=== Digipacket Login Security with Two-Factor Authentication ===
Contributors: digipacket
Tags: two-factor-authentication, 2fa, totp, login-security, brute-force
Requires at least: 6.0
Tested up to: 7.0
Requires PHP: 8.2
Stable tag: 1.0.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Standards-based two-factor authentication (TOTP & e-mail), brute-force lockout, login alerts and an audit log — with no external service.

== Description ==

Digipacket Login Security adds strong, standards-based two-factor authentication to any WordPress site. It uses the TOTP algorithm (RFC 6238), so it works with Google Authenticator, Authy, Microsoft Authenticator, FreeOTP and any standard authenticator app — with **no external service or cloud dependency**. Everything runs on your own server.

= Key features =

* **TOTP** compatible with Google Authenticator and all standard apps.
* **Choice of method** — each user picks an authenticator app (TOTP) or a one-time code sent by e-mail at login.
* **QR Code enrolment** rendered locally on the user profile screen (no external image service).
* **Mandatory code verification** after every login.
* **Single-use backup codes** for account recovery if the device is lost.
* **Brute-force protection** — lock an account after a configurable number of failed attempts, for a configurable duration. Blocks further sign-ins even with the correct password during the lockout window.
* **Security e-mail alerts** — notify the account owner when repeated wrong-password attempts or too many incorrect 2FA codes are detected.
* **Login notifications** — e-mail the user and/or the administrator (per selected roles) with sign-in details (user, date, IP, browser).
* **Login screen warning** — optional full-screen security notice that visitors must accept before signing in.
* **Enforce 2FA by role** with a configurable grace period.
* **Admin reset** of a user's 2FA from the Users list, plus a 2FA status column.
* **Audit log** of all security events with filtering by role or user.
* **Modern admin interface** — dashboard, focused settings tabs and an About page.
* **Translatable** — ships with French (fr_FR) and English.

= Privacy & external services =

By default, Digipacket Login Security does not send any data to external services. All secrets, codes and logs are stored in your own WordPress database, and e-mails are sent through your site's standard `wp_mail()` function.

Optional Telegram notifications (disabled by default): if you enable them and provide your own bot token and chat ID, the plugin sends security-event details (event type, username, IP address, date) to the Telegram Bot API at https://api.telegram.org so the message can be delivered to your chosen Telegram chat. This only happens while the feature is enabled and configured.

* Telegram Bot API: https://core.telegram.org/bots/api
* Telegram Privacy Policy: https://telegram.org/privacy

== Installation ==

1. In WordPress, go to **Plugins → Add New → Upload Plugin**.
2. Select `digipacket-login-security.zip`, click **Install Now**, then **Activate**.
3. Go to **Users → Profile** and enable 2FA on your own account first.
4. Configure site-wide options under **Digipacket Login Security** in the admin menu.

Manual installation: copy the `digipacket-login-security` folder into `wp-content/plugins/` and activate it from the Plugins screen.

== Frequently Asked Questions ==

= Which authenticator apps are supported? =

Any standard TOTP (RFC 6238) app: Google Authenticator, Authy, Microsoft Authenticator, FreeOTP, 1Password, and more.

= Does it work without sending data to a third party? =

Yes. Core 2FA has no external service or cloud dependency — the QR code is generated locally and all data stays on your server. The only optional exception is Telegram notifications, which are disabled by default and only contact api.telegram.org when you enable them with your own bot token (see Privacy & external services).

= A user is locked out. How do I help them? =

Administrators can reset a user's 2FA from the Users list (the "Reset 2FA" row action), allowing them to enrol again.

= My notification e-mails land in spam. =

This is a mail-deliverability matter, not a plugin issue. Configure an SMTP plugin and set up SPF/DKIM/DMARC for your domain so messages are authenticated.

= Does 2FA apply to REST API / XML-RPC / Application Passwords? =

The interactive second factor applies to the browser login form. Non-interactive API authentication intentionally bypasses it — use Application Passwords for programmatic access.

== Screenshots ==

1. Security dashboard with 2FA adoption statistics.
2. Access Policy settings — enforce 2FA by role and configure brute-force lockout.
3. Notifications settings — security alerts and login notifications.
4. Audit log with filtering by role or user.
5. Two-factor enrolment on the user profile screen.

== Changelog ==

= 1.0.1 =
* Fix: on a fresh install, the very first time the settings were saved the values were silently discarded (roles, brute-force options, Telegram token, etc.). Settings now save correctly from the first save.

= 1.0.0 =
* Initial public release.
* TOTP two-factor authentication (RFC 6238) compatible with Google Authenticator and all standard apps, plus an e-mail one-time-code method.
* Local QR-code enrolment and single-use backup codes.
* Enforce 2FA by role with a configurable grace period.
* Configurable brute-force lockout (number of attempts and duration) with real sign-in enforcement.
* Security e-mail alerts for repeated wrong-password attempts and 2FA lockouts.
* Login notifications with sign-in details (user, date, IP, browser), scoped by role, to the user and/or administrator.
* Optional login-screen security warning popup with a customizable message.
* Audit log of security events with filtering by role or user.
* Admin Dashboard "Security Overview" widget.
* Reset 2FA and Ban / Unban actions from the Users list, with status badges.
* Optional Telegram notifications for audit-log events, scoped by role/user, with one-click logout/ban response links.

== Upgrade Notice ==

= 1.0.1 =
Fixes settings not saving on the first save after a fresh install. Recommended for all users.

= 1.0.0 =
First public release of Digipacket Login Security with Two-Factor Authentication.
