=== Super Duper Two-Factor Login ===
Contributors: rogerruckstuhl
Tags: two-factor, 2fa, totp, login, security
Requires at least: 6.8
Tested up to: 6.9
Requires PHP: 8.0
Stable tag: 2.5.11
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Two-factor authentication for WordPress – TOTP & email, backup codes, recovery keys, trusted devices, role-based enforcement, privacy hardening.

== Description ==
**Super Duper Two-Factor Login** adds robust two-factor authentication to your WordPress site. Unlike many alternatives, this plugin is completely free – no hidden costs, no premium tiers, no upsells. Every feature is included from the start.

🇨🇭🇩🇪🇦🇹 *Hinweis für DACH-Nutzer: Plugin und Support sind auf Deutsch (Schweiz/Deutschland/Österreich) verfügbar. Alle Texte und Einstellungen sind vollständig auf Deutsch übersetzt.*

**Fully translated out of the box** in German (Switzerland, Germany, Austria), English, French, Spanish, Italian and Dutch – no separate language pack required.

= Two Verification Methods =

* **TOTP (Authenticator App)** – Works with Google Authenticator, FreeOTP+, Authy, Microsoft Authenticator, and any TOTP-compatible app. Setup via QR code or manual key entry.
* **Email** – Receive a 6-digit code via email on every login. No smartphone required.

= Comprehensive Fallback System =

* **10 Backup Codes** – One-time emergency codes in case you lose your phone. Copy, download, print, or email them to yourself.
* **Administrator Recovery Key** – Each admin receives a personal 32-character key during setup. Works even when all backup codes are used up.
* **FTP Emergency Recovery** – As a last resort, create an empty file named `.sdtfa-recovery` in `wp-content/` via FTP. Temporarily disables 2FA for all administrators. Admins are notified hourly by email.

= Enforcement & Trust =

* **Role-Based Enforcement** – Require 2FA for administrators, editors, subscribers, or any role.
* **Grace Period** – Set a deadline so users have time to set up 2FA before enforcement kicks in.
* **Hard Enforcement** – Without a grace period, users must complete 2FA setup on the login page before gaining any access.
* **Enforcement Areas** – Choose where to enforce: admin area, WooCommerce account, checkout, or entire site.
* **Trust This Device** – Users can save their computer so the 2FA code isn't required on every login. Configurable duration (1–365 days).

= Integration =

* **WooCommerce** – Adds a "Two-Factor Authentication" tab to the My Account page. Enforce 2FA for the account area and checkout.
* **Shortcode** – Display the user's 2FA status anywhere with `[sdtfa_status]`.
* **Setup Reminder** – A dismissable admin notice with a "Set up now" button. No auto-popups; users open the setup flow only by clicking.

= Security =

* AES-256-GCM encryption for TOTP secrets at rest
* Secure HttpOnly cookies for trusted devices
* Hashed token storage (never stored in plain text)
* No external dependencies – everything runs locally in pure PHP
* No external API calls, no tracking, no data collection

= Privacy & Hardening (optional) =

* **Hide user data in REST API** – Replace sensitive user fields (name, slug, link, avatar) with neutral values for unauthenticated requests. The REST endpoint stays reachable for SEO and import tools, but anonymous visitors no longer see real display names. Uses a strict whitelist that automatically drops any extra fields injected by SEO, page-builder or e-commerce plugins (Yoast, Rank Math, AIOSEO, Elementor, WooCommerce, …). Example response for an anonymous visitor on `/wp-json/wp/v2/users/1`:

`{"id":1,"name":"Author","url":"","description":"","link":"https:\/\/example.com\/","slug":"author","avatar_urls":{}}`

* **Block author archives** – Redirect unauthenticated visitors away from `?author=N` and `/author/<slug>/` to prevent user enumeration.
* **Disable password reset** – Disable the "Lost your password?" function for administrators and/or selected roles. Useful when 2FA must be the only authentication path.
* **Users list column** – A clean "SDTFA" column on Users → All Users that shows the real 2FA status (TOTP, Email, or off) and replaces duplicate columns added by host mu-plugins or other 2FA plugins.

== Installation ==

1. Upload the plugin via **Plugins → Add New → Upload Plugin**, or install it directly from the WordPress plugin directory.
2. Activate the plugin.
3. Configure the main 2FA settings under **Two-Factor Login** in the admin menu. Optional **Privacy & Hardening** features (REST user-data masking, author-archive blocking, password-reset lock-down, users-list status column) are on the same settings page.
4. Users can set up 2FA from their WordPress profile page or WooCommerce My Account.

== Frequently Asked Questions ==

= Which authenticator apps are supported? =

Any TOTP-compatible app works, including Google Authenticator, FreeOTP+, Authy, Microsoft Authenticator, and many others. We recommend FreeOTP+ (Android) and FreeOTP (iOS) as free, open-source options.

= What happens if I lose my phone? =

You can log in using one of your 10 backup codes. If those are also gone, administrators can use their personal recovery key on the login page. As a last resort, create an empty file named `.sdtfa-recovery` in `wp-content/` via FTP to temporarily disable 2FA.

= Can I enforce 2FA for all users? =

Yes. Go to Two-Factor Login settings and select which roles must use 2FA. You can set a grace period with a deadline, or enforce it immediately – users will then be required to complete 2FA setup on the login page before gaining any access.

= Does this plugin work with WooCommerce? =

Yes. It adds a "Two-Factor Authentication" tab to the WooCommerce My Account page. You can also enforce 2FA for the WooCommerce account area and checkout.

= What is the "Trust this device" feature? =

When enabled by the admin, users can check "Save this computer" during login. The 2FA code won't be required again on that device for the configured number of days.

= Are external services or images used? =

No. Everything runs locally. QR codes are generated in PHP, TOTP calculations happen on the server, and app store badges use local SVG files. No external images, scripts, or API calls are made.

= What does the "Privacy & Hardening" section do? =

It bundles four optional, independently toggleable features that close common WordPress information-leak and lock-out paths. Hide user data (REST API) replaces sensitive fields (name, slug, link, avatar) with neutral values for unauthenticated requests, while keeping the endpoint reachable so SEO and import plugins still work. Block author archives redirects unauthenticated visitors away from `?author=N` and `/author/<slug>/` to prevent user enumeration. Disable password reset blocks the "Lost your password?" function for administrators and/or selected roles. The users-list column adds a clean "SDTFA" status indicator on Users → All Users. All four features are off by default except the users-list column, which is on by default to clean up duplicate columns from other plugins.

= Why does the Users → All Users page show an "SDTFA" column instead of a generic "2FA" one? =

Some hosts and other 2FA plugins inject their own "2FA" column on the users list. When Super Duper Two-Factor Login is installed, those columns can show outdated or misleading status (for example a red ✗ even though 2FA is configured here). The plugin replaces them with a single, accurate "SDTFA" column that reads the real status from this plugin's own user meta. If you prefer the original column behavior, you can disable this in the Privacy & Hardening section.

= Will this plugin conflict with other 2FA plugins? =

It is not designed to run side-by-side with another active 2FA plugin – two plugins both intercepting `wp-login.php` will produce unpredictable results. If you are migrating from another 2FA plugin, deactivate the other one first. The "SDTFA" users-list column will hide a leftover column from a deactivated plugin only if that plugin still injects it; in normal cases the foreign column simply disappears with the foreign plugin.

= Is this plugin really free? =

Yes, completely. There is no premium version, no upsells, and no feature restrictions. All features are available to everyone.

== Screenshots ==

1. Admin notice prompting users to set up 2FA
2. Setup prompt asking the user to start now or later
3. Choosing the authentication method: email or authenticator app
4. App-based authentication – FreeOTP recommended, with download links
5. Email-based authentication
6. Email confirmation step
7. Backup codes – send by email, download, or print
8. Shortcode displaying the 2FA status on any page
9. 2FA status on the user's My Account page – inactive
10. 2FA status on the user's My Account page – active, with the chosen method
11. Backend admin view: per-account 2FA status and the method in use
12. Settings: enforcement reminder, which roles must use 2FA, grace period, enforcement areas, validation strictness (strict / normal / tolerant), and trusted-device duration
13. Shortcode for embedding the 2FA status indicator on any page
14. Privacy & Hardening: hide user data in the REST API and disable password reset per role

== Changelog ==

= 2.5.9 – 05.05.2026 =
* Improved: forced 2FA setup screen on wp-login.php now uses larger, more readable fonts (warning text 16px, button 17px, content 15px) and a slightly wider login box.
* i18n: translations completed for all eight supported locales (DE_CH, DE_DE, DE_AT, EN_US, FR_FR, ES_ES, IT_IT, NL_NL) – every string in the plugin is now fully translated. .pot template regenerated from current source.

= 2.5.8 – 05.05.2026 =
* Fixed: forced 2FA setup AJAX calls returned HTTP 403 because the WordPress nonce check failed for unauthenticated users on the login page. The forced-setup token (already present in the request and validated against a server-side transient) is now accepted as the authorization for these AJAX calls, with the standard nonce check still applied for logged-in users.

= 2.5.7 – 05.05.2026 =
* Fixed: forced 2FA setup screen on wp-login.php was unusable – clicking "Set up now" left the button stuck at "…". The AJAX endpoints were registered for logged-in users only, but the forced-setup flow runs before the user is authenticated. Endpoints now also accept unauthenticated calls when a valid forced-setup token is supplied, and the JavaScript automatically passes that token along.

= 2.5.6 – 05.05.2026 =
* Improved: REST API user-data hiding now uses a strict whitelist approach instead of a maintained block list. Only structurally-required fields (id, name, slug, link, avatar_urls, description, url) are kept in the response — everything else is dropped automatically, including fields from Yoast SEO (yoast_head, yoast_head_json), Rank Math, AIOSEO, SEOPress, Elementor, WooCommerce, and any future plugins that inject data into the user REST endpoint.
* New: filter hook `sdtfa_rest_user_allowed_keys` to extend the whitelist for plugins or sites that have a legitimate need to expose additional public fields.
* Fixed: the filter now runs at priority 999 so it executes after third-party plugins that register their own user REST fields.
* Fixed: REST self/collection links (which expose the numeric user ID) are now removed from the response for unauthenticated requests when user-data hiding is enabled.
* Fixed: "Set up now" button on the admin notice did not open the popup overlay because the script cached DOM selectors before the popup HTML was rendered. Selectors are now resolved after DOM-ready, with a fallback redirect to the profile page if the overlay is still missing.

= 2.5.5 – 01.05.2026 =
* Fixed: SVN pre-commit hook on WordPress.org rejected the package because the email-sending method used a "true" return type (PHP 8.2+ feature). Replaced with the equivalent "bool" return type for broader compatibility while keeping identical behavior.

= 2.5.4 – 30.04.2026 =
* Fixed: three strings in the en_US translation file contained German text instead of English (the shortcode description, the deadline notice, and the site-icon warning). Sites running with English locale will now correctly show English text.
* Fixed: removed remaining German example text from the docblock of the shortcode class file (no functional impact, source-code cleanup only).

= 2.5.3 – 30.04.2026 =
* Fixed: removed remaining hardcoded German strings from PHP source (3× "Nicht angemeldet.", backup-codes email body, recovery-key label, backup-codes textarea header)
* Fixed: removed hardcoded German "Bestätigen" button label from JavaScript (used after a failed verification attempt) – now uses the existing translatable string
* i18n: all four cleaned-up strings translated for all eight supported locales (DE_CH/DE/AT, EN, FR, ES, IT, NL)

= 2.5.2 – 30.04.2026 =
* Fixed: 2FA setup via email failed silently on hosts that reject mails without an explicit "From" header – the email now always carries a same-domain sender address
* Improved: when sending the 2FA code fails, the actual underlying mail error (from PHPMailer / SMTP) is now surfaced in the setup dialog instead of a generic "please try again"
* Fixed: send cooldown is now armed only after a successful send, so a failed delivery no longer blocks the next attempt for 60 seconds
* Improved: graceful fallback for the email subject when the issuer/site name option is empty

= 2.5.1 – 30.04.2026 =
* New: "SDTFA" column on Users → All Users showing the actual 2FA status (TOTP / Email / off) with green check or red ✗
* New: Removes 2FA columns added by foreign 2FA plugins or host mu-plugins to avoid duplicate or misleading status indicators
* New: Toggle in Privacy & Hardening section to disable the column behavior if not desired (enabled by default)

= 2.5.0 – 30.04.2026 =
* New: Privacy & Hardening section with three optional features
* New: Hide sensitive user data in REST API responses for unauthenticated visitors (REST endpoint stays reachable for SEO/import tools)
* New: Block author archives (?author=N) for unauthenticated visitors to prevent user enumeration
* New: Disable WordPress password reset for administrators and/or selected roles
* Fixed: empty jQuery UI datepicker container no longer appears at the bottom of admin pages – it is now hidden by default and moved next to its input field on open

= 2.4.1 – 22.04.2026 =
* Fixed: dismiss (×) button on the admin notice now correctly persists via AJAX so the notice doesn't reappear on every page reload

= 2.4.0 – 22.04.2026 =
* Renamed plugin to "Super Duper Two-Factor Login" (slug: super-duper-two-factor-login) for improved distinctiveness in the plugin directory
* Replaced the setup popup with a WordPress-standard dismissable admin notice and a "Set up now" button – the modal opens only on user action
* Moved the admin menu from position 3 to position 71 (after Users) to respect the WordPress admin hierarchy
* Extracted all inline `<style>` and `<script>` output into enqueued assets (`wp_enqueue_style`, `wp_enqueue_script`, `wp_add_inline_style`)
* Localized datepicker day and month names via `wp_localize_script` (English source, translations via .po)
* Updated the plugin header description to English (source strings) with German translations moved to .po/.mo
* Corrected the `Contributors` entry in readme.txt to the actual WordPress.org username

= 2.3.0 – 10.04.2026 =
* First public release on WordPress.org
* TOTP and email-based two-factor authentication
* 10 one-time backup codes with copy, download, print, and email
* Personal recovery key for administrators
* FTP emergency recovery via .sdtfa-recovery file
* Trusted device feature (save this computer)
* Role-based enforcement with optional grace period
* Hard enforcement: 2FA setup required before login
* Enforcement areas: admin, WooCommerce account, checkout, entire site
* WooCommerce My Account integration
* Setup popup reminder (dismissible)
* Shortcode [sdtfa_status]
* AES-256-GCM encryption for TOTP secrets
* Translations: German (DE/AT/CH), English, French, Spanish, Italian, Dutch

= 1.0.0 – 2.2.x =
* Internal development and testing

== Upgrade Notice ==

= 2.5.9 =
Larger, more readable fonts on the forced setup screen. All translations now 100% complete in all eight supported locales.

= 2.5.8 =
Critical fix continued: forced 2FA setup AJAX returned 403 because of nonce-validation issues for unauthenticated users. Now uses token-based authorization on the login screen.

= 2.5.7 =
Critical fix: forced 2FA setup on the login screen was non-functional. The "Set up now" button now properly opens the setup flow.

= 2.5.6 =
Important fixes: REST API user data is now protected by a strict whitelist (so future SEO/page-builder plugins that add user fields are automatically covered), with a `sdtfa_rest_user_allowed_keys` filter for legitimate exceptions. Also fixed the "Set up now" button on the admin notice.

= 2.5.5 =
Internal compatibility fix that allows the package to pass the WordPress.org SVN pre-commit linter. No functional changes.

= 2.5.4 =
Fixes three strings in the en_US translation that accidentally contained German text. English-locale sites will now show correct English wording on the settings page and notices.

= 2.5.3 =
i18n cleanup: removed remaining hardcoded German strings from PHP and JavaScript so the plugin can be fully translated through the standard gettext workflow.

= 2.5.2 =
Fix: 2FA email codes were silently dropped on hosts that require an explicit "From" header. The setup email now sends reliably and surfaces the real error if delivery still fails.

= 2.5.1 =
New "SDTFA" column on the Users list shows actual 2FA status. Removes duplicate columns added by host mu-plugins or other 2FA plugins.

= 2.5.0 =
New optional Privacy & Hardening features: hide REST user data, block author archive enumeration, disable password reset for admins/roles. Plus a small admin UI fix for the datepicker container.

= 2.4.1 =
Bugfix: the × button on the admin notice now works correctly.

= 2.4.0 =
WordPress.org compliance release: new distinctive name, admin notice instead of auto-popup, proper enqueuing of all assets, corrected menu position.

= 2.3.0 =
First public release. Install and activate to add two-factor authentication to your WordPress site.
