XeroWP
Super Duper Two-Factor Login
Super Duper Two-Factor Login

Super Duper Two-Factor Login

0/5 (0 ratings) 10 active installs Updated May 20, 2026
2FAAuthenticatorsecuritytwo factorwoocommerce
Download v2.5.14 Plugin Website
Admin notice prompting users to set up 2FA

Admin notice prompting users to set up 2FA

Super Duper Two-Factor Login adds robust two-factor authentication to your WordPress site. Unlike many alternatives, this plugin is completely free – no hidden costs, no premium tiers, no upsells. Every feature is included from the start.

🇨🇭🇩🇪🇦🇹 Hinweis für DACH-Nutzer: Plugin und Support sind auf Deutsch (Schweiz/Deutschland/Österreich) verfügbar. Alle Texte und Einstellungen sind vollständig auf Deutsch übersetzt.

Fully translated out of the box in German (Switzerland, Germany, Austria), English, French, Spanish, Italian and Dutch – no separate language pack required.

PHP 8.2 or higher required (for security reasons)

This plugin requires PHP 8.2 or higher. PHP 8.0 and 8.1 have both reached End of Life and no longer receive security updates – running a 2FA plugin on an unmaintained PHP version would defeat its purpose. PHP 8.2 lets us use modern security primitives (immutable configuration, type-safe method handling, strict return contracts) that make the plugin harder to attack.

Don’t have PHP 8.2 yet? Most hosting providers let you switch the PHP version with a single click in the control panel (Plesk, cPanel, Hostpoint, all-inkl, Cyon, raidboxes, etc.). It usually takes less than a minute and does not require any downtime. If in doubt, ask your hoster’s support – they help with PHP upgrades for free.

Two Verification Methods

  • TOTP (Authenticator App) – Works with Google Authenticator, FreeOTP+, Authy, Microsoft Authenticator, and any TOTP-compatible app. Setup via QR code or manual key entry.
  • Email – Receive a 6-digit code via email on every login. No smartphone required.

Comprehensive Fallback System

  • 10 Backup Codes – One-time emergency codes in case you lose your phone. Copy, download, print, or email them to yourself.
  • Administrator Recovery Key – Each admin receives a personal 32-character key during setup. Works even when all backup codes are used up.
  • FTP Emergency Recovery – As a last resort, create an empty file named .sdtfa-recovery in wp-content/ via FTP. Temporarily disables 2FA for all administrators. Admins are notified hourly by email.

Enforcement & Trust

  • Role-Based Enforcement – Require 2FA for administrators, editors, subscribers, or any role.
  • Grace Period – Set a deadline so users have time to set up 2FA before enforcement kicks in.
  • Hard Enforcement – Without a grace period, users must complete 2FA setup on the login page before gaining any access.
  • Enforcement Areas – Choose where to enforce: admin area, WooCommerce account, checkout, or entire site.
  • Trust This Device – Users can save their computer so the 2FA code isn’t required on every login. Configurable duration (1–365 days).

Integration

  • WooCommerce – Adds a “Two-Factor Authentication” tab to the My Account page. Enforce 2FA for the account area and checkout.
  • Shortcode – Display the user’s 2FA status anywhere with [sdtfa_status].
  • Setup Reminder – A dismissable admin notice with a “Set up now” button. No auto-popups; users open the setup flow only by clicking.

Security

  • AES-256-GCM encryption for TOTP secrets at rest
  • Secure HttpOnly cookies for trusted devices
  • Hashed token storage (never stored in plain text)
  • No external dependencies – everything runs locally in pure PHP
  • No external API calls, no tracking, no data collection

Privacy & Hardening (optional)

  • Hide user data in REST API – Replace sensitive user fields (name, slug, link, avatar) with neutral values for unauthenticated requests. The REST endpoint stays reachable for SEO and import tools, but anonymous visitors no longer see real display names. Uses a strict whitelist that automatically drops any extra fields injected by SEO, page-builder or e-commerce plugins (Yoast, Rank Math, AIOSEO, Elementor, WooCommerce, …). Example response for an anonymous visitor on /wp-json/wp/v2/users/1:

    {“id”:1,”name”:”Author”,”url”:””,”description”:””,”link”:”https:\/\/example.com\/”,”slug”:”author”,”avatar_urls”:{}}

  • Block author archives – Redirect unauthenticated visitors away from ?author=N and /author/<slug>/ to prevent user enumeration.

  • Disable password reset – Disable the “Lost your password?” function for administrators and/or selected roles. Useful when 2FA must be the only authentication path.
  • Users list column – A clean “SDTFA” column on Users All Users that shows the real 2FA status (TOTP, Email, or off) and replaces duplicate columns added by host mu-plugins or other 2FA plugins.