Secure 2FA Security & Risk Analysis

wordpress.org/plugins/secure-tfa

Secure 2FA adds an extra layer of security to your WordPress login process by enabling 2FA via several authentication methods.

10 active installs · v1.0.0 · PHP 7.4+ · WP 6.0+ · Updated Apr 10, 2025
2fa, login, tfa
Score 100 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Secure 2FA Safe to Use in 2026?

Generally Safe

Score 100/100

Secure 2FA has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 11mo ago
Risk Assessment

The "secure-tfa" plugin, at version 1.0.0, exhibits a concerning security posture primarily due to a significant number of unprotected AJAX handlers, which represent a large attack surface. While the plugin demonstrates good practices in SQL query handling and output escaping, the absence of authentication checks on 10 out of 10 AJAX entry points is a critical weakness. This could allow any authenticated user, regardless of their privileges, to trigger potentially sensitive actions or expose information through these handlers.

The taint analysis reveals two high-severity flows with unsanitized paths, suggesting that user-supplied input might be reaching sensitive functions without proper validation or sanitization. This is exacerbated by the fact that these flows could be triggered via the unprotected AJAX handlers. The plugin's vulnerability history is currently clean, with no recorded CVEs. This might indicate that the plugin is either new, has not been extensively targeted, or that previous versions did not have discoverable vulnerabilities. However, the static analysis findings, particularly the unprotected AJAX endpoints and high-severity taint flows, present immediate risks that need to be addressed.

In conclusion, while "secure-tfa" v1.0.0 benefits from robust SQL prepared statements and output escaping, its security is severely undermined by its unprotected AJAX entry points and high-severity taint analysis findings. These weaknesses create a significant risk of privilege escalation, unauthorized actions, or data exposure. The absence of past vulnerabilities should not lead to complacency, given the identified static analysis risks.

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized taint flows
  • 100% AJAX handlers without auth
  • File operations detected
  • External HTTP requests detected
  • Only 1 nonce check for 10 AJAX handlers
  • Capability checks limited (3)
Vulnerabilities
None known

Secure 2FA Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Secure 2FA Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (45 prepared)
Unescaped Output: 2 (144 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 1
External Requests: 4
Bundled Libraries: 0

SQL Query Safety

100% prepared, 45 total queries

Output Escaping

99% escaped, 146 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

4 flows, 4 with unsanitized paths
save (src\settings\secure-tfa-whatsapp-settings.php:42)
Attack Surface
10 unprotected

Secure 2FA Attack Surface

Entry Points: 10
Unprotected: 10

AJAX Handlers 10

auth wp_ajax_secure_tfa_adminarea_overview (src\ajax\secure-tfa-adminarea-ajax.php:18)
auth wp_ajax_secure_tfa_adminarea_filter_users (src\ajax\secure-tfa-adminarea-ajax.php:19)
auth wp_ajax_secure_tfa_adminarea_users_list (src\ajax\secure-tfa-adminarea-ajax.php:20)
auth wp_ajax_secure_tfa_adminarea_delete_tfa (src\ajax\secure-tfa-adminarea-ajax.php:21)
auth wp_ajax_secure_tfa_adminarea_activity_list (src\ajax\secure-tfa-adminarea-ajax.php:22)
auth wp_ajax_secure_tfa_adminarea_get_tfa_in_profile (src\ajax\secure-tfa-adminarea-ajax.php:23)
auth wp_ajax_secure_tfa_adminarea_configure_tfa (src\ajax\secure-tfa-adminarea-ajax.php:24)
auth wp_ajax_secure_tfa_adminarea_activate_tfa_send_otp (src\ajax\secure-tfa-adminarea-ajax.php:25)
auth wp_ajax_secure_tfa_adminarea_activate_tfa_confirm_otp (src\ajax\secure-tfa-adminarea-ajax.php:26)
auth wp_ajax_secure_tfa_adminarea_deactivate_tfa (src\ajax\secure-tfa-adminarea-ajax.php:27)
WordPress Hooks 18
action activated_plugin (src\core\secure-tfa-application.php:23)
filter plugin_action_links (src\core\secure-tfa-application.php:25)
action init (src\core\secure-tfa-application.php:33)
action plugins_loaded (src\core\secure-tfa-application.php:35)
filter cron_schedules (src\core\secure-tfa-scheduler.php:66)
action login_init (src\hooks\secure-tfa-authentication.php:21)
action wp_logout (src\hooks\secure-tfa-authentication.php:22)
filter authenticate (src\hooks\secure-tfa-authentication.php:23)
action init (src\hooks\secure-tfa-enforce-redirect.php:15)
action admin_menu (src\includes\secure-tfa-adminarea.php:18)
action admin_menu (src\includes\secure-tfa-adminarea.php:19)
action admin_enqueue_scripts (src\includes\secure-tfa-adminarea.php:20)
action admin_enqueue_scripts (src\includes\secure-tfa-adminarea.php:21)
action admin_bar_menu (src\includes\secure-tfa-adminarea.php:22)
filter manage_users_columns (src\includes\secure-tfa-adminarea.php:23)
action manage_users_custom_column (src\includes\secure-tfa-adminarea.php:24)
action login_enqueue_scripts (src\includes\secure-tfa-frontend.php:18)
action login_form (src\includes\secure-tfa-frontend.php:19)
Maintenance & Trust

Secure 2FA Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Apr 10, 2025
PHP min version: 7.4
Downloads: 452

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Secure 2FA Developer Profile

Mohamed Endisha

6 plugins · 1K total installs

Trust score: 94
Avg Security Score: 92/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Secure 2FA

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/secure-tfa/assets/frontend/css/tfa.login.css
/wp-content/plugins/secure-tfa/assets/frontend/js/tfa.login.js
Script Paths
tfa.login.js
Version Parameters
secure-tfa/1.0.0

HTML / DOM Fingerprints

JS Globals
secure_tfa_object
FAQ

Frequently Asked Questions about Secure 2FA