[WordPress] Plugin spotlight: Super Duper Two-Factor Login

Active installations: 10+
Rating: none yet
Last updated: 27 days ago
Support issues: resolved
Requires WordPress 6.8+ and PHP 8.2+ · Version 2.5.14 · Listed: 2026-04-30


Original plugin description

Super Duper Two-Factor Login adds robust two-factor authentication to your WordPress site. Unlike many alternatives, this plugin is completely free – no hidden costs, no premium tiers, no upsells. Every feature is included from the start.
🇨🇭🇩🇪🇦🇹 Note for DACH users: the plugin and its support are available in German (Switzerland/Germany/Austria). All texts and settings are fully translated into German.
Fully translated out of the box in German (Switzerland, Germany, Austria), English, French, Spanish, Italian and Dutch – no separate language pack required.
PHP 8.2 or higher required (for security reasons)
This plugin requires PHP 8.2 or higher. PHP 8.0 and 8.1 have both reached End of Life and no longer receive security updates – running a 2FA plugin on an unmaintained PHP version would defeat its purpose. PHP 8.2 lets us use modern security primitives (immutable configuration, type-safe method handling, strict return contracts) that make the plugin harder to attack.
Don’t have PHP 8.2 yet? Most hosting providers let you switch the PHP version with a single click in the control panel (Plesk, cPanel, Hostpoint, all-inkl, Cyon, raidboxes, etc.). It usually takes less than a minute and does not require any downtime. If in doubt, ask your hoster’s support – they help with PHP upgrades for free.
Two Verification Methods

TOTP (Authenticator App) – Works with Google Authenticator, FreeOTP+, Authy, Microsoft Authenticator, and any TOTP-compatible app. Setup via QR code or manual key entry.
Email – Receive a 6-digit code via email on every login. No smartphone required.
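What "TOTP-compatible" means in practice is RFC 6238 on top of RFC 4226: HMAC over a time counter, dynamic truncation, six digits. The following is an added example in plain PHP (not the plugin's own code) showing the verification side as any such plugin must implement it; it assumes the defaults the listed apps use (SHA-1, 30-second step, 6 digits) and accepts one step of clock drift either side. The function names are invented for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Decodes the base32 key the QR code or
// "manual key entry" carries, then checks a 6-digit code against a +/-1 step window.

function sdtfa_example_base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    $bits = '';
    foreach (str_split($b32) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

function sdtfa_example_hotp(string $secret, int $counter, int $digits = 6): string
{
    // 8-byte big-endian counter, HMAC-SHA1, dynamic truncation (RFC 4226 section 5.3)
    $hmac   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code   = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function sdtfa_example_totp_verify(string $b32secret, string $userCode, int $now, int $step = 30, int $window = 1): bool
{
    if (!preg_match('/^\d{6}$/', $userCode)) {
        return false;
    }
    $secret  = sdtfa_example_base32_decode($b32secret);
    $counter = intdiv($now, $step);
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        // hash_equals is constant-time; the loop deliberately does not break early,
        // so response time does not reveal which slot (if any) matched.
        if (hash_equals(sdtfa_example_hotp($secret, $counter + $i), $userCode)) {
            $ok = true;
        }
    }
    return $ok;
}

// RFC 6238 Appendix B vector: ASCII secret "12345678901234567890" (base32 below),
// time 59 -> counter 1 -> 8-digit code 94287082, i.e. 6-digit code 287082.
var_dump(sdtfa_example_totp_verify('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59)); // bool(true)
var_dump(sdtfa_example_totp_verify('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '000000', 59)); // bool(false)
```

Two things a production implementation adds on top of this: it records the last counter value that was accepted for the user and refuses anything at or below it (a code is one-time even inside the drift window), and it rate-limits attempts, since a 6-digit space is small enough to brute-force without a lockout.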

Comprehensive Fallback System

10 Backup Codes – One-time emergency codes in case you lose your phone. Copy, download, print, or email them to yourself.
Administrator Recovery Key – Each admin receives a personal 32-character key during setup. Works even when all backup codes are used up.
FTP Emergency Recovery – As a last resort, create an empty file named .sdtfa-recovery in wp-content/ via FTP. Temporarily disables 2FA for all administrators. Admins are notified hourly by email.
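The fallback list above reads as three storage rules: backup codes are shown once and stored only as hashes, a used code is burned, and the recovery marker is a file check rather than a database flag. Here is an added example (not the plugin's own code) that implements those rules in plain PHP; the in-memory array stands in for a user-meta row, and the function names and the fallback path used outside WordPress are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code.

function sdtfa_example_generate_backup_codes(int $count = 10): array
{
    $plain = [];
    for ($i = 0; $i < $count; $i++) {
        // 64 random bits per code, shown as two 8-hex-char groups; displayed to the user once
        $raw = bin2hex(random_bytes(8));
        $plain[] = substr($raw, 0, 8) . '-' . substr($raw, 8);
    }
    return $plain;
}

function sdtfa_example_hash_backup_codes(array $plain): array
{
    // Only salted, slow hashes reach the database, so a table dump yields no usable codes.
    return array_map(fn(string $c) => password_hash($c, PASSWORD_DEFAULT), $plain);
}

/** Returns true and removes the matching hash (one-time use); false otherwise. */
function sdtfa_example_consume_backup_code(array &$hashes, string $entered): bool
{
    // Accept the code with or without the dash / spaces, then rebuild the canonical form that was hashed
    $hex = strtolower(preg_replace('/[^a-f0-9]/i', '', $entered));
    if (strlen($hex) !== 16) {
        return false;
    }
    $canonical = substr($hex, 0, 8) . '-' . substr($hex, 8);
    foreach ($hashes as $idx => $hash) {
        if (password_verify($canonical, $hash)) {
            unset($hashes[$idx]);            // burn the code
            $hashes = array_values($hashes);
            return true;
        }
    }
    return false;
}

// The FTP emergency switch as the description states it: an empty marker file in
// wp-content/ disables 2FA for administrators for as long as it exists.
// WP_CONTENT_DIR is WordPress's own constant; the fallback path is an assumption
// so the snippet also runs outside WordPress.
function sdtfa_example_recovery_file_present(): bool
{
    $dir = defined('WP_CONTENT_DIR') ? WP_CONTENT_DIR : __DIR__ . '/wp-content';
    return is_file($dir . '/.sdtfa-recovery');
}

$codes  = sdtfa_example_generate_backup_codes();
$hashes = sdtfa_example_hash_backup_codes($codes);
var_dump(sdtfa_example_consume_backup_code($hashes, $codes[3]));          // bool(true)
var_dump(sdtfa_example_consume_backup_code($hashes, $codes[3]));          // bool(false): already used
var_dump(sdtfa_example_consume_backup_code($hashes, 'not-a-real-code'));  // bool(false)
var_dump(count($hashes));                                                 // int(9)
var_dump(sdtfa_example_recovery_file_present());                          // bool(false) unless the marker exists
```

Because the marker file bypasses 2FA for every administrator, the hourly e-mail the description mentions is the control that matters: whoever can write to wp-content/ can create the file, so the notification is what turns a silent bypass into a visible event, and the file should be deleted as soon as the locked-out admin is back in.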

Enforcement & Trust

Role-Based Enforcement – Require 2FA for administrators, editors, subscribers, or any role.
Grace Period – Set a deadline so users have time to set up 2FA before enforcement kicks in.
Hard Enforcement – Without a grace period, users must complete 2FA setup on the login page before gaining any access.
Enforcement Areas – Choose where to enforce: admin area, WooCommerce account, checkout, or entire site.
Trust This Device – Users can save their computer so the 2FA code isn’t required on every login. Configurable duration (1–365 days).
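The enforcement options above combine into one decision per login: is the user enrolled, is the device trusted, does the role require 2FA, and has the grace deadline passed. As an added example (not the plugin's own code), here is that decision as a pure PHP function so the interaction of the settings can be read in one place; the setting keys, the return cases and the sample dates are assumptions for this example, and the per-area choice (admin area, WooCommerce account, checkout, whole site) is left to the caller that decides whether to run the check on a given request.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Pure function: no WordPress calls.
enum SdtfaExampleDecision
{
    case Allow;              // let the request through
    case RequireCode;        // enrolled user on an untrusted device: ask for a code
    case AllowWithReminder;  // inside the grace period: let through, show the setup notice
    case RequireSetup;       // hard enforcement: finish setup on the login page first
}

function sdtfa_example_decide(array $settings, array $user, int $now): SdtfaExampleDecision
{
    $roleEnforced = (bool) array_intersect($settings['enforced_roles'], $user['roles']);

    // Enrolled users are always challenged, whether or not their role is enforced;
    // a trusted device (cookie valid for the configured 1-365 days) skips the code.
    if ($user['enrolled']) {
        return $user['device_trusted'] ? SdtfaExampleDecision::Allow : SdtfaExampleDecision::RequireCode;
    }
    if (!$roleEnforced) {
        return SdtfaExampleDecision::Allow;
    }
    $deadline = $settings['grace_deadline'];          // null = no grace period = hard enforcement
    if ($deadline !== null && $now < $deadline) {
        return SdtfaExampleDecision::AllowWithReminder;
    }
    return SdtfaExampleDecision::RequireSetup;
}

// Constructed sample configuration and users
$settings = ['enforced_roles' => ['administrator', 'editor'], 'grace_deadline' => strtotime('2026-06-01 UTC')];
$admin    = ['roles' => ['administrator'], 'enrolled' => false, 'device_trusted' => false];
$sub      = ['roles' => ['subscriber'],    'enrolled' => false, 'device_trusted' => false];
$enrolled = ['roles' => ['subscriber'],    'enrolled' => true,  'device_trusted' => false];

echo sdtfa_example_decide($settings, $admin, strtotime('2026-05-15 UTC'))->name, PHP_EOL; // AllowWithReminder
echo sdtfa_example_decide($settings, $admin, strtotime('2026-06-02 UTC'))->name, PHP_EOL; // RequireSetup
echo sdtfa_example_decide($settings, $sub,   strtotime('2026-05-15 UTC'))->name, PHP_EOL; // Allow
echo sdtfa_example_decide($settings, $enrolled, strtotime('2026-05-15 UTC'))->name, PHP_EOL; // RequireCode

$settings['grace_deadline'] = null;                                                        // hard enforcement
echo sdtfa_example_decide($settings, $admin, strtotime('2026-05-15 UTC'))->name, PHP_EOL; // RequireSetup
```

The order of the checks is the security-relevant part: enrollment is tested before role enforcement so that a subscriber who opted in voluntarily is still challenged, and the trusted-device shortcut only exists for users who have completed setup, so it can never be used to skip enrollment.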

Integration

WooCommerce – Adds a “Two-Factor Authentication” tab to the My Account page. Enforce 2FA for the account area and checkout.
Shortcode – Display the user’s 2FA status anywhere with [sdtfa_status].
Setup Reminder – A dismissable admin notice with a “Set up now” button. No auto-popups; users open the setup flow only by clicking.

Security

AES-256-GCM encryption for TOTP secrets at rest
Secure HttpOnly cookies for trusted devices
Hashed token storage (never stored in plain text)
No external dependencies – everything runs locally in pure PHP
No external API calls, no tracking, no data collection
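The first three bullets describe how secrets and tokens sit in the database: the TOTP seed is encrypted with an authenticated cipher, and the trusted-device token the browser holds exists server-side only as a hash. The following is an added example in plain PHP with ext/openssl (not the plugin's own code) of those two rules; it assumes a key derived from WordPress's AUTH_KEY salt (with a labelled placeholder when run outside WordPress) and an array standing in for the user-meta table. The function and cookie names are invented for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code.

function sdtfa_example_key(): string
{
    $salt = defined('AUTH_KEY') ? AUTH_KEY : 'PLACEHOLDER-SALT-FOR-DEMO-ONLY';
    // HKDF with a purpose label: a fixed 32-byte key, and the raw salt is never used directly
    return hash_hkdf('sha256', $salt, 32, 'sdtfa-example-totp-secret');
}

function sdtfa_example_encrypt_secret(string $secret, string $key): string
{
    $iv  = random_bytes(12);                // 96-bit nonce, fresh for every encryption
    $tag = '';
    $ct  = openssl_encrypt($secret, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);  // nonce || tag || ciphertext, text-safe for a meta column
}

function sdtfa_example_decrypt_secret(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16));
    return $pt === false ? null : $pt;      // false: wrong key or modified ciphertext (GCM tag mismatch)
}

// Trusted device: the browser receives a random token; the store keeps only its SHA-256.
function sdtfa_example_issue_trusted_device(array &$store, int $userId, int $days): string
{
    $token   = bin2hex(random_bytes(32));
    $expires = time() + $days * 86400;
    $store[] = ['user' => $userId, 'hash' => hash('sha256', $token), 'expires' => $expires];
    if (!headers_sent()) {
        setcookie('sdtfa_example_trust', $token, [
            'expires'  => $expires,
            'path'     => '/',
            'secure'   => true,     // only over HTTPS
            'httponly' => true,     // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
    }
    return $token;
}

function sdtfa_example_device_is_trusted(array $store, int $userId, string $token): bool
{
    $h = hash('sha256', $token);
    foreach ($store as $row) {
        if ($row['user'] === $userId && $row['expires'] > time() && hash_equals($row['hash'], $h)) {
            return true;
        }
    }
    return false;
}

$key  = sdtfa_example_key();
$blob = sdtfa_example_encrypt_secret('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', $key);
var_dump(sdtfa_example_decrypt_secret($blob, $key));   // string(32) "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

$raw = base64_decode($blob);                            // flip one ciphertext bit: decryption must fail
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
var_dump(sdtfa_example_decrypt_secret(base64_encode($raw), $key));  // NULL

$store = [];
$token = sdtfa_example_issue_trusted_device($store, 1, 30);
var_dump(sdtfa_example_device_is_trusted($store, 1, $token));        // bool(true)
var_dump(sdtfa_example_device_is_trusted($store, 2, $token));        // bool(false): other user
var_dump(sdtfa_example_device_is_trusted($store, 1, strrev($token)));// bool(false): wrong token
```

The split matters for incident handling: a dump of the users table exposes ciphertext that is useless without the key in wp-config.php, and token hashes that cannot be replayed as cookies, so "no plain-text storage" is checkable by looking at the rows rather than by trusting the description.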

Privacy & Hardening (optional)

Hide user data in REST API – Replace sensitive user fields (name, slug, link, avatar) with neutral values for unauthenticated requests. The REST endpoint stays reachable for SEO and import tools, but anonymous visitors no longer see real display names. Uses a strict whitelist that automatically drops any extra fields injected by SEO, page-builder or e-commerce plugins (Yoast, Rank Math, AIOSEO, Elementor, WooCommerce, …). Example response for an anonymous visitor on /wp-json/wp/v2/users/1:
{"id":1,"name":"Author","url":"","description":"","link":"https:\/\/example.com\/","slug":"author","avatar_urls":{}}

Block author archives – Redirect unauthenticated visitors away from ?author=N and /author// to prevent user enumeration.
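Both hardening options above can be expressed with two WordPress core hooks, and seeing them side by side makes clear what each one closes. The following is an added example (not the plugin's own code) written as a small mu-plugin for wp-content/mu-plugins/; it uses the core filter rest_prepare_user and the core action template_redirect, and it produces the same neutral payload the description shows. The priorities and the redirect target are choices made for this example.

```php
<?php
/**
 * Plugin Name: SDTFA-style privacy hardening (added example, not the plugin's code)
 */

// 1) REST API: for anonymous callers, replace the user object with a strict whitelist.
//    PHP_INT_MAX priority runs this after every other plugin has added its fields,
//    and set_data() discards anything not listed below (Yoast, Rank Math, WooCommerce...).
add_filter('rest_prepare_user', function (WP_REST_Response $response, WP_User $user, WP_REST_Request $request) {
    if (is_user_logged_in()) {
        return $response;                         // authenticated callers keep the normal payload
    }
    $data = $response->get_data();
    $response->set_data([
        'id'          => (int) $data['id'],
        'name'        => 'Author',
        'url'         => '',
        'description' => '',
        'link'        => home_url('/'),
        'slug'        => 'author',
        'avatar_urls' => new stdClass(),          // encodes as {} rather than []
    ]);
    return $response;
}, PHP_INT_MAX, 3);

// 2) Author archives: send anonymous visitors away from ?author=N and /author/<slug>/.
//    Priority 1 matters: core's redirect_canonical runs on template_redirect at priority 10
//    and would otherwise answer ?author=N with a 301 to /author/<slug>/, leaking the slug
//    before this code ever runs.
add_action('template_redirect', function () {
    if (is_user_logged_in()) {
        return;
    }
    if (is_author() || isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);
```

A quick check after enabling either option: request /wp-json/wp/v2/users/1 and /?author=1 with a browser that is not logged in. The first should return the neutral object above, the second should land on the home page without passing through a /author/<slug>/ URL in between.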

Disable password reset – Disable the “Lost your password?” function for administrators and/or selected roles. Useful when 2FA must be the only authentication path.
Users list column – A clean “SDTFA” column on Users → All Users that shows the real 2FA status (TOTP, Email, or off) and replaces duplicate columns added by host mu-plugins or other 2FA plugins.
