixes

2FA methods were not shown when administrator skips the first-time install wizard.
Users were being redirected to custom redirect before finishing the backup codes.
Buttons were not clickable when using the front-end 2FA setup page.
Fixed a number of browser compatibility issues (mostly better support for Safari).
User was still asked for 2FA code even if excluded.
Settings were not properly populated in some cases, resulting in error on admin pages (Support ticket).
PHP error when enforcing 2FA policies on a sub-site in a multisite network.

1.6.1 (2021-05-17)

Bug fixes

Issue in logic caused users to be unable to configure 2FA unless specifically enforced.
Missing blog_id from custom SQL query caused some network users to not be “instantly enforced” (redirected to the WP 2FA setup area) upon login.

1.6.0 (2021-05-13)

Release notes: New user 2FA status column, custom redirects and many other new features & improvements

New features

Setting to redirect users to a custom URL after they complete the 2FA setup.
User’s 2FA status column in the WordPress users page.
Setting to restrict plugin’s settings to a specific site administrator.
New 2FA policies for multisite networks (require 2FA for all users of an individual site on the network).
Setting to change the text of the 2FA code page.

Improvements

Backup codes are now optional: administrators can disable them, so the plugin does not suggest users to create them.
Removed reference to “WordPress” in the 2FA wizard.
Optimized the code that retrieves the list of users, roles and sites on a multisite network.
User 2FA settings are now saved as an array in the database instead of a comma separated list.
Added an alert to notify users that all the changes will be lost if they terminate the wizard without setting up 2FA.
Improved the wizard and the user input sanitization.
Converted a number of database settings to filters.
Standardized the text and button labels on the 2FA code page.
Hidden the wizard’s holding page.
Plugin now uses the Site name and site email address as from email address.
2FA apps logos in wizard now link directly to the application’s specific instructions.

Bug fixes

In some cases the plugin was sending multiple emails when settings were changed.
Image URLs in modal wizard contain an extra slash.
Some sections of the wizard were not displayed properly on the Safari browser.
In some edge cases users selected the 2FA email method, but they were prompted to scan a QR code when using the front-end wizard.

1.5.2 (2021-01-20)

Improvement

New improved “2FA code page” prompt text.

Bug fixes

Fixed an issue that was locking administrators out of the plugin’s configuration – incorrect user ID stored the plugin settings where saved.
Fixed a CSS compatibility issue caused by non-targeted “.disabled” styling.

1.5.1 (2020-12-10)

Big fix

Configured 2FA profile for user was reset after first-time install wizard / possibly settings changes.

1.5.0 (2020-12-08)

Release notes: Fully responsive 2FA wizards & more efficient code

New feature

All the 2FA wizards in the plugin are now fully responsive and mobile friendly.

Improvements

Removed duplicate code and improved the plugin’s efficiency in general (plugin can scale much better now as well on bigger websites).
Improved and optimized the creation and handling of user data when saving the 2FA policies and settings.
Reduced the overall memory usage when processing settings by switching to direct wpdb queries.
Switched to a single validation function when processing settings.
Split each background task into smaller individual classes to reduce the load on the website when saving settings / applying policies.
New settings overwrite currently queued settings instead of being enqueued when the administrator changes the settings.
Added a confirmation step in the wizard for when 2FA setup is completed.
Optimized the code that retrieves the email template settings.
Unified all email sending functions into one (less code, more efficient, easier to troubleshoot).
2FA method is now separate from backup codes – user does not need to regenerate new backup codes when 2FA config is reset.
Users are logged out from session if 2FA is required and administrator resets the 2FA profile.

Bug fixes

Users were not being redirected to reconfigure 2FA when 2FA was enforced and the admin resets their 2FA profile.
Users were unable to reconfigure TOTP 2FA via front-end form in some edge cases.
Pressing Enter when a modal is open was sometimes closing it.
Awaiting jobs were not being deleted on plugin uninstall.
Number of errors were generated when a website visitor visited the shortcode page.
In some edge cases, users could still login to website.
Addressed a conflict with the session lockout feature of All in One Security plugin.
Backup codes were not generated at the end of the wizard in some edge cases.

1.4.2 (2020-09-02)

Release notes: WP 2FA 1.4.2: Improved 2FA policies & multisite network support

New features

Policy to enforce 2FA policies on superadmins only on a multisite network.
Setting to restrict other site admins from accessing the 2FA settings and policies.
Support for Okta Verify 2FA app.
Added new test buttons to test the email delivery system and also to test individual templates.
Support for custom user roles with multiple words (such as “shop manager”).

Improvements

Users can setup 2FA via their smart device without the need to scan the QR code.
When instant 2FA setup is required, existing user sessions are not terminated. Instead they are redirected to the 2FA wizard.
The dates and times used in emails and notifications have the same format as that configured in WordPress.
The dates and times strings used in the plugin and emails are fully translatable.
Added a subject to the login confirmation code email.
Better error reporting when required settings are missing.
Removed all reference to the Google Authenticator app. Now all messages are generic for all 2FA apps.
Standardized the order of placeholders in 2FA wizard.

Bug fixes

Users were unable to setup 2FA in some edge cases because of a HTTP 400 error response during the wizard.
Grace period settings hid unexpectedly upon changing the settings.
The wrong grace period was being added to the user emails.
Wrong grace period was shown in user email when users are required to instantly setup 2FA.
Users were able to disable 2FA after setting it up, even when 2FA is enforced.

1.4.1 (2020-07-31)

This is a followup maintenance release of version 1.4.0.

Improvements

Updated the plugin settings text and wizards’ text to reflect the new changes (support for multiple 2FA apps).
Redirect users to the user profile page if they exit the 2FA setup wizard.

Bug fixes

Reset 2FA app method button not working in wizard.
When a 2FA method is disabled, all enabled user configured 2FA methods are cleared in the usermeta, falsely flagging the user to reconfigure 2FA.
Fixed a minor UI compatability issue with Jetpack CRM.

1.4.0 (2020-07-22)

Release notes: WP 2FA 1.4: Support for Authy, FreeOTP & other 2FA apps

New features

Support for the following 2FA apps: Authy, Duo Security, FreeOTP (open source) Microsoft Authenticator, LastPass.
Optional policy to enforce instant 2FA – users have to configure 2FA otherwise they can’t login to the website.
Admins now have the option to choose when the plugin sends emails to users who have not configured 2FA yet (emails to setup 2FA).
New slide in the setup wizard to allow admins to disable initial 2FA setup emails.
New option to disallow users from disabling 2FA in their profile.

Improvements

Plugin no longer changes the email templates when the front-end 2FA page is enabled / disabled.
Grace period slide in setup wizard updated so admins can require 2FA straight after login.
Improved the intructions and help text of the front-end 2FA page.
Applied several minor UI and UX improvements to the wizard.

Bug fixes

Super admin not shown the notification to configure 2FA when policies applied to them.
Compatibility issue with WordFence (Support ticket).
Grace period changes in wizard are properly reflected in initial 2FA setup email sent to users.
Reset button in wizard not working when 2FA is already configured with 2FA app.
Minor CSS issue with a dashboard widget from Mailster.

1.3.0 (2020-06-04)

Release notes: WP 2FA 1.3: Front-end 2FA setup & improved 2FA policies

New features

2FA setup website page for users who do not have access the dashboard and want to setup 2FA.
Front-end 2FA setup page email tag so the link to setup 2FA can be included in the user emails.
A number of shortcodes to setup your own 2FA configuration page.
Setting to enable/disable every individual email notification.

Improvements

2FA Policies can now be enforced both by role and to specific users at the same time.
Administrators are redirected to the 2FA settings after completing the wizard.
Standardized the handling and error notifications for the custom from email address and display name placeholders.

Bug fixes

Addressed a number of minor UI issues in the plugin wizard.
Sites excluded in the wizard on multisite networks not excluded in config.
Username was not properly retrieved and shown in the backup code print export.
Users’ grace period database entry was not deleted when admin removed the policies.

1.2.0 (2020-05-06)

Release notes: WP 2FA 1.2: Multisite network support & configurable email templates

New features

Multisite network support.
Configurable email templates.
New setting to also configure the “from email address and display name” for all plugin emails.
Support for redirect after login plugins.

Improvements

Support for custom login pages; user is correctly redirected to enter 2FA code when using one.
Added a “Send another code” button in the email 2FA wizard (in case first email is not received).
If they apply, policies are automatically enforced on newly created user (user is sent an email notification).
2FA policies are enforced if they apply when a user’s role is changed.

Bug fixes

Locked user is sent an email every time there is a login attempt on the account.
Backup codes not generated in some specific scenarios.
Incorrect META title of plugin wizard (Support ticket).

1.0.1 (20200427)

Bug fix

Plugin does not generate backup codes in certain circumstances.

1.0.0 (20200401)

Initial release