Digipacket Login Security with Two-Factor Authentication

Author: digipacket

Description

Digipacket Login Security adds strong, standards-based two-factor authentication to any WordPress site. It uses the TOTP algorithm (RFC 6238), so it works with Google Authenticator, Authy, Microsoft Authenticator, FreeOTP and any standard authenticator app — with no external service or cloud dependency. Everything runs on your own server.

Key features

  • TOTP compatible with Google Authenticator and all standard apps.
  • Choice of method — each user picks an authenticator app (TOTP) or a one-time code sent by e-mail at login.
  • QR Code enrolment rendered locally on the user profile screen (no external image service).
  • Mandatory code verification after every login.
  • Single-use backup codes for account recovery if the device is lost.
  • Brute-force protection — lock an account after a configurable number of failed attempts, for a configurable duration. Blocks further sign-ins even with the correct password during the lockout window.
  • Security e-mail alerts — notify the account owner when repeated wrong-password attempts or too many incorrect 2FA codes are detected.
  • Login notifications — e-mail the user and/or the administrator (per selected roles) with sign-in details (user, date, IP, browser).
  • Login screen warning — optional full-screen security notice that visitors must accept before signing in.
  • Enforce 2FA by role with a configurable grace period.
  • Admin reset of a user’s 2FA from the Users list, plus a 2FA status column.
  • Audit log of all security events with filtering by role or user.
  • Modern admin interface — dashboard, focused settings tabs and an About page.
  • Translatable — ships with French (fr_FR) and English.

Privacy & external services

By default, Digipacket Login Security does not send any data to external services. All secrets, codes and logs are stored in your own WordPress database, and e-mails are sent through your site’s standard wp_mail() function.

Optional Telegram notifications (disabled by default): if you enable them and provide your own bot token and chat ID, the plugin sends security-event details (event type, username, IP address, date) to the Telegram Bot API at https://api.telegram.org so the message can be delivered to your chosen Telegram chat. This only happens while the feature is enabled and configured.

  • Telegram Bot API: https://core.telegram.org/bots/api
  • Telegram Privacy Policy: https://telegram.org/privacy

Screenshots

Security dashboard with 2FA adoption statistics.
Access Policy settings — enforce 2FA by role and configure brute-force lockout.
Notifications settings — security alerts and login notifications.
Audit log with filtering by role or user.
Two-factor enrolment on the user profile screen.

Installation

  1. In WordPress, go to Plugins → Add New → Upload Plugin.
  2. Select digipacket-login-security.zip, click Install Now, then Activate.
  3. Go to Users → Profile and enable 2FA on your own account first.
  4. Configure site-wide options under Digipacket Login Security in the admin menu.

Manual installation: copy the digipacket-login-security folder into wp-content/plugins/ and activate it from the Plugins screen.

Frequently Asked Questions

Which authenticator apps are supported?

Any standard TOTP (RFC 6238) app: Google Authenticator, Authy, Microsoft Authenticator, FreeOTP, 1Password, and more.
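What "standard TOTP" and local QR enrolment involve, as an added example that is not the plugin's own code: the otpauth:// URI an enrolment QR code encodes, and server-side verification of the 6-digit code. The function names, the ±1 step drift window, the replay check via a stored last-used counter, and the sample account and issuer are assumptions of this sketch, not documented plugin behaviour.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote, urlencode

STEP, DIGITS = 30, 6  # parameters standard authenticator apps default to
# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at):
    """RFC 6238 code for Unix time `at`, using HMAC-SHA1 over the time-step counter."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI to render as a QR code; it contains the secret, so build it locally."""
    params = urlencode(
        {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1",
         "digits": DIGITS, "period": STEP},
        quote_via=quote,
    )
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?{params}"

def verify(secret_b32, code, at, last_counter=-1, window=1):
    """Return the matched time-step counter, or None if the code is rejected.

    `window` tolerates clock drift of that many steps either side (assumption).
    `last_counter` is the counter stored at the previous successful login;
    anything at or below it is refused so a captured code cannot be replayed.
    """
    now = int(at) // STEP
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        expected = totp(secret_b32, counter * STEP)
        # Constant-time comparison on bytes avoids leaking matching digits.
        if hmac.compare_digest(expected.encode(), str(code).encode()):
            return counter
    return None

if __name__ == "__main__":
    print(provisioning_uri(SAMPLE_SECRET, "alice@example.com", "Example Site"))
    print(totp(SAMPLE_SECRET, 59), verify(SAMPLE_SECRET, "287082", 59))
```

The caller persists the returned counter per user and passes it back as `last_counter` on the next attempt.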

Does it work without sending data to a third party?

Yes. Core 2FA has no external service or cloud dependency — the QR code is generated locally and all data stays on your server. The only optional exception is Telegram notifications, which are disabled by default and only contact api.telegram.org when you enable them with your own bot token (see Privacy & external services).

A user is locked out. How do I help them?

Administrators can reset a user’s 2FA from the Users list (the “Reset 2FA” row action), allowing them to enrol again.

My notification e-mails land in spam.

This is a mail-deliverability matter, not a plugin issue. Configure an SMTP plugin and set up SPF/DKIM/DMARC for your domain so messages are authenticated.

Does 2FA apply to REST API / XML-RPC / Application Passwords?

The interactive second factor applies to the browser login form. Non-interactive API authentication intentionally bypasses it — use Application Passwords for programmatic access.

Contributors & Developers

“Digipacket Login Security with Two-Factor Authentication” is open source software. The following people have contributed to this plugin.

Contributors
  • digipacket
Changelog

1.0.1

  • Fix: on a fresh install, the very first time the settings were saved the values were silently discarded (roles, brute-force options, Telegram token, etc.). Settings now save correctly from the first save.

1.0.0

  • Initial public release.
  • TOTP two-factor authentication (RFC 6238) compatible with Google Authenticator and all standard apps, plus an e-mail one-time-code method.
  • Local QR-code enrolment and single-use backup codes.
  • Enforce 2FA by role with a configurable grace period.
  • Configurable brute-force lockout (number of attempts and duration) with real sign-in enforcement.
  • Security e-mail alerts for repeated wrong-password attempts and 2FA lockouts.
  • Login notifications with sign-in details (user, date, IP, browser), scoped by role, to the user and/or administrator.
  • Optional login-screen security warning popup with a customizable message.
  • Audit log of security events with filtering by role or user.
  • Admin Dashboard “Security Overview” widget.
  • Reset 2FA and Ban / Unban actions from the Users list, with status badges.
  • Optional Telegram notifications for audit-log events, scoped by role/user, with one-click logout/ban response links.

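Additional information

  • Version: 1.0.1
  • Last updated: 2 weeks ago
  • Active installations: fewer than 10
  • WordPress version: 6.0 or higher
  • Tested up to: 7.0
  • PHP version: 8.2 or higher
  • Language: English (US)
  • Tags: 2FA, Brute Force, login security, totp, two factor authentication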