[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqOQIrek591hdCnt_3CAqBpPIPOk-mOZBIEEWZ4DaeAM":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":13,"vuln_count":27,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":163,"crawl_stats":37,"alternatives":171,"analysis":269,"fingerprints":1012},"miniorange-2-factor-authentication","miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator)","6.2.3","miniOrange","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberlord92\u002F","\u003Cp>miniOrange WP 2FA plugin adds an extra layer of security to your WordPress website by protecting user logins from unauthorized access, brute-force attacks, and password theft.\u003C\u002Fp>\n\u003Cp>This powerful 2FA – Two-factor authentication for WordPress solution is easy to configure using a step-by-step setup wizard that supports multiple authentication methods such as Google Authenticator, Microsoft Authenticator, OTP via Email, SMS, WhatsApp, Telegram, and more.\u003C\u002Fp>\n\u003Cp>Whether you are a beginner or an advanced user, the WordPress Two Factor Authentication plugin ensures maximum security while keeping the login experience smooth and user-friendly.\u003C\u002Fp>\n\u003Cp>Quick Links: \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002F2-factor-authentication-for-wordpress-wp-2fa\" rel=\"nofollow ugc\">Official Website\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fstep-by-step-guide-for-wordpress-2-factor-authentication\" rel=\"nofollow ugc\">Setup Guide\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002F2-factor-authentication-for-wordpress-wp-2fa#pricing\" rel=\"nofollow ugc\">Pricing Plans\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Ffaq.miniorange.com\u002F\" rel=\"nofollow ugc\">Support\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>What is the WP 2FA Authenticator Plugin for WordPress?\u003C\u002Fh3>\n\u003Cp>The WP 2FA Authenticator plugin adds an extra verification step (OTP or approval) beyond your password. This two-step login process enhances security without disrupting daily operations.\u003C\u002Fp>\n\u003Cp>Easy to install and configure, this WordPress 2FA plugin helps protect your website from credential theft and unauthorized access.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FrE-awZZt13Q?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch3>WordPress W2FA Plugin Features (Free Version)\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fconfigure-2fa-settings-quick-setup-tab-wordpress#step1\" rel=\"nofollow ugc\">User Role-Based Configuration\u003C\u002Fa>:\u003C\u002Fstrong> Apply 2FA or MFA selectively based on user roles or configure it individually per user for more control over who needs additional verification.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fconfigure-2fa-settings-quick-setup-tab-wordpress#step3\" rel=\"nofollow ugc\">Backup Access Support\u003C\u002Fa>:\u003C\u002Fstrong> Let users generate and use backup codes or email verification links to log in when their primary 2FA method is unavailable.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Guided Setup Wizard:\u003C\u002Fstrong> An intuitive step-by-step wizard makes it easy to configure and deploy 2FA—no technical skills required.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multi-Language Support:\u003C\u002Fstrong> The plugin is translation-ready and supports major languages, including French, Spanish, Italian, and German.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Free for up to 3 Users:\u003C\u002Fstrong> Includes full access to 2FA features for up to three users—ideal for small teams or personal sites.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customize Email Templates:\u003C\u002Fstrong> Personalize OTP and 2FA emails to reflect your brand and improve user trust.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>2FA Login Reports & IP Alerts:\u003C\u002Fstrong> Track login activity and get email alerts for logins from new IP addresses.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Post-Login Redirection:\u003C\u002Fstrong> Redirect users to any page after 2FA, like a dashboard, homepage, or custom URL.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Labels in Authenticator Apps:\u003C\u002Fstrong> Customize the account name shown in Google Authenticator and other apps for clearer identification.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fhow-to-set-up-2fa-on-custom-login-form-wordpress\" rel=\"nofollow ugc\">2FA for Popular Login Forms\u003C\u002Fa>:\u003C\u002Fstrong> Enable 2FA on WooCommerce, Theme My Login, Elementor, and other login forms.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Supported WP 2FA Authentication Methods\u003C\u002Fh3>\n\u003Ch4>TOTP-Based Authentication\u003C\u002Fh4>\n\u003Cp>Compatible with:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fsetup-two-factor-authentication-using-authenticator-apps\" rel=\"nofollow ugc\">Google Authenticator\u003C\u002Fa>:\u003C\u002Fstrong> A widely trusted TOTP app that generates rotating login codes every 30 seconds—ideal for fast and offline verification.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fsetup-two-factor-authentication-using-authenticator-apps\" rel=\"nofollow ugc\">Microsoft Authenticator\u003C\u002Fa>:\u003C\u002Fstrong> Easily syncs with your Microsoft account and supports time-based one-time passcodes for secure WordPress login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fsetup-two-factor-authentication-using-authenticator-apps\" rel=\"nofollow ugc\">LastPass Authenticator\u003C\u002Fa>:\u003C\u002Fstrong> Combines password management with strong 2FA protection by generating time-based codes linked to your LastPass account.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fsetup-two-factor-authentication-using-authenticator-apps\" rel=\"nofollow ugc\">Duo Authenticator\u003C\u002Fa>:\u003C\u002Fstrong> Enterprise-ready authentication app offering secure TOTP codes and push notifications for streamlined two-factor login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fsetup-two-factor-authentication-using-authenticator-apps\" rel=\"nofollow ugc\">Authy 2-Factor Authenticator\u003C\u002Fa>:\u003C\u002Fstrong> Supports multi-device syncing and cloud backups while generating secure TOTP codes for your WordPress login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fsetup-two-factor-authentication-using-authenticator-apps\" rel=\"nofollow ugc\">FreeOTP\u003C\u002Fa>\u003C\u002Fstrong> and others\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>These authenticator apps enable secure WordPress 2FA using time-based one-time passwords (TOTP).\u003C\u002Fp>\n\u003Ch4>OTP Authentication\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fotp-over-email-for-wordpress-two-factor-authentication-2fa-mfa\" rel=\"nofollow ugc\">OTP via Email\u003C\u002Fa>:\u003C\u002Fstrong> Send one-time passcodes to users directly via email for secure and convenient login verification with OTP Over Email support.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fotp-over-sms-for-wordpress-two-factor-authentication-2fa-mfa\" rel=\"nofollow ugc\">OTP via SMS\u003C\u002Fa>:\u003C\u002Fstrong> Get login codes to users through SMS for fast two-step OTP login verification on mobile devices.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Flogin-with-telegram-as-a-two-factor-method-for-wordpress\" rel=\"nofollow ugc\">OTP over Telegram\u003C\u002Fa>:\u003C\u002Fstrong> Use Telegram for OTP authentication if you prefer messaging-based login verification.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fwhatsapp-two-factor-authentication-setup-for-wordpress-2fa-plugin\" rel=\"nofollow ugc\">OTP over WhatsApp (Premium)\u003C\u002Fa>:\u003C\u002Fstrong> Use \u003Cstrong>WhatsApp 2FA\u003C\u002Fstrong> to send login passcodes directly to the user’s WhatsApp account for a faster and familiar authentication experience.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fhow-to-setup-email-verification-for-2-factor-authentication-wordpress-2fa\" rel=\"nofollow ugc\">Email Verification via Link\u003C\u002Fa>:\u003C\u002Fstrong> Let users verify their login using a secure one-click email verification link—no passcode entry needed.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fsetup-security-questions-for-two-factor-authentication-wordpress-2fa\" rel=\"nofollow ugc\">Security Questions\u003C\u002Fa>:\u003C\u002Fstrong> Add a personal security layer by asking predefined questions during login, ideal as a backup or secondary method.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Upgrade to miniOrange WP 2FA Premium for Advanced Security\u003C\u002Fh3>\n\u003Cp>The premium WordPress Two Factor Authentication plugin offers complete control over user authentication policies with advanced features such as unlimited OTP transactions, trusted devices, multisite compatibility, and full branding control.\u003C\u002Fp>\n\u003Cp>It is ideal for enterprises, eCommerce websites, and business-critical WordPress environments requiring strict login security.\u003C\u002Fp>\n\u003Ch3>Premium Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fconfigure-2fa-settings-quick-setup-tab-wordpress#step1\" rel=\"nofollow ugc\">2FA for All Users & Roles\u003C\u002Fa>:\u003C\u002Fstrong> Enforce 2FA across your entire website or apply it selectively to specific user roles or individual users.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Unlimited Email OTP Transactions:\u003C\u002Fstrong> Send unlimited email-based one-time passcodes—ideal for large-scale user bases and frequent login environments.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fconfigure-2fa-settings-quick-setup-tab-wordpress?select-2fa=2fa-for-specific-role#step2\" rel=\"nofollow ugc\">Role-Based 2FA Policies\u003C\u002Fa>:\u003C\u002Fstrong> Create different 2FA rules for each user role—require stronger authentication for admins while offering simpler methods for customers.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fconfigure-2fa-settings-quick-setup-tab-wordpress#step2\" rel=\"nofollow ugc\">User-Specific 2FA Management\u003C\u002Fa>:\u003C\u002Fstrong> Enable or disable 2FA for individual users directly from their profile or admin settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fenable-2fa-on-specific-pages-wordpress\" rel=\"nofollow ugc\">Page-Protection with 2FA\u003C\u002Fa>:\u003C\u002Fstrong> Add two-factor authentication (2FA) protection to selected pages for enhanced security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fconfigure-2fa-settings-quick-setup-tab-wordpress#step3\" rel=\"nofollow ugc\">Backup Login Options\u003C\u002Fa>:\u003C\u002Fstrong> Allow users to log in using alternate methods like security questions, email-based OTP, or backup codes when the default method is inaccessible.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Redirect After 2FA:\u003C\u002Fstrong> Send users to a specific page (dashboard, custom welcome, etc.) after completing 2FA authentication.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fhow-to-setup-custom-security-questions-kba-from-wordpress-wp-2fa\" rel=\"nofollow ugc\">Custom Security Questions\u003C\u002Fa>:\u003C\u002Fstrong> Set your own challenge questions to match your organization’s security policies.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Force 2FA Setup on Login:\u003C\u002Fstrong> Automatically prompt users to configure 2FA on their next login and restrict access until it’s enabled.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fhow-to-set-remember-device-with-two-factor-authentication-2fa\" rel=\"nofollow ugc\">Trusted Devices Feature\u003C\u002Fa>:\u003C\u002Fstrong> Let users remember their device or browser to bypass 2FA on trusted systems for future logins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fconfigure-2fa-settings-login-popup-tab-wordpress#step2\" rel=\"nofollow ugc\">Customizable Login UI\u003C\u002Fa>:\u003C\u002Fstrong> Easily style 2FA prompts and popups to match your theme and brand—no coding needed.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multisite Compatibility:\u003C\u002Fstrong> Support for WordPress multisite networks, with 2FA settings across up to 3 subsites included.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fconfigure-2fa-settings-login-popup-tab-wordpress#step1\" rel=\"nofollow ugc\">White Labeling & Branding\u003C\u002Fa>:\u003C\u002Fstrong> Fully rebrand the login or registration forms with your logo, colors, and email templates to offer a seamless branded experience.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Shortcodes for User Profile Controls:\u003C\u002Fstrong> Add 2FA management shortcodes to user account pages so users can enable, disable, or reconfigure their 2FA settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fprevent-account-sharing-restrict-concurrent-sessions-wordpress-session-restriction\" rel=\"nofollow ugc\">Session Management Controls\u003C\u002Fa>:\u003C\u002Fstrong> Restrict users from logging in on multiple devices simultaneously to prevent unauthorized access or credential sharing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fhow-to-set-passwordless-login-as-a-login-screen-options-wordpress-2fa\" rel=\"nofollow ugc\">Passwordless Login\u003C\u002Fa>:\u003C\u002Fstrong> Let users log in using a one-time passcode—no password required—while maintaining strong account security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fhow-to-set-up-2fa-on-custom-login-form-wordpress\" rel=\"nofollow ugc\">Support for Custom & Third-Party Login Forms\u003C\u002Fa>:\u003C\u002Fstrong> Works seamlessly with plugins like UserPro, Login with Ajax, Theme My Login, and more.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom SMS Gateway Support:\u003C\u002Fstrong> Integrate your own SMS gateway to send OTPs, giving you full control over delivery, cost, and sender branding.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fsetup-remember-whitelist-ip-2fa-wordpress\" rel=\"nofollow ugc\">Remember IP to Bypass 2FA\u003C\u002Fa>:\u003C\u002Fstrong> Mark trusted IP addresses to skip 2FA prompts and streamline login for internal users or safe environments.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Prevent Credential Sharing:\u003C\u002Fstrong> Restrict multiple logins from different IPs or devices, helping you enforce strict account access policies and stop sharing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fhow-to-set-up-2fa-on-custom-login-form-wordpress?utm_source=readme&utm_medium=2fa_sg&utm_campaign=2fa_login_forms_2#step2\" rel=\"nofollow ugc\">Custom Form Integration\u003C\u002Fa>:\u003C\u002Fstrong> Add 2FA to any custom login form—even those not on the supported list—through flexible integration and custom support.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>How to Install and Activate the WP 2FA Plugin\u003C\u002Fh3>\n\u003Ch4>Step 1: Install and Activate\u003C\u002Fh4>\n\u003Cp>Search for the miniOrange Two Factor Authentication plugin in the WordPress marketplace and activate it.\u003C\u002Fp>\n\u003Ch4>Step 2: Enable WP 2FA from Quick Setup\u003C\u002Fh4>\n\u003Cp>Go to the Quick Setup tab, choose user roles, and save settings.\u003C\u002Fp>\n\u003Ch4>Step 3: Configure Authentication Method\u003C\u002Fh4>\n\u003Cp>Select and set up your preferred \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fstep-by-step-guide-for-wordpress-2-factor-authentication#step3\" rel=\"nofollow ugc\">2FA authentication method\u003C\u002Fa>, such as Google Authenticator, OTP over SMS, or WhatsApp 2FA, from the available options while logging into the form for the first time.\u003C\u002Fp>\n\u003Ch3>Built to Integrate Seamlessly\u003C\u002Fh3>\n\u003Cp>Two Factor Authentication – WordPress 2FA\u002FMFA plugin is compatible with \u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fhow-to-set-up-2fa-on-custom-login-form-wordpress\" rel=\"nofollow ugc\">popular plugins\u003C\u002Fa> such as:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>WooCommerce\u003C\u002Fli>\n\u003Cli>Ultimate Member\u003C\u002Fli>\n\u003Cli>BuddyPress\u003C\u002Fli>\n\u003Cli>Elementor Pro\u003C\u002Fli>\n\u003Cli>Login With Ajax\u003C\u002Fli>\n\u003Cli>User Registration\u003C\u002Fli>\n\u003Cli>Restrict Content Pro\u003C\u002Fli>\n\u003Cli>LoginPress\u003C\u002Fli>\n\u003Cli>Registration Magic\u003C\u002Fli>\n\u003Cli>Admin Custom Login\u003C\u002Fli>\n\u003Cli>Theme My Login\u003C\u002Fli>\n\u003Cli>Profile Builder and many more.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Have a form not listed here? We offer custom integration support—just reach out.\u003C\u002Fp>\n\u003Ch3>Third-Party Custom SMS Gateway for OTP via SMS\u003C\u002Fh3>\n\u003Cp>The premium version of the miniOrange Two-Factor Authentication plugin supports any third-party SMS gateway for OTP-based login via SMS. Whether you already use a custom SMS provider or need to integrate with a local\u002Fregional provider, you can easily configure it within the plugin. \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fplugins.miniorange.com\u002Fsms-email-gateways-supported-by-2fa-plugin\" rel=\"nofollow ugc\">Famous SMS gateways supported by Two Factor Authentication\u003C\u002Fa>.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>Why Register with miniOrange?\u003C\u002Fh3>\n\u003Cp>Some features like OTP via SMS or Email in the Free plugin require secure transactions credited to your miniOrange account.\u003C\u002Fp>\n\u003Cp>Most features work without registration, including:\u003Cbr \u002F>\n * Google Authenticator\u003Cbr \u002F>\n * Microsoft Authenticator\u003Cbr \u002F>\n * Security questions\u003Cbr \u002F>\n * Backup codes\u003C\u002Fp>\n\u003Cp>For customized solutions and support, contact:\u003Cbr \u002F>\n\u003Ca href=\"mailto:info@xecurify.com\" rel=\"nofollow ugc\">info@xecurify.com\u003C\u002Fa> or \u003Ca href=\"mailto:2fasupport@xecurify.com\" rel=\"nofollow ugc\">2fasupport@xecurify.com\u003C\u002Fa>\u003C\u002Fp>\n","miniOrange WP 2FA plugin adds an extra layer of security to your WordPress website by protecting user logins from unauthorized access, brute-force att …",10000,2395361,90,381,"2026-03-10T18:44:00.000Z","6.9.4","3.0.1","5.3.0",[20,21,22,23,24],"2-factor-authentication","2fa","google-authenticator","mfa","wp-2fa","https:\u002F\u002Fminiorange.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fminiorange-2-factor-authentication.6.2.3.zip",10,0,"2025-08-23 00:00:00","2026-03-15T15:16:48.613Z",[32,48,63,76,88,99,112,126,139,152],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":39,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":29,"updated_date":44,"references":45,"days_to_patch":47},"CVE-2025-54745","minioranges-google-authenticator-missing-authorization-2","miniOrange's Google Authenticator \u003C= 6.1.1 - Missing Authorization","The miniOrange 2-factor Authentication (2FA with SMS, Email, Google Authenticator) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.",null,"\u003C=6.1.1","6.1.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2025-12-19 21:57:58",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb5d787e9-b8b7-4ac1-a278-074afabc0239?source=api-prod",119,{"id":49,"url_slug":50,"title":51,"description":52,"plugin_slug":4,"theme_slug":37,"affected_versions":53,"patched_in_version":54,"severity":55,"cvss_score":56,"cvss_vector":57,"vuln_type":43,"published_date":58,"updated_date":59,"references":60,"days_to_patch":62},"CVE-2022-4943","minioranges-google-authenticator-missing-authorization-to-plugin-settings-change","miniOrange's Google Authenticator \u003C= 5.6.5 - Missing Authorization to Plugin Settings Change","The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings.","\u003C=5.6.5","5.6.6","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:N","2023-04-19 00:00:00","2024-01-22 19:56:02",[61],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7267ede1-7745-47cc-ac0d-4362140b4c23?source=api-prod",279,{"id":64,"url_slug":65,"title":66,"description":67,"plugin_slug":4,"theme_slug":37,"affected_versions":68,"patched_in_version":69,"severity":55,"cvss_score":56,"cvss_vector":70,"vuln_type":71,"published_date":72,"updated_date":59,"references":73,"days_to_patch":75},"CVE-2022-44589","minioranges-google-authenticator-sensitive-data-exposure-of-multifactor-backup-codes","miniOrange's Google Authenticator \u003C= 5.6.1 - Sensitive Data Exposure of Multifactor Backup Codes","The miniOrange's Google Authenticator plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 5.6.1 via functions such as 'mo_wpns_get_progress' and 'mo2f_use_backup_codes'. This can allow attackers to extract sensitive data about multifactor authentication backup codes, and information about plugin malware scans.","\u003C=5.6.1","5.6.2","CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2022-11-23 00:00:00",[74],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa0e54185-a917-49cd-b99d-5b773a7ed06a?source=api-prod",426,{"id":77,"url_slug":78,"title":79,"description":80,"plugin_slug":4,"theme_slug":37,"affected_versions":68,"patched_in_version":69,"severity":55,"cvss_score":81,"cvss_vector":82,"vuln_type":83,"published_date":84,"updated_date":59,"references":85,"days_to_patch":87},"WF-ed117fb8-c13a-4088-aa33-8d44fc5dcf37-miniorange-2-factor-authentication","minioranges-google-authenticator-cross-site-request-forgery-to-malware-scan-termination","miniOrange's Google Authenticator \u003C= 5.6.1 - Cross-Site Request Forgery to Malware Scan Termination","The miniOrange's Google Authenticator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.6.1. This is due to missing or incorrect nonce validation on the mo_wpns_stop_scan function. This makes it possible for unauthenticated attackers to terminate malware scans, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Cross-Site Request Forgery (CSRF)","2022-11-01 00:00:00",[86],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fed117fb8-c13a-4088-aa33-8d44fc5dcf37?source=api-prod",448,{"id":89,"url_slug":90,"title":91,"description":92,"plugin_slug":4,"theme_slug":37,"affected_versions":68,"patched_in_version":69,"severity":40,"cvss_score":93,"cvss_vector":94,"vuln_type":43,"published_date":95,"updated_date":59,"references":96,"days_to_patch":98},"CVE-2022-42461","minioranges-google-authenticator-missing-authorization-to-plugin-settings-change-2","miniOrange's Google Authenticator \u003C= 5.6.1 - Missing Authorization to Plugin Settings Change","The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the plugin's settings.",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","2022-10-31 00:00:00",[97],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb9ea24b5-ef7d-4bd5-bddb-46082a4a0763?source=api-prod",449,{"id":100,"url_slug":101,"title":102,"description":103,"plugin_slug":4,"theme_slug":37,"affected_versions":104,"patched_in_version":105,"severity":40,"cvss_score":106,"cvss_vector":107,"vuln_type":43,"published_date":108,"updated_date":59,"references":109,"days_to_patch":111},"WF-52a03c45-1d65-43aa-b30f-13698019e05f-miniorange-2-factor-authentication","minioranges-google-authenticator-missing-authorization","miniOrange's Google Authenticator  \u003C= 5.5.82 - Missing Authorization","miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on an the mo_wpns_malware_redirect function in versions up to, and including, 5.5.82. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to initiate\u002Fterminate malware scans or obtain the malware scan status of a currently ongoing or the last scan. Terminating ongoing scans could aid an attacker who is attempting to infect a site, while repeatedly initiating new scans could lead to resource exhaustion. Additionally, knowing the status of the last scan might help an attacker who wishes to further compromise a site or server.","\u003C=5.5.82","5.6.0",6.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:L","2022-09-16 00:00:00",[110],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F52a03c45-1d65-43aa-b30f-13698019e05f?source=api-prod",494,{"id":113,"url_slug":114,"title":115,"description":116,"plugin_slug":4,"theme_slug":37,"affected_versions":117,"patched_in_version":118,"severity":40,"cvss_score":119,"cvss_vector":120,"vuln_type":121,"published_date":122,"updated_date":59,"references":123,"days_to_patch":125},"WF-bb929679-85bb-4d5b-9a99-e6081d55019f-miniorange-2-factor-authentication","minioranges-google-authenticator-reflected-cross-site-scripting","miniOrange's Google Authenticator \u003C= 5.5.7 - Reflected Cross-Site Scripting","The miniOrange's Google Authenticator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in versions up to, and including, 5.5.7. This makes it possible for attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","\u003C=5.5.7","5.5.75",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2022-06-27 00:00:00",[124],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbb929679-85bb-4d5b-9a99-e6081d55019f?source=api-prod",575,{"id":127,"url_slug":128,"title":129,"description":130,"plugin_slug":4,"theme_slug":37,"affected_versions":131,"patched_in_version":132,"severity":40,"cvss_score":133,"cvss_vector":134,"vuln_type":121,"published_date":135,"updated_date":59,"references":136,"days_to_patch":138},"CVE-2022-1321","minioranges-google-authenticator-authenticated-admin-cross-site-scripting","miniOrange's Google Authenticator \u003C= 5.5.5 - Authenticated (Admin+) Cross-Site Scripting","The miniOrange's Google Authenticator plugin for WordPress vulnerable to Stored Cross-Site Scripting via the ‘Add Referer’ field in versions up to, and including, 5.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative capabilities to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html have been disabled.","\u003C=5.5.5","5.5.6",5.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","2022-06-06 00:00:00",[137],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F90c0eb3e-b3f1-483c-9afd-2bbc4ff0cdf3?source=api-prod",596,{"id":140,"url_slug":141,"title":142,"description":143,"plugin_slug":4,"theme_slug":37,"affected_versions":144,"patched_in_version":145,"severity":55,"cvss_score":146,"cvss_vector":147,"vuln_type":43,"published_date":148,"updated_date":59,"references":149,"days_to_patch":151},"CVE-2022-0229","minioranges-google-authenticator-unauthenticated-arbitrary-options-deletion","miniOrange's Google Authenticator \u003C= 5.4.52 - Unauthenticated Arbitrary Options Deletion","The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.","\u003C=5.4.52","5.5",8.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:H\u002FA:H","2022-02-28 00:00:00",[150],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff53875aa-9347-464c-aaeb-e8248628fca2?source=api-prod",694,{"id":153,"url_slug":154,"title":155,"description":156,"plugin_slug":4,"theme_slug":37,"affected_versions":157,"patched_in_version":158,"severity":40,"cvss_score":119,"cvss_vector":120,"vuln_type":121,"published_date":159,"updated_date":59,"references":160,"days_to_patch":162},"WF-f810326f-f84a-4066-aa28-5caa915ba877-miniorange-2-factor-authentication","minioranges-google-authenticator-cross-site-scripting","miniOrange's Google Authenticator \u003C= 5.4.39 - Cross-Site Scripting","The miniOrange's Google Authenticator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘user’ parameter in versions up to, and including, 5.4.39 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","\u003C=5.4.39","5.4.40","2021-08-10 00:00:00",[161],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff810326f-f84a-4066-aa28-5caa915ba877?source=api-prod",896,{"slug":164,"display_name":7,"profile_url":8,"plugin_count":165,"total_installs":166,"avg_security_score":167,"avg_patch_time_days":168,"trust_score":169,"computed_at":170},"cyberlord92",38,83130,96,324,76,"2026-04-03T20:00:42.764Z",[172,193,213,235,253],{"slug":24,"name":173,"version":174,"author":175,"author_profile":176,"description":177,"short_description":178,"active_installs":179,"downloaded":180,"rating":181,"num_ratings":182,"last_updated":183,"tested_up_to":16,"requires_at_least":145,"requires_php":184,"tags":185,"homepage":188,"download_link":189,"security_score":190,"vuln_count":191,"unpatched_count":28,"last_vuln_date":192,"fetched_at":30},"WP 2FA – Two-factor authentication for WordPress","3.1.1.2","Melapress","https:\u002F\u002Fprofiles.wordpress.org\u002Fmelapress\u002F","\u003Ch3>A free and easy-to-use two-factor authentication plugin for WordPress\u003C\u002Fh3>\n\u003Cp>Add an extra layer of security to your WordPress website login and protect your users. Enable two-factor authentication (2FA), the best protection against password leaks, automated password guessing, and brute force attacks.\u003C\u002Fp>\n\u003Cp>Use the WP 2FA plugin to enable two-factor authentication for your WordPress administrator, enforce 2FA for all your website users, or for users with specific roles. This plugin is very easy to use; everything can be configured via wizards with clear instructions, so even non-technical users can set up 2FA without requiring technical assistance.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FvRlX_NNGeFo?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fwordpress-2fa\u002Ffeatures\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">Features\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fsupport\u002Fkb\u002Fwp-2fa-plugin-getting-started\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">Getting Started\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fwordpress-2fa\u002Fpricing\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">Get the Premium!\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>🔒 WP 2FA key plugin features and capabilities\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Passkeys support\u003C\u002Fstrong> for passwordless logins   \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Free two-factor authentication (2FA)\u003C\u002Fstrong> for all users  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple 2FA methods\u003C\u002Fstrong> supported, including authenticator app (TOTP) and code over email  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer API\u003C\u002Fstrong> to integrate any alternative 2FA method (WhatsApp, OTP Token, etc.)  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Universal 2FA app support\u003C\u002Fstrong> – works with Google Authenticator, Authy, and any TOTP-compatible app  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Backup codes\u003C\u002Fstrong> (16 digits) for recovery access  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Wizard-driven setup\u003C\u002Fstrong> – no technical knowledge required  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>2FA policies\u003C\u002Fstrong> to enforce setup with grace periods or instant activation  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>REST API endpoints\u003C\u002Fstrong> for custom integrations and headless WordPress setups  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Dashboard-free setup\u003C\u002Fstrong> – users can configure 2FA without WP admin access  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Editable email templates\u003C\u002Fstrong> for full customization  \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Much more!\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>💎 Upgrade to WP 2FA Premium and get even more benefits\u003C\u002Fh3>\n\u003Cp>The premium version of WP 2FA comes bundled with even more features to take your WordPress website login security to the next level.\u003C\u002Fp>\n\u003Cp>With the premium edition of WP 2FA, you get more 2FA methods, 1-click integration with WooCommerce, trusted devices feature, extensive white labeling capabilities, and much more!\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fwordpress-2fa\u002Fpricing\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">Check out WP 2FA Premium!\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Premium features list\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Everything in the free version\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Full white labeling capabilities\u003C\u002Fstrong> to change all text and visuals in the wizards, emails, SMS, and 2FA pages\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Support for multiple passkeys per user\u003C\u002Fstrong> for flexible passwordless logins\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Zero-setup email 2FA\u003C\u002Fstrong> that automatically enrolls users without manual configuration\u003C\u002Fli>\n\u003Cli>\u003Cstrong>YubiKey hardware key support\u003C\u002Fstrong> for enterprise-grade security\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Additional 2FA methods\u003C\u002Fstrong> such as SMS, email link, and more\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Trusted devices\u003C\u002Fstrong> so users can log in without 2FA for a configured period\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Require 2FA on password reset\u003C\u002Fstrong> to strengthen account protection\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Allow next user login without 2FA\u003C\u002Fstrong> to help recover accounts locked out of authentication\u003C\u002Fli>\n\u003Cli>\u003Cstrong>One-click WooCommerce integration\u003C\u002Fstrong> to enable 2FA for customers and store admins\u003C\u002Fli>\n\u003Cli>\u003Cstrong>And much more!\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Refer to the \u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fwordpress-2fa\u002Ffeatures\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">WP 2FA plugin features and benefits page\u003C\u002Fa> to learn more about the benefits of upgrading to WP 2FA Premium.\u003C\u002Fp>\n\u003Ch3>🛠️ Free and premium support\u003C\u002Fh3>\n\u003Cp>Support for the free edition of WP 2FA is free on the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fwp-2fa\u002F\" rel=\"ugc\">WordPress support forums\u003C\u002Fa>. Premium world-class support via one-to-one email is available to the Premium users – \u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fwordpress-2fa\u002Fpricing\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">upgrade to premium\u003C\u002Fa> to benefit from email support.\u003C\u002Fp>\n\u003Cp>For any other queries, feedback, or if you simply want to get in touch with us, please use our \u003Ca href=\"https:\u002F\u002Fmelapress.com\u002Fcontact\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">contact form\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>MAINTAINED & SUPPORTED BY MELAPRESS\u003C\u002Fh4>\n\u003Cp>Melapress develops high-quality WordPress management and security plugins, such as Melapress Login Security, Melapress Role Editor, and WP Activity Log; the #1 user-rated activity log plugin for WordPress.\u003C\u002Fp>\n\u003Cp>Browse our list of \u003Ca href=\"https:\u002F\u002Fmelapress.com\u002F?utm_source=wp+repo&utm_medium=repo+link&utm_campaign=wordpress_org&utm_content=wp2fa\" rel=\"nofollow ugc\">WordPress security and administration plugins\u003C\u002Fa> to see how our plugins can help you better manage and improve the security and administration of your WordPress websites and users.\u003C\u002Fp>\n\u003Ch3>Installing WP 2FA\u003C\u002Fh3>\n\u003Ch3>From within WordPress\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Navigate to ‘Plugins’ > ‘Add New’\u003C\u002Fli>\n\u003Cli>Search for ‘WP 2FA’\u003C\u002Fli>\n\u003Cli>Install & activate WP 2FA from your Plugins page\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Manually\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Download the plugin from the WordPress plugins repository\u003C\u002Fli>\n\u003Cli>Unzip the zip file and upload the folder to the ‘\u002Fwp-content\u002Fplugins\u002F directory’\u003C\u002Fli>\n\u003Cli>Activate the WP 2FA plugin through the ‘Plugins’ menu in WordPress\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>As featured on:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.wpbeginner.com\u002Fplugins\u002Fhow-to-add-two-factor-authentication-for-wordpress\u002F\" rel=\"nofollow ugc\">WP Beginner\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.isitwp.com\u002Fbest-wordpress-security-authentication-plugins\u002F\" rel=\"nofollow ugc\">IsitWP\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpastra.com\u002Ftwo-factor-authentication-wordpress\u002F\" rel=\"nofollow ugc\">WP Astra\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fmainwp.com\u002Fhow-to-use-the-wp-2fa-plugin-on-your-child-sites\u002F\" rel=\"nofollow ugc\">MainWP\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.fixrunner.com\u002Fwordpress-two-factor-authentication\u002F\" rel=\"nofollow ugc\">FixRunner\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.inmotionhosting.com\u002Fsupport\u002Fedu\u002Fwordpress\u002Fplugins\u002Fwp-2fa\u002F\" rel=\"nofollow ugc\">Inmotion Hosting\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwpmarmite.com\u002Fen\u002Fwordpress-two-factor-authentication\u002F\" rel=\"nofollow ugc\">WP Marmite\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","Get better WordPress login security; add two-factor authentication (2FA) for all your users with this easy-to-use plugin.",100000,1555592,94,162,"2026-02-25T13:18:00.000Z","7.4",[20,21,22,186,187],"two-factor-authentication","wordpress-authentication","https:\u002F\u002Fmelapress.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-2fa.3.1.1.2.zip",95,9,"2025-11-03 00:00:00",{"slug":194,"name":195,"version":196,"author":197,"author_profile":198,"description":199,"short_description":200,"active_installs":179,"downloaded":201,"rating":167,"num_ratings":202,"last_updated":203,"tested_up_to":16,"requires_at_least":204,"requires_php":205,"tags":206,"homepage":210,"download_link":211,"security_score":212,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"two-factor","Two Factor","0.15.0","WordPress.org","https:\u002F\u002Fprofiles.wordpress.org\u002Fwordpressdotorg\u002F","\u003Cp>The Two-Factor plugin adds an extra layer of security to your WordPress login by requiring users to provide a second form of authentication in addition to their password.  This helps protect against unauthorized access even if passwords are compromised.\u003C\u002Fp>\n\u003Ch3>Setup Instructions\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Important\u003C\u002Fstrong>: Each user must individually configure their two-factor authentication settings.  There are no site-wide settings for this plugin.\u003C\u002Fp>\n\u003Ch3>For Individual Users\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\u003Cstrong>Navigate to your profile\u003C\u002Fstrong>: Go to “Users” \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> “Your Profile” in the WordPress admin\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Find Two-Factor Options\u003C\u002Fstrong>: Scroll down to the “Two-Factor Options” section\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Choose your methods\u003C\u002Fstrong>: Enable one or more authentication providers (noting a site admin may have hidden one or more so what is available could vary):\n\u003Cul>\n\u003Cli>\u003Cstrong>Authenticator App (TOTP)\u003C\u002Fstrong> – Use apps like Google Authenticator, Authy, or 1Password\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Codes\u003C\u002Fstrong> – Receive one-time codes via email\u003C\u002Fli>\n\u003Cli>\u003Cstrong>FIDO U2F Security Keys\u003C\u002Fstrong> – Use physical security keys (requires HTTPS)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Backup Codes\u003C\u002Fstrong> – Generate one-time backup codes for emergencies\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Dummy Method\u003C\u002Fstrong> – For testing purposes only (requires WP_DEBUG)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configure each method\u003C\u002Fstrong>: Follow the setup instructions for each enabled provider\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Set primary method\u003C\u002Fstrong>: Choose which method to use as your default authentication\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Save changes\u003C\u002Fstrong>: Click “Update Profile” to save your settings\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>For Site Administrators\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>No global settings\u003C\u002Fstrong>: This plugin operates on a per-user basis only. For more, see \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWordPress\u002Ftwo-factor\u002Fissues\u002F249\" rel=\"nofollow ugc\">GH#249\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User management\u003C\u002Fstrong>: Administrators can configure 2FA for other users by editing their profiles\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security recommendations\u003C\u002Fstrong>: Encourage users to enable backup methods to prevent account lockouts\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Available Authentication Methods\u003C\u002Fh3>\n\u003Ch3>Authenticator App (TOTP) – Recommended\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: High – Time-based one-time passwords\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Scan QR code with authenticator app\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatibility\u003C\u002Fstrong>: Works with Google Authenticator, Authy, 1Password, and other TOTP apps\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Most users, provides excellent security with good usability\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Backup Codes – Recommended\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: Medium – One-time use codes\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Generate 10 backup codes for emergency access\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatibility\u003C\u002Fstrong>: Works everywhere, no special hardware needed\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Emergency access when other methods are unavailable\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Email Codes\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: Medium – One-time codes sent via email\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Automatic – uses your WordPress email address\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatibility\u003C\u002Fstrong>: Works with any email-capable device\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Users who prefer email-based authentication\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>FIDO U2F Security Keys\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: High – Hardware-based authentication\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Register physical security keys (USB, NFC, or Bluetooth)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Requirements\u003C\u002Fstrong>: HTTPS connection required, compatible browser needed\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Browser Support\u003C\u002Fstrong>: Chrome, Firefox, Edge (varies by key type)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Users with security keys who want maximum security\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Dummy Method\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: None – Always succeeds\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Only available when WP_DEBUG is enabled\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Purpose\u003C\u002Fstrong>: Testing and development only\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Developers testing the plugin\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Important Notes\u003C\u002Fh3>\n\u003Ch3>HTTPS Requirement\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>FIDO U2F Security Keys require an HTTPS connection to function\u003C\u002Fli>\n\u003Cli>Other methods work on both HTTP and HTTPS sites\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Browser Compatibility\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>FIDO U2F requires a compatible browser and may not work on all devices\u003C\u002Fli>\n\u003Cli>TOTP and email methods work on all devices and browsers\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Account Recovery\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Always enable backup codes to prevent being locked out of your account\u003C\u002Fli>\n\u003Cli>If you lose access to all authentication methods, contact your site administrator\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security Best Practices\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Use multiple authentication methods when possible\u003C\u002Fli>\n\u003Cli>Keep backup codes in a secure location\u003C\u002Fli>\n\u003Cli>Regularly review and update your authentication settings\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>For more information about two-factor authentication in WordPress, see the \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fadvanced-administration\u002Fsecurity\u002Fmfa\u002F\" rel=\"nofollow ugc\">WordPress Advanced Administration Security Guide\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>For more history, see \u003Ca href=\"https:\u002F\u002Fgeorgestephanis.wordpress.com\u002F2013\u002F08\u002F14\u002Ftwo-cents-on-two-factor\u002F\" rel=\"nofollow ugc\">this post\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Actions & Filters\u003C\u002Fh4>\n\u003Cp>Here is a list of action and filter hooks provided by the plugin:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>two_factor_providers\u003C\u002Fcode> filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP classnames of the two-factor providers.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_providers_for_user\u003C\u002Fcode> filter overrides the available two-factor providers for a specific user. Array values are instances of provider classes and the user object \u003Ccode>WP_User\u003C\u002Fcode> is available as the second argument.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_enabled_providers_for_user\u003C\u002Fcode> filter overrides the list of two-factor providers enabled for a user. First argument is an array of enabled provider classnames as values, the second argument is the user ID.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_user_authenticated\u003C\u002Fcode> action which receives the logged in \u003Ccode>WP_User\u003C\u002Fcode> object as the first argument for determining the logged in user right after the authentication workflow.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_user_api_login_enable\u003C\u002Fcode> filter restricts authentication for REST API and XML-RPC to application passwords only. Provides the user ID as the second argument.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_email_token_ttl\u003C\u002Fcode> filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the \u003Ccode>WP_User\u003C\u002Fcode> object being authenticated.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_email_token_length\u003C\u002Fcode> filter overrides the default 8 character count for email tokens.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_backup_code_length\u003C\u002Fcode> filter overrides the default 8 character count for backup codes. Provides the \u003Ccode>WP_User\u003C\u002Fcode> of the associated user as the second argument.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_rest_api_can_edit_user\u003C\u002Fcode> filter overrides whether a user’s Two-Factor settings can be edited via the REST API. First argument is the current \u003Ccode>$can_edit\u003C\u002Fcode> boolean, the second argument is the user ID.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_before_authentication_prompt\u003C\u002Fcode> action which receives the provider object and fires prior to the prompt shown on the authentication input form.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_after_authentication_prompt\u003C\u002Fcode> action which receives the provider object and fires after the prompt shown on the authentication input form.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_after_authentication_input\u003C\u002Fcode>action which receives the provider object and fires after the input shown on the authentication input form (if form contains no input, action fires immediately after \u003Ccode>two_factor_after_authentication_prompt\u003C\u002Fcode>).\u003C\u002Fli>\n\u003C\u002Ful>\n","Enable Two-Factor Authentication (2FA) using time-based one-time passwords (TOTP), Universal 2nd Factor (U2F), email, and backup verification codes.",1526344,199,"2026-02-17T13:21:00.000Z","6.8","7.2",[21,207,23,208,209],"authentication","security","totp","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftwo-factor\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftwo-factor.0.15.0.zip",100,{"slug":186,"name":214,"version":215,"author":216,"author_profile":217,"description":218,"short_description":219,"active_installs":220,"downloaded":221,"rating":222,"num_ratings":223,"last_updated":224,"tested_up_to":16,"requires_at_least":225,"requires_php":226,"tags":227,"homepage":230,"download_link":231,"security_score":232,"vuln_count":233,"unpatched_count":28,"last_vuln_date":234,"fetched_at":30},"Two Factor Authentication","1.16.0","David Anderson \u002F Team Updraft","https:\u002F\u002Fprofiles.wordpress.org\u002Fdavidanderson\u002F","\u003Cp>Secure WordPress login with this two factor authentication (TFA \u002F 2FA) plugin. Users for whom it is enabled will require a one-time code in order to log in. From the authors of \u003Ca href=\"https:\u002F\u002Fupdraftplus.com\u002F\" rel=\"nofollow ugc\">UpdraftPlus – WP’s #1 backup\u002Frestore plugin\u003C\u002Fa>, with over two million active installs.\u003C\u002Fp>\n\u003Cp>Are you completely new to TFA? \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftwo-factor-authentication\u002Ffaq\u002F\" rel=\"ugc\">If so, please see our FAQ\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Features (please see the “Screenshots” for more information):\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Supports standard TOTP + HOTP protocols (and so supports Google Authenticator, Authy, and many others).\u003C\u002Fli>\n\u003Cli>Displays graphical QR codes for easy scanning into apps on your phone\u002Ftablet\u003C\u002Fli>\n\u003Cli>TFA can be made available on a per-role basis (e.g. available for admins, but not for subscribers)\u003C\u002Fli>\n\u003Cli>TFA can be turned on or off by each user\u003C\u002Fli>\n\u003Cli>TFA can be required for specified user levels, after a defined time period (e.g. require all admins to have TFA, once their accounts are a week old) (\u003Ca href=\"https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Premium version\u003C\u002Fa>), including forcing them to immediately set up (by redirecting them to the page to do so)\u003C\u002Fli>\n\u003Cli>Supports front-end editing of settings, via [twofactor_user_settings] shortcode (i.e. users don’t need access to the WP dashboard). (The \u003Ca href=\"https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Premium version\u003C\u002Fa> allows custom designing of any layout you wish).\u003C\u002Fli>\n\u003Cli>Site owners can allow “trusted devices” on which TFA codes are only asked for a chosen number of days (instead of every login); e.g. 30 days (\u003Ca href=\"https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Premium version\u003C\u002Fa>)\u003C\u002Fli>\n\u003Cli>Encrypt the TFA-generating secret keys using an on-disk encryption key, so that an attacker would need to break into both your WordPress database \u003Cem>and\u003C\u002Fem> your files in order to break TFA codes (as well as breaking a user’s password in order to use them)\u003C\u002Fli>\n\u003Cli>Works together with \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftheme-my-login\u002F\" rel=\"ugc\">“Theme My Login”\u003C\u002Fa> (both forms and widgets)\u003C\u002Fli>\n\u003Cli>Includes support for the WooCommerce and Affiliates-WP login forms\u003C\u002Fli>\n\u003Cli>Includes support for Ultimate Membership Pro\u003C\u002Fli>\n\u003Cli>Includes support for CozmosLabs Profile Builder\u003C\u002Fli>\n\u003Cli>Includes support for Ultimate Member login forms (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for Elementor Pro login forms (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for bbPress login forms (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for Easy Digital Downloads login forms (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for RegistrationMagic login forms (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for login forms from the Gravity Forms User Registration add-on (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for login forms (shortcode forms only) from Paid Memberships Pro (Premium version)\u003C\u002Fli>\n\u003Cli>Includes support for any and every third-party login form (Premium version) without any further coding needed via appending your TFA code to the end of your password\u003C\u002Fli>\n\u003Cli>Does not mention or request second factor until the user has been identified as one with TFA enabled (i.e. nothing is shown to users who do not have it enabled)\u003C\u002Fli>\n\u003Cli>WP Multisite compatible (plugin should be network activated)\u003C\u002Fli>\n\u003Cli>Simplified user interface and code base for ease of use and performance\u003C\u002Fli>\n\u003Cli>Added a number of extra security checks to the original forked code\u003C\u002Fli>\n\u003Cli>Alert users if someone appears to have found out their password, as indicated by successfully entering a password but repeatedly entering an incorrect TFA code.\u003C\u002Fli>\n\u003Cli>Emergency codes for when you lose your phone\u002Ftablet (\u003Ca href=\"https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Premium version\u003C\u002Fa>)\u003C\u002Fli>\n\u003Cli>When using the front-end shortcode (\u003Ca href=\"https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Premium version\u003C\u002Fa>), require the user to enter the current TFA code correctly to be able to activate TFA \u003C\u002Fli>\n\u003Cli>Works together with \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-members\u002F\" rel=\"ugc\">“WP Members”\u003C\u002Fa> (shortcode form)\u003C\u002Fli>\n\u003Cli>Administrators can access other users’ codes, and turn them on\u002Foff when needed (\u003Ca href=\"https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Premium version\u003C\u002Fa>)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Why use TFA \u002F 2FA ?\u003C\u002Fh4>\n\u003Cp>Read this! \u003Ca href=\"https:\u002F\u002Fwww.wired.com\u002F2012\u002F08\u002Fapple-amazon-mat-honan-hacking\u002F\" rel=\"nofollow ugc\">https:\u002F\u002Fwww.wired.com\u002F2012\u002F08\u002Fapple-amazon-mat-honan-hacking\u002F\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch4>How Does TFA \u002F 2FA Work?\u003C\u002Fh4>\n\u003Cp>This plugin uses the industry standard TFA \u002F 2FA algorithm \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FTime-based_One-time_Password_Algorithm\" rel=\"nofollow ugc\">TOTP\u003C\u002Fa> or \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FHMAC-based_One-time_Password_Algorithm\" rel=\"nofollow ugc\">HOTP\u003C\u002Fa> for creating One Time Passwords. These are used by Google Authenticator, Authy, and many other OTP applications that you can deploy on your phone etc.\u003C\u002Fp>\n\u003Cp>A TOTP code is valid for a certain time. Whatever program you use (i.e. Google Authenticator, etc.) will show a different code every so often.\u003C\u002Fp>\n\u003Ch4>Plugin Notes\u003C\u002Fh4>\n\u003Cp>This plugin began life in early 2015 as a friendly fork and enhancement of \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftwo-factor-auth\u002F\" rel=\"ugc\">Oscar Hane’s “two factor auth” plugin\u003C\u002Fa>.\u003C\u002Fp>\n","Secure WordPress login with Two Factor Authentication - supports WP, Woo + other login forms, HOTP, TOTP (Google Authenticator, Authy, etc.)",20000,879343,88,77,"2025-12-09T10:56:00.000Z","3.4","5.6",[21,22,228,194,229],"tfa","two-factor-auth","https:\u002F\u002Fwww.simbahosting.co.uk\u002Fs3\u002Fproduct\u002Ftwo-factor-authentication\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftwo-factor-authentication.1.16.0.zip",99,2,"2018-12-18 00:00:00",{"slug":236,"name":237,"version":238,"author":239,"author_profile":240,"description":241,"short_description":242,"active_installs":243,"downloaded":244,"rating":245,"num_ratings":222,"last_updated":246,"tested_up_to":16,"requires_at_least":247,"requires_php":248,"tags":249,"homepage":251,"download_link":252,"security_score":212,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"rublon","Rublon Multi-Factor Authentication (MFA)","4.4.5","Rublon","https:\u002F\u002Fprofiles.wordpress.org\u002Frublon\u002F","\u003Cp>Rublon MFA is a multi-factor authentication (MFA) solution that protects your organization’s data and access to networks, servers, and applications. Rublon MFA provides MFA for cloud apps, VPNs, servers, and Microsoft technologies using authentication methods like \u003Ca href=\"https:\u002F\u002Frublon.com\u002Fproduct\u002Fmobile-push\u002F\" rel=\"nofollow ugc\">Mobile Push\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Frublon.com\u002Fproduct\u002Fsms-passcodes\u002F\" rel=\"nofollow ugc\">SMS Passcode\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Frublon.com\u002Fproduct\u002Fqr-codes\u002F\" rel=\"nofollow ugc\">QR Code\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Frublon.com\u002Fproduct\u002Fsecurity-keys\u002F\" rel=\"nofollow ugc\">WebAuthn\u002FU2F Security Keys\u003C\u002Fa>, and more.\u003C\u002Fp>\n\u003Cp>Rublon MFA is easy to use, affordable, and scalable. It helps reduce compliance risk, improve user experience, and reduce costs. Rublon MFA is compatible with a variety of technologies, including but not limited to \u003Ca href=\"https:\u002F\u002Frublon.com\u002Fdocs\u002F#vpn\" rel=\"nofollow ugc\">VPN\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Frublon.com\u002Fdoc\u002Frds\u002F\" rel=\"nofollow ugc\">Remote Desktop Services (RDS)\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Frublon.com\u002Fdoc\u002Fowa\u002F\" rel=\"nofollow ugc\">Outlook Web App (OWA)\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Frublon.com\u002Fproduct\u002Fldap-mfa\u002F\" rel=\"nofollow ugc\">LDAP\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Frublon.com\u002Fproduct\u002Fradius-mfa\u002F\" rel=\"nofollow ugc\">RADIUS\u003C\u002Fa>, and \u003Ca href=\"https:\u002F\u002Frublon.com\u002Fdoc\u002Fwordpress\u002F\" rel=\"nofollow ugc\">WordPress\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Start your \u003Ca href=\"https:\u002F\u002Fadmin.rublon.net\u002Fauth\u002Fregister\" rel=\"nofollow ugc\">Free 30-Day Trial\u003C\u002Fa> and see how easy it is to get started with Rublon MFA.\u003C\u002Fh3>\n\u003Ch3>To learn more, visit \u003Ca href=\"https:\u002F\u002Frublon.com\u002F\" rel=\"nofollow ugc\">www.rublon.com\u003C\u002Fa>.\u003C\u002Fh3>\n\u003Cblockquote>\n\u003Ch4>Recommended by Security Experts and Industry Professionals\u003C\u002Fh4>\n\u003Cp>\u003Cem>“The fact that I could speak instantly with tech support while evaluating was super important. Connecting with Rublon technicians via remote sessions was SUPER handy to assist with setting things up.” — \u003Cstrong>Chris D., Manager of GIS\u002FIT\u003C\u002Fstrong>\u003C\u002Fem> \u003C\u002Fp>\n\u003Cp>  \u003Cem>“We were able to get Rublon MFA installed, tested, and in use in under a day across all offices.” — \u003Cstrong>Ethan M. Hospital & Health Care\u003C\u002Fstrong>\u003C\u002Fem> \u003C\u002Fp>\n\u003Cp>  \u003Cem>“Product was absolutely superb for integrating MFA into our RDS solution very easy to use and the moblie app was brilliant for our end users.” — \u003Cstrong>Scott L., IT Network Manager\u003C\u002Fstrong>\u003C\u002Fem> \u003C\u002Fp>\n\u003Cp>  \u003Cem>“we tested a trial version, it was very easy to set up. we got the pricing immediately. other suppliers did not even replied to my email yet and i already implemented Rublon” — \u003Cstrong>Mihail B., Logistics Manager\u003C\u002Fstrong>\u003C\u002Fem> \u003C\u002Fp>\n\u003Cp>  \u003Cem>“I searched for a tool for a very specific security need and Rublon filled that need perfectly. Not only does it work every single time as expected, the support and setup are amazing! Highly recommended.” — \u003Cstrong>Charles D., Financial Services\u003C\u002Fstrong>\u003C\u002Fem> \u003C\u002Fp>\n\u003Cp>  \u003Ca href=\"https:\u002F\u002Frublon.com\u002Fcustomers\u002F\" rel=\"nofollow ugc\">Read More\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch4>In What Languages Is Rublon For WordPress Available?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>English\u003C\u002Fli>\n\u003Cli>German\u003C\u002Fli>\n\u003Cli>Japanese (translated by \u003Ca href=\"https:\u002F\u002Fen.digitalcube.jp\" rel=\"nofollow ugc\">Digital Cube\u003C\u002Fa>)\u003C\u002Fli>\n\u003Cli>Turkish (translated by Mehmet Emre Baş, proofread by Tarık Çayır)\u003C\u002Fli>\n\u003Cli>Polish\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cblockquote>\n\u003Ch4>Follow Us\u003C\u002Fh4>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.facebook.com\u002FRublonApp\" rel=\"nofollow ugc\">Facebook\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwww.linkedin.com\u002Fcompany\u002F2772205\" rel=\"nofollow ugc\">LinkedIn\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Ftwitter.com\u002Frublon\" rel=\"nofollow ugc\">Twitter\u003C\u002Fa>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch3>Legal notice\u003C\u002Fh3>\n\u003Cp>I have read and agree to the \u003Ca href=\"https:\u002F\u002Flegal.rublon.com\u002Ftos\" rel=\"nofollow ugc\">Terms of Service\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Flegal.rublon.com\u002Fprivacy\" rel=\"nofollow ugc\">Privacy Policy\u003C\u002Fa> before installing the Rublon WordPress Plugin.\u003C\u002Fp>\n","Instant account security with effortless multi-factor authentication via Mobile Push, Mobile Passcode (TOTP), WebAuthn\u002FU2F Security Keys, and more.",500,116338,84,"2025-12-04T13:45:00.000Z","5.0","5.5.1",[21,23,250,208,186],"multi-factor-authentication","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Frublon\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frublon.4.4.5.zip",{"slug":254,"name":255,"version":256,"author":257,"author_profile":258,"description":259,"short_description":260,"active_installs":27,"downloaded":261,"rating":28,"num_ratings":28,"last_updated":262,"tested_up_to":263,"requires_at_least":264,"requires_php":226,"tags":265,"homepage":266,"download_link":267,"security_score":268,"vuln_count":28,"unpatched_count":28,"last_vuln_date":37,"fetched_at":30},"absolute-2fa-for-woocommerce","Absolute 2fa For Woocommerce","1.0.1","AbsolutePlugins","https:\u002F\u002Fprofiles.wordpress.org\u002Fabsoluteplugins\u002F","\u003Cp>Absolute 2fa For WooCommerce plugin seamlessly integrates into your WooCommerce login page implementing a two-factor authentication process! This will help you to prevent brute force attack for your WooCommerce shop. The plugin will provide you a straightforward usages experience as there in no configuration required.\u003C\u002Fp>\n","A Two Factor Authentication addon that will add 2fa settings page under WooCommerce's My Account Page.",1351,"2022-02-17T06:15:00.000Z","5.9.13","4.5",[21,22,228,194,229],"https:\u002F\u002Fabsoluteplugins.com\u002Fwordpress-plugins\u002Fabsp-2fa-for-woocommerce\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fabsolute-2fa-for-woocommerce.1.0.1.zip",85,{"attackSurface":270,"codeSignals":570,"taintFlows":849,"riskAssessment":992,"analyzedAt":1011},{"hooks":271,"ajaxHandlers":517,"restRoutes":555,"shortcodes":564,"cronEvents":568,"entryPointCount":569,"unprotectedCount":314},[272,278,282,286,290,294,297,301,304,307,311,316,320,323,327,330,334,337,339,341,344,348,351,356,360,363,366,369,374,378,382,386,389,392,396,400,404,407,411,416,418,422,425,428,431,435,439,443,445,450,453,457,461,465,468,471,474,477,480,482,485,488,491,495,497,499,502,505,507,509,511,513],{"type":273,"name":274,"callback":275,"file":276,"line":277},"action","admin_init","mo_login_security_ajax","controllers\\class-wpns-ajax.php",27,{"type":273,"name":279,"callback":280,"file":276,"line":281},"init","mo2fa_elementor_ajax_fun",28,{"type":273,"name":274,"callback":283,"file":284,"line":285},"mo_2f_two_factor","controllers\\twofa\\class-mo-2f-ajax.php",46,{"type":273,"name":274,"callback":287,"file":288,"line":289},"mo_wpns_2fa_actions","handler\\class-ajaxhandler.php",35,{"type":273,"name":274,"callback":291,"file":292,"line":293},"mo_wpns_feedback_actions","handler\\class-feedbackhandler.php",34,{"type":273,"name":274,"callback":295,"priority":27,"file":296,"line":281},"mo2f_handle_migration","handler\\class-handle-migration.php",{"type":273,"name":279,"callback":298,"file":299,"line":300},"mo_wpns_init","handler\\class-loginhandler.php",33,{"type":273,"name":302,"callback":303,"file":299,"line":289},"rest_api_init","mo_block_rest_api",{"type":273,"name":305,"callback":306,"file":299,"line":165},"wp_login","mo_wpns_login_success",{"type":273,"name":308,"callback":309,"file":299,"line":310},"wp_login_failed","mo_wpns_login_failed",39,{"type":273,"name":312,"callback":313,"priority":314,"file":299,"line":315},"woocommerce_register_post","wooc_validate_user_captcha_register",1,42,{"type":273,"name":317,"callback":318,"priority":27,"file":299,"line":319},"show_user_profile","twofa_on_user_profile",64,{"type":273,"name":321,"callback":318,"priority":27,"file":299,"line":322},"edit_user_profile",65,{"type":273,"name":324,"callback":325,"priority":27,"file":299,"line":326},"personal_options_update","user_two_factor_options_update",66,{"type":273,"name":328,"callback":325,"priority":27,"file":299,"line":329},"edit_user_profile_update",67,{"type":273,"name":274,"callback":331,"file":332,"line":333},"mo2f_twofa_admin_settings","handler\\class-mo2f-2fa-settings-handler.php",41,{"type":273,"name":274,"callback":283,"file":335,"line":336},"handler\\class-mo2f-advance-settings-handler.php",30,{"type":273,"name":274,"callback":283,"file":338,"line":293},"handler\\class-mo2f-ip-blocking-handler.php",{"type":273,"name":274,"callback":340,"file":338,"line":289},"mo2f_handle_advanced_blocking",{"type":273,"name":342,"callback":342,"file":343,"line":336},"log_403","handler\\class-mo2f-logger.php",{"type":273,"name":345,"callback":346,"file":343,"line":347},"template_redirect","log_404",31,{"type":273,"name":279,"callback":349,"file":350,"line":322},"miniorange_pass2login_redirect","handler\\class-mo2f-main-handler.php",{"type":352,"name":353,"callback":354,"file":350,"line":355},"filter","login_errors","mo2f_show_error_on_wp_login_form",68,{"type":352,"name":357,"callback":358,"file":350,"line":359},"login_message","mo2f_show_on_wp_login_form",69,{"type":273,"name":302,"callback":361,"file":362,"line":289},"mo2f_add_custom_users_api","handler\\class-mo2f-reconfigure-link.php",{"type":352,"name":357,"callback":364,"file":362,"line":365},"mo2f_reconfiguration_success_message",36,{"type":273,"name":274,"callback":367,"file":368,"line":300},"mo2f_whitelabeling_action","handler\\class-mo2f-whitelabelling.php",{"type":352,"name":370,"callback":371,"priority":27,"file":372,"line":373},"registration_errors","mo_wpns_registration_validations","handler\\class-registrationhandler.php",24,{"type":273,"name":375,"callback":376,"file":372,"line":377},"register_form","mo2f_wp_verification",26,{"type":273,"name":274,"callback":379,"file":380,"line":381},"mo2f_auth_save_settings","handler\\twofa\\class-miniorange-authentication.php",70,{"type":273,"name":383,"callback":384,"file":380,"line":385},"plugins_loaded","mo2f_update_db_check",71,{"type":273,"name":387,"callback":388,"priority":27,"file":380,"line":169},"login_form","mo_2_factor_pass2login_show_wp_login_form",{"type":352,"name":390,"callback":391,"priority":27,"file":380,"line":223},"mo2f_shortcode_rba_gauth","mo2f_validate_google_auth",{"type":352,"name":393,"callback":394,"priority":27,"file":380,"line":395},"mo2f_shortcode_kba","mo2f_register_kba_details",78,{"type":352,"name":397,"callback":398,"priority":27,"file":380,"line":399},"mo2f_update_info","mo2f_update_user_info",79,{"type":273,"name":401,"callback":402,"priority":27,"file":380,"line":403},"mo2f_shortcode_form_fields","miniorange_pass2login_form_fields",80,{"type":273,"name":405,"callback":406,"file":380,"line":13},"delete_user","mo2f_delete_user",{"type":352,"name":408,"callback":409,"priority":27,"file":380,"line":410},"mo2f_gauth_service","mo2f_google_auth_service",92,{"type":352,"name":412,"callback":413,"priority":414,"file":380,"line":415},"authenticate","mo2f_check_username_password",99999,97,{"type":273,"name":387,"callback":388,"priority":27,"file":380,"line":417},98,{"type":273,"name":419,"callback":420,"file":380,"line":421},"login_enqueue_scripts","mo_2_factor_enable_jquery_default_login",107,{"type":273,"name":423,"callback":388,"file":380,"line":424},"woocommerce_login_form",116,{"type":273,"name":426,"callback":420,"file":380,"line":427},"wp_enqueue_scripts",124,{"type":273,"name":429,"callback":413,"priority":314,"file":380,"line":430},"miniorange_pre_authenticate_user_login",133,{"type":273,"name":432,"callback":433,"priority":314,"file":380,"line":434},"miniorange_post_authenticate_user_login","miniorange_initiate_2nd_factor",142,{"type":273,"name":436,"callback":437,"priority":314,"file":380,"line":438},"miniorange_collect_attributes_for_authenticated_user","mo2f_collect_device_attributes_for_authenticated_user",151,{"type":273,"name":440,"callback":441,"priority":314,"file":442,"line":365},"woocommerce_created_customer","wc_post_registration","handler\\twofa\\class-mo2fcustomregformshortcode.php",{"type":273,"name":274,"callback":444,"file":442,"line":165},"mo_enqueue_shortcode",{"type":273,"name":446,"callback":447,"file":448,"line":449},"admin_notices","mo2f_display_test_2fa_notification","helper\\class-mo2f-common-helper.php",45,{"type":273,"name":446,"callback":451,"file":452,"line":277},"mo2f_show_message_strip","helper\\class-mowpnsmessages.php",{"type":352,"name":454,"callback":455,"priority":27,"file":452,"line":456},"gettext","maybe_translate_key",29,{"type":273,"name":458,"callback":459,"file":460,"line":385},"admin_menu","mo_wpns_widget_menu","miniorange_2_factor_settings.php",{"type":273,"name":462,"callback":463,"file":460,"line":464},"admin_enqueue_scripts","mo_wpns_settings_style",72,{"type":273,"name":462,"callback":466,"file":460,"line":467},"mo_wpns_settings_script",73,{"type":273,"name":274,"callback":469,"file":460,"line":470},"miniorange_reset_save_settings",74,{"type":273,"name":274,"callback":472,"file":460,"line":473},"mo2f_mail_send",75,{"type":352,"name":475,"callback":476,"file":460,"line":169},"manage_users_columns","mo2f_mapped_email_column",{"type":273,"name":478,"callback":479,"priority":27,"file":460,"line":223},"manage_users_custom_column","mo2f_mapped_email_column_content",{"type":273,"name":446,"callback":481,"file":460,"line":395},"mo2f_notices",{"type":352,"name":483,"callback":484,"priority":27,"file":460,"line":399},"user_row_actions","miniorange_reset_users",{"type":273,"name":486,"callback":487,"file":460,"line":403},"admin_footer","feedback_request",{"type":273,"name":279,"callback":489,"file":460,"line":490},"mo2fa_maybe_load_textdomain",81,{"type":273,"name":492,"callback":493,"file":460,"line":494},"wp_dashboard_setup","my_custom_dashboard_widgets",86,{"type":273,"name":383,"callback":496,"priority":314,"file":460,"line":222},"mo2f_add_wizard_actions",{"type":273,"name":274,"callback":376,"file":460,"line":498},91,{"type":273,"name":500,"callback":501,"file":460,"line":410},"elementor\u002Finit","mo2fa_login_elementor_note",{"type":273,"name":503,"callback":504,"priority":27,"file":460,"line":181},"user_profile_update_errors","mo2f_user_profile_errors",{"type":273,"name":274,"callback":506,"file":460,"line":190},"mo2f_migrate_whitelisted_ips_table",{"type":273,"name":274,"callback":508,"file":460,"line":167},"mo2f_migrate_network_blocked_ips_table",{"type":273,"name":274,"callback":510,"file":460,"line":415},"mo2f_migrate_user_details",{"type":273,"name":274,"callback":512,"file":460,"line":417},"mo2f_drop_wpns_attack_logs_and_network_email_sent_audit",{"type":273,"name":274,"callback":514,"priority":515,"file":460,"line":516},"mo2f_setup_page",11,208,[518,522,524,526,529,531,533,536,537,539,542,543,544,546,548,550,553],{"action":519,"nopriv":520,"callback":519,"hasNonce":521,"hasCapCheck":521,"file":276,"line":165},"wpns_login_security",false,true,{"action":523,"nopriv":520,"callback":523,"hasNonce":521,"hasCapCheck":520,"file":276,"line":310},"mo2f_ajax",{"action":523,"nopriv":521,"callback":523,"hasNonce":521,"hasCapCheck":520,"file":276,"line":525},40,{"action":527,"nopriv":520,"callback":527,"hasNonce":521,"hasCapCheck":521,"file":284,"line":528},"mo_two_factor_ajax",54,{"action":527,"nopriv":521,"callback":527,"hasNonce":521,"hasCapCheck":521,"file":284,"line":530},55,{"action":532,"nopriv":520,"callback":532,"hasNonce":521,"hasCapCheck":521,"file":332,"line":525},"mo2f_login_settings_ajax",{"action":527,"nopriv":520,"callback":527,"hasNonce":521,"hasCapCheck":521,"file":534,"line":535},"handler\\class-mo2f-admin-action-handler.php",37,{"action":527,"nopriv":521,"callback":527,"hasNonce":521,"hasCapCheck":521,"file":534,"line":165},{"action":538,"nopriv":520,"callback":538,"hasNonce":521,"hasCapCheck":521,"file":335,"line":165},"mo2f_advance_settings_ajax",{"action":540,"nopriv":520,"callback":540,"hasNonce":521,"hasCapCheck":521,"file":338,"line":541},"mo2f_ip_black_list_ajax",43,{"action":527,"nopriv":520,"callback":527,"hasNonce":521,"hasCapCheck":520,"file":350,"line":326},{"action":527,"nopriv":521,"callback":527,"hasNonce":521,"hasCapCheck":520,"file":350,"line":329},{"action":545,"nopriv":520,"callback":545,"hasNonce":521,"hasCapCheck":521,"file":368,"line":293},"mo2f_white_labelling_ajax",{"action":547,"nopriv":520,"callback":547,"hasNonce":521,"hasCapCheck":520,"file":442,"line":285},"mo_shortcode",{"action":547,"nopriv":521,"callback":547,"hasNonce":521,"hasCapCheck":520,"file":442,"line":549},47,{"action":551,"nopriv":520,"callback":551,"hasNonce":521,"hasCapCheck":520,"file":442,"line":552},"mo_ajax_register",48,{"action":551,"nopriv":521,"callback":551,"hasNonce":521,"hasCapCheck":520,"file":442,"line":554},49,[556],{"namespace":557,"route":558,"methods":559,"callback":561,"permissionCallback":562,"file":362,"line":563},"miniorange\u002Fmo_2fa_two_fa","\u002Fresetuser2fa=(?P\u003Cresetuser2fa>[A-Za-z0-9=+\u002F]+)\u002Fmessage=(?P\u003Cmessage>[A-Za-z]+)",[560],"GET","mo2f_allow_users_2fa_reconfiguration","__return_true",160,[565],{"tag":566,"callback":376,"file":460,"line":567},"mo2f_enable_register",93,[],19,{"dangerousFunctions":571,"sqlUsage":688,"outputEscaping":730,"fileOperations":840,"externalRequests":841,"nonceChecks":470,"capabilityChecks":165,"bundledLibraries":842},[572,576,578,580,583,586,589,592,595,598,600,602,605,608,611,613,615,617,620,623,626,629,631,634,637,639,641,644,646,648,651,654,657,659,661,663,665,668,671,673,675,678,680,682,684,686],{"fn":573,"file":574,"line":410,"context":575},"assert","handler\\twofa\\two-fa-duo-handler.php","assert( is_string( $username ) || is_null( $username ) );",{"fn":573,"file":574,"line":567,"context":577},"assert( is_int( $valid_secs ) || is_null( $valid_secs ) );",{"fn":573,"file":574,"line":47,"context":579},"assert( is_string( $user_id ) );",{"fn":573,"file":574,"line":581,"context":582},120,"assert( is_string( $activation_code ) );",{"fn":573,"file":574,"line":584,"context":585},153,"assert( is_string( $ipaddr ) || is_null( $ipaddr ) );",{"fn":573,"file":574,"line":587,"context":588},154,"assert( is_string( $trusted_device_token ) || is_null( $trusted_device_token ) );",{"fn":573,"file":574,"line":590,"context":591},201,"assert( is_string( $user_identifier ) );",{"fn":573,"file":574,"line":593,"context":594},202,"assert(",{"fn":573,"file":574,"line":596,"context":597},206,"assert( is_array( $factor_params ) );",{"fn":573,"file":574,"line":599,"context":585},207,{"fn":573,"file":574,"line":516,"context":601},"assert( is_bool( $async ) );",{"fn":573,"file":574,"line":603,"context":604},209,"assert( is_bool( $username ) );",{"fn":573,"file":574,"line":606,"context":607},230,"assert( array_key_exists( 'device', $factor_params ) && is_string( $factor_params['device'] ) );",{"fn":573,"file":574,"line":609,"context":610},243,"assert( array_key_exists( 'passcode', $factor_params ) && is_string( $factor_params['passcode'] ) );",{"fn":573,"file":574,"line":612,"context":607},246,{"fn":573,"file":574,"line":614,"context":607},249,{"fn":573,"file":574,"line":616,"context":607},252,{"fn":573,"file":574,"line":618,"context":619},307,"assert( is_string( $url ) );",{"fn":573,"file":574,"line":621,"context":622},308,"assert( is_string( $method ) );",{"fn":573,"file":574,"line":624,"context":625},309,"assert( is_array( $headers ) );",{"fn":573,"file":574,"line":627,"context":628},310,"assert( is_string( $body ) || is_null( $body ) );",{"fn":573,"file":574,"line":630,"context":622},378,{"fn":573,"file":574,"line":632,"context":633},379,"assert( is_string( $path ) );",{"fn":573,"file":574,"line":635,"context":636},380,"assert( is_array( $params ) );",{"fn":573,"file":574,"line":638,"context":636},394,{"fn":573,"file":574,"line":640,"context":622},417,{"fn":573,"file":574,"line":642,"context":643},418,"assert( is_string( $host ) );",{"fn":573,"file":574,"line":645,"context":633},419,{"fn":573,"file":574,"line":647,"context":636},420,{"fn":573,"file":574,"line":649,"context":650},421,"assert( is_string( $now ) );",{"fn":573,"file":574,"line":652,"context":653},438,"assert( is_string( $msg ) );",{"fn":573,"file":574,"line":655,"context":656},439,"assert( is_string( $key ) );",{"fn":573,"file":574,"line":658,"context":622},456,{"fn":573,"file":574,"line":660,"context":643},457,{"fn":573,"file":574,"line":662,"context":633},458,{"fn":573,"file":574,"line":664,"context":636},459,{"fn":573,"file":574,"line":666,"context":667},460,"assert( is_string( $skey ) );",{"fn":573,"file":574,"line":669,"context":670},461,"assert( is_string( $ikey ) );",{"fn":573,"file":574,"line":672,"context":650},462,{"fn":573,"file":574,"line":674,"context":622},484,{"fn":573,"file":574,"line":676,"context":677},485,"assert( is_string( $uri ) );",{"fn":573,"file":574,"line":679,"context":628},486,{"fn":573,"file":574,"line":681,"context":625},487,{"fn":573,"file":574,"line":683,"context":622},514,{"fn":573,"file":574,"line":685,"context":633},515,{"fn":573,"file":574,"line":687,"context":636},516,{"prepared":530,"raw":569,"locations":689},[690,694,697,700,703,705,707,709,711,713,715,717,718,720,721,723,725,727,728],{"file":691,"line":692,"context":693},"database\\class-mo2fdb.php",519,"$wpdb->get_results() with variable interpolation",{"file":691,"line":695,"context":696},556,"$wpdb->query() with variable interpolation",{"file":698,"line":699,"context":696},"database\\class-mowpnsdb.php",126,{"file":701,"line":702,"context":696},"uninstall.php",108,{"file":701,"line":704,"context":696},109,{"file":701,"line":706,"context":696},110,{"file":701,"line":708,"context":696},111,{"file":701,"line":710,"context":696},112,{"file":701,"line":712,"context":696},113,{"file":701,"line":714,"context":696},114,{"file":701,"line":716,"context":696},115,{"file":701,"line":424,"context":696},{"file":701,"line":719,"context":696},117,{"file":701,"line":581,"context":696},{"file":701,"line":722,"context":696},121,{"file":701,"line":724,"context":696},122,{"file":701,"line":726,"context":696},123,{"file":701,"line":427,"context":696},{"file":701,"line":729,"context":696},125,{"escaped":731,"rawEcho":530,"locations":732},1249,[733,737,739,742,743,744,746,748,750,752,753,755,757,759,760,762,764,767,770,772,775,777,779,780,781,783,785,787,789,791,792,794,796,798,800,802,804,807,810,812,813,814,816,817,819,822,825,826,828,830,832,834,835,838,839],{"file":734,"line":735,"context":736},"controllers\\two-factor-page.php",53,"raw output",{"file":534,"line":738,"context":736},295,{"file":740,"line":741,"context":736},"handler\\class-mo2f-backup-codes.php",128,{"file":740,"line":584,"context":736},{"file":362,"line":181,"context":736},{"file":745,"line":473,"context":736},"handler\\twofamethods\\class-mo2f-email-handler.php",{"file":747,"line":190,"context":736},"handler\\twofamethods\\class-mo2f-googleauthenticator-handler.php",{"file":749,"line":395,"context":736},"handler\\twofamethods\\class-mo2f-kba-handler.php",{"file":751,"line":268,"context":736},"handler\\twofamethods\\class-mo2f-outofbandemail-handler.php",{"file":751,"line":618,"context":736},{"file":754,"line":464,"context":736},"handler\\twofamethods\\class-mo2f-sms-handler.php",{"file":756,"line":473,"context":736},"handler\\twofamethods\\class-mo2f-telegram-handler.php",{"file":758,"line":735,"context":736},"helper\\class-miniorange-security-notification.php",{"file":758,"line":326,"context":736},{"file":448,"line":761,"context":736},2240,{"file":448,"line":763,"context":736},2268,{"file":765,"line":766,"context":736},"helper\\class-mo2f-login-popup.php",947,{"file":768,"line":769,"context":736},"views\\2faconfigurations\\advancedfeatures\\passwordlesslogin.php",17,{"file":771,"line":569,"context":736},"views\\2faconfigurations\\advancedfeatures\\rememberdevice.php",{"file":773,"line":774,"context":736},"views\\2faconfigurations\\advancedfeatures\\rememberip.php",18,{"file":776,"line":569,"context":736},"views\\2faconfigurations\\advancedfeatures\\sessionmanagement.php",{"file":778,"line":410,"context":736},"views\\2faconfigurations\\formintegration.php",{"file":778,"line":415,"context":736},{"file":778,"line":584,"context":736},{"file":778,"line":782,"context":736},155,{"file":778,"line":784,"context":736},235,{"file":786,"line":569,"context":736},"views\\2faconfigurations\\quicksetup\\pageprotectionaddon.php",{"file":788,"line":223,"context":736},"views\\2faconfigurations\\quicksetup\\quicksetup.php",{"file":788,"line":790,"context":736},104,{"file":788,"line":581,"context":736},{"file":788,"line":793,"context":736},130,{"file":788,"line":795,"context":736},149,{"file":788,"line":797,"context":736},171,{"file":788,"line":799,"context":736},181,{"file":788,"line":801,"context":736},222,{"file":803,"line":281,"context":736},"views\\2faconfigurations\\settings.php",{"file":805,"line":806,"context":736},"views\\feedback-form.php",101,{"file":808,"line":809,"context":736},"views\\ipblocking\\advancedblocking.php",14,{"file":811,"line":403,"context":736},"views\\main-menu.php",{"file":811,"line":494,"context":736},{"file":811,"line":222,"context":736},{"file":815,"line":809,"context":736},"views\\mo2fawhatsapp.php",{"file":815,"line":569,"context":736},{"file":818,"line":515,"context":736},"views\\myaccount\\account.php",{"file":820,"line":821,"context":736},"views\\myaccount\\login.php",13,{"file":823,"line":824,"context":736},"views\\myaccount\\verify.php",12,{"file":823,"line":281,"context":736},{"file":827,"line":223,"context":736},"views\\navbar.php",{"file":829,"line":774,"context":736},"views\\reports\\remembereddevices.php",{"file":831,"line":809,"context":736},"views\\troubleshooting.php",{"file":833,"line":293,"context":736},"views\\whitelabelling\\2facustomizations.php",{"file":833,"line":285,"context":736},{"file":836,"line":837,"context":736},"views\\whitelabelling\\loginpopup.php",20,{"file":836,"line":329,"context":736},{"file":836,"line":710,"context":736},3,5,[843,846],{"name":844,"version":37,"knownCves":845},"DataTables",[],{"name":847,"version":37,"knownCves":848},"Select2",[],[850,866,880,890,902,914,931,943,951,962,970,980],{"entryPoint":851,"graph":852,"unsanitizedCount":28,"severity":865},"\u003Ctwo-factor-page> (controllers\\two-factor-page.php:0)",{"nodes":853,"edges":863},[854,858],{"id":855,"type":856,"label":857,"file":734,"line":837},"n0","source","$_GET (x2)",{"id":859,"type":860,"label":861,"file":734,"line":347,"wp_function":862},"n1","sink","echo() [XSS]","echo",[864],{"from":855,"to":859,"sanitized":521},"low",{"entryPoint":867,"graph":868,"unsanitizedCount":314,"severity":865},"mo_two_factor_ajax (handler\\class-mo2f-admin-action-handler.php:46)",{"nodes":869,"edges":877},[870,872,875],{"id":855,"type":856,"label":871,"file":534,"line":329},"$_POST",{"id":859,"type":873,"label":874,"file":534,"line":329},"transform","→ mo2f_show_confirmation_popup()",{"id":876,"type":860,"label":861,"file":534,"line":738,"wp_function":862},"n2",[878,879],{"from":855,"to":859,"sanitized":520},{"from":859,"to":876,"sanitized":520},{"entryPoint":881,"graph":882,"unsanitizedCount":314,"severity":865},"\u003Cclass-mo2f-admin-action-handler> (handler\\class-mo2f-admin-action-handler.php:0)",{"nodes":883,"edges":887},[884,885,886],{"id":855,"type":856,"label":871,"file":534,"line":329},{"id":859,"type":873,"label":874,"file":534,"line":329},{"id":876,"type":860,"label":861,"file":534,"line":738,"wp_function":862},[888,889],{"from":855,"to":859,"sanitized":520},{"from":859,"to":876,"sanitized":520},{"entryPoint":891,"graph":892,"unsanitizedCount":28,"severity":865},"\u003Cclass-mo2f-main-handler> (handler\\class-mo2f-main-handler.php:0)",{"nodes":893,"edges":900},[894,896],{"id":855,"type":856,"label":871,"file":350,"line":895},619,{"id":859,"type":860,"label":897,"file":350,"line":898,"wp_function":899},"call_user_func() [RCE]",783,"call_user_func",[901],{"from":855,"to":859,"sanitized":521},{"entryPoint":903,"graph":904,"unsanitizedCount":314,"severity":865},"mo2fa_register_customer (handler\\mo2f-register-verify-user.php:50)",{"nodes":905,"edges":912},[906,909],{"id":855,"type":856,"label":907,"file":908,"line":528},"$_SERVER","handler\\mo2f-register-verify-user.php",{"id":859,"type":860,"label":910,"file":908,"line":470,"wp_function":911},"update_option() [Settings Manipulation]","update_option",[913],{"from":855,"to":859,"sanitized":520},{"entryPoint":915,"graph":916,"unsanitizedCount":314,"severity":865},"\u003Cmo2f-register-verify-user> (handler\\mo2f-register-verify-user.php:0)",{"nodes":917,"edges":927},[918,919,920,922,925],{"id":855,"type":856,"label":907,"file":908,"line":528},{"id":859,"type":860,"label":910,"file":908,"line":470,"wp_function":911},{"id":876,"type":856,"label":871,"file":908,"line":921},25,{"id":923,"type":873,"label":924,"file":908,"line":921},"n3","→ mo2fa_register_customer()",{"id":926,"type":860,"label":910,"file":908,"line":245,"wp_function":911},"n4",[928,929,930],{"from":855,"to":859,"sanitized":521},{"from":876,"to":923,"sanitized":520},{"from":923,"to":926,"sanitized":520},{"entryPoint":932,"graph":933,"unsanitizedCount":28,"severity":865},"miniorange_login_footer_form (handler\\twofa\\class-miniorange-mobile-login.php:183)",{"nodes":934,"edges":941},[935,939],{"id":855,"type":856,"label":936,"file":937,"line":938},"$_POST (x3)","handler\\twofa\\class-miniorange-mobile-login.php",185,{"id":859,"type":860,"label":861,"file":937,"line":940,"wp_function":862},198,[942],{"from":855,"to":859,"sanitized":521},{"entryPoint":944,"graph":945,"unsanitizedCount":28,"severity":865},"\u003Cclass-miniorange-mobile-login> (handler\\twofa\\class-miniorange-mobile-login.php:0)",{"nodes":946,"edges":949},[947,948],{"id":855,"type":856,"label":936,"file":937,"line":938},{"id":859,"type":860,"label":861,"file":937,"line":940,"wp_function":862},[950],{"from":855,"to":859,"sanitized":521},{"entryPoint":952,"graph":953,"unsanitizedCount":28,"severity":865},"mo2f_reset_2fa_for_users_by_admin (helper\\class-mo2f-menuitems.php:132)",{"nodes":954,"edges":960},[955,959],{"id":855,"type":856,"label":956,"file":957,"line":958},"$_GET (x3)","helper\\class-mo2f-menuitems.php",138,{"id":859,"type":860,"label":861,"file":957,"line":795,"wp_function":862},[961],{"from":855,"to":859,"sanitized":521},{"entryPoint":963,"graph":964,"unsanitizedCount":28,"severity":865},"\u003Cclass-mo2f-menuitems> (helper\\class-mo2f-menuitems.php:0)",{"nodes":965,"edges":968},[966,967],{"id":855,"type":856,"label":956,"file":957,"line":958},{"id":859,"type":860,"label":861,"file":957,"line":795,"wp_function":862},[969],{"from":855,"to":859,"sanitized":521},{"entryPoint":971,"graph":972,"unsanitizedCount":28,"severity":865},"mo2f_reset_2fa_for_users_by_admin (miniorange_2_factor_settings.php:476)",{"nodes":973,"edges":978},[974,976],{"id":855,"type":856,"label":956,"file":460,"line":975},482,{"id":859,"type":860,"label":861,"file":460,"line":977,"wp_function":862},493,[979],{"from":855,"to":859,"sanitized":521},{"entryPoint":981,"graph":982,"unsanitizedCount":28,"severity":865},"\u003Cminiorange_2_factor_settings> (miniorange_2_factor_settings.php:0)",{"nodes":983,"edges":989},[984,985,986,987],{"id":855,"type":856,"label":956,"file":460,"line":975},{"id":859,"type":860,"label":861,"file":460,"line":977,"wp_function":862},{"id":876,"type":856,"label":871,"file":460,"line":708},{"id":923,"type":860,"label":861,"file":460,"line":988,"wp_function":862},497,[990,991],{"from":855,"to":859,"sanitized":521},{"from":876,"to":923,"sanitized":521},{"summary":993,"deductions":994},"The plugin \"miniorange-2-factor-authentication\" v6.2.3 exhibits a mixed security posture. On the positive side, it demonstrates good practices such as a high percentage of SQL queries using prepared statements and a strong emphasis on output escaping, with 96% of outputs properly escaped. The plugin also has a robust system of nonce and capability checks, indicating an effort to secure its functionalities. However, there are significant concerns highlighted by the static analysis and vulnerability history.\n\nThe static analysis reveals a notable concern with one REST API route lacking permission callbacks, presenting a direct entry point for unauthorized access. While no critical or high severity taint flows were identified, the presence of four flows with unsanitized paths is a red flag, potentially leading to vulnerabilities if not carefully handled. The code also utilizes the dangerous 'assert' function 46 times, which can be a security risk if not properly managed.\n\nThe plugin's historical vulnerability record is a major concern, with a total of 10 known CVEs, including 4 high-severity ones. Although none are currently unpatched, the prevalence of past vulnerabilities such as Exposure of Sensitive Information, CSRF, Missing Authorization, and XSS suggests recurring security weaknesses in the plugin's development or maintenance. The most recent vulnerability being in August 2025 is concerning for a current version. The overall picture is a plugin with some strong security implementations but burdened by a history of serious vulnerabilities and a few clear static analysis weaknesses.",[995,998,1001,1004,1007,1009],{"reason":996,"points":997},"REST API route without permission callbacks",8,{"reason":999,"points":1000},"Flows with unsanitized paths",6,{"reason":1002,"points":1003},"Total of 10 known CVEs",15,{"reason":1005,"points":1006},"4 High severity CVEs",16,{"reason":1008,"points":1000},"6 Medium severity CVEs",{"reason":1010,"points":841},"Use of dangerous function 'assert'","2026-03-16T17:37:09.720Z",{"wat":1013,"direct":1040},{"assetPaths":1014,"generatorPatterns":1026,"scriptPaths":1027,"versionParams":1028},[1015,1016,1017,1018,1019,1020,1021,1022,1023,1024,1025],"\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fcss\u002Ffont-awesome.min.css","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fcss\u002Fmo2f-admin-style.css","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fcss\u002Fmo2f-frontend-style.css","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fcss\u002Fmo2f-responsive.css","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fcss\u002Fsocial-login-buttons.css","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fincludes\u002Fjs\u002Fmo2fa_elementor.min.js","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fincludes\u002Fjs\u002Fmo2f-admin-script.min.js","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fincludes\u002Fjs\u002Fmo2f-frontend.min.js","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fincludes\u002Fjs\u002Fmo2f-setup-wizard.min.js","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fincludes\u002Fjs\u002Fmo2f-social-login.min.js","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fincludes\u002Fjs\u002Fmo2f-update-script.min.js",[],[1020,1021,1022,1023,1024,1025],[1029,1030,1031,1032,1033,1034,1035,1036,1037,1038,1039],"\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fcss\u002Ffont-awesome.min.css?ver=","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fcss\u002Fmo2f-admin-style.css?ver=","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fcss\u002Fmo2f-frontend-style.css?ver=","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fcss\u002Fmo2f-responsive.css?ver=","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fcss\u002Fsocial-login-buttons.css?ver=","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fincludes\u002Fjs\u002Fmo2fa_elementor.min.js?ver=","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fincludes\u002Fjs\u002Fmo2f-admin-script.min.js?ver=","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fincludes\u002Fjs\u002Fmo2f-frontend.min.js?ver=","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fincludes\u002Fjs\u002Fmo2f-setup-wizard.min.js?ver=","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fincludes\u002Fjs\u002Fmo2f-social-login.min.js?ver=","\u002Fwp-content\u002Fplugins\u002Fminiorange-2-factor-authentication\u002Fincludes\u002Fjs\u002Fmo2f-update-script.min.js?ver=",{"cssClasses":1041,"htmlComments":1050,"htmlAttributes":1054,"restEndpoints":1058,"jsGlobals":1061,"shortcodeOutput":1067},[1042,1043,1044,1045,1046,1047,1048,1049],"mo2f-login-form","mo2f-setup-wizard-page","mo2f_account_details","mo2f_user_profile_section","mo2f_hide_admin_bar","mo2f_otp_verification_form","mo2f_admin_notice","mo2f_plugin_action_link",[1051,1052,1053],"\u003C!-- Miniorange 2FA Settings -->","\u003C!-- Added by miniOrange 2FA plugin -->","\u003C!-- IMPORTANT: Remove this file and its contents if you are upgrading to a version of WordPress that has this file as part of core. -->",[1055,1056,1057],"data-nonce","data-plugin-path","data-site-url",[1059,1060],"\u002Fwp-json\u002Fminiorange-2fa\u002Fv1\u002Flogin","\u002Fwp-json\u002Fminiorange-2fa\u002Fv1\u002Fvalidate_otp",[1062,1063,1064,1065,1066],"my_ajax_object","Mo2fAdminScript","Mo2fSetupWizard","Mo2fSocialLogin","Mo2fFrontend",[1068],"[mo2f_enable_register]"]