=== miniOrange 2FA – Two Factor Authentication for WordPress (OTP, SMS, Email, Google Authenticator) ===
Contributors: twofactor, twofactorauthentication, hsn97, cyberlord92
Tags: 2fa, two-factor-authentication, mfa, authentication, security, wp 2fa
Requires at least: 5.3.0
Tested up to: 7.0
Requires PHP: 5.3.0
Stable tag: 6.2.6
License: Expat
License URI: https://plugins.miniorange.com/mit-license

Protect WordPress logins with Two-Factor Authentication (2FA), MFA, Google Authenticator, Email OTP, SMS OTP, WooCommerce 2FA & passwordless login.

== Description ==

### WordPress Two-Factor Authentication (2FA)

WordPress websites are frequently targeted by brute force attacks, credential stuffing attacks, phishing attempts, and unauthorized login attempts. Passwords alone are no longer sufficient to protect administrator accounts, customer accounts, and sensitive website data.

The miniOrange **2-Factor Authentication** plugin adds an additional layer of security to WordPress logins by requiring users to verify their identity using a second authentication factor. Even if a password is compromised, unauthorized users cannot access accounts without completing the **2FA** verification process.

The plugin supports multiple **Two-Factor Authentication (2FA)** and **Multi-Factor Authentication (MFA)** methods, including **Google Authenticator**, **Microsoft Authenticator**, **Authy**, **Email OTP**, **SMS OTP**, **WhatsApp OTP**, **Telegram OTP**, backup codes, security questions, and hardware token authentication.

Whether you manage a **WooCommerce** store, membership website, LMS platform, enterprise portal, educational institution, government website, or agency-managed environment, **WordPress 2FA** helps secure user accounts and reduce the risk of account compromise.

The **free** plan supports **2FA setup for up to 5 users**. **Premium** removes the user cap and adds enforcement policies, trusted devices, multisite support, custom branding, and more.

---

### Why Use Two-Factor Authentication for WordPress?

**Protect Administrator Accounts**
Administrator accounts are the primary target of attackers. **WordPress Two-Factor Authentication** ensures that only verified users can access administrative dashboards.

**Prevent Unauthorized Access**
Even if passwords are stolen through phishing attacks or data breaches, additional **authentication** requirements help prevent unauthorized access.

**Improve WordPress Login Security**
**WordPress MFA** strengthens login security by combining passwords with additional verification methods.

**Reduce Account Takeover Risks**
**Multi-factor authentication** significantly reduces the likelihood of successful account takeover attempts.

**Secure WooCommerce Customer Accounts**
Protect customer profiles, order information, payment details, and store management accounts using **WooCommerce Two-Factor Authentication**.

Quick Links:
[Setup Guide](https://plugins.miniorange.com/step-by-step-guide-for-wordpress-2-factor-authentication) |
[Features](https://plugins.miniorange.com/2-factor-authentication-for-wordpress-wp-2fa) |
[Pricing Plans](https://plugins.miniorange.com/2-factor-authentication-for-wordpress-wp-2fa#pricing) |
[Support](https://faq.miniorange.com/)

### WordPress 2FA Plugin Explained in Minutes

[youtube https://youtu.be/rE-awZZt13Q]

---

### WordPress 2FA Core Features

miniOrange provides comprehensive **WordPress Two-Factor Authentication** and **Multi-Factor Authentication** capabilities for websites of all sizes.

---

### Google Authenticator and OTP Authentication for WordPress

Secure WordPress logins using multiple **2FA** authentication methods:

- **Google Authenticator** (TOTP-based 2FA)
- **Microsoft Authenticator**
- **Authy Authenticator**
- **Duo Authenticator**
- **LastPass Authenticator**
- **Email OTP** Verification
- **SMS OTP** Verification
- **WhatsApp OTP** Authentication *(Premium)*
- **Telegram OTP** Authentication
- Security Questions (KBA)
- Backup Codes
- Hardware Token Authentication

---

### WordPress MFA Policies and User Authentication

- Enforce **2FA** for all users
- Role-based **authentication** policies
- User-specific **MFA** settings
- Trusted device support
- Grace period configuration
- Backup authentication methods
- Force **2FA** setup on login

---

### WooCommerce Two-Factor Authentication

Protect WooCommerce stores with enhanced login **security** and customer account protection.

- Secure customer accounts with **WooCommerce 2FA**
- Protect store managers and administrators
- Improve customer **WooCommerce login security**
- Compatible with WooCommerce login and account pages

---

### Passwordless Login for WordPress

Allow users to securely access WordPress without traditional passwords.

- Magic Link Login
- OTP Login (without password)
- Email Verification Login

---

### Login Security and Account Protection

Improve overall **WordPress login security** using advanced authentication controls.

- Secure user verification
- Trusted device management
- Backup authentication options
- Account recovery methods
- Strong access control policies
- Login reports & IP alerts
- Custom redirects after login
- Custom SMS gateway integration *(Premium)*
- Custom branding & white labeling *(Premium)*
- Multisite support *(Premium)*

---

### Works with Popular WordPress Plugins

Compatible with:
- WooCommerce
- Elementor
- Ultimate Member
- BuddyPress
- Theme My Login
- LoginPress
- Custom login forms

---

### External Services

Some **2FA** methods require communication with miniOrange services to send or verify OTP, SMS, email, push, or account-related requests. These services are used only when you configure or use the related **2FA** method.

Service links:
[miniOrange Terms](https://www.miniorange.com/usecases/miniOrange_User_Agreement.pdf) |
[miniOrange Privacy Policy](https://www.miniorange.com/privacypolicy)

---

== Installation ==

= Install and Configure WordPress Two-Factor Authentication =

**Step 1: Install the WordPress 2FA Plugin**

1. Go to Plugins → Add New
2. Search for **miniOrange 2FA** or **Two Factor Authentication**
3. Click Install and then Activate the plugin
4. Navigate to the miniOrange **2FA** settings page from the WordPress dashboard

**Step 2: Configure Google Authenticator or OTP Authentication**

5. Select your preferred **2FA** method — **Google Authenticator**, **Microsoft Authenticator**, **Email OTP**, **SMS OTP**, **WhatsApp OTP**, or **Telegram OTP**
6. Complete the verification process and configure your **two-factor authentication** settings
7. Test your **WordPress Two-Factor Authentication** setup

**Step 3: Configure WordPress MFA Policies**

8. Enable **Multi-Factor Authentication** for administrators, editors, customers, or other WordPress user roles
9. Configure role-based **authentication** policies, trusted devices, and backup **2FA** methods
10. Enforce **WordPress 2FA** policies across your website

**Step 4: Configure WooCommerce Two-Factor Authentication** *(optional)*

11. Protect WooCommerce customers, store managers, and administrators with additional **2FA** verification
12. Enable **passwordless login** (Magic Link, Email Verification, or OTP Login) if needed

---

== Frequently Asked Questions ==

= What is Two-Factor Authentication (2FA) in WordPress? =
**Two-Factor Authentication (2FA)** adds a second verification step to the WordPress login process. After entering their password, users must verify their identity using a second factor such as a time-based OTP from **Google Authenticator**, an **Email OTP**, an **SMS OTP**, or another supported **authentication** method. This ensures accounts remain protected even if passwords are compromised.

= What is WordPress Two-Factor Authentication? =
**WordPress Two-Factor Authentication** is a login security mechanism that requires users to provide two forms of identity verification. The miniOrange **2FA** plugin integrates **multi-factor authentication** directly into the WordPress login process, supporting **Google Authenticator**, **Email OTP**, **SMS OTP**, **WhatsApp OTP**, **Telegram OTP**, and more.

= Does this plugin support Google Authenticator? =
Yes. The plugin fully supports **Google Authenticator** and all TOTP-based authenticator apps, including **Microsoft Authenticator**, **Authy**, **Duo**, and **LastPass Authenticator**.

= Does this 2FA plugin support Microsoft Authenticator? =
Yes. The plugin supports **Microsoft Authenticator** and any TOTP-compatible authenticator app for **WordPress two-factor authentication**.

= Can I enforce 2FA for all users? =
You can choose which roles should require **2FA** and which accounts must complete setup. On the **free** plan, up to **5 users** can finish **2FA** setup — enough for small teams and admins. **Premium** removes that limit so you can enforce **multi-factor authentication** across large memberships, stores, and organizations, with added features like trusted devices, stronger enforcement, and multisite support.

= Can I enable 2FA for administrators only? =
Yes. The plugin supports role-based **authentication** policies, allowing you to enforce **2FA** exclusively for administrators, editors, or any specific WordPress user role.

= How do I add 2FA to WordPress? =
Install and activate this plugin, open the miniOrange **2FA** dashboard, choose which users or roles should use **two-factor authentication**, and select a method (**Google Authenticator**, **Email OTP**, **SMS OTP**, and more). The built-in setup wizard walks you through each configuration step.

= Is WordPress 2FA free with this plugin? =
Yes. The free plan includes **2FA** for up to **5 users** (each user who completes setup counts toward the limit). **Premium** unlocks unlimited users plus trusted devices, custom branding, multisite support, and other advanced **authentication** options.

= Does this plugin support WooCommerce Two-Factor Authentication? =
Yes. You can protect **WooCommerce** login and related flows so customers and shop staff complete **2FA** verification wherever you enable it. Full **WooCommerce Two-Factor Authentication** is supported.

= Does this plugin support WhatsApp OTP Authentication? =
Yes. **WhatsApp OTP authentication** is available as a premium **2FA** method. Users receive a one-time password via WhatsApp to complete the **two-factor authentication** process.

= Does this 2FA plugin support Passwordless Login? =
Yes. The plugin supports **passwordless login** for WordPress, including Magic Link Login, **Email OTP** login, and other verification-based login flows that do not require a traditional password.

= What is the difference between Two-Factor Authentication and Multi-Factor Authentication? =
**Two-Factor Authentication (2FA)** uses exactly two verification factors: typically a password plus one additional factor. **Multi-Factor Authentication (MFA)** uses two or more factors and is a broader term. The miniOrange plugin supports both **2FA** and **MFA** configurations for WordPress.

= What if I get locked out? =
You can use backup codes, the email verification recovery option, or disable the plugin via FTP to regain access.

---

== Screenshots ==

1. WordPress Two-Factor (2FA) Authentication Dashboard
2. Google Authenticator setup as Two-step authentication (2FA)
3. miniOrange User Account Details
4. 2-Factor Authentication (2FA) Plugin – Quick Settings
5. Reset User 2FA configuration from the 2FA Plugin
6. Custom Email Templates – Whitelabelling with your Brand | WP 2FA
7. Two-Factor setup for SMS Verification with OTP (WP 2FA Plugin)
8. Test WP 2FA Plugin

== Changelog ==

= 6.2.6 =
* Readme changes.
* Security fixes.

= 6.2.5 =
* Increased the free 2FA setup limit so up to **5 users** can complete two-factor authentication configuration.
* Updated account recovery email behavior so the recovery link can be sent without checking remaining email transactions.
* UI Improvements in 2FA plugin.
* 2FA plugin readme changes.
* Compatibility with WordPress 7.0

= 6.2.4 =
* Bug fixes in WP 2FA plugin
* Readme updates in 2FA plugin

= 6.2.3 =
* Readme updates in 2FA plugin

= 6.2.2 =
* Readme updates in 2FA plugin

= 6.2.1 =
* Security fixes in 2FA plugin
* Readme updates in 2FA plugin

= 6.2.0 =
* UI Updates – 2FA Settings

= 6.1.7 =
* Minor Fixes – 2FA User Profile

= 6.1.5 =
* Security fixes in 2FA plugin
* Code optimization changes

= 6.1.4 =
* Bug fixes – 2FA login flow
* Code optimization changes in WP 2FA

= 6.1.3 =
* Vulnerability fixes – Admin XSS/MITM risk via IP Lookup

= 6.1.2 =
* Vulnerability fixes – Broken Access Control

= 6.1.1 =
* Vulnerability fixes – Session Hijacking & Replay Attack (Google Authentication)

= 6.1.0 =
* UI/UX Improvements – 2FA popups
* Vulnerability fixes – 2FA Bypass and Weak Question & Answer Validation (KBA)
* Bug fixes – Low Transactions Notice
* Added Debug Log Feature
* Setup Guides Links added in Forms tab
* Code optimization in 2FA plugin

= 6.0.9 =
* Bug fixes – 2FA Backup Code Validation

= 6.0.8 =
* Compatibility with WordPress 6.8
* Bug fixes – 2FA Login Transaction Report

= 6.0.7 =
* UI/UX Improvements – miniOrange user Login & Registration form | Sync Transactions button
* Bug fixes – Login Report feature
* Updates – Users' 2FA Status table | .pot file

= 6.0.6 =
* Improvements – 2FA admin dashboard UI/UX
* Auto file inclusion added
* Added separate tab for 2FA reports
* Updated Email Verification popup

= 6.0.5 =
* Updated Button CSS
* Updated Custom Logo Branding on 2FA Popup Settings UI
* General CSS Improvements
* 2FA Pricing Page Removed

= 6.0.4 =
* Improvement – Updated Login Transaction Report UX
* 2FA Pricing Plan updates

= 6.0.3 =
* Bug fixes – Google Authentication CSS-JS loading issue in login

= 6.0.2 =
* Setup Wizard flow changes
* Bug fix in Setup Wizard flow

= 6.0.1 =
* Bug fixes for UI/UX 2FA plugin release

= 6.0.0 =
* Updated UI/UX of the 2FA plugin
* Added configuration for customizations of all email templates
* Added 2FA reconfiguration link via email as backup method
* Added Custom Redirect URL after login
* Extended grace period functionality
* Removed miniOrange and DUO Authenticator 2FA methods

= 5.8.4 =
* Updated jquery jquery.dataTables.min.js version to the latest version
* Bug fixes – Getting error on user account creation on WooCommerce

= 5.8.3 =
* Compatibility with WordPress 6.5
* Fixed redirection issue on activation with WordPress 6.5
* Changed refund Policy link
* Updated miniOrange portal links

= 5.8.2 =
* Bug fix – Log out the users when the grace period is enabled
* Improvement – Added SMTP checks for email verification
* Improvement – Updated UX for Email Verification method
* Fixed – Warnings in the error logs in 2FA

= 5.8.1 =
* Bug fix – Show backup codes to users after configuring Email Verification
* Updated UI for Google Authenticator user configuration screens
* Updated UI of Setup Wizard

= 5.8 =
* Bug fix – 2FA method was getting updated when updating a user on the user-edit page
* Updated UI for OTP over SMS, OTP over Email and OTP over Telegram configuration screens
* Added Email Verification method

= 5.7.5 =
* Compatibility with WordPress 6.4

= 5.7.4 =
* Bug fix – Keep end users' 2FA configuration when the plugin is deactivated
* Bug fix – Attempts left for the OTP-based methods
* Bug fix – Display App Key for Google Authenticator in 2FA inline registration

= 5.7.3 =
* Bug fixes for registration forms
* Compatibility with WordPress 6.3

= 5.7.2 =
* Updated flow of 2FA on registration form
* Minor bug fixes

= 5.7.1 =
* Fixes: User can configure/reconfigure/reset cloud method, SMS transactions credited on registration, fixed email sync issue
* Added: Resend OTP button – SMS, Telegram, Email OTP method
* Improvement: Forced reconfiguration after backup code login, 2FA prompt if TOTP is unset for admins

For older changelog entries, please see the [additional changelog.txt file](https://plugins.svn.wordpress.org/miniorange-2-factor-authentication/trunk/changelog.txt) provided with the plugin.

== Upgrade Notice ==

= 6.2.6 =
* Readme changes.
* Security fixes.

= 6.2.5 =
* Increased the free 2FA setup limit so up to **5 users** can complete two-factor authentication configuration.
* Updated account recovery email behavior so the recovery link can be sent without checking remaining email transactions.
* UI Improvements in 2FA plugin.
* 2FA plugin readme changes.
* Compatibility with WordPress 7.0

= 6.2.4 =
* Bug fixes in WP 2FA plugin
* Readme updates in 2FA plugin

= 6.2.3 =
* Readme updates in 2FA plugin

= 6.2.2 =
* Readme updates in 2FA plugin

= 6.2.1 =
* Security fixes in 2FA plugin
* Readme updates in 2FA plugin

= 6.2.0 =
* UI Updates – 2FA Settings

= 6.1.7 =
* Minor Fixes – 2FA User Profile

= 6.1.5 =
* Security fixes in 2FA plugin
* Code optimization changes

= 6.1.4 =
* Bug fixes – 2FA login flow
* Code optimization changes in WP 2FA

= 6.1.3 =
* Vulnerability fixes – Admin XSS/MITM risk via IP Lookup

= 6.1.2 =
* Vulnerability fixes – Broken Access Control

= 6.1.1 =
* Vulnerability fixes – Session Hijacking & Replay Attack (Google Authentication)

= 6.1.0 =
* UI/UX Improvements – 2FA popups
* Vulnerability fixes – 2FA Bypass and Weak Question & Answer Validation (KBA)
* Bug fixes – Low Transactions Notice
* Added Debug Log Feature
* Setup Guides Links added in Forms tab
* Code optimization in 2FA plugin

= 6.0.9 =
* Bug fixes – 2FA Backup Code Validation

= 6.0.8 =
* Compatibility with WordPress 6.8
* Bug fixes – 2FA Login Transaction Report

= 6.0.7 =
* UI/UX Improvements – miniOrange user Login & Registration form | Sync Transactions button
* Bug fixes – Login Report feature
* Updates – Users' 2FA Status table | .pot file

= 6.0.6 =
* Improvements – 2FA admin dashboard UI/UX
* Auto file inclusion added
* Added separate tab for 2FA reports
* Updated Email Verification popup

= 6.0.5 =
* Updated Button CSS
* Updated Custom Logo Branding on 2FA Popup Settings UI
* General CSS Improvements
* 2FA Pricing Page Removed

= 6.0.4 =
* Improvement – Updated Login Transaction Report UX
* 2FA Pricing Plan updates

= 6.0.3 =
* Bug fixes – Google Authentication CSS-JS loading issue in login

= 6.0.2 =
* Setup Wizard flow changes
* Bug fix in Setup Wizard flow

= 6.0.1 =
* Bug fixes for UI/UX 2FA plugin release

= 6.0.0 =
* Updated UI/UX of the 2FA plugin
* Added configuration for customizations of all email templates
* Added 2FA reconfiguration link via email as backup method
* Added Custom Redirect URL after login
* Extended grace period functionality
* Removed miniOrange and DUO Authenticator 2FA methods

= 5.8.4 =
* Updated jquery jquery.dataTables.min.js version to the latest version
* Bug fixes – Getting error on user account creation on WooCommerce

= 5.8.3 =
* Compatibility with WordPress 6.5
* Fixed redirection issue on activation with WordPress 6.5
* Changed refund Policy link
* Updated miniOrange portal links

= 5.8.2 =
* Bug fix – Log out the users when the grace period is enabled
* Improvement – Added SMTP checks for email verification
* Improvement – Updated UX for Email Verification method
* Fixed – Warnings in the error logs in 2FA

= 5.8.1 =
* Bug fix – Show backup codes to users after configuring Email Verification
* Updated UI for Google Authenticator user configuration screens
* Updated UI of Setup Wizard

= 5.8 =
* Bug fix – 2FA method was getting updated when updating a user on the user-edit page
* Updated UI for OTP over SMS, OTP over Email and OTP over Telegram configuration screens
* Added Email Verification method

= 5.7.5 =
* Compatibility with WordPress 6.4

= 5.7.4 =
* Bug fix – Keep end users' 2FA configuration when the plugin is deactivated
* Bug fix – Attempts left for the OTP-based methods
* Bug fix – Display App Key for Google Authenticator in 2FA inline registration

= 5.7.3 =
* Bug fixes for registration forms
* Compatibility with WordPress 6.3

= 5.7.2 =
* Updated flow of 2FA on registration form
* Minor bug fixes

= 5.7.1 =
* Fixes: User can configure/reconfigure/reset cloud method, SMS transactions credited on registration, fixed email sync issue
* Added: Resend OTP button – SMS, Telegram, Email OTP method
* Improvement: Forced reconfiguration after backup code login, 2FA prompt if TOTP is unset for admins
