[WordPress] Plugin Share: Rishav AuthNova OTP

New plugin · No ratings yet · Last updated: 14 days ago
Requires WordPress 5.8+, PHP 7.4+ · Version v1.0.0 · Listed: 2026-04-16

⬇ Download the latest version (v1.0.0) or install it by searching

① Download the ZIP → Dashboard "Plugins › Add New › Upload Plugin"
② Search for "Rishav AuthNova OTP" in the dashboard → install directly (recommended)

Original plugin description

Rishav AuthNova OTP adds a one-time-password verification layer to core WordPress authentication flows.
Features include:

Configurable OTP length and charset (numeric or alphanumeric)
OTP expiry and retry limits with temporary lockouts
Login OTP verification step (after password check)
OTP-gated registration flow
OTP-gated password reset flow
Delivery via wp_mail, SendGrid, and Twilio
OTP storage using hashes (never plaintext)
Resend OTP with cooldown and challenge rotation

Security highlights:

OTP values are hashed before storage and are never saved as plaintext
OTP hashes use keyed HMAC storage and constant-time verification
OTP challenges expire automatically and enforce retry limits per challenge
Request throttling applies cooldown and exponential backoff per IP and identifier
Lockout windows reduce repeated invalid OTP submissions
Nonces are applied on sensitive form submissions
Public auth responses are intentionally generic to reduce account-enumeration leakage
Delivery uses synchronous-first send with bounded async retry fallback and challenge-level delivery status tracking
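An added example, not the plugin's own code, showing how the storage and verification properties above fit together in plain PHP 7.4: the OTP is generated with a CSPRNG, only a keyed HMAC of it is stored, verification uses hash_equals, and expired or exhausted challenges fail closed and are consumed on success. Class and method names are hypothetical; storage is an in-memory array and `$secret` stands in for a site-specific key (for example one derived from the WordPress salts), both of which a real plugin would replace with its own persistence and key handling.

```php
<?php
// Added example (not the plugin's code): hypothetical OTP challenge store; $secret is assumed to be a site-specific key.
final class OtpChallengeStore
{
    private string $secret;
    private int $ttl;
    private int $maxAttempts;
    private array $challenges = []; // challenge id => record; the plaintext OTP is never stored
    public function __construct(string $secret, int $ttl = 300, int $maxAttempts = 5)
    {
        $this->secret = $secret;
        $this->ttl = $ttl;
        $this->maxAttempts = $maxAttempts;
    }
    // Generate a numeric OTP with a CSPRNG and persist only its keyed HMAC plus expiry and attempt counter.
    public function create(int $length = 6): array
    {
        $otp = '';
        for ($i = 0; $i < $length; $i++) {
            $otp .= (string) random_int(0, 9);
        }
        $id = bin2hex(random_bytes(16));
        $this->challenges[$id] = [
            'hash'     => $this->hmac($id, $otp),
            'expires'  => time() + $this->ttl,
            'attempts' => 0,
        ];
        return ['id' => $id, 'otp' => $otp]; // $otp goes to the delivery channel only
    }
    // Missing, expired or exhausted challenges fail closed and are discarded; a correct code consumes the challenge.
    public function verify(string $id, string $candidate): bool
    {
        $c = $this->challenges[$id] ?? null;
        if ($c === null || time() > $c['expires'] || $c['attempts'] >= $this->maxAttempts) {
            unset($this->challenges[$id]);
            return false;
        }
        $this->challenges[$id]['attempts']++;
        if (!hash_equals($c['hash'], $this->hmac($id, $candidate))) { // constant-time comparison
            return false;
        }
        unset($this->challenges[$id]); // single use
        return true;
    }
    // Binding the challenge id into the HMAC input stops a stored hash from being replayed against another challenge.
    private function hmac(string $id, string $otp): string
    {
        return hash_hmac('sha256', $id . ':' . $otp, $this->secret);
    }
}
```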

Security limitations:

This plugin does not replace passwords, HTTPS, WAF/rate-limiting at the edge, or secure hosting controls
OTP delivery depends on the configured email/SMS provider uptime and deliverability
Administrators should combine this plugin with standard WordPress hardening and monitoring

Reliability notes:

OTP delivery is attempted synchronously first to reduce silent failures
If synchronous delivery fails and background delivery is healthy, the plugin schedules bounded retries
If background delivery is unhealthy (for example, when DISABLE_WP_CRON is set), fallback queueing is skipped and users receive a retry-safe error
Resend cooldown state is server-authoritative and exposed through a status endpoint used by the frontend countdown UX
Background queue payload contains only challenge ID (no raw OTP or destination data)

External Services

This plugin can connect to third-party services to deliver OTP messages. These services are optional and only used if enabled in plugin settings.

Twilio (SMS Delivery)

Service: Twilio Programmable Messaging API
Purpose: Send OTP codes by SMS
Data sent: destination phone number, sender phone number, OTP message text, account SID for authentication
Credential handling: Twilio credentials are stored in WordPress options and used only when sending OTP messages
When sent: when OTP delivery method includes SMS and an OTP is generated for login, registration, password reset, or resend
Why sent: to deliver time-sensitive OTP codes to the user by SMS
Terms of Service: https://www.twilio.com/legal/tos
Privacy Policy: https://www.twilio.com/en-us/legal/privacy

SendGrid (Email Delivery)

Service: SendGrid Mail Send API
Purpose: Send OTP codes by email
Data sent: recipient email address, sender email/name, message subject, OTP message body, API key for authentication
Credential handling: SendGrid API key is stored in WordPress options and used only when sending OTP messages
When sent: when email provider is set to SendGrid and an OTP is generated for login, registration, password reset, or resend
Why sent: to deliver time-sensitive OTP codes to the user by email
Terms of Service: https://sendgrid.com/policies/terms/
Privacy Policy: https://sendgrid.com/policies/privacy/

Configuration

Set OTP length, type, expiry, retry limit, and lockout duration.
Choose delivery method: Email, SMS, or Both.
Configure provider credentials for SendGrid and/or Twilio if needed.
Enable or disable OTP on login, registration, and password reset flows.
