=== miniOrange 2FA – Two Factor Authentication for WordPress (OTP, SMS, Email, Google Authenticator) ===
Contributors: twofactor, twofactorauthentication, hsn97, cyberlord92
Tags: 2fa, two-factor-authentication, mfa, google-authenticator, wordpress-2fa
Requires at least: 3.0.1
Tested up to: 7.0
Requires PHP: 5.3.0
Stable tag: 6.2.5
License: Expat
License URI: https://plugins.miniorange.com/mit-license

Add 2FA to WordPress login with OTP, SMS, Email, and authenticator apps. Free plan supports setup for up to 5 users.

== Description ==

### Two Factor Authentication (2FA) for WordPress

Secure your WordPress login with powerful **Two Factor Authentication (2FA)**.

miniOrange 2FA plugin protects your website from brute-force attacks, password leaks, and unauthorized access using OTP, SMS, Email, and Authenticator apps like Google Authenticator.

Improve your **WordPress login security** with **multi-factor authentication (MFA)** by adding a second verification step after password login. The **free** plan allows **up to 5 users** to complete 2FA setup on your site; **premium** removes that cap and adds advanced enforcement (trusted devices, multisite, branding, and more).

Set up **2FA for WordPress** in minutes for admins, editors, and customers where you enable it.

Enable **2FA** on standard **wp-login**, **WooCommerce** login, and **custom login forms**—each login can require a second factor for users who have completed setup (subject to your role and user limits on free).

- Easy setup wizard
- Multiple 2FA methods including OTP, SMS, Email, and authenticator apps
- Works with WordPress login, WooCommerce login, and many custom login forms
- Suitable for blogs, business sites, WooCommerce stores, and enterprise sites

Quick Links:
[Setup Guide](https://plugins.miniorange.com/step-by-step-guide-for-wordpress-2-factor-authentication) |
[Features](https://plugins.miniorange.com/2-factor-authentication-for-wordpress-wp-2fa) |
[Support](https://faq.miniorange.com/)

---

### WordPress 2FA Login Security

Widely used on WordPress sites to strengthen login authentication and help prevent unauthorized access.

---

### Why Use Two Factor Authentication (2FA)?

Passwords alone are not secure anymore.

Adding **2FA to WordPress login**:
- Prevents brute-force attacks  
- Protects against password leaks  
- Secures admin & user accounts  
- Adds an extra verification layer  
- Strengthens overall WordPress login security  

---

### Key Features of miniOrange WordPress 2FA Plugin

- **Free 2FA for up to 5 users** (complete setup per user; premium for unlimited)
- **Multiple 2FA methods** – OTP, SMS, Email, Authenticator Apps  
- **Google Authenticator & TOTP support**
- **Backup login methods (backup codes, email links)**
- **Role-based 2FA enforcement**
- **Step-by-step setup wizard**
- **Custom login form support**
- **WooCommerce & popular plugin compatibility**
- **Login reports & IP alerts**
- **Custom redirects after login**
- **Passwordless login support (OTP login without password)**

---

### Supported 2FA Authentication Methods

#### Authenticator Apps (TOTP-based 2FA)
- Google Authenticator  
- Microsoft Authenticator  
- Authy Authenticator  
- Duo Authenticator  
- LastPass Authenticator  

#### OTP-Based Authentication
- OTP via Email  
- OTP via SMS  
- OTP via WhatsApp *(Premium)*  
- OTP via Telegram  
- Email verification link  
- Security questions  

---

### 2FA for WordPress Websites

Ideal for:

- WordPress admins securing wp-login  
- WooCommerce stores protecting customer accounts  
- Membership websites  
- LMS / eLearning platforms  
- Agencies managing client websites  
- Corporate & enterprise WordPress security  

---

### Advanced 2FA Features (Premium)

- Enforce 2FA for all users  
- Trusted devices (remember user devices)  
- Passwordless login (OTP login)  
- Role-based policies  
- Custom branding & white labeling  
- Multisite support  
- Custom SMS gateway integration  
- Session & access control  
- Force 2FA setup on login  

---

### Easy 2FA Setup

1. Install & activate plugin  
2. Choose users/roles for 2FA  
3. Select authentication method  
4. Done! Your WordPress login is secured  

---

### Works with Popular WordPress Plugins

Compatible with:
- WooCommerce  
- Elementor  
- Ultimate Member  
- BuddyPress  
- Theme My Login  
- LoginPress  
- Custom login forms  

---

### Why Choose miniOrange 2FA

miniOrange 2FA provides several authentication methods in one plugin, including OTP, authenticator apps, email verification, SMS, WhatsApp, and Telegram options. It also supports WooCommerce and many custom login forms, helping site owners add 2FA login security across common WordPress login flows.

---

### External Services

Some 2FA methods require communication with miniOrange services to send or verify OTP, SMS, email, push, or account-related requests. These services are used only when you configure or use the related 2FA method.

Service links:
[miniOrange Terms](https://www.miniorange.com/usecases/miniOrange_User_Agreement.pdf) |
[miniOrange Privacy Policy](https://www.miniorange.com/privacypolicy)

### Video Guide

[youtube https://youtu.be/rE-awZZt13Q]

---

== Installation ==

1. Go to Plugins → Add New  
2. Search for **miniOrange 2FA**  
3. Install & activate  
4. Configure from plugin dashboard  

---

== Frequently Asked Questions ==

### What is 2FA in WordPress?
Two Factor Authentication (2FA) adds an extra login step (OTP or approval) to secure WordPress accounts.

### Does this plugin support Google Authenticator?
Yes, it fully supports Google Authenticator and all TOTP-based apps.

### Can I enforce 2FA for all users?
You choose which **roles** should use 2FA and which accounts complete setup. On the **free** plan, only **up to 5 users** can finish 2FA setup on your site at a time—enough for many small teams. **Premium** removes that user limit so you can scale 2FA to large memberships, stores, and organizations, with extras like trusted devices, stronger enforcement options, and multisite support.

### How do I add 2FA to WordPress?
Install and activate this plugin, open the miniOrange 2FA dashboard, choose which users or roles should use **2FA**, and pick a method (Authenticator app, email OTP, SMS, and more). The built-in setup wizard walks you through configuration step by step.

### Is WordPress 2FA free with this plugin?
Yes. The free plan includes **2FA** for **up to 5 users** (each user who completes setup counts toward the limit). **Premium** unlocks **unlimited users** plus trusted devices, custom branding, multisite, and other advanced options.

### Does this plugin support WooCommerce 2FA?
Yes. You can protect **WooCommerce** login and related flows so customers and shop staff use **2FA** wherever you enable it.

### What if I get locked out?
You can use backup codes, email verification, or disable the plugin via FTP.

---

== Screenshots ==

1. 2FA setup for Admins
2. Google Authenticator Setup as Two-Step Authentication
3. miniOrange User Account Details
4. 2-Factor Authentication plugin: Quick Settings
5. Reset Users 2FA from the plugin
6. Custom Email Templates - Whitelabelling with your Brand
7. Two-factor setup for SMS Verification with OTP

== Changelog ==

= 6.2.5 =
* Increased the free 2FA setup limit so up to **5 users** can complete two-factor authentication configuration.
* Updated account recovery email behavior so the recovery link can be sent without checking remaining email transactions.
* UI Improvements.
* Readme changes.
* Compatibility with WordPress 7.0

= 6.2.4 =
* Bug fixes
* Readme Updates

= 6.2.3 =
* Readme Updates

= 6.2.2 =
* Readme Updates

= 6.2.1 =
* Security Fixes
* Readme Updates

= 6.2.0 =
* UI Updates - 2FA Settings

= 6.1.7 =
* Minor Fixes - 2FA User Profile 

= 6.1.5 =
* Security Fixes 
* Code Optimization Changes

= 6.1.4 =
* Bug Fixes - 2FA Login flow
* Code Optimization Changes

= 6.1.3 =
* Vulnerability Fixes - Admin XSS/MITM risk via IP Lookup

= 6.1.2 =
* Vulnerability Fixes - Broken Access Control

= 6.1.1 =
* Vulnerability Fixes - Session Hijacking & Replay Attack (Google Authentication)

= 6.1.0 =
* UI/UX Improvements - 2FA popups
* Vulnerability Fixes - 2FA Bypass and Weak Question & Answer Validation (KBA)
* Bug Fixes - Low Transactions Notice
* Added Debug Log Feature 
* Setup Guides Links added in Forms tab
* Code Optimization 

= 6.0.9 =
* Bug Fixes - 2FA Backup Code Validation

= 6.0.8 =
* Compatibility with WordPress 6.8
* Bug Fixes - 2FA Login Transaction Report

= 6.0.7 =
* UI/UX Improvements - miniOrange user Login & Registration form | Sync Transactions button
* Bug Fixes - Login Report feature
* Updates - Users' 2FA Status table | .pot file

= 6.0.6 =
* Improvements - 2FA admin dashboard UI/UX
* Auto file inclusion added
* Added Separate tab for 2FA reports
* Updated Email Verification popup

= 6.0.5 =
* Updated Button CSS
* Updated Custom Logo Branding on 2FA Popup Settings UI
* General CSS Improvements
* 2FA Pricing Page Removed

= 6.0.4 =
* Improvement - Updated Login Transaction Report UX
* 2FA Pricing Plan updates

= 6.0.3 =
* Bug Fixes - Google Authentication CSS-JS loading issue in login

= 6.0.2 =
* Setup Wizard flow changes.
* Bug Fix in Setup Wizard flow.

= 6.0.1 =
* Bug fixes for UI/UX plugin release

= 6.0.0 =
* Updated UI/UX of the plugin
* Added configuration for customizations of all email templates
* Added 2FA reconfiguration link via email as backup method
* Added Custom Redirect URL after login
* Extended grace period functionality
* Removed miniOrange and DUO Authenticator 2FA methods

= 5.8.4 =
* Updated jquery jquery.dataTables.min.js version to the latest version
* Bug fixes- Getting error on user account creation on WooCommerce

= 5.8.3 =
* Compatibility with WordPress 6.5
* Fixed redirection issue on activation with WordPress 6.5
* Changed refund Policy link
* Updated miniOrange portal links

= 5.8.2 =
* Bug Fix- Log out the users when the grace period is enabled
* Improvement- Added SMTP checks for email verification 
* Improvement- Updated UX for Email Verification method
* Fixed- Warnings in the error logs

= 5.8.1 =
* Bug Fix- Show backup codes to users after configuring Email Verification
* Updated UI for Google Authenticator user configuration screens
* Updated UI of Setup Wizard

= 5.8 =
* Bug fix- 2FA method was getting updated when updating a user on the user-edit page
* Updated UI for OTP over SMS, OTP over Email and OTP over Telegram configuration screens
* Added Email Verification method

= 5.7.5 =
* Compatibility with WordPress 6.4

= 5.7.4 =
* Bug fix- Keep end users' 2FA configuration when the plugin is deactivated
* Bug fix- Attempts left for the OTP-based methods
* Bug fix- Display App Key for Google authenticator in 2FA inline registration

= 5.7.3 =
* Bug fixes for registration forms
* Compatibility with WordPress 6.3

= 5.7.2 =
* Updated flow of 2FA on registration form
* Minor bug fixes

= 5.7.1 =
* Fixes:User can configure/reconfigure/reset cloud method,SMS transactions credited on registration,fixed email sync issue
* Added:Resend OTP button-SMS,Telegram,Email OTP method
* Improvement:Forced reconfiguration after backup code login,2FA prompt if TOTP is unset for admins

= 5.7.0 =
* Code Improvements according to WPCS
* Feature Improvement - Added role-based checks for login through new IP
* Improvement - Error handling for account creation

= 5.6.6 =
* Fixes:Redirection issue for users in Multisite environment
* Improvements-Removed External links from Google Authenticator,Mobile responsiveness of setup wizard,SMS/Email verification on PaidMembership Proform
* Updated Pricing plan,Add SMS notification/button check,feedback form
* Advertised OTP over WhatsApp

= 5.6.5 =
* Google Authenticator - Two-Factor Authentication - 2FA, OTP :
* Bug fix - Save template for notifications on email
* Bug fix - Error in SMS authentication setup through plugin dashboard
* Updated Network Security removal notice message

= 5.6.4 =
* Google Authenticator - Two-Factor Authentication - 2FA, OTP :
* Bug fix - headers already sent in messages.php

= 5.6.3 =
* Google Authenticator - Two-Factor Authentication - 2FA, OTP :
* Skip-2 factor option removed from the inline setup
* Backup code button will always be shown
* Added login form and theme fields in the trial request form
* CSS-JS version added for all scripts and styles respectively
* Autofocus for many input fields and submit the form when Enter is hit

= 5.6.2 =
* Google Authenticator - Two-Factor Authentication - 2FA, OTP :
* Vulnerability fixes
* Removed Network Security for new users
* Updated Pricing page UI

= 5.6.1 =
* Google Authenticator - Two-Factor Authentication 2FA, OTP :
* Bug fix- Headers already sent
* Added SMTP check for sending backup codes on 2fa prompt

For older changelog entries, please see the [additional changelog.txt file](https://plugins.svn.wordpress.org/miniorange-2-factor-authentication/trunk/changelog.txt) provided with the plugin.

== Upgrade Notice ==

= 6.2.5 =
* Increased the free 2FA setup limit so up to **5 users** can complete two-factor authentication configuration.
* Updated account recovery email behavior so the recovery link can be sent without checking remaining email transactions.
* UI Improvements.
* Readme changes.
* Compatibility with WordPress 7.0

= 6.2.4 =
* Bug fixes
* Readme Updates

= 6.2.3 =
* Readme Updates

= 6.2.2 =
* Readme Updates

= 6.2.1 =
* Security Fixes
* Readme Updates

= 6.2.0 =
* UI Updates - 2FA Settings

= 6.1.7 =
* Minor Fixes - 2FA User Profile

= 6.1.5 =
* Security Fixes 
* Code Optimization Changes

= 6.1.4 =
* Bug Fixes - 2FA Login flow
* Code Optimization Changes

= 6.1.3 =
* Vulnerability Fixes - Admin XSS/MITM risk via IP Lookup

= 6.1.2 =
* Vulnerability Fixes - Broken Access Control

= 6.1.1 =
* Vulnerability Fixes - Session Hijacking & Replay Attack (Google Authentication)

= 6.1.0 =
* UI/UX Improvements - 2FA popups
* Vulnerability Fixes - 2FA Bypass and Weak Question & Answer Validation (KBA)
* Bug Fixes - Low Transactions Notice
* Added Debug Log Feature 
* Setup Guides Links added in Forms tab
* Code Optimization

= 6.0.9 =
* Bug Fixes - 2FA Backup Code Validation

= 6.0.8 =
* Compatibility with WordPress 6.8
* Bug Fixes - 2FA Login Transaction Report

= 6.0.7 =
* UI/UX Improvements - miniOrange user Login & Registration form | Sync Transactions button
* Bug Fixes - Login Report feature
* Updates - Users' 2FA Status table | .pot file

= 6.0.6 =
* Improvements - 2FA admin dashboard UI/UX
* Auto file inclusion added
* Added Separate tab for 2FA reports
* Updated Email Verification popup

= 6.0.5 =
* Updated Button CSS
* Updated Custom Logo Branding on 2FA Popup Settings UI
* General CSS Improvements
* 2FA Pricing Page Removed

= 6.0.4 =
* Improvement - Updated Login Transaction Report UX
* 2FA Pricing Plan updates

= 6.0.3 =
* Bug Fixes - Google Authentication CSS-JS loading issue in login

= 6.0.2 =
* Setup Wizard flow changes.
* Bug Fix in Setup Wizard flow.

= 6.0.1 =
* Bug fixes for UI/UX plugin release

= 6.0.0 =
* Updated UI/UX of the plugin
* Added configuration for customizations of all email templates
* Added 2FA reconfiguration link via email as backup method
* Added Custom Redirect URL after login
* Extended grace period functionality
* Removed miniOrange and DUO Authenticator 2FA methods

= 5.8.4 =
* Updated jquery jquery.dataTables.min.js version to the latest version
* Bug fixes- Getting error on user account creation on WooCommerce

= 5.8.3 =
* Compatibility with WordPress 6.5
* Fixed redirection issue on activation with WordPress 6.5
* Changed refund Policy link
* Updated miniOrange portal links

= 5.8.2 =
* Bug Fix- Log out the users when the grace period is enabled
* Improvement- Added SMTP checks for email verification authentication
* Improvement- Updated UX for Email Verification method
* Fixed- Warnings in the error logs

= 5.8.1 =
* Bug Fix- Show backup codes to users after configuring Email Verification
* Updated UI for Google Authenticator user configuration screens
* Updated UI of Setup Wizard

= 5.8 =
* Bug fix- 2FA method was getting updated when updating a user on the user-edit page
* Updated UI for OTP over SMS, OTP over Email and OTP over Telegram configuration screens
* Added Email Verification authentication method

= 5.7.5 =
* Compatibility with WordPress 6.4

= 5.7.4 =
* Bug fix- Keep end users' 2FA configuration when the plugin is deactivated
* Bug fix- Attempts left for the OTP-based methods
* Bug fix- Display App Key for Google authenticator in 2FA inline registration

= 5.7.3 =
* Bug fixes for registration forms
* Compatibility with WordPress 6.3

= 5.7.2 =
* Updated flow of 2FA on registration form
* Minor bug fixes

= 5.7.1 =
* Fixes:User can configure/reconfigure/reset cloud method,SMS transactions credited on registration,fixed email sync issue
* Added:Resend OTP button-SMS,Telegram,Email OTP method
* Improvement:Forced reconfiguration after backup code login,2FA prompt if TOTP is unset for admins