Configify 2FA

Configify 2FA adds Two-Factor Authentication to every important action on your WordPress site, all configurable from a single settings page.

Choose the method that fits your audience:

• Google Authenticator (TOTP) — RFC 6238 compliant. Works with Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and any TOTP app.
• Math CAPTCHA — Server-side arithmetic challenge. No external dependencies. Works offline.
• Google reCAPTCHA — v2 (checkbox) or v3 (invisible, score-based).

Protect any combination of:

• Login (wp-login.php + WooCommerce)
• Registration (WordPress + WooCommerce)
• Forgot Password
• Change / Reset Password
• Comment Submission

What makes Configify 2FA different

Security Audit Dashboard — Every 2FA event (success, failure, lockout, setup, method change) is recorded with username, IP address, user agent, and timestamp. Filter, search, and export to CSV directly from your admin panel.

Trusted Device Memory — After verifying, users can choose to trust their current device for a set number of days. Subsequent logins from that device skip the 2FA step. Tokens are cryptographically random and bound to the user agent. Admins can revoke trusted devices per user from the profile screen.

Brute-Force Lockout — Repeated 2FA failures trigger a configurable lockout by user and IP address to stop automated attacks.

Email OTP Fallback — When TOTP is active but a user has not yet set up their authenticator app, a 6-digit one-time code is sent to their email address as a fallback.

Per-Role Enforcement — Require 2FA only for Administrators, Editors, or any custom role. Leave all unchecked to apply to every role.

WooCommerce Support — Hooks into WooCommerce login, registration, lost password, and account password change, not just the default WordPress forms.

Security Details

• TOTP implementation is pure PHP with no third-party library dependency. Secrets are stored in WordPress user-meta and never exposed in plain text.
• Math CAPTCHA answers are stored in server-side transients with a 10-minute TTL and consumed on first use.
• Pending login sessions are stored in a custom database table, expire after 10 minutes, and are purged daily via WP-Cron.
• Trusted device tokens are cryptographically random (48 characters), hashed with wp_hash() before storage, and bound to the user agent string.
• All form submissions require a WordPress nonce in addition to the 2FA challenge.
• TOTP verification includes a clock-skew tolerance of plus or minus two 30-second windows to account for imprecise device clocks.

External Services

This plugin connects to the following external services. No data is ever sent to Configify servers.

Google reCAPTCHA

This plugin can use Google reCAPTCHA to protect forms. It is only active when the admin selects reCAPTCHA as the 2FA method.

It sends the user’s IP address and a browser interaction token to Google’s servers each time a protected form is submitted.

This service is provided by Google LLC: Terms of Service, Privacy Policy.

goQR.me QR Code API

This plugin uses the goQR.me API (api.qrserver.com) to generate QR code images for Google Authenticator setup. It is only used when a user clicks “Generate QR Code” on the Settings page while TOTP is the active method.

It sends the TOTP URI — which contains the site name, the user’s email address, and the TOTP secret — to api.qrserver.com to generate the QR code image. The service does not store or log QR code contents. The generated image is cached for approximately 30 seconds and then deleted.

This service is provided by goQR.me: Terms of Service, Privacy Policy.

WooCommerce Compatibility

Configify 2FA integrates with WooCommerce out of the box with no additional configuration. It hooks into:

• woocommerce_process_login_errors
• woocommerce_process_registration_errors
• woocommerce_lostpassword_form
• woocommerce_edit_account_form
• woocommerce_save_account_details_errors

Privacy

Configify 2FA stores the following data locally on your server:

• A TOTP secret and confirmation flag in wp_usermeta.
• Trusted device token hashes and expiry timestamps in wp_usermeta.
• Pending session tokens in a custom table (wp_c2fa_sessions) — deleted automatically after 10 minutes.
• Security audit log entries in a custom table (wp_c2fa_audit_log) — pruned automatically after the configured retention period (default 90 days).

All data is removed when the plugin is deleted (via uninstall.php).