Super Duper Two-Factor Login

Changelog

2.5.13 – 13.05.2026

• Fix: Datepicker for the enforcement deadline now opens directly below the input field instead of at the bottom of the page.

2.5.12 – 11.05.2026

• Improvement: All plugin emails (login code, backup codes, recovery notifications) are now sent as properly formatted HTML with clear layout, code highlighting, and per-line backup code display.
• Fix: No longer forces a From: header on outgoing emails so SMTP plugins can apply their SPF/DKIM-aligned sender address without conflict.
• Debug: Added [SDTFA] entries to debug.log (when WP_DEBUG is on) to make email-delivery failures diagnosable.
• i18n: 13 new mail-template strings translated to all eight locales (DE_CH, DE_DE, DE_AT, EN_US, FR_FR, ES_ES, IT_IT, NL_NL), including a plural form for the validity-minutes string.

2.5.11 – 05.05.2026

• Fix: WooCommerce customer-logout endpoint is now explicitly excluded from 2FA enforcement so customers can always log out, even when wc_account or entire_site enforcement is active.

2.5.9 – 05.05.2026

• Improved: forced 2FA setup screen on wp-login.php now uses larger, more readable fonts (warning text 16px, button 17px, content 15px) and a slightly wider login box.
• i18n: translations completed for all eight supported locales (DE_CH, DE_DE, DE_AT, EN_US, FR_FR, ES_ES, IT_IT, NL_NL) – every string in the plugin is now fully translated. .pot template regenerated from current source.

2.5.8 – 05.05.2026

• Fixed: forced 2FA setup AJAX calls returned HTTP 403 because the WordPress nonce check failed for unauthenticated users on the login page. The forced-setup token (already present in the request and validated against a server-side transient) is now accepted as the authorization for these AJAX calls, with the standard nonce check still applied for logged-in users.

2.5.7 – 05.05.2026

• Fixed: forced 2FA setup screen on wp-login.php was unusable – clicking «Set up now» left the button stuck at «…». The AJAX endpoints were registered for logged-in users only, but the forced-setup flow runs before the user is authenticated. Endpoints now also accept unauthenticated calls when a valid forced-setup token is supplied, and the JavaScript automatically passes that token along.

2.5.6 – 05.05.2026

• Improved: REST API user-data hiding now uses a strict whitelist approach instead of a maintained block list. Only structurally-required fields (id, name, slug, link, avatar_urls, description, url) are kept in the response — everything else is dropped automatically, including fields from Yoast SEO (yoast_head, yoast_head_json), Rank Math, AIOSEO, SEOPress, Elementor, WooCommerce, and any future plugins that inject data into the user REST endpoint.
• New: filter hook sdtfa_rest_user_allowed_keys to extend the whitelist for plugins or sites that have a legitimate need to expose additional public fields.
• Fixed: the filter now runs at priority 999 so it executes after third-party plugins that register their own user REST fields.
• Fixed: REST self/collection links (which expose the numeric user ID) are now removed from the response for unauthenticated requests when user-data hiding is enabled.
• Fixed: «Set up now» button on the admin notice did not open the popup overlay because the script cached DOM selectors before the popup HTML was rendered. Selectors are now resolved after DOM-ready, with a fallback redirect to the profile page if the overlay is still missing.

2.5.5 – 01.05.2026

• Fixed: SVN pre-commit hook on WordPress.org rejected the package because the email-sending method used a «true» return type (PHP 8.2+ feature). Replaced with the equivalent «bool» return type for broader compatibility while keeping identical behavior.

2.5.4 – 30.04.2026

• Fixed: three strings in the en_US translation file contained German text instead of English (the shortcode description, the deadline notice, and the site-icon warning). Sites running with English locale will now correctly show English text.
• Fixed: removed remaining German example text from the docblock of the shortcode class file (no functional impact, source-code cleanup only).

2.5.3 – 30.04.2026

• Fixed: removed remaining hardcoded German strings from PHP source (3× «Nicht angemeldet.», backup-codes email body, recovery-key label, backup-codes textarea header)
• Fixed: removed hardcoded German «Bestätigen» button label from JavaScript (used after a failed verification attempt) – now uses the existing translatable string
• i18n: all four cleaned-up strings translated for all eight supported locales (DE_CH/DE/AT, EN, FR, ES, IT, NL)

2.5.2 – 30.04.2026

• Fixed: 2FA setup via email failed silently on hosts that reject mails without an explicit «From» header – the email now always carries a same-domain sender address
• Improved: when sending the 2FA code fails, the actual underlying mail error (from PHPMailer / SMTP) is now surfaced in the setup dialog instead of a generic «please try again»
• Fixed: send cooldown is now armed only after a successful send, so a failed delivery no longer blocks the next attempt for 60 seconds
• Improved: graceful fallback for the email subject when the issuer/site name option is empty

2.5.1 – 30.04.2026

• New: «SDTFA» column on Users → All Users showing the actual 2FA status (TOTP / Email / off) with green check or red ✗
• New: Removes 2FA columns added by foreign 2FA plugins or host mu-plugins to avoid duplicate or misleading status indicators
• New: Toggle in Privacy & Hardening section to disable the column behavior if not desired (enabled by default)

2.5.0 – 30.04.2026

• New: Privacy & Hardening section with three optional features
• New: Hide sensitive user data in REST API responses for unauthenticated visitors (REST endpoint stays reachable for SEO/import tools)
• New: Block author archives (?author=N) for unauthenticated visitors to prevent user enumeration
• New: Disable WordPress password reset for administrators and/or selected roles
• Fixed: empty jQuery UI datepicker container no longer appears at the bottom of admin pages – it is now hidden by default and moved next to its input field on open

2.4.1 – 22.04.2026

• Fixed: dismiss (×) button on the admin notice now correctly persists via AJAX so the notice doesn’t reappear on every page reload

2.4.0 – 22.04.2026

• Renamed plugin to «Super Duper Two-Factor Login» (slug: super-duper-two-factor-login) for improved distinctiveness in the plugin directory
• Replaced the setup popup with a WordPress-standard dismissable admin notice and a «Set up now» button – the modal opens only on user action
• Moved the admin menu from position 3 to position 71 (after Users) to respect the WordPress admin hierarchy
• Extracted all inline <style> and <script> output into enqueued assets (wp_enqueue_style, wp_enqueue_script, wp_add_inline_style)
• Localized datepicker day and month names via wp_localize_script (English source, translations via .po)
• Updated the plugin header description to English (source strings) with German translations moved to .po/.mo
• Corrected the Contributors entry in readme.txt to the actual WordPress.org username

2.3.0 – 10.04.2026

• First public release on WordPress.org
• TOTP and email-based two-factor authentication
• 10 one-time backup codes with copy, download, print, and email
• Personal recovery key for administrators
• FTP emergency recovery via .sdtfa-recovery file
• Trusted device feature (save this computer)
• Role-based enforcement with optional grace period
• Hard enforcement: 2FA setup required before login
• Enforcement areas: admin, WooCommerce account, checkout, entire site
• WooCommerce My Account integration
• Setup popup reminder (dismissible)
• Shortcode [sdtfa_status]
• AES-256-GCM encryption for TOTP secrets
• Translations: German (DE/AT/CH), English, French, Spanish, Italian, Dutch

1.0.0 – 2.2.x

• Internal development and testing