=== Configify 2FA ===
Contributors: configify, bhumiitpath
Tags: two-factor authentication, 2fa, security, login, woocommerce
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Flexible Two-Factor Authentication for WordPress. Choose Google Authenticator (TOTP), Math CAPTCHA, or Google reCAPTCHA — with a security audit log.

== Description ==

Configify 2FA adds Two-Factor Authentication to every important action on your WordPress site, all configurable from a single settings page.

Choose the method that fits your audience:

* **Google Authenticator (TOTP)** — RFC 6238 compliant. Works with Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and any TOTP app.
* **Math CAPTCHA** — Server-side arithmetic challenge. No external dependencies. Works offline.
* **Google reCAPTCHA** — v2 (checkbox) or v3 (invisible, score-based).

Protect any combination of:

* **Login** — wp-login.php and WooCommerce login form.
* **Registration** — Default WordPress and WooCommerce sign-up.
* **Forgot Password** — Password reset request form.
* **Change / Reset Password** — Profile page and WooCommerce account update.
* **Comment Submission** — WordPress comment form (logged-in and guest).

= What Makes Configify 2FA Different =

* **Security Audit Dashboard** — Every 2FA event (success, failure, lockout, setup, method change) is recorded with username, IP address, user agent, and timestamp. Filter, search, and export to CSV directly from your admin panel.
* **Trusted Device Memory** — After verifying, users can choose to trust their current device for a set number of days. Subsequent logins from that device skip the 2FA step. Tokens are cryptographically random and bound to the user agent. Admins can revoke trusted devices per user from the profile screen.
* **Backup Codes** — Generate 8 one-time emergency codes so a lost phone never means a locked account. Copy or print them directly from the settings page.
* **Brute-Force Lockout** — Repeated 2FA failures trigger a configurable lockout by user and IP address to stop automated attacks.
* **Email OTP Fallback** — When TOTP is active but a user has not yet set up their authenticator app, a 6-digit one-time code is sent to their email address as a fallback.
* **Per-Role Enforcement** — Require 2FA only for Administrators, Editors, or any custom role. Leave all unchecked to apply to every role.
* **WooCommerce Support** — Hooks into WooCommerce login, registration, lost password, and account password change, not just the default WordPress forms.
* **Users List 2FA Status Column** — See at a glance which users have 2FA configured directly from the Users list in wp-admin.

= Security Details =

* **Pure PHP TOTP** — No third-party library dependency. Secrets are stored in WordPress user-meta and never exposed in plain text.
* **Server-side Math CAPTCHA** — Answers stored in transients with a 10-minute TTL and consumed on first use.
* **Expiring Sessions** — Pending login sessions are stored in a custom database table, expire after 10 minutes, and are purged daily via WP-Cron.
* **Hashed Device Tokens** — Trusted device tokens are cryptographically random (48 characters), hashed with wp_hash() before storage, and bound to the user agent string.
* **Nonce Protection** — All form submissions require a WordPress nonce in addition to the 2FA challenge.
* **Clock-Skew Tolerance** — TOTP verification includes a tolerance of plus or minus two 30-second windows to account for imprecise device clocks.

== External Services ==

This plugin connects to the following external services. No data is ever sent to Configify servers.

= Google reCAPTCHA =

This plugin can use Google reCAPTCHA to protect forms. It is only active when the admin selects reCAPTCHA as the 2FA method.

It sends the user's IP address and a browser interaction token to Google's servers each time a protected form is submitted.

This service is provided by Google LLC: [Terms of Service](https://policies.google.com/terms), [Privacy Policy](https://policies.google.com/privacy).

= goQR.me QR Code API =

This plugin uses the goQR.me API (api.qrserver.com) to generate QR code images for Google Authenticator setup. It is only used when a user clicks "Generate QR Code" on the Settings page while TOTP is the active method.

It sends the TOTP URI — which contains the site name, the user's email address, and the TOTP secret — to api.qrserver.com to generate the QR code image. The service does not store or log QR code contents. The generated image is cached for approximately 30 seconds and then deleted.

This service is provided by goQR.me: [Terms of Service](https://goqr.me/legal/tos-api.html), [Privacy Policy](https://goqr.me/privacy-safety-security/).

== WooCommerce Compatibility ==

Configify 2FA integrates with WooCommerce out of the box with no additional configuration. It hooks into:

* woocommerce_process_login_errors
* woocommerce_process_registration_errors
* woocommerce_lostpassword_form
* woocommerce_edit_account_form
* woocommerce_save_account_details_errors

== Privacy ==

Configify 2FA stores the following data locally on your server:

* **TOTP secret and confirmation flag** — stored in wp_usermeta.
* **Trusted device token hashes and expiry timestamps** — stored in wp_usermeta.
* **Pending session tokens** — stored in a custom table (wp_c2fa_sessions), deleted automatically after 10 minutes.
* **Security audit log entries** — stored in a custom table (wp_c2fa_audit_log), pruned automatically after the configured retention period (default 90 days).

All data is removed when the plugin is deleted (via uninstall.php).

== Installation ==

1. Upload the configify-2fa folder to /wp-content/plugins/, or install via the WordPress admin plugin uploader.
2. Activate the plugin via Plugins > Installed Plugins.
3. Go to Settings > Configify 2FA and choose your 2FA method.
4. Enable the actions you want to protect and click Save Settings.

= Google Authenticator Setup =

1. Select Google Authenticator (TOTP) as the active method.
2. Click Generate QR Code on the Settings page — no save required first.
3. Scan the QR code with any TOTP app and enter the first 6-digit code to confirm.
4. Future logins will require the 6-digit code from the app.

= Google reCAPTCHA Setup =

1. Obtain a free site key and secret key at https://www.google.com/recaptcha/admin/create
2. Select Google reCAPTCHA as the active method.
3. Enter your keys under the Google reCAPTCHA Options section and save.

== Frequently Asked Questions ==

= Can I use multiple 2FA methods at once? =

No. One method is active site-wide. This keeps the user experience consistent. Different methods per role may be considered for a future release.

= What happens if a user loses their phone or authenticator app? =

They can use one of their backup codes to log in. An admin can also go to Users > Edit User > Two-Factor Authentication and reset their TOTP. The user will then receive an email one-time code on their next login if the email fallback option is enabled.

= Does TOTP work offline? =

Yes. TOTP codes are generated locally in the authenticator app using a shared secret and the current time. No internet connection is needed after the initial setup scan.

= Does it work with WooCommerce? =

Yes. All five protected actions (login, registration, forgot password, change password, comment submission) hook into WooCommerce equivalents automatically.

= Is it compatible with caching plugins? =

Yes. The 2FA verification pages are handled dynamically and are not cached. Math CAPTCHA tokens are stored server-side, not in the page output.

= Will activating this plugin lock me out? =

No. The plugin only activates 2FA on the specific actions you enable. If you accidentally lock yourself out with TOTP, use a backup code or have another administrator reset your TOTP from Users > Edit User.

= Is Google reCAPTCHA GDPR compliant? =

Google reCAPTCHA sends the user's IP address and browser data to Google. You may need to disclose this in your site's privacy policy. The Math CAPTCHA method involves no external data transfers.

= Does the plugin send data to Configify servers? =

No. No data of any kind is sent to Configify servers. See the External Services section above for full details on what external connections the plugin can make.

== Screenshots ==

1. Settings page — choose your 2FA method
2. Protected actions and role restrictions
3. Google Authenticator setup with QR code
4. Backup codes — generate, copy, or print
5. Security audit log with search and CSV export
6. Smarter Security, Less Friction — Trusted Device and Brute-Force Lockout settings
7. 2FA verification screen on wp-login.php

== Changelog ==

= 1.0.0 =
* Initial release.
* Google Authenticator (TOTP), Math CAPTCHA, and Google reCAPTCHA v2/v3 methods.
* Protects login, registration, forgot password, change password, and comment submission.
* WooCommerce integration for all protected actions.
* Security audit log with CSV export.
* Trusted device memory — remember a verified device for a configurable number of days.
* Backup codes — 8 one-time emergency codes per user.
* Brute-force lockout after configurable failed attempts.
* Email OTP fallback for TOTP when app not yet configured.
* Per-role enforcement.
* Users list 2FA status column.
* Full uninstall cleanup.

== Upgrade Notice ==

= 1.0.0 =
Initial release.