Description
Digipacket Login Security adds strong, standards-based two-factor authentication to any WordPress site. It uses the TOTP algorithm (RFC 6238), so it works with Google Authenticator, Authy, Microsoft Authenticator, FreeOTP and any standard authenticator app — with no external service or cloud dependency. Everything runs on your own server.
Key features
- TOTP compatible with Google Authenticator and all standard apps.
- Choice of method — each user picks an authenticator app (TOTP) or a one-time code sent by e-mail at login.
- QR Code enrolment rendered locally on the user profile screen (no external image service).
- Mandatory code verification after every login.
- Single-use backup codes for account recovery if the device is lost.
- Brute-force protection — lock an account after a configurable number of failed attempts, for a configurable duration. Blocks further sign-ins even with the correct password during the lockout window.
- Security e-mail alerts — notify the account owner when repeated wrong-password attempts or too many incorrect 2FA codes are detected.
- Login notifications — e-mail the user and/or the administrator (per selected roles) with sign-in details (user, date, IP, browser).
- Login screen warning — optional full-screen security notice that visitors must accept before signing in.
- Enforce 2FA by role with a configurable grace period.
- Admin reset of a user’s 2FA from the Users list, plus a 2FA status column.
- Audit log of all security events with filtering by role or user.
- Modern admin interface — dashboard, focused settings tabs and an About page.
- Translatable — ships with French (fr_FR) and English.
Privacy & external services
By default, Digipacket Login Security does not send any data to external services. All secrets, codes and logs are stored in your own WordPress database, and e-mails are sent through your site’s standard wp_mail() function.
Optional Telegram notifications (disabled by default): if you enable them and provide your own bot token and chat ID, the plugin sends security-event details (event type, username, IP address, date) to the Telegram Bot API at https://api.telegram.org so the message can be delivered to your chosen Telegram chat. This only happens while the feature is enabled and configured.
- Telegram Bot API: https://core.telegram.org/bots/api
- Telegram Privacy Policy: https://telegram.org/privacy
Screenshots
Installation
- In WordPress, go to Plugins Add New Upload Plugin.
- Select
digipacket-login-security.zip, click Install Now, then Activate. - Go to Users Profile and enable 2FA on your own account first.
- Configure site-wide options under Digipacket Login Security in the admin menu.
Manual installation: copy the digipacket-login-security folder into wp-content/plugins/ and activate it from the Plugins screen.
FAQ
-
Which authenticator apps are supported?
-
Any standard TOTP (RFC 6238) app: Google Authenticator, Authy, Microsoft Authenticator, FreeOTP, 1Password, and more.
-
Does it work without sending data to a third party?
-
Yes. Core 2FA has no external service or cloud dependency — the QR code is generated locally and all data stays on your server. The only optional exception is Telegram notifications, which are disabled by default and only contact api.telegram.org when you enable them with your own bot token (see Privacy & external services).
-
A user is locked out. How do I help them?
-
Administrators can reset a user’s 2FA from the Users list (the “Reset 2FA” row action), allowing them to enrol again.
-
My notification e-mails land in spam.
-
This is a mail-deliverability matter, not a plugin issue. Configure an SMTP plugin and set up SPF/DKIM/DMARC for your domain so messages are authenticated.
-
Does 2FA apply to REST API / XML-RPC / Application Passwords?
-
The interactive second factor applies to the browser login form. Non-interactive API authentication intentionally bypasses it — use Application Passwords for programmatic access.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Digipacket Login Security with Two-Factor Authentication” is open source software. The following people have contributed to this plugin.
Contributors
Translate “Digipacket Login Security with Two-Factor Authentication” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.0.1
- Fix: on a fresh install, the very first time the settings were saved the values were silently discarded (roles, brute-force options, Telegram token, etc.). Settings now save correctly from the first save.
1.0.0
- Initial public release.
- TOTP two-factor authentication (RFC 6238) compatible with Google Authenticator and all standard apps, plus an e-mail one-time-code method.
- Local QR-code enrolment and single-use backup codes.
- Enforce 2FA by role with a configurable grace period.
- Configurable brute-force lockout (number of attempts and duration) with real sign-in enforcement.
- Security e-mail alerts for repeated wrong-password attempts and 2FA lockouts.
- Login notifications with sign-in details (user, date, IP, browser), scoped by role, to the user and/or administrator.
- Optional login-screen security warning popup with a customizable message.
- Audit log of security events with filtering by role or user.
- Admin Dashboard “Security Overview” widget.
- Reset 2FA and Ban / Unban actions from the Users list, with status badges.
- Optional Telegram notifications for audit-log events, scoped by role/user, with one-click logout/ban response links.