=== LoginBerry - 2FA, Passwordless & Email Verification ===
Contributors: berrypress
Tags: two-factor authentication, 2fa, passwordless login, email verification, login security, woocommerce, authentication, account security, multi-factor, otp, login logs, user verification
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 8.0
Stable tag: 1.0.2
License: GNU General Public License version 3 or later
License URI: https://www.gnu.org/licenses/gpl-3.0.html

Complete login security for WordPress & WooCommerce: LoginBerry adds email-based account verification, optional two-factor authentication (2FA), optional passwordless login, and login logging. Settings are under BerryPress → LoginBerry.

== Description ==

LoginBerry bundles **account verification**, **two-factor authentication (2FA)**, **passwordless login**, and **login logs**. Each feature can be enabled or disabled independently. Outgoing codes are delivered by **email**.

The plugin works for standard WordPress sites. When WooCommerce is active, additional customer- and order-related options are available (for example 2FA on the My Account login form and optional account activation tied to orders).

= User-facing behavior (when features are enabled) =

* **Account verification:** After registration, the user signs in and completes activation on the configured activation page using a six-digit code sent by email.
* **Two-factor authentication:** After a successful username and password, the user enters a second code sent by email. Per-role modes are Required, Optional, or Disabled.
* **Passwordless login:** On `wp-login.php`, eligible roles may request a one-time email code instead of entering a password.
* **Login logs:** Success and failure records are listed in the WordPress admin.

Authentication codes are email-based; end users do not install a separate authenticator app for the flows described here.

= Account verification =

* New accounts receive a six-digit activation code by email.
* After fifteen failed activation attempts, the account is locked until an administrator intervenes.
* Administrators can resend codes, activate accounts manually, and unlock accounts from **Users → All Users**.
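
The following is an added sketch, not LoginBerry's own code, of the behavior listed above: a six-digit code, a fixed limit of fifteen failed attempts, and a lock that only an administrator clears. The function names, the array used as per-user state, and the choice to keep the failure count across resends are assumptions made for illustration.

```php
<?php
// Added illustration, not LoginBerry source. State is a plain array here;
// a plugin would persist it per user. Function names are hypothetical.
const MAX_FAILED_ATTEMPTS = 15; // fixed limit stated in this readme

function issue_activation_code(array &$state): string
{
    // random_int() uses the CSPRNG; left-pad so low values keep six digits.
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    // A digest avoids keeping the plain code at rest, but the space is only
    // 10^6 values, so the attempt limit below is the real control.
    $state['hash']   = hash('sha256', $code);
    $state['active'] = false;
    // Assumption: a resend keeps the failure count, so requesting new codes
    // cannot be used to reset the lockout.
    $state['failed'] = $state['failed'] ?? 0;
    $state['locked'] = $state['locked'] ?? false;
    return $code; // delivered by email only
}

function verify_activation_code(array &$state, string $submitted): string
{
    if ($state['locked']) {
        return 'locked'; // cleared only by an administrator unlock
    }
    if ($state['active']) {
        return 'active';
    }
    $ok = preg_match('/\A\d{6}\z/', $submitted) === 1
        && hash_equals($state['hash'], hash('sha256', $submitted)); // constant-time
    if ($ok) {
        $state['active'] = true;
        $state['hash']   = ''; // one-time use
        return 'active';
    }
    if (++$state['failed'] >= MAX_FAILED_ATTEMPTS) {
        $state['locked'] = true;
        $state['hash']   = '';
        return 'locked';
    }
    return 'invalid';
}

// Constructed run: fifteen wrong guesses lock the account, and the correct
// code is then refused as well.
$state = [];
$code  = issue_activation_code($state);
$wrong = $code === '000000' ? '000001' : '000000';
for ($i = 0; $i < MAX_FAILED_ATTEMPTS; $i++) { verify_activation_code($state, $wrong); }
echo verify_activation_code($state, $code), PHP_EOL;
```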

= Two-factor authentication (2FA) =

* Per-role setting: Required, Optional, or Disabled.
* Optional mode allows users to enable 2FA from the profile when permitted by role.
* Supported on `wp-login.php` and on the WooCommerce **My Account** login form.

= Passwordless login =

Let users log in without a password - just enter a username or email and receive a one-time login code. Improves user experience while maintaining strong security through email verification.

* Toggle between password and passwordless login on `wp-login.php`.
* One-time email codes on `wp-login.php`, controlled per role.
* When both passwordless login and 2FA are enabled for the same role, the passwordless flow does not require a separate 2FA step (email possession is already verified).


= WooCommerce =

* Optional automatic account activation when a WooCommerce order is created.
* Optional restriction so that only **paid** orders trigger activation.
* Integration points include classic checkout, block checkout (Store API), and paid-order completion hooks, as implemented in the plugin.

= Login logs =

Monitor all login activity on your site. Essential for detecting suspicious behavior and meeting security compliance requirements for e-commerce stores.

* Records successful and failed login attempts.
* Logs username, email, IP address, and timestamp.
* View all logs in a dedicated admin page with sortable columns.
* Identify patterns of brute force attacks and suspicious login activity.
* Audit trail for security compliance and fraud investigation.

= Admin interface =

* Centralized settings under **BerryPress → LoginBerry**, with separate screens per feature.

= Email templates =

HTML email templates for activation, 2FA, and passwordless login ship in the plugin `templates/` directory. To override, copy the desired template into the active theme or child theme under `templates/loginberry/` (see each template file header for the exact path).

= Email delivery =

Reliable outbound email is required for codes to arrive. Typical setups use the hosting provider’s mail relay, a transactional email API (for example Brevo, Mailchimp Transactional / Mandrill, Postmark, SendGrid, Amazon SES), or a WordPress plugin that sends mail via SMTP or a provider API. Test delivery with a real signup or code request before relying on the feature in production.

= Typical use cases =

* Reducing unwanted or automated registrations and limiting abuse of disposable email addresses.
* Verifying that a customer or member controls the email address on file.
* Adding a second factor after password entry for selected roles.
* Reviewing login success and failure history in the admin.
* WooCommerce: applying optional post-order account activation, including a paid-order-only mode where configured.

= Roadmap =

LoginBerry is a brand new plugin and we are improving it quickly based on real user feedback. If you have ideas, feature requests, or run into a theme-specific styling issue, we would love to hear from you.

Planned work includes:

* Configurable failed-attempt limits (instead of the fixed fifteen for activation lockout)
* Track last login time for each user
* Custom activation page URL
* Custom redirect URL after successful verification
* Rate limiting on code verification attempts
* Social login options
* Improved styling flexibility and theme compatibility

Feedback and compatibility reports are welcome via the plugin support channels. New features are prioritized based on user feedback.

== Installation ==

1. Install LoginBerry from **Plugins → Add New** in WordPress, or upload the ZIP under **Plugins → Add New → Upload Plugin**.
2. Activate the plugin.
3. Open **BerryPress → LoginBerry** and enable the desired features (Account Verification, Two-Factor Auth, Passwordless Login, Login Logs).
4. For account verification, create a page with the slug `account-activate` and add the shortcode `[loginberry_account_activate]`. The Account Verification settings screen includes setup guidance.
5. Send a test code to an administrator account and confirm that email delivery works with your hosting or mail provider configuration.

== Frequently Asked Questions ==

= Do I have to enable every feature? =

No. Each feature is independent. You may enable only the components you need.

= What are the server requirements? =

WordPress 6.0 or newer, PHP 8.0 or newer, and reliable outbound email.

= Why are users not receiving emails? =

The site must be able to send email. Common approaches include the host’s SMTP relay, a transactional email provider, or a WordPress plugin that sends via SMTP or an HTTP API. Verify end-to-end delivery with a test message after any mail configuration change.

= How do I enable two-factor authentication? =

Go to **BerryPress → LoginBerry → Two Factor Auth**, enable the feature, and set each role to Required, Optional, or Disabled.

= How does passwordless login work? =

When enabled for a role, users on `wp-login.php` can request a six-digit code by email instead of entering a password.

= Can I use 2FA and passwordless login together? =

Yes. When both are enabled for the same role, the passwordless login flow skips the separate 2FA step because possession of the email inbox has already been verified.

= Where are the email templates? =

In the plugin `templates/` directory: `activation-email.php`, `2fa-email.php`, `passwordless-login-email.php`. Override by copying to the theme where supported.

= Does it work with all themes? =

The plugin uses clean WordPress markup. Layout may vary slightly depending on theme styles, so if you see any styling quirks, feel free to reach out.

= Does LoginBerry work with WooCommerce? =

Yes. WooCommerce is optional. Without WooCommerce, verification (if enabled), 2FA on `wp-login.php`, passwordless login (if enabled), and login logs remain available. With WooCommerce active, 2FA is also available on the **My Account** login form, and account verification may optionally be tied to order creation, including a **paid orders only** option.

= Does passwordless login work on WooCommerce checkout or arbitrary custom login forms? =

Passwordless login is implemented for the standard WordPress login screen (`wp-login.php`). WooCommerce My Account login supports two-factor authentication as described above; passwordless login on other forms is outside the current scope.

= Can admins activate a user manually? =

Yes. In **Users → All Users** you will see links to activate accounts, resend codes, or unlock accounts.

= Can administrators help users who cannot activate or who are locked? =

Yes. Under **Users → All Users**, administrators can view status, resend codes, activate accounts manually, and unlock locked accounts when applicable.

= What if an administrator is locked out or no other administrator can help? =

Another administrator can usually resolve the issue under **Users → All Users**. If the site cannot be accessed from wp-admin, deactivate the plugin using standard WordPress recovery methods (for example renaming the plugin directory via FTP or SFTP, using WP-CLI where available, editing the `active_plugins` option after a database backup, or WordPress Recovery Mode when applicable).

Deactivating plugins when wp-admin is unavailable: https://wordpress.org/documentation/article/how-to-deactivate-all-plugins-when-not-able-to-access-wp-admin/

== Screenshots ==

1. BerryPress → LoginBerry dashboard and feature overview.
2. Two-factor authentication settings with per-role modes.
3. Account verification settings including WooCommerce order options.
4. Login logs admin list.

== Changelog ==

= 1.0.2 - May 12, 2026 =

* Fixed: "Paid orders only" auto-activation now triggers on the WooCommerce block checkout (Store API), in addition to the classic checkout.

= 1.0.1 - April 17, 2026 =

**Added and changed**

* Two-factor authentication (2FA) via email codes; per-role Required, Optional, or Disabled; supported on `wp-login.php` and WooCommerce My Account login.
* Passwordless login with one-time email codes on `wp-login.php`; when both passwordless and 2FA apply to the same role, the extra 2FA step after passwordless is omitted.
* Login logging with user, email, IP, and timestamp.
* BerryPress → LoginBerry admin area with separate settings pages per feature.
* Optional 2FA enrollment from the user profile when the role uses Optional mode.
* HTML email templates for activation, 2FA, and passwordless login (theme overrides supported).
* WooCommerce: optional automatic customer activation on order creation; optional **paid orders only** mode; hooks for classic checkout, block (Store API) checkout, and paid-order flows.
* Locked activation screen messaging and a log out link after repeated failed activation attempts.
* Default verification behavior for new installs; existing sites retain prior behavior via configuration versioning where applicable.

= 1.0.0 =

* Initial email-based account verification before site access (activation page and shortcode).