[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f79_1l4nA2v6O9HrQbY-GseTn2Mhe-cadiuIa88TKdiQ":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":24,"download_link":25,"security_score":13,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":38,"analysis":131,"fingerprints":226},"yubikey","Yubikey","1.0.1","Kieran O'Shea","https:\u002F\u002Fprofiles.wordpress.org\u002Fkieranoshea\u002F","\u003Cp>This plugin dramatically enhances the security of your WordPress website by adding Multi Factor Authentication (MFA) in the form of One Time Passwords (OTP)\u003Cbr \u002F>\nusing \u003Ca href=\"https:\u002F\u002Fwww.yubico.com\u002F\" rel=\"nofollow ugc\">Yubikey USB Tokens\u003C\u002Fa>. In addition to providing your username and password to login, this plugin requests an OTP code\u003Cbr \u002F>\ngenerated by a Yubikey, validates this via an API and only grants access if this check passes. The requirement to use an OTP can be set on a user by user\u003Cbr \u002F>\nbasis and there is also a feature to require users above a certain privilege level to always use OTP.\u003C\u002Fp>\n\u003Ch3>External services\u003C\u002Fh3>\n\u003Cp>This plugin connects to an API to validate the OTP tokens generated by your security key. This is required because storing the private keys\u003Cbr \u002F>\non the same web server as the site you wish to protect would be a security risk.\u003C\u002Fp>\n\u003Cp>By default Yubico’s own validation server is employed, although you may setup your own server and use this instead\u003C\u002Fp>\n\u003Cp>The default Yubico API only collects the one time password (OTP) data as provided by your security key when you login. The service validates this\u003Cbr \u002F>\nand then stores this token as “used” so it may not be replayed as part of an attack. It does not collect any other data (such as what URL is being\u003Cbr \u002F>\nauthenticated using the key etc.)\u003C\u002Fp>\n\u003Cp>This service is provided by “Yubico AB”: \u003Ca href=\"https:\u002F\u002Fwww.yubico.com\u002Fsupport\u002Fterms-conditions\u002Fprivacy-notice\u002F\" rel=\"nofollow ugc\">Privacy Policy\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.yubico.com\u002Fsupport\u002Fterms-conditions\u002Fyubico-website-terms-conditions\u002F\" rel=\"nofollow ugc\">Terms of Use\u003C\u002Fa>\u003C\u002Fp>\n","Enhanced login security for WordPress by requiring the presentation of a One Time Password (OTP) from a registered Yubikey",40,951,100,1,"2025-05-09T07:32:00.000Z","6.8.5","5.2","",[20,21,22,23,4],"login","mfa","otp","security","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fyubikey\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyubikey.1.0.1.zip",0,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":33,"avg_security_score":34,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"kieranoshea",4,4090,90,1609,72,"2026-04-05T02:29:48.708Z",[39,61,82,99,114],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":47,"downloaded":48,"rating":49,"num_ratings":50,"last_updated":51,"tested_up_to":52,"requires_at_least":53,"requires_php":54,"tags":55,"homepage":59,"download_link":60,"security_score":13,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"two-factor","Two Factor","0.15.0","WordPress.org","https:\u002F\u002Fprofiles.wordpress.org\u002Fwordpressdotorg\u002F","\u003Cp>The Two-Factor plugin adds an extra layer of security to your WordPress login by requiring users to provide a second form of authentication in addition to their password.  This helps protect against unauthorized access even if passwords are compromised.\u003C\u002Fp>\n\u003Ch3>Setup Instructions\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Important\u003C\u002Fstrong>: Each user must individually configure their two-factor authentication settings.  There are no site-wide settings for this plugin.\u003C\u002Fp>\n\u003Ch3>For Individual Users\u003C\u002Fh3>\n\u003Col>\n\u003Cli>\u003Cstrong>Navigate to your profile\u003C\u002Fstrong>: Go to “Users” \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> “Your Profile” in the WordPress admin\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Find Two-Factor Options\u003C\u002Fstrong>: Scroll down to the “Two-Factor Options” section\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Choose your methods\u003C\u002Fstrong>: Enable one or more authentication providers (noting a site admin may have hidden one or more so what is available could vary):\n\u003Cul>\n\u003Cli>\u003Cstrong>Authenticator App (TOTP)\u003C\u002Fstrong> – Use apps like Google Authenticator, Authy, or 1Password\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Codes\u003C\u002Fstrong> – Receive one-time codes via email\u003C\u002Fli>\n\u003Cli>\u003Cstrong>FIDO U2F Security Keys\u003C\u002Fstrong> – Use physical security keys (requires HTTPS)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Backup Codes\u003C\u002Fstrong> – Generate one-time backup codes for emergencies\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Dummy Method\u003C\u002Fstrong> – For testing purposes only (requires WP_DEBUG)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configure each method\u003C\u002Fstrong>: Follow the setup instructions for each enabled provider\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Set primary method\u003C\u002Fstrong>: Choose which method to use as your default authentication\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Save changes\u003C\u002Fstrong>: Click “Update Profile” to save your settings\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>For Site Administrators\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>No global settings\u003C\u002Fstrong>: This plugin operates on a per-user basis only. For more, see \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWordPress\u002Ftwo-factor\u002Fissues\u002F249\" rel=\"nofollow ugc\">GH#249\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User management\u003C\u002Fstrong>: Administrators can configure 2FA for other users by editing their profiles\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security recommendations\u003C\u002Fstrong>: Encourage users to enable backup methods to prevent account lockouts\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Available Authentication Methods\u003C\u002Fh3>\n\u003Ch3>Authenticator App (TOTP) – Recommended\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: High – Time-based one-time passwords\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Scan QR code with authenticator app\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatibility\u003C\u002Fstrong>: Works with Google Authenticator, Authy, 1Password, and other TOTP apps\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Most users, provides excellent security with good usability\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Backup Codes – Recommended\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: Medium – One-time use codes\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Generate 10 backup codes for emergency access\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatibility\u003C\u002Fstrong>: Works everywhere, no special hardware needed\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Emergency access when other methods are unavailable\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Email Codes\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: Medium – One-time codes sent via email\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Automatic – uses your WordPress email address\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatibility\u003C\u002Fstrong>: Works with any email-capable device\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Users who prefer email-based authentication\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>FIDO U2F Security Keys\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: High – Hardware-based authentication\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Register physical security keys (USB, NFC, or Bluetooth)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Requirements\u003C\u002Fstrong>: HTTPS connection required, compatible browser needed\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Browser Support\u003C\u002Fstrong>: Chrome, Firefox, Edge (varies by key type)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Users with security keys who want maximum security\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Dummy Method\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: None – Always succeeds\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setup\u003C\u002Fstrong>: Only available when WP_DEBUG is enabled\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Purpose\u003C\u002Fstrong>: Testing and development only\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Best for\u003C\u002Fstrong>: Developers testing the plugin\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Important Notes\u003C\u002Fh3>\n\u003Ch3>HTTPS Requirement\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>FIDO U2F Security Keys require an HTTPS connection to function\u003C\u002Fli>\n\u003Cli>Other methods work on both HTTP and HTTPS sites\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Browser Compatibility\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>FIDO U2F requires a compatible browser and may not work on all devices\u003C\u002Fli>\n\u003Cli>TOTP and email methods work on all devices and browsers\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Account Recovery\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Always enable backup codes to prevent being locked out of your account\u003C\u002Fli>\n\u003Cli>If you lose access to all authentication methods, contact your site administrator\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security Best Practices\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Use multiple authentication methods when possible\u003C\u002Fli>\n\u003Cli>Keep backup codes in a secure location\u003C\u002Fli>\n\u003Cli>Regularly review and update your authentication settings\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>For more information about two-factor authentication in WordPress, see the \u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fadvanced-administration\u002Fsecurity\u002Fmfa\u002F\" rel=\"nofollow ugc\">WordPress Advanced Administration Security Guide\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>For more history, see \u003Ca href=\"https:\u002F\u002Fgeorgestephanis.wordpress.com\u002F2013\u002F08\u002F14\u002Ftwo-cents-on-two-factor\u002F\" rel=\"nofollow ugc\">this post\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Actions & Filters\u003C\u002Fh4>\n\u003Cp>Here is a list of action and filter hooks provided by the plugin:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>two_factor_providers\u003C\u002Fcode> filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP classnames of the two-factor providers.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_providers_for_user\u003C\u002Fcode> filter overrides the available two-factor providers for a specific user. Array values are instances of provider classes and the user object \u003Ccode>WP_User\u003C\u002Fcode> is available as the second argument.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_enabled_providers_for_user\u003C\u002Fcode> filter overrides the list of two-factor providers enabled for a user. First argument is an array of enabled provider classnames as values, the second argument is the user ID.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_user_authenticated\u003C\u002Fcode> action which receives the logged in \u003Ccode>WP_User\u003C\u002Fcode> object as the first argument for determining the logged in user right after the authentication workflow.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_user_api_login_enable\u003C\u002Fcode> filter restricts authentication for REST API and XML-RPC to application passwords only. Provides the user ID as the second argument.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_email_token_ttl\u003C\u002Fcode> filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the \u003Ccode>WP_User\u003C\u002Fcode> object being authenticated.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_email_token_length\u003C\u002Fcode> filter overrides the default 8 character count for email tokens.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_backup_code_length\u003C\u002Fcode> filter overrides the default 8 character count for backup codes. Provides the \u003Ccode>WP_User\u003C\u002Fcode> of the associated user as the second argument.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_rest_api_can_edit_user\u003C\u002Fcode> filter overrides whether a user’s Two-Factor settings can be edited via the REST API. First argument is the current \u003Ccode>$can_edit\u003C\u002Fcode> boolean, the second argument is the user ID.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_before_authentication_prompt\u003C\u002Fcode> action which receives the provider object and fires prior to the prompt shown on the authentication input form.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_after_authentication_prompt\u003C\u002Fcode> action which receives the provider object and fires after the prompt shown on the authentication input form.\u003C\u002Fli>\n\u003Cli>\u003Ccode>two_factor_after_authentication_input\u003C\u002Fcode>action which receives the provider object and fires after the input shown on the authentication input form (if form contains no input, action fires immediately after \u003Ccode>two_factor_after_authentication_prompt\u003C\u002Fcode>).\u003C\u002Fli>\n\u003C\u002Ful>\n","Enable Two-Factor Authentication (2FA) using time-based one-time passwords (TOTP), Universal 2nd Factor (U2F), email, and backup verification codes.",100000,1526344,96,199,"2026-02-17T13:21:00.000Z","6.9.4","6.8","7.2",[56,57,21,23,58],"2fa","authentication","totp","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftwo-factor\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftwo-factor.0.15.0.zip",{"slug":62,"name":63,"version":64,"author":65,"author_profile":66,"description":67,"short_description":68,"active_installs":69,"downloaded":70,"rating":71,"num_ratings":72,"last_updated":73,"tested_up_to":74,"requires_at_least":75,"requires_php":18,"tags":76,"homepage":78,"download_link":79,"security_score":80,"vuln_count":14,"unpatched_count":26,"last_vuln_date":81,"fetched_at":28},"google-authenticator","Google Authenticator","0.54","Ivan","https:\u002F\u002Fprofiles.wordpress.org\u002Fivankk\u002F","\u003Cp>The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android\u002FiPhone\u002FBlackberry.\u003C\u002Fp>\n\u003Cp>If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on Gmail\u002FDropbox\u002FLastpass\u002FAmazon etc.\u003C\u002Fp>\n\u003Cp>The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.\u003C\u002Fp>\n\u003Cp>If You need to maintain your blog using an Android\u002FiPhone app, or any other software using the XMLRPC interface, you can enable the App password feature in this plugin,\u003Cbr \u002F>\nbut please note that enabling the App password feature will make your blog less secure.\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Thanks to:\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fevinak\u002F\" rel=\"nofollow ugc\">Oleksiy\u003C\u002Fa> for a bugfix in multisite.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fpancek\" rel=\"nofollow ugc\">Paweł Nowacki\u003C\u002Fa> for the Polish translation\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FFabioZumbi12\" rel=\"nofollow ugc\">Fabio Zumbi\u003C\u002Fa> for the Portuguese translation\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.guidoschalkx.com\u002F\" rel=\"nofollow ugc\">Guido Schalkx\u003C\u002Fa> for the Dutch translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.paypal.com\u002Fcgi-bin\u002Fwebscr?cmd=_donations&business=henrik%40schack%2edk&lc=US&item_name=Google%20Authenticator&item_number=Google%20Authenticator&no_shipping=0&no_note=1&tax=0&bn=PP%2dDonationsBF&charset=UTF%2d8\" rel=\"nofollow ugc\">Henrik.Schack\u003C\u002Fa> for writing\u002Fmaintaining versions 0.20 through 0.48\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Ftobias.baethge.com\u002F\" rel=\"nofollow ugc\">Tobias Bäthge\u003C\u002Fa> for his code rewrite and German translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fblog.pcode.nl\u002F\" rel=\"nofollow ugc\">Pascal de Bruijn\u003C\u002Fa> for his “relaxed mode” idea.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Ftechnobabbl.es\u002F\" rel=\"nofollow ugc\">Daniel Werl\u003C\u002Fa> for his usability tips.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fdd32.id.au\u002F\" rel=\"nofollow ugc\">Dion Hulse\u003C\u002Fa> for his bugfixes.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fusers\u002Faldolat\u002F\" rel=\"nofollow ugc\">Aldo Latino\u003C\u002Fa> for his Italian translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.kaijia.me\u002F\" rel=\"nofollow ugc\">Kaijia Feng\u003C\u002Fa> for his Simplified Chinese translation.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.buayacorp.com\u002F\" rel=\"nofollow ugc\">Alex Concha\u003C\u002Fa> for his security tips.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fjetienne.com\u002F\" rel=\"nofollow ugc\">Jerome Etienne\u003C\u002Fa> for his jquery-qrcode plugin.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Forizhial.com\u002F\" rel=\"nofollow ugc\">Sébastien Prunier\u003C\u002Fa> for his Spanish and French translation.\u003C\u002Fp>\n","Google Authenticator for your WordPress blog.",20000,687508,86,134,"2022-07-04T04:55:00.000Z","6.0.11","4.5",[57,20,22,77,23],"password","https:\u002F\u002Fgithub.com\u002Fivankruchkoff\u002Fgoogle-authenticator","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgoogle-authenticator.0.54.zip",85,"2016-04-28 00:00:00",{"slug":83,"name":84,"version":85,"author":86,"author_profile":87,"description":88,"short_description":89,"active_installs":90,"downloaded":91,"rating":92,"num_ratings":93,"last_updated":94,"tested_up_to":18,"requires_at_least":95,"requires_php":18,"tags":96,"homepage":97,"download_link":98,"security_score":80,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"woo-yubikey","yubikey-plugin","2.3","apb360","https:\u002F\u002Fprofiles.wordpress.org\u002Fapb360\u002F","\u003Cp>This is a plugin for WordPress that provides multifactor authentication with one-time passwords using the \u003Ca href=\"http:\u002F\u002Fwww.yubico.com\u002F\" rel=\"nofollow ugc\">Yubikey USB token\u003C\u002Fa>.\u003Cbr \u002F>\nThe plugin uses the Yubico Web service API in the authentication process.\u003Cbr \u002F>\nThe one-time password requirement can be enabled on a per user basis.\u003C\u002Fp>\n","Enhanced Login Security for Your Wordpress blog.",400,6252,76,9,"2019-02-04T18:57:00.000Z","3.8",[57,20,77,23,4],"https:\u002F\u002Fapb360.com\u002Fyubikey-plugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-yubikey.zip",{"slug":100,"name":101,"version":102,"author":103,"author_profile":104,"description":105,"short_description":106,"active_installs":11,"downloaded":107,"rating":13,"num_ratings":108,"last_updated":109,"tested_up_to":16,"requires_at_least":110,"requires_php":54,"tags":111,"homepage":18,"download_link":113,"security_score":13,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"email-otp-login-with-default-login-form","Email OTP Login with default login form","1.0.3","Lalit Yadav","https:\u002F\u002Fprofiles.wordpress.org\u002Fwebnotics\u002F","\u003Cp>This plugin enhances the default WordPress login security by adding a One-Time Password (OTP) verification step via email:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Users log in with their regular email\u002Fusername and password.\u003C\u002Fli>\n\u003Cli>If credentials are valid, an OTP is generated and emailed to the user.\u003C\u002Fli>\n\u003Cli>A popup is shown on the same login page (\u003Ccode>wp-login.php\u003C\u002Fcode>) to enter the OTP.\u003C\u002Fli>\n\u003Cli>Once the correct OTP is entered, the user is logged in.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>To help you get started, there’s a comprehensive video tutorial available that guides you through the process of setting.\u003Cbr \u002F>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FAZ6w1lkltOI?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Secure login via OTP sent to user’s email.\u003C\u002Fli>\n\u003Cli>Role-based OTP enforcement.\u003C\u002Fli>\n\u003Cli>Uses native wp-login.php form — no custom forms required.\u003C\u002Fli>\n\u003Cli>Session-based OTP handling for security.\u003C\u002Fli>\n\u003Cli>Expiring OTP (default: 40 seconds).\u003C\u002Fli>\n\u003Cli>No third-party dependencies.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Donate\u003C\u002Fh3>\n\u003Cp>If you find this plugin useful and want to support its development, you can make a donation via the following link:\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fdonate.stripe.com\u002F3cI5kE7sv6ex30s5LB5kk2x\" rel=\"nofollow ugc\">Donate Here\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Your donation helps to ensure that this plugin remains free and receives regular updates!\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>The plugin development was supported by [webnotics], [sumitkamboj53]. Contributions and feedback are always welcome.\u003C\u002Fp>\n\u003Ch3>Documentation and Support\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwebnotics.org\u002Femail-otp-login-with-default-login-form\u002F\" title=\"documentation\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa>\u003C\u002Fstrong>\u003Cbr \u002F>\nFor detailed documentation, visit https:\u002F\u002Fwebnotics.org\u002Femail-otp-login-with-default-login-form\u002F\u003Cbr \u002F>\nFor support, please contact us at \u003Ca href=\"mailto:support@webnotics.solutions\" rel=\"nofollow ugc\">support@webnotics.solutions\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is licensed under the GPLv2 or later.\u003C\u002Fp>\n","Adds email OTP (One-Time Password) verification after valid login credentials on the default wp-login.php form for added security.",683,6,"2025-08-05T04:08:00.000Z","5.0",[112,20,22,23,40],"email-verification","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femail-otp-login-with-default-login-form.1.0.3.zip",{"slug":115,"name":116,"version":117,"author":118,"author_profile":119,"description":120,"short_description":121,"active_installs":122,"downloaded":123,"rating":124,"num_ratings":14,"last_updated":125,"tested_up_to":16,"requires_at_least":126,"requires_php":127,"tags":128,"homepage":18,"download_link":130,"security_score":13,"vuln_count":26,"unpatched_count":26,"last_vuln_date":27,"fetched_at":28},"email-otp-login","Email OTP Login","1.0.0","Tushar Sharma","https:\u002F\u002Fprofiles.wordpress.org\u002Fricheal\u002F","\u003Cp>Email OTP Login adds an additional layer of security to your WordPress site by requiring users to verify an OTP sent to their email after entering their username and password. This ensures that only users with access to the registered email can log in.\u003C\u002Fp>\n\u003Cp>Features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Email OTP verification during \u003Cstrong>login\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>OTP expires in 5 minutes (configurable).\u003C\u002Fli>\n\u003Cli>OTP stored securely using WordPress password hashing.\u003C\u002Fli>\n\u003Cli>Works with the default WordPress login form.\u003C\u002Fli>\n\u003Cli>Uses WordPress built-in \u003Ccode>wp_mail()\u003C\u002Fcode> function (works with SMTP plugins).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This plugin does \u003Cstrong>not modify WordPress core files\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch3>License\u003C\u002Fh3>\n\u003Cp>This plugin is free software: you can redistribute it and\u002For modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 2 or later.\u003C\u002Fp>\n\u003Cp>This plugin is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\u003C\u002Fp>\n","Adds OTP (One-Time Password) verification after login for enhanced security in WordPress. OTP is sent to the user's email.",30,403,60,"2025-08-29T18:30:00.000Z","6.3","7.4",[112,20,22,23,129],"two-factor-authentication","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femail-otp-login.1.0.0.zip",{"attackSurface":132,"codeSignals":188,"taintFlows":196,"riskAssessment":216,"analyzedAt":225},{"hooks":133,"ajaxHandlers":184,"restRoutes":185,"shortcodes":186,"cronEvents":187,"entryPointCount":26,"unprotectedCount":26},[134,140,144,148,152,157,161,165,169,173,177,181],{"type":135,"name":136,"callback":137,"file":138,"line":139},"action","personal_options_update","yubikey_personal_options_update","yubikey.php",512,{"type":135,"name":141,"callback":142,"file":138,"line":143},"profile_personal_options","yubikey_profile_personal_options",513,{"type":135,"name":145,"callback":146,"file":138,"line":147},"edit_user_profile","yubikey_edit_user_profile",515,{"type":135,"name":149,"callback":150,"file":138,"line":151},"edit_user_profile_update","yubikey_edit_user_profile_update",516,{"type":153,"name":154,"callback":155,"file":138,"line":156},"filter","pre_kses","yubikey_plugin_description",518,{"type":135,"name":158,"callback":159,"file":138,"line":160},"admin_menu","yubikey_admin",519,{"type":135,"name":162,"callback":163,"file":138,"line":164},"login_form","yubikey_loginform",525,{"type":153,"name":166,"callback":167,"file":138,"line":168},"wp_authenticate_user","yubikey_check_otp",526,{"type":135,"name":170,"callback":171,"file":138,"line":172},"user_register","yubikey_user_register",528,{"type":135,"name":174,"callback":175,"file":138,"line":176},"register_form","yubikey_registerform",529,{"type":135,"name":178,"callback":179,"file":138,"line":180},"admin_notices","yubikey_admin_api_info_missing",532,{"type":135,"name":178,"callback":182,"file":138,"line":183},"yubikey_admin_functions_missing",536,[],[],[],[],{"dangerousFunctions":189,"sqlUsage":190,"outputEscaping":192,"fileOperations":26,"externalRequests":14,"nonceChecks":26,"capabilityChecks":26,"bundledLibraries":195},[],{"prepared":26,"raw":26,"locations":191},[],{"escaped":193,"rawEcho":26,"locations":194},29,[],[],[197],{"entryPoint":198,"graph":199,"unsanitizedCount":14,"severity":215},"\u003Cyubikey> (yubikey.php:0)",{"nodes":200,"edges":212},[201,206],{"id":202,"type":203,"label":204,"file":138,"line":205},"n0","source","$_POST",257,{"id":207,"type":208,"label":209,"file":138,"line":210,"wp_function":211},"n1","sink","wp_remote_get() [SSRF]",486,"wp_remote_get",[213],{"from":202,"to":207,"sanitized":214},false,"medium",{"summary":217,"deductions":218},"The \"yubikey\" plugin v1.0.1 exhibits a generally good security posture based on the provided static analysis.  The absence of any known CVEs and a clean vulnerability history suggest a well-maintained and secure plugin. The code analysis reveals robust practices such as 100% use of prepared statements for SQL queries and proper output escaping, mitigating common web vulnerabilities. The plugin also demonstrates a minimal attack surface with no directly exposed AJAX handlers, REST API routes, shortcodes, or cron events without authentication or capability checks. However, a single external HTTP request presents a potential, albeit small, point of exposure. The taint analysis indicates one flow with an unsanitized path, which, while not classified as critical or high severity, warrants attention as it represents a deviation from ideal sanitization practices and could potentially be exploited in conjunction with other factors or future code changes.",[219,222],{"reason":220,"points":221},"Taint flow with unsanitized path",5,{"reason":223,"points":224},"External HTTP request present",2,"2026-03-16T22:19:59.836Z",{"wat":227,"direct":236},{"assetPaths":228,"generatorPatterns":231,"scriptPaths":232,"versionParams":233},[229,230],"\u002Fwp-content\u002Fplugins\u002Fyubikey\u002Fcss\u002Fyubikey.css","\u002Fwp-content\u002Fplugins\u002Fyubikey\u002Fjs\u002Fyubikey.js",[],[230],[234,235],"yubikey\u002Fcss\u002Fyubikey.css?ver=","yubikey\u002Fjs\u002Fyubikey.js?ver=",{"cssClasses":237,"htmlComments":239,"htmlAttributes":272,"restEndpoints":284,"jsGlobals":285,"shortcodeOutput":286},[238],"password-input",[240,241,242,243,244,244,245,246,247,248,249,250,248,251,252,253,254,255,253,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271],"Thanks to the following contributor(s) :","For creating version 0.96 of yubikey-plugin (now abandoned - https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fyubikey-plugin\u002F) from which this revamp was forked. Contributors","assisting Henrik's efforts left in place from the fork in credits below","Ideas & code contribution to the separate admin\u002Foptionspage.","Ideas.","Direct access shouldn't be allowed","Yubikey external validation server - see External Services section of readme.txt","One-time Password field to login form.","One Time Password (OTP)","If you do not have an OTP or don't know what one is, leave this field blank","One-time Password field to register form.","If you do not wish to use two factor authentication with a Yubikey OTP token or do not know what this is, leave this field blank. Otherwise press the button on your Yubikey in this field.","Warning notice for the admin panel to be used where PHP is missing vital functions which prevent use the plugin","Warning","Required PHP library hash_hmac is missing and the Yubikey plugin will not work without this. Please check your server configuration.","Warning notice for the admin panel to indicate that OTP login is disabled because API ID or Key is missing in the config.","Yubikey plugin is disabled for OTP based login because the API ID and\u002For Key is missing from the Yubikey config page. Please correct this to continue.","Optionspage for editing Yubikey global options (Yubico API ID & Key)","Yubikey Plugin Options","Yubico API ID","Yubico API key","Self-hosted validation server","(optional)","OTP Required for permission","Users posessing the selected permission level and above will be denied access to the site unless their account is OTP enabled. Set this property to N\u002FA to disable this behaviour","N\u002FA","Subscriber","Contributor","Author","Moderator","Admin","Reject XML-RPC for permission",[273,274,275,276,277,278,279,280,281,282,283],"name=\"otp\"","id=\"otp\"","name=\"yubico_api_id\"","id=\"yubico_api_id\"","name=\"yubico_api_key\"","id=\"yubico_api_key\"","name=\"yubikey_validation_server\"","id=\"yubikey_validation_server\"","name=\"yubikey_required_for_permission\"","id=\"yubikey_required_for_permission\"","name=\"yubikey_reject_xml_rpc_for_permission\"",[],[],[]]