{"id":303239,"date":"2026-04-28T19:02:25","date_gmt":"2026-04-28T19:02:25","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/oosoft-2fa-security\/"},"modified":"2026-04-28T19:01:41","modified_gmt":"2026-04-28T19:01:41","slug":"oosoft-2fa-security","status":"publish","type":"plugin","link":"https:\/\/os.wordpress.org\/plugins\/oosoft-2fa-security\/","author":23490573,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.0.2","stable_tag":"trunk","tested":"6.9.4","requires":"6.0","requires_php":"8.0","requires_plugins":null,"header_name":"OOSOFT 2FA Security","header_author":"OOSOFT Technology","header_description":"Enterprise-grade Two-Factor Authentication for WordPress. Supports Google Authenticator (TOTP) and Email OTP with backup codes, rate limiting, and role-based enforcement.","assets_banners_color":"","last_updated":"2026-04-28 19:01:41","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/oosoft.co.in\/plugins\/2fa-security","header_author_uri":"https:\/\/oosoft.co.in","rating":0,"author_block_rating":0,"active_installs":0,"downloads":90,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":[],"upgrade_notice":{"1.0.2":"<p>Security hardening release. Update recommended for all users.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3518666,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3518666,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":[],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Two-factor authentication challenge screen shown after password login.","2":"User profile section for managing 2FA methods and backup codes.","3":"Admin settings page with role enforcement and rate limiting configuration.","4":"Admin security logs page."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[9211,9210,600,9225,1909],"plugin_category":[54],"plugin_contributors":[261309,261308],"plugin_business_model":[],"class_list":["post-303239","plugin","type-plugin","status-publish","hentry","plugin_tags-2fa","plugin_tags-otp","plugin_tags-security","plugin_tags-totp","plugin_tags-two-factor-authentication","plugin_category-security-and-spam-protection","plugin_contributors-mudivillanv","plugin_contributors-oosoft","plugin_committers-oosoft"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/oosoft-2fa-security\/assets\/icon-128x128.png?rev=3518666","icon_2x":"https:\/\/ps.w.org\/oosoft-2fa-security\/assets\/icon-256x256.png?rev=3518666","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>OOSOFT 2FA Security adds robust two-factor authentication to your WordPress site. Protect every login with a second verification step using a TOTP authenticator app (Google Authenticator, Authy, etc.) or a one-time code sent to your email address.<\/p>\n\n<p><strong>Key Features:<\/strong><\/p>\n\n<ul>\n<li><strong>TOTP Authenticator App<\/strong> \u2014 compatible with Google Authenticator, Authy, Microsoft Authenticator, and any RFC 6238-compliant app.<\/li>\n<li><strong>Email OTP<\/strong> \u2014 sends a time-limited one-time code to the user's registered email address.<\/li>\n<li><strong>Backup Codes<\/strong> \u2014 generate single-use recovery codes so users are never locked out.<\/li>\n<li><strong>Role-Based Enforcement<\/strong> \u2014 require 2FA for specific roles (e.g. administrators) while leaving it optional for others.<\/li>\n<li><strong>Rate Limiting<\/strong> \u2014 brute-force protection with configurable attempt limits and lockout periods.<\/li>\n<li><strong>Security Logs<\/strong> \u2014 detailed event logging with filterable admin view and automatic pruning.<\/li>\n<li><strong>Encrypted Secret Storage<\/strong> \u2014 TOTP secrets are encrypted at rest using libsodium (preferred) or AES-256-GCM\/CBC via OpenSSL.<\/li>\n<li><strong>HKDF Key Derivation<\/strong> \u2014 encryption keys are derived from your WordPress secret keys; no raw key material is stored.<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>oosoft-2fa-security<\/code> folder to the <code>\/wp-content\/plugins\/<\/code> directory.<\/li>\n<li>Activate the plugin through the <strong>Plugins<\/strong> menu in WordPress.<\/li>\n<li>Go to <strong>Settings &gt; 2FA Security<\/strong> to configure enforcement rules and options.<\/li>\n<li>Users can set up their preferred 2FA method from their <strong>Profile<\/strong> page.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"which%20authenticator%20apps%20are%20supported%3F\"><h3>Which authenticator apps are supported?<\/h3><\/dt>\n<dd><p>Any app that supports the TOTP standard (RFC 6238), including Google Authenticator, Authy, Microsoft Authenticator, and 1Password.<\/p><\/dd>\n<dt id=\"what%20happens%20if%20a%20user%20loses%20their%20authenticator%20app%3F\"><h3>What happens if a user loses their authenticator app?<\/h3><\/dt>\n<dd><p>Users can log in with one of their backup codes. Administrators can also disable 2FA for a user from the Users list.<\/p><\/dd>\n<dt id=\"is%20totp%20secret%20storage%20secure%3F\"><h3>Is TOTP secret storage secure?<\/h3><\/dt>\n<dd><p>Yes. Secrets are encrypted with AES-256 (libsodium secretbox preferred, OpenSSL AES-256-GCM\/CBC as fallback) before being stored in the database. Encryption keys are derived from your site's unique WordPress secret keys via HKDF-SHA256.<\/p><\/dd>\n<dt id=\"does%20this%20plugin%20work%20with%20woocommerce%20or%20custom%20login%20forms%3F\"><h3>Does this plugin work with WooCommerce or custom login forms?<\/h3><\/dt>\n<dd><p>The plugin intercepts WordPress's core authentication pipeline, so it works with any theme or plugin that uses <code>wp_signon()<\/code> or the standard login form.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.2<\/h4>\n\n<ul>\n<li>Improved escaping and security hardening throughout.<\/li>\n<li>Removed deprecated load_plugin_textdomain() call (WordPress 4.6+ auto-loads translations).<\/li>\n<li>Added HKDF key derivation fallback warning when WordPress secret keys are not configured.<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Fixed QR code scanning compatibility with major authenticator apps.<\/li>\n<li>Switched to proven qrcodejs library for QR generation.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release.<\/li>\n<\/ul>","raw_excerpt":"Enterprise-grade Two-Factor Authentication for WordPress with TOTP, Email OTP, backup codes, and role-based enforcement.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/os.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/303239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/os.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/os.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/os.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=303239"}],"author":[{"embeddable":true,"href":"https:\/\/os.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/oosoft"}],"wp:attachment":[{"href":"https:\/\/os.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=303239"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/os.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=303239"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/os.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=303239"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/os.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=303239"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/os.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=303239"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/os.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=303239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}