=== Configify 2FA ===
Contributors: configify, bhumiitpath
Tags: two-factor authentication, 2fa, security, login, woocommerce
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Flexible Two-Factor Authentication for WordPress. Choose Google Authenticator (TOTP), Math CAPTCHA, or Google reCAPTCHA — with a security audit log.

== Description ==

Configify 2FA adds Two-Factor Authentication to every important action on your WordPress site, all configurable from a single settings page.

Choose the method that fits your audience:

* Google Authenticator (TOTP) — RFC 6238 compliant. Works with Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and any TOTP app.
* Math CAPTCHA — Server-side arithmetic challenge. No external dependencies. Works offline.
* Google reCAPTCHA — v2 (checkbox) or v3 (invisible, score-based).

Protect any combination of:

* Login (wp-login.php + WooCommerce)
* Registration (WordPress + WooCommerce)
* Forgot Password
* Change / Reset Password
* Comment Submission

= What makes Configify 2FA different =

Security Audit Dashboard — Every 2FA event (success, failure, lockout, setup, method change) is recorded with username, IP address, user agent, and timestamp. Filter, search, and export to CSV directly from your admin panel.

Trusted Device Memory — After verifying, users can choose to trust their current device for a set number of days. Subsequent logins from that device skip the 2FA step. Tokens are cryptographically random and bound to the user agent. Admins can revoke trusted devices per user from the profile screen.

Brute-Force Lockout — Repeated 2FA failures trigger a configurable lockout by user and IP address to stop automated attacks.

Email OTP Fallback — When TOTP is active but a user has not yet set up their authenticator app, a 6-digit one-time code is sent to their email address as a fallback.

Per-Role Enforcement — Require 2FA only for Administrators, Editors, or any custom role. Leave all unchecked to apply to every role.

WooCommerce Support — Hooks into WooCommerce login, registration, lost password, and account password change, not just the default WordPress forms.

= Security Details =

* TOTP implementation is pure PHP with no third-party library dependency. Secrets are stored in WordPress user-meta and never exposed in plain text.
* Math CAPTCHA answers are stored in server-side transients with a 10-minute TTL and consumed on first use.
* Pending login sessions are stored in a custom database table, expire after 10 minutes, and are purged daily via WP-Cron.
* Trusted device tokens are cryptographically random (48 characters), hashed with wp_hash() before storage, and bound to the user agent string.
* All form submissions require a WordPress nonce in addition to the 2FA challenge.
* TOTP verification includes a clock-skew tolerance of plus or minus two 30-second windows to account for imprecise device clocks.

== External Services ==

This plugin connects to the following external services. No data is ever sent to Configify servers.

= Google reCAPTCHA =

This plugin can use Google reCAPTCHA to protect forms. It is only active when the admin selects reCAPTCHA as the 2FA method.

It sends the user's IP address and a browser interaction token to Google's servers each time a protected form is submitted.

This service is provided by Google LLC: [Terms of Service](https://policies.google.com/terms), [Privacy Policy](https://policies.google.com/privacy).

= goQR.me QR Code API =

This plugin uses the goQR.me API (api.qrserver.com) to generate QR code images for Google Authenticator setup. It is only used when a user clicks "Generate QR Code" on the Settings page while TOTP is the active method.

It sends the TOTP URI — which contains the site name, the user's email address, and the TOTP secret — to api.qrserver.com to generate the QR code image. The service does not store or log QR code contents. The generated image is cached for approximately 30 seconds and then deleted.

This service is provided by goQR.me: [Terms of Service](https://goqr.me/legal/tos-api.html), [Privacy Policy](https://goqr.me/privacy-safety-security/).

= WooCommerce Compatibility =

Configify 2FA integrates with WooCommerce out of the box with no additional configuration. It hooks into:

* woocommerce_process_login_errors
* woocommerce_process_registration_errors
* woocommerce_lostpassword_form
* woocommerce_edit_account_form
* woocommerce_save_account_details_errors

= Privacy =

Configify 2FA stores the following data locally on your server:

* A TOTP secret and confirmation flag in wp_usermeta.
* Trusted device token hashes and expiry timestamps in wp_usermeta.
* Pending session tokens in a custom table (wp_c2fa_sessions) — deleted automatically after 10 minutes.
* Security audit log entries in a custom table (wp_c2fa_audit_log) — pruned automatically after the configured retention period (default 90 days).

All data is removed when the plugin is deleted (via uninstall.php).

== Installation ==

1. Upload the configify-2fa folder to /wp-content/plugins/, or install via the WordPress admin plugin uploader.
2. Activate the plugin via Plugins > Installed Plugins.
3. Go to Settings > Configify 2FA and choose your 2FA method.
4. Enable the actions you want to protect and click Save Settings.

= Google Authenticator Setup =

1. Select Google Authenticator (TOTP) as the active method.
2. Users visit their Profile page, scroll to the Two-Factor Authentication section, and click Set up Authenticator App.
3. They scan the QR code with any TOTP-compatible app and enter the first 6-digit code to confirm.
4. Future logins will require the 6-digit code from the app.

= Google reCAPTCHA Setup =

1. Obtain a free site key and secret key at https://www.google.com/recaptcha/admin/create
2. Select Google reCAPTCHA as the active method.
3. Enter your keys under the Google reCAPTCHA Options section and save.

== Frequently Asked Questions ==

= Can I use multiple 2FA methods at once? =

No. One method is active site-wide. This keeps the user experience consistent. Different methods per role may be considered for a future release.

= What happens if a user loses their phone or authenticator app? =

An admin can go to Users > Edit User > Two-Factor Authentication and click Reset TOTP. The user will then receive an email one-time code on their next login if the email fallback option is enabled.

= Does TOTP work offline? =

Yes. TOTP codes are generated locally in the authenticator app using a shared secret and the current time. No internet connection is needed after the initial setup scan.

= Does it work with WooCommerce? =

Yes. All five protected actions (login, registration, forgot password, change password, comment submission) hook into WooCommerce equivalents automatically.

= Is it compatible with caching plugins? =

Yes. The 2FA verification pages are handled dynamically and are not cached. Math CAPTCHA tokens are stored server-side, not in the page output.

= Will activating this plugin lock me out? =

No. The plugin only activates 2FA on the specific actions you enable. If you accidentally lock yourself out with TOTP, an administrator can reset TOTP for any user from Users > Edit User.

= Is Google reCAPTCHA GDPR compliant? =

Google reCAPTCHA sends the user's IP address and browser data to Google. You may need to disclose this in your site's privacy policy. The Math CAPTCHA method involves no external data transfers.

= Does the plugin send data to Configify servers? =

No. No data of any kind is sent to Configify servers. See the External Services section above for full details on what external connections the plugin can make.

== Screenshots ==

1. Settings page — method selection
2. Protected actions and role restrictions
3. Google Authenticator (TOTP) setup
4. Google reCAPTCHA setup
5. Math CAPTCHA setup
6. Backup codes
7. Security audit log dashboard with search and export
8. 2FA verification screen on wp-login.php
9. Trusted device option on the verification screen

== Changelog ==

= 1.0.0 =
* Initial release.
* Google Authenticator (TOTP), Math CAPTCHA, and Google reCAPTCHA v2/v3 methods.
* Protects login, registration, forgot password, change password, and comment submission.
* WooCommerce integration for all protected actions.
* Security audit log with CSV export.
* Trusted device memory — remember a verified device for a configurable number of days.
* Brute-force lockout after configurable failed attempts.
* Email OTP fallback for TOTP when app not yet configured.
* Per-role enforcement.
* Branding options with opt-in credit display.
* Full uninstall cleanup.

== Upgrade Notice ==

= 1.0.0 =
Initial release.
