Larger, more readable fonts on the forced setup screen. All translations now 100% complete in all eight supported locales.<\/p>","2.5.8":"
Critical fix continued: forced 2FA setup AJAX returned 403 because of nonce-validation issues for unauthenticated users. Now uses token-based authorization on the login screen.<\/p>","2.5.7":"
Critical fix: forced 2FA setup on the login screen was non-functional. The "Set up now" button now properly opens the setup flow.<\/p>","2.5.6":"
Important fixes: REST API user data is now protected by a strict whitelist (so future SEO\/page-builder plugins that add user fields are automatically covered), with a Internal compatibility fix that allows the package to pass the WordPress.org SVN pre-commit linter. No functional changes.<\/p>","2.5.4":" Fixes three strings in the en_US translation that accidentally contained German text. English-locale sites will now show correct English wording on the settings page and notices.<\/p>","2.5.3":" i18n cleanup: removed remaining hardcoded German strings from PHP and JavaScript so the plugin can be fully translated through the standard gettext workflow.<\/p>","2.5.2":" Fix: 2FA email codes were silently dropped on hosts that require an explicit "From" header. The setup email now sends reliably and surfaces the real error if delivery still fails.<\/p>","2.5.1":" New "SDTFA" column on the Users list shows actual 2FA status. Removes duplicate columns added by host mu-plugins or other 2FA plugins.<\/p>","2.5.0":" New optional Privacy & Hardening features: hide REST user data, block author archive enumeration, disable password reset for admins\/roles. Plus a small admin UI fix for the datepicker container.<\/p>","2.4.1":" Bugfix: the \u00d7 button on the admin notice now works correctly.<\/p>","2.4.0":" WordPress.org compliance release: new distinctive name, admin notice instead of auto-popup, proper enqueuing of all assets, corrected menu position.<\/p>","2.3.0":" First public release. Install and activate to add two-factor authentication to your WordPress site.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3520060,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3520060,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3520060,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3520060,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["2.5.11","2.5.12","2.5.13","2.5.5","2.5.9"],"block_files":[],"assets_screenshots":{"screenshot-1.jpg":{"filename":"screenshot-1.jpg","revision":3520060,"resolution":"1","location":"assets","locale":"","width":1560,"height":756},"screenshot-10.jpg":{"filename":"screenshot-10.jpg","revision":3520060,"resolution":"10","location":"assets","locale":"","width":1816,"height":1426},"screenshot-11.jpg":{"filename":"screenshot-11.jpg","revision":3520060,"resolution":"11","location":"assets","locale":"","width":1762,"height":1104},"screenshot-12.jpg":{"filename":"screenshot-12.jpg","revision":3520060,"resolution":"12","location":"assets","locale":"","width":2354,"height":1604},"screenshot-13.jpg":{"filename":"screenshot-13.jpg","revision":3520060,"resolution":"13","location":"assets","locale":"","width":1732,"height":576},"screenshot-14.jpg":{"filename":"screenshot-14.jpg","revision":3520060,"resolution":"14","location":"assets","locale":"","width":2460,"height":1354},"screenshot-2.jpg":{"filename":"screenshot-2.jpg","revision":3520060,"resolution":"2","location":"assets","locale":"","width":1292,"height":1100},"screenshot-3.jpg":{"filename":"screenshot-3.jpg","revision":3520060,"resolution":"3","location":"assets","locale":"","width":1288,"height":1206},"screenshot-4.jpg":{"filename":"screenshot-4.jpg","revision":3520060,"resolution":"4","location":"assets","locale":"","width":1278,"height":1632},"screenshot-5.jpg":{"filename":"screenshot-5.jpg","revision":3520060,"resolution":"5","location":"assets","locale":"","width":1062,"height":1050},"screenshot-6.jpg":{"filename":"screenshot-6.jpg","revision":3520060,"resolution":"6","location":"assets","locale":"","width":1336,"height":1128},"screenshot-7.jpg":{"filename":"screenshot-7.jpg","revision":3520060,"resolution":"7","location":"assets","locale":"","width":2140,"height":1516},"screenshot-8.jpg":{"filename":"screenshot-8.jpg","revision":3520060,"resolution":"8","location":"assets","locale":"","width":1450,"height":966},"screenshot-9.jpg":{"filename":"screenshot-9.jpg","revision":3520060,"resolution":"9","location":"assets","locale":"","width":1860,"height":1414}},"screenshots":{"1":"Admin notice prompting users to set up 2FA","2":"Setup prompt asking the user to start now or later","3":"Choosing the authentication method: email or authenticator app","4":"App-based authentication \u2013 FreeOTP recommended, with download links","5":"Email-based authentication","6":"Email confirmation step","7":"Backup codes \u2013 send by email, download, or print","8":"Shortcode displaying the 2FA status on any page","9":"2FA status on the user's My Account page \u2013 inactive","10":"2FA status on the user's My Account page \u2013 active, with the chosen method","11":"Backend admin view: per-account 2FA status and the method in use","12":"Settings: enforcement reminder, which roles must use 2FA, grace period, enforcement areas, validation strictness (strict \/ normal \/ tolerant), and trusted-device duration","13":"Shortcode for embedding the 2FA status indicator on any page","14":"Privacy & Hardening: hide user data in the REST API and disable password reset per role"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[9211,602,600,9225,9217],"plugin_category":[38,54],"plugin_contributors":[242870],"plugin_business_model":[],"class_list":["post-300820","plugin","type-plugin","status-publish","hentry","plugin_tags-2fa","plugin_tags-login","plugin_tags-security","plugin_tags-totp","plugin_tags-two-factor","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-rogerruckstuhl","plugin_committers-rogerruckstuhl"],"banners":{"banner":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/banner-772x250.png?rev=3520060","banner_2x":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/banner-1544x500.png?rev=3520060","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/icon-128x128.png?rev=3520060","icon_2x":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/icon-256x256.png?rev=3520060","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-1.jpg?rev=3520060","caption":"Admin notice prompting users to set up 2FA"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-2.jpg?rev=3520060","caption":"Setup prompt asking the user to start now or later"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-3.jpg?rev=3520060","caption":"Choosing the authentication method: email or authenticator app"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-4.jpg?rev=3520060","caption":"App-based authentication \u2013 FreeOTP recommended, with download links"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-5.jpg?rev=3520060","caption":"Email-based authentication"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-6.jpg?rev=3520060","caption":"Email confirmation step"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-7.jpg?rev=3520060","caption":"Backup codes \u2013 send by email, download, or print"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-8.jpg?rev=3520060","caption":"Shortcode displaying the 2FA status on any page"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-9.jpg?rev=3520060","caption":"2FA status on the user's My Account page \u2013 inactive"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-10.jpg?rev=3520060","caption":"2FA status on the user's My Account page \u2013 active, with the chosen method"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-11.jpg?rev=3520060","caption":"Backend admin view: per-account 2FA status and the method in use"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-12.jpg?rev=3520060","caption":"Settings: enforcement reminder, which roles must use 2FA, grace period, enforcement areas, validation strictness (strict \/ normal \/ tolerant), and trusted-device duration"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-13.jpg?rev=3520060","caption":"Shortcode for embedding the 2FA status indicator on any page"},{"src":"https:\/\/ps.w.org\/super-duper-two-factor-login\/assets\/screenshot-14.jpg?rev=3520060","caption":"Privacy & Hardening: hide user data in the REST API and disable password reset per role"}],"raw_content":"\n Super Duper Two-Factor Login<\/strong> adds robust two-factor authentication to your WordPress site. Unlike many alternatives, this plugin is completely free \u2013 no hidden costs, no premium tiers, no upsells. Every feature is included from the start.<\/p>\n\n \ud83c\udde8\ud83c\udded\ud83c\udde9\ud83c\uddea\ud83c\udde6\ud83c\uddf9 Hinweis f\u00fcr DACH-Nutzer: Plugin und Support sind auf Deutsch (Schweiz\/Deutschland\/\u00d6sterreich) verf\u00fcgbar. Alle Texte und Einstellungen sind vollst\u00e4ndig auf Deutsch \u00fcbersetzt.<\/em><\/p>\n\n Fully translated out of the box<\/strong> in German (Switzerland, Germany, Austria), English, French, Spanish, Italian and Dutch \u2013 no separate language pack required.<\/p>\n\n Hide user data in REST API<\/strong> \u2013 Replace sensitive user fields (name, slug, link, avatar) with neutral values for unauthenticated requests. The REST endpoint stays reachable for SEO and import tools, but anonymous visitors no longer see real display names. Uses a strict whitelist that automatically drops any extra fields injected by SEO, page-builder or e-commerce plugins (Yoast, Rank Math, AIOSEO, Elementor, WooCommerce, \u2026). Example response for an anonymous visitor on {\"id\":1,\"name\":\"Author\",\"url\":\"\",\"description\":\"\",\"link\":\"https:\\\/\\\/example.com\\\/\",\"slug\":\"author\",\"avatar_urls\":{}}<\/p><\/li>\n Block author archives<\/strong> \u2013 Redirect unauthenticated visitors away from Any TOTP-compatible app works, including Google Authenticator, FreeOTP+, Authy, Microsoft Authenticator, and many others. We recommend FreeOTP+ (Android) and FreeOTP (iOS) as free, open-source options.<\/p><\/dd>\n You can log in using one of your 10 backup codes. If those are also gone, administrators can use their personal recovery key on the login page. As a last resort, create an empty file named Yes. Go to Two-Factor Login settings and select which roles must use 2FA. You can set a grace period with a deadline, or enforce it immediately \u2013 users will then be required to complete 2FA setup on the login page before gaining any access.<\/p><\/dd>\n Yes. It adds a \"Two-Factor Authentication\" tab to the WooCommerce My Account page. You can also enforce 2FA for the WooCommerce account area and checkout.<\/p><\/dd>\n When enabled by the admin, users can check \"Save this computer\" during login. The 2FA code won't be required again on that device for the configured number of days.<\/p><\/dd>\n No. Everything runs locally. QR codes are generated in PHP, TOTP calculations happen on the server, and app store badges use local SVG files. No external images, scripts, or API calls are made.<\/p><\/dd>\n It bundles four optional, independently toggleable features that close common WordPress information-leak and lock-out paths. Hide user data (REST API) replaces sensitive fields (name, slug, link, avatar) with neutral values for unauthenticated requests, while keeping the endpoint reachable so SEO and import plugins still work. Block author archives redirects unauthenticated visitors away from Some hosts and other 2FA plugins inject their own \"2FA\" column on the users list. When Super Duper Two-Factor Login is installed, those columns can show outdated or misleading status (for example a red \u2717 even though 2FA is configured here). The plugin replaces them with a single, accurate \"SDTFA\" column that reads the real status from this plugin's own user meta. If you prefer the original column behavior, you can disable this in the Privacy & Hardening section.<\/p><\/dd>\n It is not designed to run side-by-side with another active 2FA plugin \u2013 two plugins both intercepting Yes, completely. There is no premium version, no upsells, and no feature restrictions. All features are available to everyone.<\/p><\/dd>\n\n<\/dl>\n\n\nsdtfa_rest_user_allowed_keys<\/code> filter for legitimate exceptions. Also fixed the "Set up now" button on the admin notice.<\/p>","2.5.5":"Two Verification Methods<\/h4>\n\n
\n
Comprehensive Fallback System<\/h4>\n\n
\n
.sdtfa-recovery<\/code> in wp-content\/<\/code> via FTP. Temporarily disables 2FA for all administrators. Admins are notified hourly by email.<\/li>\n<\/ul>\n\nEnforcement & Trust<\/h4>\n\n
\n
Integration<\/h4>\n\n
\n
[sdtfa_status]<\/code>.<\/li>\nSecurity<\/h4>\n\n
\n
Privacy & Hardening (optional)<\/h4>\n\n
\n
\/wp-json\/wp\/v2\/users\/1<\/code>:<\/p>\n\n?author=N<\/code> and \/author\/<slug>\/<\/code> to prevent user enumeration.<\/p><\/li>\n\n
\n
Which authenticator apps are supported?<\/h3><\/dt>\n
What happens if I lose my phone?<\/h3><\/dt>\n
.sdtfa-recovery<\/code> in wp-content\/<\/code> via FTP to temporarily disable 2FA.<\/p><\/dd>\nCan I enforce 2FA for all users?<\/h3><\/dt>\n
Does this plugin work with WooCommerce?<\/h3><\/dt>\n
What is the \"Trust this device\" feature?<\/h3><\/dt>\n
Are external services or images used?<\/h3><\/dt>\n
What does the \"Privacy & Hardening\" section do?<\/h3><\/dt>\n
?author=N<\/code> and \/author\/<slug>\/<\/code> to prevent user enumeration. Disable password reset blocks the \"Lost your password?\" function for administrators and\/or selected roles. The users-list column adds a clean \"SDTFA\" status indicator on Users \u2192 All Users. All four features are off by default except the users-list column, which is on by default to clean up duplicate columns from other plugins.<\/p><\/dd>\nWhy does the Users \u2192 All Users page show an \"SDTFA\" column instead of a generic \"2FA\" one?<\/h3><\/dt>\n
Will this plugin conflict with other 2FA plugins?<\/h3><\/dt>\n
wp-login.php<\/code> will produce unpredictable results. If you are migrating from another 2FA plugin, deactivate the other one first. The \"SDTFA\" users-list column will hide a leftover column from a deactivated plugin only if that plugin still injects it; in normal cases the foreign column simply disappears with the foreign plugin.<\/p><\/dd>\nIs this plugin really free?<\/h3><\/dt>\n
2.5.13 \u2013 13.05.2026<\/h4>\n\n
\n
2.5.12 \u2013 11.05.2026<\/h4>\n\n
\n
From:<\/code> header on outgoing emails so SMTP plugins can apply their SPF\/DKIM-aligned sender address without conflict.<\/li>\n[SDTFA]<\/code> entries to debug.log (when WP_DEBUG is on) to make email-delivery failures diagnosable.<\/li>\n2.5.11 \u2013 05.05.2026<\/h4>\n\n
\n
customer-logout<\/code> endpoint is now explicitly excluded from 2FA enforcement so customers can always log out, even when wc_account<\/code> or entire_site<\/code> enforcement is active.<\/li>\n<\/ul>\n\n2.5.9 \u2013 05.05.2026<\/h4>\n\n
\n
2.5.8 \u2013 05.05.2026<\/h4>\n\n
\n
2.5.7 \u2013 05.05.2026<\/h4>\n\n
\n
2.5.6 \u2013 05.05.2026<\/h4>\n\n
\n
sdtfa_rest_user_allowed_keys<\/code> to extend the whitelist for plugins or sites that have a legitimate need to expose additional public fields.<\/li>\n2.5.5 \u2013 01.05.2026<\/h4>\n\n
\n
2.5.4 \u2013 30.04.2026<\/h4>\n\n
\n
2.5.3 \u2013 30.04.2026<\/h4>\n\n
\n
2.5.2 \u2013 30.04.2026<\/h4>\n\n
\n
2.5.1 \u2013 30.04.2026<\/h4>\n\n
\n
2.5.0 \u2013 30.04.2026<\/h4>\n\n
\n
2.4.1 \u2013 22.04.2026<\/h4>\n\n
\n
2.4.0 \u2013 22.04.2026<\/h4>\n\n
\n
<style><\/code> and <script><\/code> output into enqueued assets (wp_enqueue_style<\/code>, wp_enqueue_script<\/code>, wp_add_inline_style<\/code>)<\/li>\nwp_localize_script<\/code> (English source, translations via .po)<\/li>\nContributors<\/code> entry in readme.txt to the actual WordPress.org username<\/li>\n<\/ul>\n\n2.3.0 \u2013 10.04.2026<\/h4>\n\n
\n
1.0.0 \u2013 2.2.x<\/h4>\n\n
\n