外掛說明
AV 2FA adds a crucial layer of security to your WordPress login process. After a user successfully enters their password, this plugin sends a unique, time-sensitive verification code to their registered email address. The user must then enter this code to complete the login, effectively protecting their account even if their password is compromised.
The plugin is designed to be lightweight, easy to use, and seamlessly integrated into the WordPress experience.
Key Features:
- Email-Based 2FA: Sends a 6-digit verification code to the user’s email.
- Custom Login URL: Hide your login page by setting a custom login slug. The default wp-login.php becomes inaccessible, protecting against brute force attacks and bots.
- Rate Limiting & Account Lockout: Protects against brute force attacks on 2FA codes with configurable thresholds and temporary lockouts.
- Progressive Lockout: Automatically increases lockout duration for repeat offenders (2x, 4x, 8x multiplier).
- IP-Based Protection: Tracks failed attempts by IP address to prevent distributed attacks.
- Email Notifications: Alerts users when their account is locked due to suspicious activity.
- Admin Controls: View and manually unlock locked accounts from the settings page.
- Customizable Code Validity: Admin can set how long the code is valid for (default is 60 seconds).
- User Exclusion List: Easily bypass 2FA for specific users (e.g., admin or integration accounts) by adding their User ID to an exclusion list.
- Countdown Timer: The verification screen displays a countdown timer to show the user how much time is left.
- Secure & Reliable: Uses WordPress’s built-in mailer and secure practices for code generation and verification.
螢幕擷圖
The clean and simple settings page where you can configure the code validity and excluded users. 
The 2FA verification screen that prompts the user for their code, complete with a countdown timer.
安裝方式
Installing AV 2FA is simple. Follow these steps:
From your WordPress dashboard:
- Navigate to
Plugins>Add New. - Search for “AV 2FA”.
- Click
Install Now. - Activate the plugin through the
Pluginsscreen in WordPress. - Navigate to
Settings>AV 2FAto configure the options.
Manual installation:
- Upload the
av-2fafolder to the/wp-content/plugins/directory. - Activate the plugin through the
Pluginsscreen in WordPress. - Navigate to
Settings>AV 2FAto configure the options.
常見問題集
-
How do I exclude a user from 2FA?
-
Navigate to
Settings > AV 2FA. In the “Excluded User IDs” box, enter the numeric User ID of the user you wish to exclude. For multiple users, separate their IDs with a comma. You can find a user’s ID by going to the “Users” list and hovering over their “Edit” link; the ID will be visible in the URL in your browser’s status bar. -
Can I change how long the code is valid for?
-
Yes. On the
Settings > AV 2FApage, you can set the “Code Validity” in seconds. The default is 60 seconds. We recommend a value between 30 and 120 seconds. -
What if emails are not being sent or received?
-
This plugin uses WordPress’s built-in
wp_mail()function. This means it relies on your server’s email configuration or any SMTP plugin you have installed (like WP Mail SMTP). If emails are not arriving, please check your spam folder first, then ensure your WordPress site is configured to send emails correctly. -
How does the Custom Login URL feature work?
-
When you set a custom login slug (e.g., “my-secret-login”), your login page will be accessible at
yoursite.com/my-secret-logininstead ofyoursite.com/wp-login.php. The default wp-login.php and wp-admin (for non-logged-in users) will return a 404 error, hiding your login page from bots and attackers. -
What happens if I forget my custom login URL?
-
You can recover access by adding
define('AV_2FA_DISABLE_CUSTOM_LOGIN', true);to your wp-config.php file. This will temporarily disable the custom login feature and restore access to wp-login.php. Once you’ve logged in, you can view or change your custom login slug in the settings. -
Can I set the custom login slug via wp-config.php for maximum security?
-
Yes! For maximum security, you can define the slug directly in wp-config.php using
define('AV_2FA_LOGIN_SLUG', 'your-secret-slug');. When set this way, the slug is never stored in the database, making it impossible to discover even with database access. -
How does the rate limiting work?
-
The plugin tracks failed 2FA code attempts on a per-user basis. After reaching the configured maximum (default: 5 attempts), the account is temporarily locked. The plugin also tracks attempts by IP address to prevent distributed attacks.
-
What is progressive lockout?
-
Progressive lockout automatically increases the lockout duration for users who repeatedly trigger lockouts. The first lockout lasts 15 minutes (default), the second lasts 30 minutes (2x), the third lasts 60 minutes (4x), and so on, up to 8x the base duration. This helps deter persistent attackers while being lenient with occasional mistakes.
-
How can I unlock a user who has been locked out?
-
Navigate to Settings > AV 2FA and scroll to the “Currently Locked Accounts” section. You’ll see a list of all locked users with an “Unlock” button next to each. Click the button to immediately unlock the account. Lockouts also expire automatically after the configured duration.
-
Will users be notified when their account is locked?
-
Yes, by default users receive an email notification when their account is locked. This helps legitimate users understand why they can’t log in and alerts them to potential security threats. You can disable this in Settings > AV 2FA if desired.
-
How long is security data kept?
-
Failed attempt records are automatically cleaned up after 24 hours. Lockout counts are reset after 30 days of no violations. The plugin runs a daily cleanup task to remove old data and prevent database bloat.
-
Does the lockout affect excluded users?
-
No, users in the exclusion list bypass all 2FA checks, including rate limiting and lockout mechanisms.
使用者評論
參與者及開發者
變更記錄
1.2.0
- NEW: Custom Login URL feature – Hide your login page by setting a custom login slug, making wp-login.php return a 404 error.
- NEW: Support for defining custom login slug via wp-config.php constant for maximum security.
- NEW: Emergency recovery mechanism via AV_2FA_DISABLE_CUSTOM_LOGIN constant.
- NEW: Encrypted storage of custom login slug in database for enhanced security.
- NEW: Rate limiting – Prevents brute force attacks on 2FA codes with configurable max attempts.
- NEW: Account lockout – Temporarily locks accounts after multiple failed 2FA attempts.
- NEW: Progressive lockout – Automatically increases lockout duration for repeat violations (2x, 4x, 8x).
- NEW: IP-based rate limiting – Prevents distributed attacks from multiple IPs.
- NEW: Email notifications – Alerts users when their account has been locked.
- NEW: Admin unlock functionality – Manually unlock user accounts from the settings page.
- NEW: Security event logging – Tracks lockout and unlock events for audit purposes.
- NEW: Automatic cleanup – Daily cron job removes expired security data.
- TWEAK: Converted frontend JavaScript from jQuery to vanilla JS for better performance.
- TWEAK: Enhanced security with comprehensive attempt tracking and lockout mechanisms.
1.1.1
- FIX: Added missing nonce check to input calls.
1.1.0
- FIX: Resolved a critical bug that could lock users out by preventing the 2FA form from displaying.
- TWEAK: Refactored the entire plugin into a modern, object-oriented structure for better stability and maintenance.
- TWEAK: Added comprehensive inline and PHPDoc commenting to meet WordPress.org standards.
1.0.0
- Initial release.