WordPress.org

Should the pass-phrase be equal to my main password?

No, but it could be.

Should I remember the pass-phrase?

No, if you plan to use a printed one-time password list only.

Yes, if you plan to use a one-time password generator, on your iPhone (not tried) or on Android (tried with success) or on mobile phones that support JavaME, for example using j2me-otp (not tried) or OTPGen (tried with success).

If you are using a one-time password generator, you can safely generate a new password list using a one-time password by entering this password in the pass-phrase field and by checking Pass-phrase is a One-Time Password. The sequence number should be entered into the Count/sequence field. In this case no password list will be displayed.

Are pass-phrases to generate one-time password lists stored?

No.

What should I do when I have lost my one-time password list?

Revoke it as soon as possible. Generating a new one-time password list will revoke the existing list automatically. Do not generate a new one-time password list with the same pass-phrase, seed and algorithm (at least one should be different).

Can I generate a one-time password list again?

Yes, if you remember the pass-phrase, seed and algorithm, but the one-time password sequence will be reset.

Are one-time passwords case sensitive?

No.

How do I choose between logging-in using a one-time password or my main WordPress password?

Simply enter the password of your choice into the WordPress password box.

How can I change the styling?

1. Copy wp-otp.css to your theme directory to prevent it from being overwritten by an update
2. Change the style sheet to your wishes; the style sheet contains documentation

Why does this plugin require at least WordPress version 2.8?

Because the new authenticate filter is used. See this article for more details.

Is this plugin multi-user?

Yes, since version 0.5.

Will this plugin work with WordPress MU?

Yes, since version 1.2.

Why does this plugin require at least PHP version 5.0.0?

Because this is a requirement of the PHP One-Time Passwords class and because the try-catch construction is used as a fail-safe for the login screen.

Who can modify the one-time password options?

Users with manage_options capability, normally only administrators.

What is the scope of the one-time password options?

Site wide.

How does the integration with the http:BL plugin work?

First of all the integration with the http:BL plugin has to be enabled using the settings menu. If enabled, you can navigate to the login url of your blog, even if http:BL would normally block it. A warning indication the age, level and threat type is displayed above the login window. You can login only using a one-time password, not with your user name and password. After logging in, you can navigate to any part of your weblog, until you sign out. Note that before logging in only wp-login.php is available and no other addresses like /wp-admin/.

I recommend installing Invalidate Logged Out Cookies for more security.

How does the integration with Bad Behavior work?

If you enable the option to disable Bad Behavior on the login page using the settings menu the Bad Behavior plugin will be disabled. To re-enabled the Bad Behavior plugin you have to disable this option first. When this option is enabled the one-time password plugin will load the Bad Behavior plugin instead of WordPress, except for the login page and for every other page when you are logged in using a one-time password. Unfortunately it is not possible (yet) to display a warning on the login page that Bad Behavior would block access.

Will RFC 4226 be supported?

No, RFC 4226 requires a symmetric key, which should be stored. WordPress does not provide a safe way to store keys.

Where can I ask questions, report bugs and request features?

You can write a comment on the support page.