Two Factor

Author: WordPress.org
This plugin's two-factor authentication (2FA) can use time-based one-time passwords (TOTP), email, and backup verification codes.
Rating: 4.8
Version: 0.16.0
Active installations: 100K
Last updated: Mar 27, 2026
Two Factor

The Two-Factor plugin adds an extra layer of security to your WordPress login by requiring users to provide a second form of authentication in addition to their password. This helps protect against unauthorized access even if passwords are compromised.

Setup Instructions

Important: Each user must individually configure their two-factor authentication settings.

Individual Users

  1. Navigate to your profile: Go to “Users” → “Your Profile” in the WordPress admin
  2. Find Two-Factor Options: Scroll down to the “Two-Factor Options” section
  3. Choose your methods: Enable one or more authentication providers (a site admin may have hidden one or more, so what is available can vary):
    • Authenticator App (TOTP) – Use apps like Google Authenticator, Authy, or 1Password
    • Email – Receive one-time codes via email
    • Backup Codes – Generate one-time backup codes for emergencies
    • Dummy Method – For testing purposes only (requires WP_DEBUG)
  4. Configure each method: Follow the setup instructions for each enabled provider
  5. Set primary method: Choose which method to use as your default authentication
  6. Save changes: Click “Update Profile” to save your settings

Site Administrators

  • Plugin settings: The plugin provides a settings page under “Settings” → “Two-Factor” to configure which providers should be disabled site-wide.
  • User management: Administrators can configure 2FA for other users by editing their profiles
  • Security recommendations: Encourage users to enable backup methods to prevent account lockouts

Available Authentication Methods

Authenticator App (TOTP) – Recommended

  • Security: High – Time-based one-time passwords
  • Setup: Scan QR code with authenticator app
  • Compatibility: Works with Google Authenticator, Authy, 1Password, and other TOTP apps
  • Best for: Most users, provides excellent security with good usability

Backup Codes – Recommended

  • Security: Medium – One-time use codes
  • Setup: Generate 10 backup codes for emergency access
  • Compatibility: Works everywhere, no special hardware needed
  • Best for: Emergency access when other methods are unavailable

Email Codes

  • Security: Medium – One-time codes sent via email
  • Setup: Automatic – uses your WordPress email address
  • Compatibility: Works with any email-capable device
  • Best for: Users who prefer email-based authentication

FIDO U2F Security Keys

  • Deprecated and removed due to loss of browser support.

Dummy Method

  • Security: None – Always succeeds
  • Setup: Only available when WP_DEBUG is enabled
  • Purpose: Testing and development only
  • Best for: Developers testing the plugin

Important Notes

HTTPS Requirements

  • All methods work on both HTTP and HTTPS sites

Browser Compatibility

  • TOTP and email methods work on all devices and browsers

Account Recovery

  • Always enable backup codes to prevent being locked out of your account
  • If you lose access to all authentication methods, contact your site administrator

Security Best Practices

  • Use multiple authentication methods when possible
  • Keep backup codes in a secure location
  • Regularly review and update your authentication settings

For more information about two-factor authentication in WordPress, see the WordPress Advanced Administration Security Guide.

For more on the history of this plugin's development, see this article.

Actions and Filters

The following action and filter hooks are provided by this plugin:

  • two_factor_providers filter: overrides the available two-factor providers, such as email and TOTP. Array values are the PHP class names of the two-factor providers.
  • two_factor_providers_for_user filter: overrides the two-factor providers available to a specific user. The first argument is an array whose values are provider class instances; the second argument is the WP_User object.
  • two_factor_enabled_providers_for_user filter: overrides the list of two-factor providers enabled for a user. The first argument is an array whose values are the enabled provider class names; the second argument is the user ID.
  • two_factor_user_authenticated action: receives the logged-in WP_User object as its first argument, for identifying the logged-in user immediately after the authentication workflow completes.
  • two_factor_user_api_login_enable filter: restricts REST API and XML-RPC usage to application passwords only; the second argument is the user ID.
  • two_factor_email_token_ttl filter: overrides how long, in seconds, an email token remains valid after it is generated. The first argument is the interval in seconds; the second is the ID of the WP_User being authenticated.
  • two_factor_email_token_length filter: overrides the default 8-character length of email tokens.
  • two_factor_backup_code_length filter: overrides the default 8-character length of backup codes. The WP_User of the associated user is provided as the second argument.
  • two_factor_rest_api_can_edit_user filter: overrides whether a user's Two Factor settings may be edited via the REST API. The first argument is the current $can_edit boolean; the second is the user ID.
  • two_factor_before_authentication_prompt action: receives the provider object and fires before the prompt on the authentication input form is displayed.
  • two_factor_after_authentication_prompt action: receives the provider object and fires after the prompt on the authentication input form is displayed.
  • two_factor_after_authentication_input action: receives the provider object and fires after the input fields on the authentication input form; if the form has no input fields, this action fires immediately after two_factor_after_authentication_prompt.
  • two_factor_login_backup_links filter: filters the backup links displayed on the two-factor login form.
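Several of the hooks above applied as one site policy, as an added example that is not code from the Two Factor plugin. The hook names and argument orders follow the list above; the file location under mu-plugins, the manage_options role check, the 5-minute email token lifetime, the 12-character backup codes and the log line format are assumptions chosen for illustration. The helper handles a providers array that is either keyed by class name or lists class names or instances as values, so it does not depend on which shape the installed version passes.

```php
<?php
/**
 * Plugin Name: Two Factor site policy (added example)
 *
 * Assumed location: wp-content/mu-plugins/two-factor-policy.php
 * Not part of the Two Factor plugin; illustrates its hooks only.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Remove one provider from a providers array, whether the array is keyed
 * by class name or lists class names / provider instances as values.
 */
function tfp_remove_provider( array $providers, string $class_name ): array {
	foreach ( $providers as $key => $value ) {
		if ( is_object( $value ) ) {
			$value_class = get_class( $value );
		} elseif ( is_string( $value ) ) {
			$value_class = $value;
		} else {
			$value_class = '';
		}
		if ( $key === $class_name || $value_class === $class_name ) {
			unset( $providers[ $key ] );
		}
	}
	return $providers;
}

// 1. Never offer the Dummy provider, even on sites where WP_DEBUG is on.
add_filter( 'two_factor_providers', function ( $providers ) {
	return tfp_remove_provider( (array) $providers, 'Two_Factor_Dummy' );
} );

// 2. Accounts that can manage the site must use an authenticator app:
//    drop the email provider for them so a mailbox compromise alone is not enough.
add_filter( 'two_factor_providers_for_user', function ( $providers, $user ) {
	if ( $user instanceof WP_User && user_can( $user, 'manage_options' ) ) {
		$providers = tfp_remove_provider( (array) $providers, 'Two_Factor_Email' );
	}
	return $providers;
}, 10, 2 );

// 3. Shorten the window in which an emailed code stays valid (value in seconds).
//    5 minutes is an assumed policy value, not the plugin's default.
add_filter( 'two_factor_email_token_ttl', function ( $ttl, $user_id ) {
	return 5 * MINUTE_IN_SECONDS;
}, 10, 2 );

// 4. Longer backup codes (12 is an assumed value); the WP_User is available
//    as the second argument if the length should vary per user.
add_filter( 'two_factor_backup_code_length', function ( $length, $user ) {
	return 12;
}, 10, 2 );

// 5. Audit trail: record every completed second-factor login in the PHP error log.
add_action( 'two_factor_user_authenticated', function ( $user ) {
	if ( ! $user instanceof WP_User ) {
		return;
	}
	$remote = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf(
		'[two-factor] user %d (%s) completed 2FA from %s',
		$user->ID,
		$user->user_login,
		$remote
	) );
} );
```

Drop the file into wp-content/mu-plugins so it loads before regular plugins and cannot be deactivated from the admin screen. Before enforcing rule 2, check how your installed version treats an administrator whose only enabled provider is email: if removing that provider leaves the user with no usable provider, confirm whether the login is refused or simply not challenged, and require those users to set up TOTP first.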

Redirect After the Two-Factor Challenge

To redirect users to a specific URL after completing the two-factor challenge, use WordPress core's built-in login_redirect filter. The filter works the same way as in a standard WordPress login flow:

add_filter( 'login_redirect', function( $redirect_to, $requested_redirect_to, $user ) {
    // Send every user to the same page after the challenge succeeds.
    return home_url( '/dashboard/' );
}, 10, 3 );
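A slightly fuller version of the same filter, as an added example that is not from the plugin or the original snippet: it keeps the default behaviour when the third argument is not a WP_User (core passes a WP_Error there on a failed login), sends administrators to the admin dashboard, and honours a caller-supplied redirect for everyone else only when wp_validate_redirect() accepts it as an on-site URL. The '/dashboard/' path and the manage_options check are assumptions.

```php
<?php
// Added example; assumes the '/dashboard/' page exists on this site.
add_filter( 'login_redirect', function ( $redirect_to, $requested_redirect_to, $user ) {
	// On a failed login core passes a WP_Error here; leave the default untouched.
	if ( ! $user instanceof WP_User ) {
		return $redirect_to;
	}

	// Privileged users land in the admin area.
	if ( user_can( $user, 'manage_options' ) ) {
		return admin_url();
	}

	// Everyone else: use the requested URL only if it points at this site
	// (or an allowed_redirect_hosts entry); otherwise fall back to /dashboard/.
	$fallback = home_url( '/dashboard/' );
	return wp_validate_redirect( (string) $requested_redirect_to, $fallback );
}, 10, 3 );
```

wp_validate_redirect() returns the fallback for off-site or malformed URLs, so an attacker-supplied redirect_to parameter cannot bounce a freshly authenticated user to another host.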
Tested up to
WordPress 6.9.4