[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJptFEyCJZSu5FAh-ClX0lpxqEX1PnLehQI8YvGQ1acs":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30,"vulnerabilities":31,"developer":32,"crawl_stats":29,"alternatives":38,"analysis":129,"fingerprints":310},"wp-secure-login","WP Secure Login","1.1","brijeshk89","https:\u002F\u002Fprofiles.wordpress.org\u002Fbrijeshk89\u002F","\u003Cp>WP Secure Login adds a security layer and 2 step authentication to your WordPress site by asking a One Time Password in addition to the username and password on the login page. The One Time Password is displayed on your smartphone using Google Authenticator app (available in market place for FREE). The One Time Password is re-generated at regular intervals which can be customized from admin panel. 
As soon as the new OTP is generated the old ones are marked as invalid.\u003C\u002Fp>\n\u003Cp>One Time Password needs to be configured once by every user from Edit Profile page.\u003C\u002Fp>\n\u003Cp>Features in WP Secure Login 1.1 include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>2 Step Authentication\u003C\u002Fli>\n\u003Cli>Unique Secret key for each user\u003C\u002Fli>\n\u003Cli>Configure\u002FRe-Configure WP Secure Login\u003C\u002Fli>\n\u003Cli>Unique One Time Passwords generated by Google Authenticator App\u003C\u002Fli>\n\u003Cli>Supported on iOS\u002FAndroid\u002FBlackberry smartphones\u003C\u002Fli>\n\u003Cli>Completely FREE\u003C\u002Fli>\n\u003Cli>Licensed under GNU GPL version 3\u003C\u002Fli>\n\u003Cli>Safe & Secure\u003C\u002Fli>\n\u003C\u002Ful>\n","WP Secure Login adds a security layer and 2 step authentication to your WordPress site by asking a One Time Password in addition to the username and p &hellip;",10,2693,100,1,"2014-09-17T18:12:00.000Z","4.0.38","3.0","",[20,21,22,23,24],"2-step","authenticate","authentication","login","secure","http:\u002F\u002Fwordpress.org\u002Fextend\u002Fplugins\u002Fwp-secure-login\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-secure-login.1.1.zip",85,0,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":33,"total_installs":34,"avg_security_score":27,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},5,1500,25,84,"2026-04-05T02:03:41.401Z",[39,59,75,96,112],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":47,"downloaded":48,"rating":28,"num_ratings":28,"last_updated":49,"tested_up_to":50,"requires_at_least":51,"requires_php":18,"tags":52,"homepage":57,"download_link":58,"security_score":13,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"keyless-auth","Keyless Auth – Login without Passwords","3.2.4","Chris 
Martens","https:\u002F\u002Fprofiles.wordpress.org\u002Fchrmrtns\u002F","\u003Cp>Transform your WordPress login experience with passwordless authentication. Users simply enter their email address and receive a secure magic link – click to login instantly. It’s more secure than weak passwords and infinitely more user-friendly.\u003C\u002Fp>\n\u003Ch4>Why Choose Keyless Auth?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Enhanced Security\u003C\u002Fstrong>: No more weak, reused, or compromised passwords\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Better User Experience\u003C\u002Fstrong>: One click instead of remembering complex passwords\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Reduced Support\u003C\u002Fstrong>: Eliminate “forgot password” requests\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Modern Authentication\u003C\u002Fstrong>: Enterprise-grade security used by Slack, Medium, and others\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Hardening\u003C\u002Fstrong>: Built-in protection against brute force attacks and username enumeration\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Quick Start\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Install and activate the plugin\u003C\u002Fli>\n\u003Cli>Create a new page and add the shortcode \u003Ccode>[keyless-auth]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Configure email templates in \u003Cstrong>Keyless Auth \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Templates\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Done! 
Users can now login passwordlessly\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Core Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Ready to Use\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Cstrong>Magic Link Authentication\u003C\u002Fstrong> – Secure, one-time login links via email\u003Cbr \u002F>\n* \u003Cstrong>Two-Factor Authentication (2FA)\u003C\u002Fstrong> – Complete TOTP support with Google Authenticator\u003Cbr \u002F>\n* \u003Cstrong>Role-Based 2FA\u003C\u002Fstrong> – Require 2FA for specific user roles (admins, editors, etc.)\u003Cbr \u002F>\n* \u003Cstrong>Custom 2FA Setup URLs\u003C\u002Fstrong> – Direct users to branded frontend 2FA setup pages\u003Cbr \u002F>\n* \u003Cstrong>SMTP Integration\u003C\u002Fstrong> – Reliable email delivery through your mail server\u003Cbr \u002F>\n* \u003Cstrong>Email Templates\u003C\u002Fstrong> – Professional, customizable login emails\u003Cbr \u002F>\n* \u003Cstrong>Mail Logging\u003C\u002Fstrong> – Track all sent emails with delivery status\u003Cbr \u002F>\n* \u003Cstrong>Custom Database Tables\u003C\u002Fstrong> – Scalable architecture with dedicated audit logs\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Advanced Security\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Cstrong>Token Security\u003C\u002Fstrong>: 10-minute expiration, single-use tokens\u003Cbr \u002F>\n* \u003Cstrong>Audit Logging\u003C\u002Fstrong>: IP addresses, device types, login attempts\u003Cbr \u002F>\n* \u003Cstrong>Emergency Mode\u003C\u002Fstrong>: Grace period system with admin controls\u003Cbr \u002F>\n* \u003Cstrong>Secure Storage\u003C\u002Fstrong>: SMTP credentials in wp-config.php option\u003Cbr \u002F>\n* \u003Cstrong>XML-RPC Disable\u003C\u002Fstrong>: Block brute force attacks via XML-RPC interface\u003Cbr \u002F>\n* \u003Cstrong>Application Passwords Control\u003C\u002Fstrong>: Disable programmatic authentication when not needed\u003Cbr \u002F>\n* \u003Cstrong>User Enumeration Prevention\u003C\u002Fstrong>: Block username discovery 
attacks\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Customization\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Cstrong>WYSIWYG Email Editor\u003C\u002Fstrong>: Full HTML support with live preview\u003Cbr \u002F>\n* \u003Cstrong>Advanced Color Controls\u003C\u002Fstrong>: Hex, RGB, HSL color formats\u003Cbr \u002F>\n* \u003Cstrong>Template System\u003C\u002Fstrong>: German, English, and custom templates\u003Cbr \u002F>\n* \u003Cstrong>Branding Options\u003C\u002Fstrong>: Custom sender names and professional styling\u003C\u002Fp>\n\u003Ch4>Installation & Setup\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Basic Installation\u003C\u002Fstrong>\u003Cbr \u002F>\n1. WordPress Admin \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Plugins \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Add New\u003Cbr \u002F>\n2. Search for “Keyless Auth”\u003Cbr \u002F>\n3. Install and activate\u003Cbr \u002F>\n4. Add [keyless-auth] shortcode to any page\u003C\u002Fp>\n\u003Cp>\u003Cstrong>SMTP Configuration (Recommended)\u003C\u002Fstrong>\u003Cbr \u002F>\n1. Navigate to Keyless Auth \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> SMTP\u003Cbr \u002F>\n2. Configure your email provider (Gmail, Outlook, SendGrid, etc.)\u003Cbr \u002F>\n3. Test email delivery\u003Cbr \u002F>\n4. Save settings\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Two-Factor Authentication Setup\u003C\u002Fstrong>\u003Cbr \u002F>\n1. Go to Keyless Auth \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Options\u003Cbr \u002F>\n2. Enable “Two-Factor Authentication”\u003Cbr \u002F>\n3. Select required user roles\u003Cbr \u002F>\n4. 
Users scan QR code with authenticator app\u003C\u002Fp>\n\u003Ch4>Email Templates\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Template Options\u003C\u002Fstrong>\u003Cbr \u002F>\n* \u003Cstrong>German Professional\u003C\u002Fstrong>: Sleek German-language template\u003Cbr \u002F>\n* \u003Cstrong>English Simple\u003C\u002Fstrong>: Clean, minimalist design\u003Cbr \u002F>\n* \u003Cstrong>Custom HTML\u003C\u002Fstrong>: Create your own with WYSIWYG editor\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Customization Features\u003C\u002Fstrong>\u003Cbr \u002F>\n* Full HTML and CSS support\u003Cbr \u002F>\n* Color picker for buttons and links\u003Cbr \u002F>\n* Responsive email design\u003Cbr \u002F>\n* Live template preview\u003Cbr \u002F>\n* Placeholder system for dynamic content\u003C\u002Fp>\n\u003Ch4>Security & Compliance\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Token Security\u003C\u002Fstrong>\u003Cbr \u002F>\n* Generated using WordPress security standards\u003Cbr \u002F>\n* Based on user ID, timestamp, and wp-config.php salt\u003Cbr \u002F>\n* 10-minute expiration with single-use enforcement\u003Cbr \u002F>\n* Secure database storage with automatic cleanup\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Two-Factor Authentication\u003C\u002Fstrong>\u003Cbr \u002F>\n* TOTP-based system compatible with Google Authenticator, Authy\u003Cbr \u002F>\n* Role-based requirements for granular control\u003Cbr \u002F>\n* Grace period system for smooth user transitions\u003Cbr \u002F>\n* Custom verification forms with professional styling\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Database Architecture\u003C\u002Fstrong>\u003Cbr \u002F>\n* Custom tables for optimal performance\u003Cbr \u002F>\n* Comprehensive audit logging\u003Cbr \u002F>\n* Device tracking and IP monitoring\u003Cbr \u002F>\n* Automatic maintenance and cleanup routines\u003C\u002Fp>\n\u003Ch4>Security Hardening\u003C\u002Fh4>\n\u003Cp>Keyless Auth includes comprehensive security hardening features to protect your WordPress site from common attack 
vectors. All features are optional and can be enabled based on your site’s needs.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>XML-RPC Disable\u003C\u002Fstrong>\u003Cbr \u002F>\n* Prevents brute force attacks via WordPress XML-RPC interface\u003Cbr \u002F>\n* Reduces attack surface by disabling legacy API\u003Cbr \u002F>\n* Recommended for sites not using Jetpack, mobile apps, or pingbacks\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Application Passwords Control\u003C\u002Fstrong>\u003Cbr \u002F>\n* Disable REST API and XML-RPC authentication when programmatic access isn’t needed\u003Cbr \u002F>\n* Prevents unauthorized API access\u003Cbr \u002F>\n* Recommended for simple sites without third-party integrations\u003C\u002Fp>\n\u003Cp>\u003Cstrong>User Enumeration Prevention\u003C\u002Fstrong>\u003Cbr \u002F>\n* Blocks REST API user endpoints (\u003Ccode>\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\u003C\u002Fcode>)\u003Cbr \u002F>\n* Redirects author archives and \u003Ccode>?author=N\u003C\u002Fcode> queries\u003Cbr \u002F>\n* Removes login error messages that reveal usernames\u003Cbr \u002F>\n* Strips comment author CSS classes\u003Cbr \u002F>\n* Removes author data from oEmbed responses\u003Cbr \u002F>\n* Recommended for business\u002Fcorporate sites without author profiles\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Benefits\u003C\u002Fstrong>\u003Cbr \u002F>\n* Combined protection against brute force attacks\u003Cbr \u002F>\n* Prevents username discovery for targeted attacks\u003Cbr \u002F>\n* Reduces unauthorized API access\u003Cbr \u002F>\n* Easy to configure without code or .htaccess modifications\u003Cbr \u002F>\n* All features include comprehensive documentation\u003Cbr \u002F>\n* FTP recovery available if needed\u003C\u002Fp>\n\u003Ch4>SMTP & Email Delivery\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Supported Providers\u003C\u002Fstrong>\u003Cbr \u002F>\n* Gmail \u002F Google Workspace\u003Cbr \u002F>\n* Outlook \u002F Microsoft 365\u003Cbr \u002F>\n* Mailgun, SendGrid, Amazon SES\u003Cbr 
\u002F>\n* Any SMTP-compatible service\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Advanced Email Features\u003C\u002Fstrong>\u003Cbr \u002F>\n* Message-ID domain alignment for deliverability\u003Cbr \u002F>\n* SPF\u002FDKIM\u002FDMARC compliance\u003Cbr \u002F>\n* Custom sender names and addresses\u003Cbr \u002F>\n* Bulk email log management\u003Cbr \u002F>\n* Delivery status tracking\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Secure Credential Storage\u003C\u002Fstrong>\u003Cbr \u002F>\nStore SMTP credentials securely in wp-config.php:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('CHRMRTNS_KLA_SMTP_USERNAME', 'your-email@example.com');\ndefine('CHRMRTNS_KLA_SMTP_PASSWORD', 'your-smtp-password');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>WordPress Integration\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Login Page Integration\u003C\u002Fstrong>\u003Cbr \u002F>\n* Optional magic login field on wp-login.php\u003Cbr \u002F>\n* Seamless integration with existing login flow\u003Cbr \u002F>\n* Toggle control for easy enable\u002Fdisable\u003Cbr \u002F>\n* Clean, responsive form styling\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Shortcode Usage\u003C\u002Fstrong>\u003Cbr \u002F>\nUse \u003Ccode>[keyless-auth]\u003C\u002Fcode> anywhere: pages, posts, widgets, or custom templates.\u003C\u002Fp>\n\u003Ch4>Developer Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Hooks & Filters\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Customize login redirect:\u003Cbr \u002F>\n    add_filter('wpa_after_login_redirect', 'custom_redirect_function');\u003C\u002Fp>\n\u003Cp>Modify email headers:\u003Cbr \u002F>\n    add_filter('wpa_email_headers', 'custom_email_headers');\u003C\u002Fp>\n\u003Cp>Change token expiration:\u003Cbr \u002F>\n    add_filter('wpa_change_link_expiration', 'custom_expiration_time');\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Modular Architecture\u003C\u002Fstrong>\u003Cbr \u002F>\n* Clean, organized class structure\u003Cbr \u002F>\n* Separated concerns for easy maintenance\u003Cbr \u002F>\n* WordPress 
coding standards compliance\u003Cbr \u002F>\n* Extensive documentation and comments\u003C\u002Fp>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>WordPress\u003C\u002Fstrong>: 3.9 or higher (tested up to 6.8)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>PHP\u003C\u002Fstrong>: 7.4 or higher\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Delivery\u003C\u002Fstrong>: SMTP recommended for reliability\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Note\u003C\u002Fstrong>: Keyless Auth complements WordPress’s default login system – it doesn’t replace it.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Developed by Chris Martens | Based on the original Passwordless Login plugin by Cozmoslabs\u003C\u002Fstrong>\u003C\u002Fp>\n","Secure, passwordless authentication for WordPress. Your users login via magic email links – no passwords to remember or forget.",30,1177,"2025-11-24T22:55:00.000Z","6.8.5","3.9",[53,22,54,55,56],"2fa","passwordless","secure-login","smtp","https:\u002F\u002Fgithub.com\u002Fchrmrtns\u002Fkeyless-auth","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkeyless-auth.3.2.4.zip",{"slug":55,"name":60,"version":61,"author":62,"author_profile":63,"description":64,"short_description":65,"active_installs":11,"downloaded":66,"rating":13,"num_ratings":67,"last_updated":68,"tested_up_to":69,"requires_at_least":51,"requires_php":18,"tags":70,"homepage":73,"download_link":74,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"Secure Login","1.0.4","David Leonard","https:\u002F\u002Fprofiles.wordpress.org\u002Fd4v1d\u002F","\u003Cp>Secure your WordPress site with WordPress Secure Login.\u003C\u002Fp>\n\u003Cp>WordPress Secure Login provides 2-step verification on login. Once a user submits their login credentials, a One Time Pin (OTP) is emailed to them. 
They need to enter this OTP in order to continue to login.\u003C\u002Fp>\n\u003Cp>Stop Brute force hacking attempts, and keep your data safe!\u003C\u002Fp>\n\u003Cpre>\u003Ccode>* Easy to install!\n* Easy to replace the Email system with an SMS Gateway\n* WordPress 4.0 Ready!\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Secure, 2 step Verification for WordPress login, via One Time Pin (OTP).",3222,2,"2014-12-20T12:12:00.000Z","4.1.42",[20,23,71,24,72],"safety","verification","http:\u002F\u002Frockingthemes.com\u002Fwordpress-plugins\u002Fsecure-login","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecure-login.1.0.4.zip",{"slug":76,"name":77,"version":78,"author":79,"author_profile":80,"description":81,"short_description":82,"active_installs":11,"downloaded":83,"rating":84,"num_ratings":14,"last_updated":18,"tested_up_to":85,"requires_at_least":86,"requires_php":18,"tags":87,"homepage":93,"download_link":94,"security_score":13,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":95},"wp-2-step","WP 2 Step Authentication","1.5","Scriptonite","https:\u002F\u002Fprofiles.wordpress.org\u002Fscriptonite\u002F","\u003Cp>This plugin adds a layer of security to your login page. You have full control over who can use it and also who can use which type. Included in this release is login pin by email and login pin by sms. You can allow users to receive their pins by email and allow admins to use sms, or you can allow sms and email for everyone, the choice is yours.  Users can select their preferences in their own profile page and set the cellphone they would like to receive messages on if sms is used.\u003C\u002Fp>\n\u003Cp>The android app and pin code by email are free services and hook directly to your site and use no 3rd party sites or services.  
The sms service will require an account with \u003Ca href=\"https:\u002F\u002Fwp2step.com\u002Fmembership-levels\u002F\" rel=\"nofollow ugc\">WP2step.com\u003C\u002Fa> to send the sms, you can sign up for free \u003Ca href=\"https:\u002F\u002Fwp2step.com\u002Fmembership-levels\u002F\" rel=\"nofollow ugc\">here\u003C\u002Fa>.  WP2Step does not collect any login data or save any personal information from your users, they only receive the pin and cell number along with your API key.  API keys can be used on multiple sites and are not limited to a single domain or user and are perfect for an admin developer with multiple sites looking to protect their account.\u003C\u002Fp>\n\u003Cp>Simply login as you would normally, your random pin will arrive instantly.  What kind of pin? You can decide and set the length and characters used as well as the time until it expires.  Have an idea for new features? Find a bug? We want to make this plugin as secure and beneficial as possible so please let us know \u003Ca href=\"https:\u002F\u002Fwp2step.com\u002Ffeature-requests-and-bug-reports\u002F\" rel=\"nofollow ugc\">here\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>We do not actively monitor this plugin's support page, if you need support please open a ticket \u003Ca href=\"https:\u002F\u002Fwp2step.com\u002Fsupport-tickets\u002F\" rel=\"nofollow ugc\">here\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>\u003Ca href=\"https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.whereyoursolutionis.wp2step\" rel=\"nofollow ugc\">Get The App Free on Google Play\u003C\u002Fa>\u003C\u002Fh3>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.whereyoursolutionis.wp2step\" rel=\"nofollow ugc\">\u003C\u002Fp>\n\u003Cp>\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Upcoming Features\u003C\u002Fh3>\n\u003Cp>Receive your login code via the free wp2step app for iOS, coming soon\u003C\u002Fp>\n","Simple 2 step authentication for the 
masses!",1681,20,"3.9.40","3.0.1",[88,89,90,91,92],"2-step-authentication","2-step-login","login-security","login-with-pin","two-step-authentication","http:\u002F\u002Fwww.whereyoursolutionis.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-2-step.zip","2026-03-15T10:48:56.248Z",{"slug":97,"name":98,"version":99,"author":100,"author_profile":101,"description":102,"short_description":103,"active_installs":28,"downloaded":104,"rating":28,"num_ratings":28,"last_updated":105,"tested_up_to":106,"requires_at_least":107,"requires_php":18,"tags":108,"homepage":110,"download_link":111,"security_score":27,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":30},"admin-authentication","Admin Authentication","1.4","Saad Amin","https:\u002F\u002Fprofiles.wordpress.org\u002Fsaadamin\u002F","\u003Cp>An extra layer of security for administrators of WordPress sites. Administrator users cannot visit sites or wp-admin dashboard until 2 step email verification is completed. 
An authentication code will be sent to the administrator user’s email account after submitting user name and password in login form; the admin user can’t access the site until submitting the authentication code he received in his email. If an intruder has the admin user name and password, he still can’t visit the site.\u003C\u002Fp>\n\u003Cp>The plugin uses a \u003Ca href=\"http:\u002F\u002Fip-api.com\" rel=\"nofollow ugc\">Geolocation IP API\u003C\u002Fa> to check the IP address in order to collect details for logins.\u003C\u002Fp>\n\u003Cp>icon : https:\u002F\u002Ffreeiconshop.com\u002Ficon\u002Fshield-icon-flat\u002F\u003Cbr \u002F>\nbanner : https:\u002F\u002Fwww.pexels.com\u002Fphoto\u002Fcity-street-house-broken-731\u002F\u003C\u002Fp>\n\u003Ch3>Arbitrary section 1\u003C\u002Fh3>\n","2 step email authentication system for WordPress administrator.",1375,"2017-07-13T21:19:00.000Z","4.8.28","3.3",[88,97,109],"admin-login-verificaion","http:\u002F\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadmin-authentication.zip",{"slug":113,"name":114,"version":115,"author":116,"author_profile":117,"description":118,"short_description":119,"active_installs":28,"downloaded":120,"rating":13,"num_ratings":14,"last_updated":18,"tested_up_to":121,"requires_at_least":122,"requires_php":123,"tags":124,"homepage":127,"download_link":128,"security_score":13,"vuln_count":28,"unpatched_count":28,"last_vuln_date":29,"fetched_at":95},"av-2fa","AV 2FA","1.2.0","Avrasys","https:\u002F\u002Fprofiles.wordpress.org\u002Favrasys\u002F","\u003Cp>AV 2FA adds a crucial layer of security to your WordPress login process. After a user successfully enters their password, this plugin sends a unique, time-sensitive verification code to their registered email address. 
The user must then enter this code to complete the login, effectively protecting their account even if their password is compromised.\u003C\u002Fp>\n\u003Cp>The plugin is designed to be lightweight, easy to use, and seamlessly integrated into the WordPress experience.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Key Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Email-Based 2FA:\u003C\u002Fstrong> Sends a 6-digit verification code to the user’s email.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Login URL:\u003C\u002Fstrong> Hide your login page by setting a custom login slug. The default wp-login.php becomes inaccessible, protecting against brute force attacks and bots.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Rate Limiting & Account Lockout:\u003C\u002Fstrong> Protects against brute force attacks on 2FA codes with configurable thresholds and temporary lockouts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Progressive Lockout:\u003C\u002Fstrong> Automatically increases lockout duration for repeat offenders (2x, 4x, 8x multiplier).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP-Based Protection:\u003C\u002Fstrong> Tracks failed attempts by IP address to prevent distributed attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Notifications:\u003C\u002Fstrong> Alerts users when their account is locked due to suspicious activity.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin Controls:\u003C\u002Fstrong> View and manually unlock locked accounts from the settings page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable Code Validity:\u003C\u002Fstrong> Admin can set how long the code is valid for (default is 60 seconds).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Exclusion List:\u003C\u002Fstrong> Easily bypass 2FA for specific users (e.g., admin or integration accounts) by adding their User ID to an exclusion list.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Countdown Timer:\u003C\u002Fstrong> The verification screen displays a countdown timer to show the user how much 
time is left.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Secure & Reliable:\u003C\u002Fstrong> Uses WordPress’s built-in mailer and secure practices for code generation and verification.\u003C\u002Fli>\n\u003C\u002Ful>\n","A simple and secure Two-Factor Authentication plugin that sends a verification code to your email.",290,"6.9.4","5.2","7.4",[53,55,125,126],"security","two-factor-authentication","https:\u002F\u002Favrasys.hu\u002Fletoltes\u002Fav-2fa-wordpress-ketfaktoros-hitelesites-bovitmeny","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fav-2fa.1.2.0.zip",{"attackSurface":130,"codeSignals":166,"taintFlows":271,"riskAssessment":300,"analyzedAt":309},{"hooks":131,"ajaxHandlers":162,"restRoutes":163,"shortcodes":164,"cronEvents":165,"entryPointCount":28,"unprotectedCount":28},[132,138,142,146,150,154,158],{"type":133,"name":134,"callback":135,"file":136,"line":137},"action","login_form","wpsl_login_form","wp-secure-login.php",40,{"type":139,"name":21,"callback":140,"priority":47,"file":136,"line":141},"filter","wpsl_login_form_validate",61,{"type":133,"name":143,"callback":144,"file":136,"line":145},"plugins_loaded","wp_secure_login_update_check",139,{"type":133,"name":147,"callback":148,"file":136,"line":149},"profile_personal_options","wp_secure_login_setting_up",158,{"type":133,"name":151,"callback":152,"file":136,"line":153},"personal_options_update","wp_secure_login_setting_updated",159,{"type":133,"name":155,"callback":156,"file":136,"line":157},"admin_notices","wp_secure_login_admin_notices",310,{"type":133,"name":159,"callback":160,"file":136,"line":161},"admin_menu","wp_secure_login_admin_menu",335,[],[],[],[],{"dangerousFunctions":167,"sqlUsage":168,"outputEscaping":192,"fileOperations":28,"externalRequests":28,"nonceChecks":14,"capabilityChecks":14,"bundledLibraries":270},[],{"prepared":33,"raw":169,"locations":170},9,[171,175,177,179,181,183,185,187,189],{"file":172,"line":173,"context":174},"includes\\functions.php",24,"$wpdb->query() with 
variable interpolation",{"file":172,"line":176,"context":174},38,{"file":172,"line":178,"context":174},52,{"file":136,"line":180,"context":174},172,{"file":136,"line":182,"context":174},189,{"file":136,"line":184,"context":174},217,{"file":136,"line":186,"context":174},239,{"file":136,"line":188,"context":174},375,{"file":136,"line":190,"context":191},448,"$wpdb->get_results() with variable interpolation",{"escaped":28,"rawEcho":193,"locations":194},37,[195,198,200,202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236,238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268],{"file":172,"line":196,"context":197},113,"raw output",{"file":172,"line":199,"context":197},130,{"file":172,"line":201,"context":197},147,{"file":136,"line":203,"context":197},53,{"file":136,"line":205,"context":197},54,{"file":136,"line":207,"context":197},266,{"file":136,"line":209,"context":197},271,{"file":136,"line":211,"context":197},275,{"file":136,"line":213,"context":197},278,{"file":136,"line":215,"context":197},287,{"file":136,"line":217,"context":197},289,{"file":136,"line":219,"context":197},295,{"file":136,"line":221,"context":197},299,{"file":136,"line":223,"context":197},376,{"file":136,"line":225,"context":197},434,{"file":136,"line":227,"context":197},484,{"file":136,"line":229,"context":197},495,{"file":136,"line":231,"context":197},500,{"file":136,"line":233,"context":197},506,{"file":136,"line":235,"context":197},510,{"file":136,"line":237,"context":197},512,{"file":136,"line":239,"context":197},513,{"file":136,"line":241,"context":197},517,{"file":136,"line":243,"context":197},523,{"file":136,"line":245,"context":197},525,{"file":136,"line":247,"context":197},526,{"file":136,"line":249,"context":197},530,{"file":136,"line":251,"context":197},536,{"file":136,"line":253,"context":197},538,{"file":136,"line":255,"context":197},539,{"file":136,"line":257,"context":197},543,{"file":136,"line":259,"context":197},549,{"file":136,"line":261,"context":197},
576,{"file":136,"line":263,"context":197},577,{"file":136,"line":265,"context":197},578,{"file":136,"line":267,"context":197},579,{"file":136,"line":269,"context":197},586,[],[272,290],{"entryPoint":273,"graph":274,"unsanitizedCount":28,"severity":289},"wp_secure_login_option_page (wp-secure-login.php:356)",{"nodes":275,"edges":286},[276,281],{"id":277,"type":278,"label":279,"file":136,"line":280},"n0","source","$_GET",373,{"id":282,"type":283,"label":284,"file":136,"line":188,"wp_function":285},"n1","sink","query() [SQLi]","query",[287],{"from":277,"to":282,"sanitized":288},true,"low",{"entryPoint":291,"graph":292,"unsanitizedCount":28,"severity":289},"\u003Cwp-secure-login> (wp-secure-login.php:0)",{"nodes":293,"edges":298},[294,297],{"id":277,"type":278,"label":295,"file":136,"line":296},"$_GET (x2)",216,{"id":282,"type":283,"label":284,"file":136,"line":184,"wp_function":285},[299],{"from":277,"to":282,"sanitized":288},{"summary":301,"deductions":302},"The \"wp-secure-login\" plugin v1.1 exhibits a mixed security posture. On the positive side, the plugin boasts a remarkably small attack surface, with no identified AJAX handlers, REST API routes, shortcodes, or cron events that could be exploited as entry points.  The vulnerability history is also clean, with no recorded CVEs, suggesting a generally stable and secure development over time.  Furthermore, the presence of nonce and capability checks, albeit limited, indicates an awareness of basic WordPress security principles.\n\nHowever, significant concerns arise from the code analysis. The most alarming finding is that 100% of output is not properly escaped. This presents a substantial risk of Cross-Site Scripting (XSS) vulnerabilities across all output generated by the plugin. 
While the taint analysis didn't reveal specific unsanitized paths, the lack of output escaping means any data flowing through the plugin, if not meticulously sanitized at its source, could be maliciously injected and executed in a user's browser.  Additionally, a substantial portion of SQL queries are not using prepared statements, increasing the risk of SQL injection vulnerabilities, especially if sensitive data is being handled or if the input to these queries is not rigorously validated.\n\nIn conclusion, while the plugin has a clean vulnerability history and a small attack surface, the critical flaw of unescaped output and the significant use of raw SQL queries represent serious security weaknesses that need immediate attention.  These issues significantly outweigh the positive aspects and necessitate a cautious approach to its deployment until they are addressed.",[303,306],{"reason":304,"points":305},"100% of output not properly escaped",15,{"reason":307,"points":308},"Only 64% of SQL queries use prepared statements",7,"2026-03-17T00:54:34.576Z",{"wat":311,"direct":320},{"assetPaths":312,"generatorPatterns":315,"scriptPaths":316,"versionParams":317},[313,314],"\u002Fwp-content\u002Fplugins\u002Fwp-secure-login\u002Fincludes\u002Fgoogle-authenticator.css","\u002Fwp-content\u002Fplugins\u002Fwp-secure-login\u002Fincludes\u002Fgoogle-authenticator.js",[],[314],[318,319],"wp-secure-login\u002Fincludes\u002Fgoogle-authenticator.css?ver=","wp-secure-login\u002Fincludes\u002Fgoogle-authenticator.js?ver=",{"cssClasses":321,"htmlComments":322,"htmlAttributes":326,"restEndpoints":330,"jsGlobals":331,"shortcodeOutput":332},[],[323,324,325],"\u003C!-- WP Secure Login adds a security layer and 2 step authentication to your WordPress site by asking a One Time Password in addition to the username and password on the login page. The One Time Password is displayed on your smartphone using Google Authenticator app (available in market place for FREE). 
The One Time Password is re-generated at regular intervals which can be customized from admin panel. As soon as the new OTP is generated the old ones are marked as invalid. -->","\u003C!-- Copyright (C) 2013  Brijesh Kothari (email : admin@wpinspired.com) This program is free software: you can redistribute it and\u002For modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.  If not, see \u003Chttp:\u002F\u002Fwww.gnu.org\u002Flicenses\u002F>. -->","\u003C!-- Ok so we are now ready to go -->",[327,328,329],"name=\"wpsl_otp_field\"","id=\"wpsl_otp_field\"","name=\"wpsl_test_otp\"",[],[],[333],"\u003Cp>\n\u003Clabel for=\"wpsl_otp_field\">"]