Title: Super Duper Two-Factor Login
Author: Super Duper Plugins
Published: <strong>Méi 1, 2026</strong>
Last modified: Méi 13, 2026

---

Search plugins

![](https://ps.w.org/super-duper-two-factor-login/assets/banner-772x250.png?rev=
3520060)

![](https://ps.w.org/super-duper-two-factor-login/assets/icon-256x256.png?rev=3520060)

# Super Duper Two-Factor Login

 By [Super Duper Plugins](https://profiles.wordpress.org/rogerruckstuhl/)

[Download](https://downloads.wordpress.org/plugin/super-duper-two-factor-login.2.5.13.zip)

 * [Details](https://su.wordpress.org/plugins/super-duper-two-factor-login/#description)
 * [Reviews](https://su.wordpress.org/plugins/super-duper-two-factor-login/#reviews)
 *  [Installation](https://su.wordpress.org/plugins/super-duper-two-factor-login/#installation)
 * [Development](https://su.wordpress.org/plugins/super-duper-two-factor-login/#developers)

 [Support](https://wordpress.org/support/plugin/super-duper-two-factor-login/)

## Description

**Super Duper Two-Factor Login** adds robust two-factor authentication to your WordPress
site. Unlike many alternatives, this plugin is completely free – no hidden costs,
no premium tiers, no upsells. Every feature is included from the start.

🇨🇭🇩🇪🇦🇹 _Hinweis für DACH-Nutzer: Plugin und Support sind auf Deutsch (Schweiz/Deutschland/
Österreich) verfügbar. Alle Texte und Einstellungen sind vollständig auf Deutsch
übersetzt._

**Fully translated out of the box** in German (Switzerland, Germany, Austria), English,
French, Spanish, Italian and Dutch – no separate language pack required.

#### Two Verification Methods

 * **TOTP (Authenticator App)** – Works with Google Authenticator, FreeOTP+, Authy,
   Microsoft Authenticator, and any TOTP-compatible app. Setup via QR code or manual
   key entry.
 * **Email** – Receive a 6-digit code via email on every login. No smartphone required.

#### Comprehensive Fallback System

 * **10 Backup Codes** – One-time emergency codes in case you lose your phone. Copy,
   download, print, or email them to yourself.
 * **Administrator Recovery Key** – Each admin receives a personal 32-character 
   key during setup. Works even when all backup codes are used up.
 * **FTP Emergency Recovery** – As a last resort, create an empty file named `.sdtfa-
   recovery` in `wp-content/` via FTP. Temporarily disables 2FA for all administrators.
   Admins are notified hourly by email.

#### Enforcement & Trust

 * **Role-Based Enforcement** – Require 2FA for administrators, editors, subscribers,
   or any role.
 * **Grace Period** – Set a deadline so users have time to set up 2FA before enforcement
   kicks in.
 * **Hard Enforcement** – Without a grace period, users must complete 2FA setup 
   on the login page before gaining any access.
 * **Enforcement Areas** – Choose where to enforce: admin area, WooCommerce account,
   checkout, or entire site.
 * **Trust This Device** – Users can save their computer so the 2FA code isn’t required
   on every login. Configurable duration (1–365 days).

#### Integration

 * **WooCommerce** – Adds a “Two-Factor Authentication” tab to the My Account page.
   Enforce 2FA for the account area and checkout.
 * **Shortcode** – Display the user’s 2FA status anywhere with `[sdtfa_status]`.
 * **Setup Reminder** – A dismissable admin notice with a “Set up now” button. No
   auto-popups; users open the setup flow only by clicking.

#### Security

 * AES-256-GCM encryption for TOTP secrets at rest
 * Secure HttpOnly cookies for trusted devices
 * Hashed token storage (never stored in plain text)
 * No external dependencies – everything runs locally in pure PHP
 * No external API calls, no tracking, no data collection

#### Privacy & Hardening (optional)

 * **Hide user data in REST API** – Replace sensitive user fields (name, slug, link,
   avatar) with neutral values for unauthenticated requests. The REST endpoint stays
   reachable for SEO and import tools, but anonymous visitors no longer see real
   display names. Uses a strict whitelist that automatically drops any extra fields
   injected by SEO, page-builder or e-commerce plugins (Yoast, Rank Math, AIOSEO,
   Elementor, WooCommerce, …). Example response for an anonymous visitor on `/wp-
   json/wp/v2/users/1`:
 * {“id”:1,”name”:”Author”,”url”:””,”description”:””,”link”:”https:\/\/example.com\/”,”
   slug”:”author”,”avatar_urls”:{}}
 * **Block author archives** – Redirect unauthenticated visitors away from `?author
   =N` and `/author/<slug>/` to prevent user enumeration.
 * **Disable password reset** – Disable the “Lost your password?” function for administrators
   and/or selected roles. Useful when 2FA must be the only authentication path.
 * **Users list column** – A clean “SDTFA” column on Users  All Users that shows
   the real 2FA status (TOTP, Email, or off) and replaces duplicate columns added
   by host mu-plugins or other 2FA plugins.

## Screenshots

 * [[
 * Admin notice prompting users to set up 2FA
 * [[
 * Setup prompt asking the user to start now or later
 * [[
 * Choosing the authentication method: email or authenticator app
 * [[
 * App-based authentication – FreeOTP recommended, with download links
 * [[
 * Email-based authentication
 * [[
 * Email confirmation step
 * [[
 * Backup codes – send by email, download, or print
 * [[
 * Shortcode displaying the 2FA status on any page
 * [[
 * 2FA status on the user’s My Account page – inactive
 * [[
 * 2FA status on the user’s My Account page – active, with the chosen method
 * [[
 * Backend admin view: per-account 2FA status and the method in use
 * [[
 * Settings: enforcement reminder, which roles must use 2FA, grace period, enforcement
   areas, validation strictness (strict / normal / tolerant), and trusted-device
   duration
 * [[
 * Shortcode for embedding the 2FA status indicator on any page
 * [[
 * Privacy & Hardening: hide user data in the REST API and disable password reset
   per role

## Installation

 1. Upload the plugin via **Plugins  Add New  Upload Plugin**, or install it directly
    from the WordPress plugin directory.
 2. Activate the plugin.
 3. Configure the main 2FA settings under **Two-Factor Login** in the admin menu. Optional**
    Privacy & Hardening** features (REST user-data masking, author-archive blocking,
    password-reset lock-down, users-list status column) are on the same settings page.
 4. Users can set up 2FA from their WordPress profile page or WooCommerce My Account.

## FAQ

### Which authenticator apps are supported?

Any TOTP-compatible app works, including Google Authenticator, FreeOTP+, Authy, 
Microsoft Authenticator, and many others. We recommend FreeOTP+ (Android) and FreeOTP(
iOS) as free, open-source options.

### What happens if I lose my phone?

You can log in using one of your 10 backup codes. If those are also gone, administrators
can use their personal recovery key on the login page. As a last resort, create 
an empty file named `.sdtfa-recovery` in `wp-content/` via FTP to temporarily disable
2FA.

### Can I enforce 2FA for all users?

Yes. Go to Two-Factor Login settings and select which roles must use 2FA. You can
set a grace period with a deadline, or enforce it immediately – users will then 
be required to complete 2FA setup on the login page before gaining any access.

### Does this plugin work with WooCommerce?

Yes. It adds a “Two-Factor Authentication” tab to the WooCommerce My Account page.
You can also enforce 2FA for the WooCommerce account area and checkout.

### What is the “Trust this device” feature?

When enabled by the admin, users can check “Save this computer” during login. The
2FA code won’t be required again on that device for the configured number of days.

### Are external services or images used?

No. Everything runs locally. QR codes are generated in PHP, TOTP calculations happen
on the server, and app store badges use local SVG files. No external images, scripts,
or API calls are made.

### What does the “Privacy & Hardening” section do?

It bundles four optional, independently toggleable features that close common WordPress
information-leak and lock-out paths. Hide user data (REST API) replaces sensitive
fields (name, slug, link, avatar) with neutral values for unauthenticated requests,
while keeping the endpoint reachable so SEO and import plugins still work. Block
author archives redirects unauthenticated visitors away from `?author=N` and `/author/
<slug>/` to prevent user enumeration. Disable password reset blocks the “Lost your
password?” function for administrators and/or selected roles. The users-list column
adds a clean “SDTFA” status indicator on Users  All Users. All four features are
off by default except the users-list column, which is on by default to clean up 
duplicate columns from other plugins.

### Why does the Users  All Users page show an “SDTFA” column instead of a generic “2FA” one?

Some hosts and other 2FA plugins inject their own “2FA” column on the users list.
When Super Duper Two-Factor Login is installed, those columns can show outdated 
or misleading status (for example a red ✗ even though 2FA is configured here). The
plugin replaces them with a single, accurate “SDTFA” column that reads the real 
status from this plugin’s own user meta. If you prefer the original column behavior,
you can disable this in the Privacy & Hardening section.

### Will this plugin conflict with other 2FA plugins?

It is not designed to run side-by-side with another active 2FA plugin – two plugins
both intercepting `wp-login.php` will produce unpredictable results. If you are 
migrating from another 2FA plugin, deactivate the other one first. The “SDTFA” users-
list column will hide a leftover column from a deactivated plugin only if that plugin
still injects it; in normal cases the foreign column simply disappears with the 
foreign plugin.

### Is this plugin really free?

Yes, completely. There is no premium version, no upsells, and no feature restrictions.
All features are available to everyone.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Super Duper Two-Factor Login” is open source software. The following people have
contributed to this plugin.

Contributors

 *   [ Super Duper Plugins ](https://profiles.wordpress.org/rogerruckstuhl/)

[Translate “Super Duper Two-Factor Login” into your language.](https://translate.wordpress.org/projects/wp-plugins/super-duper-two-factor-login)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/super-duper-two-factor-login/),
check out the [SVN repository](https://plugins.svn.wordpress.org/super-duper-two-factor-login/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/super-duper-two-factor-login/)
by [RSS](https://plugins.trac.wordpress.org/log/super-duper-two-factor-login/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 2.5.13 – 13.05.2026

 * Fix: Datepicker for the enforcement deadline now opens directly below the input
   field instead of at the bottom of the page.

#### 2.5.12 – 11.05.2026

 * Improvement: All plugin emails (login code, backup codes, recovery notifications)
   are now sent as properly formatted HTML with clear layout, code highlighting,
   and per-line backup code display.
 * Fix: No longer forces a `From:` header on outgoing emails so SMTP plugins can
   apply their SPF/DKIM-aligned sender address without conflict.
 * Debug: Added `[SDTFA]` entries to debug.log (when WP_DEBUG is on) to make email-
   delivery failures diagnosable.
 * i18n: 13 new mail-template strings translated to all eight locales (DE_CH, DE_DE,
   DE_AT, EN_US, FR_FR, ES_ES, IT_IT, NL_NL), including a plural form for the validity-
   minutes string.

#### 2.5.11 – 05.05.2026

 * Fix: WooCommerce `customer-logout` endpoint is now explicitly excluded from 2FA
   enforcement so customers can always log out, even when `wc_account` or `entire_site`
   enforcement is active.

#### 2.5.9 – 05.05.2026

 * Improved: forced 2FA setup screen on wp-login.php now uses larger, more readable
   fonts (warning text 16px, button 17px, content 15px) and a slightly wider login
   box.
 * i18n: translations completed for all eight supported locales (DE_CH, DE_DE, DE_AT,
   EN_US, FR_FR, ES_ES, IT_IT, NL_NL) – every string in the plugin is now fully 
   translated. .pot template regenerated from current source.

#### 2.5.8 – 05.05.2026

 * Fixed: forced 2FA setup AJAX calls returned HTTP 403 because the WordPress nonce
   check failed for unauthenticated users on the login page. The forced-setup token(
   already present in the request and validated against a server-side transient)
   is now accepted as the authorization for these AJAX calls, with the standard 
   nonce check still applied for logged-in users.

#### 2.5.7 – 05.05.2026

 * Fixed: forced 2FA setup screen on wp-login.php was unusable – clicking “Set up
   now” left the button stuck at “…”. The AJAX endpoints were registered for logged-
   in users only, but the forced-setup flow runs before the user is authenticated.
   Endpoints now also accept unauthenticated calls when a valid forced-setup token
   is supplied, and the JavaScript automatically passes that token along.

#### 2.5.6 – 05.05.2026

 * Improved: REST API user-data hiding now uses a strict whitelist approach instead
   of a maintained block list. Only structurally-required fields (id, name, slug,
   link, avatar_urls, description, url) are kept in the response — everything else
   is dropped automatically, including fields from Yoast SEO (yoast_head, yoast_head_json),
   Rank Math, AIOSEO, SEOPress, Elementor, WooCommerce, and any future plugins that
   inject data into the user REST endpoint.
 * New: filter hook `sdtfa_rest_user_allowed_keys` to extend the whitelist for plugins
   or sites that have a legitimate need to expose additional public fields.
 * Fixed: the filter now runs at priority 999 so it executes after third-party plugins
   that register their own user REST fields.
 * Fixed: REST self/collection links (which expose the numeric user ID) are now 
   removed from the response for unauthenticated requests when user-data hiding 
   is enabled.
 * Fixed: “Set up now” button on the admin notice did not open the popup overlay
   because the script cached DOM selectors before the popup HTML was rendered. Selectors
   are now resolved after DOM-ready, with a fallback redirect to the profile page
   if the overlay is still missing.

#### 2.5.5 – 01.05.2026

 * Fixed: SVN pre-commit hook on WordPress.org rejected the package because the 
   email-sending method used a “true” return type (PHP 8.2+ feature). Replaced with
   the equivalent “bool” return type for broader compatibility while keeping identical
   behavior.

#### 2.5.4 – 30.04.2026

 * Fixed: three strings in the en_US translation file contained German text instead
   of English (the shortcode description, the deadline notice, and the site-icon
   warning). Sites running with English locale will now correctly show English text.
 * Fixed: removed remaining German example text from the docblock of the shortcode
   class file (no functional impact, source-code cleanup only).

#### 2.5.3 – 30.04.2026

 * Fixed: removed remaining hardcoded German strings from PHP source (3× “Nicht 
   angemeldet.”, backup-codes email body, recovery-key label, backup-codes textarea
   header)
 * Fixed: removed hardcoded German “Bestätigen” button label from JavaScript (used
   after a failed verification attempt) – now uses the existing translatable string
 * i18n: all four cleaned-up strings translated for all eight supported locales (
   DE_CH/DE/AT, EN, FR, ES, IT, NL)

#### 2.5.2 – 30.04.2026

 * Fixed: 2FA setup via email failed silently on hosts that reject mails without
   an explicit “From” header – the email now always carries a same-domain sender
   address
 * Improved: when sending the 2FA code fails, the actual underlying mail error (
   from PHPMailer / SMTP) is now surfaced in the setup dialog instead of a generic“
   please try again”
 * Fixed: send cooldown is now armed only after a successful send, so a failed delivery
   no longer blocks the next attempt for 60 seconds
 * Improved: graceful fallback for the email subject when the issuer/site name option
   is empty

#### 2.5.1 – 30.04.2026

 * New: “SDTFA” column on Users  All Users showing the actual 2FA status (TOTP /
   Email / off) with green check or red ✗
 * New: Removes 2FA columns added by foreign 2FA plugins or host mu-plugins to avoid
   duplicate or misleading status indicators
 * New: Toggle in Privacy & Hardening section to disable the column behavior if 
   not desired (enabled by default)

#### 2.5.0 – 30.04.2026

 * New: Privacy & Hardening section with three optional features
 * New: Hide sensitive user data in REST API responses for unauthenticated visitors(
   REST endpoint stays reachable for SEO/import tools)
 * New: Block author archives (?author=N) for unauthenticated visitors to prevent
   user enumeration
 * New: Disable WordPress password reset for administrators and/or selected roles
 * Fixed: empty jQuery UI datepicker container no longer appears at the bottom of
   admin pages – it is now hidden by default and moved next to its input field on
   open

#### 2.4.1 – 22.04.2026

 * Fixed: dismiss (×) button on the admin notice now correctly persists via AJAX
   so the notice doesn’t reappear on every page reload

#### 2.4.0 – 22.04.2026

 * Renamed plugin to “Super Duper Two-Factor Login” (slug: super-duper-two-factor-
   login) for improved distinctiveness in the plugin directory
 * Replaced the setup popup with a WordPress-standard dismissable admin notice and
   a “Set up now” button – the modal opens only on user action
 * Moved the admin menu from position 3 to position 71 (after Users) to respect 
   the WordPress admin hierarchy
 * Extracted all inline `<style>` and `<script>` output into enqueued assets (`wp_enqueue_style`,`
   wp_enqueue_script`, `wp_add_inline_style`)
 * Localized datepicker day and month names via `wp_localize_script` (English source,
   translations via .po)
 * Updated the plugin header description to English (source strings) with German
   translations moved to .po/.mo
 * Corrected the `Contributors` entry in readme.txt to the actual WordPress.org 
   username

#### 2.3.0 – 10.04.2026

 * First public release on WordPress.org
 * TOTP and email-based two-factor authentication
 * 10 one-time backup codes with copy, download, print, and email
 * Personal recovery key for administrators
 * FTP emergency recovery via .sdtfa-recovery file
 * Trusted device feature (save this computer)
 * Role-based enforcement with optional grace period
 * Hard enforcement: 2FA setup required before login
 * Enforcement areas: admin, WooCommerce account, checkout, entire site
 * WooCommerce My Account integration
 * Setup popup reminder (dismissible)
 * Shortcode [sdtfa_status]
 * AES-256-GCM encryption for TOTP secrets
 * Translations: German (DE/AT/CH), English, French, Spanish, Italian, Dutch

#### 1.0.0 – 2.2.x

 * Internal development and testing

## Meta

 *  Version **2.5.13**
 *  Last updated **6 jam ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 6.8 or higher **
 *  Tested up to **6.9.4**
 *  PHP version ** 8.0 or higher **
 *  Language
 * [English (US)](https://wordpress.org/plugins/super-duper-two-factor-login/)
 * Tags
 * [2FA](https://su.wordpress.org/plugins/tags/2fa/)[login](https://su.wordpress.org/plugins/tags/login/)
   [security](https://su.wordpress.org/plugins/tags/security/)[totp](https://su.wordpress.org/plugins/tags/totp/)
   [two factor](https://su.wordpress.org/plugins/tags/two-factor/)
 *  [Advanced View](https://su.wordpress.org/plugins/super-duper-two-factor-login/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/super-duper-two-factor-login/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/super-duper-two-factor-login/reviews/)

## Contributors

 *   [ Super Duper Plugins ](https://profiles.wordpress.org/rogerruckstuhl/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/super-duper-two-factor-login/)