
DataFirefly 2FA Fortress — Complete guide

Install, configure and operate two-factor authentication for the WordPress back office and WooCommerce customer accounts: TOTP, email, backup codes, per-role enforcement and grace period.

Updated Module version 1.0.0

DataFirefly 2FA Fortress adds complete two-factor authentication to the WordPress back office and to WooCommerce customer accounts. You decide, role by role, whether 2FA is disabled, optional or mandatory, with a grace period before lockout. Three methods are available: authenticator app (TOTP), email code and single-use backup codes. This guide covers installation, settings, user and customer activation, login, administration and troubleshooting.

Installation

  1. Download the df-twofactor.zip archive from your DataFirefly account.
  2. WordPress admin → Plugins → Add New → Upload Plugin → upload the ZIP, then Activate.
  3. On activation, the plugin creates its security-log table, generates a dedicated encryption key and adds the DataFirefly 2FA menu.

Compatible with WordPress 6.0 to 7.x and PHP 8.1 to 8.3. Compatible with WooCommerce HPOS (High-Performance Order Storage) and Cart/Checkout Blocks, multisite and multilingual. No Composer dependency.

Quick start in three minutes

  1. Open DataFirefly 2FA → Settings and choose the mode per role (at least Mandatory for administrators).
  2. Set a grace period (7 days by default) to give everyone time to configure their 2FA.
  3. Go to your profile and enable the TOTP app: scan the QR code, enter the 6-digit code, then download your backup codes.
  4. Log out and back in: a code is now requested after the password.

Always enable at least one recovery method (backup codes or email) before making 2FA mandatory: this is what prevents lockout if a phone is lost.

General settings (back office)

All settings are under DataFirefly 2FA → Settings.

Per-role enforcement

For each role (administrator, editor, shop manager, customer…), choose one of three modes:

  • Disabled: 2FA is neither offered nor required for this role.
  • Optional: users can enable it if they wish.
  • Mandatory: the user must configure it; beyond the grace period, access is blocked until it is active.

When a user has several roles, the strictest level applies.

Grace period

The grace period (in days) applies to users subject to mandatory 2FA who have not yet configured it. During this window, a reminder shows the number of days remaining. At 0 days, configuration is required from the first login.

Allowed methods

Enable the methods offered to your users: TOTP app, email code and backup codes. TOTP is recommended as the primary method; backup codes act as a safety net. The Display name (issuer) field sets the label shown in the authenticator app (the site name by default).

Trusted devices

The Remember browser setting (in days) lets a user skip the challenge on a validated device for the chosen duration. A value of 0 disables this feature entirely.

Brute-force protection

Set the number of attempts allowed before a temporary lockout and the lockout duration. The TOTP tolerance compensates for slightly out-of-sync clocks: a value of 1 accepts the code immediately before and immediately after the current one as well. Increasing it lowers security, because more codes are valid at any given moment.
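To make the tolerance setting concrete, here is an added example (not DataFirefly's code) of RFC 6238 TOTP verification with a window of ±tolerance steps, using the RFC 4226 reference secret as constructed input:

```php
<?php
// Added example (not DataFirefly code): RFC 6238 TOTP with the tolerance window described above.
// SHA-1, 30-second step and 6 digits, the defaults of the common authenticator apps.

function df_example_hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg  = pack('J', $counter);                      // 8-byte big-endian counter (RFC 4226)
    $hash = hash_hmac('sha1', $msg, $secret, true);   // raw 20-byte HMAC
    $off  = ord($hash[19]) & 0x0f;                    // dynamic truncation offset
    $bin  = ((ord($hash[$off]) & 0x7f) << 24)
          | (ord($hash[$off + 1]) << 16)
          | (ord($hash[$off + 2]) << 8)
          |  ord($hash[$off + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Accept the code for the current step and for $tolerance steps on either side.
 * Returns the counter that matched, so the caller can store it and refuse a second
 * login with a code from the same or an earlier step (replay), or null if nothing matched.
 */
function df_example_verify_totp(string $secret, string $code, int $now, int $tolerance = 1, int $step = 30): ?int
{
    if (strlen($code) !== 6 || !ctype_digit($code)) {
        return null;
    }
    $current = intdiv($now, $step);
    for ($delta = -$tolerance; $delta <= $tolerance; $delta++) {
        // hash_equals is constant-time, so response timing does not reveal how many digits were right
        if (hash_equals(df_example_hotp($secret, $current + $delta), $code)) {
            return $current + $delta;
        }
    }
    return null;                                      // 2 * $tolerance + 1 codes were valid for this attempt
}

// Constructed demo with the RFC 4226 reference secret (raw ASCII bytes, not the base32 form
// printed under the QR code). At t = 59 s the current counter is 1.
$secret = '12345678901234567890';
var_dump(df_example_hotp($secret, 1));                          // string(6) "287082"
var_dump(df_example_verify_totp($secret, '755224', 59, 1));     // int(0): previous step, accepted
var_dump(df_example_verify_totp($secret, '755224', 59, 0));     // NULL: tolerance 0 rejects it
```

Whatever tolerance you choose, also record the counter of the last accepted code and reject anything at or below it, so a code observed over someone's shoulder cannot be replayed within the window.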

Email code

Set how long the emailed code stays valid and the minimum delay between two sends (anti-spam). The code is single-use and expires automatically.

Customers and notifications

  • Customer opt-in: lets customers enable 2FA from “My Account” in WooCommerce.
  • New device: sends an informational email on a validated login from a never-seen device.

Enable your 2FA (administrators and staff)

Each user configures their 2FA from their profile (Users → Profile), in the “Two-factor authentication” section.

Authenticator app (TOTP)

  1. Click Set up under “Authenticator app”.
  2. Scan the QR code with Google Authenticator, Authy, Microsoft Authenticator, 1Password, etc. If the QR cannot be scanned, manually enter the key shown below it.
  3. Enter the 6-digit code generated by the app, then click Confirm & enable.

The TOTP secret is encrypted server-side (AES-256-GCM) before being stored. It is never shown in clear text once setup is complete.

Email code

Click Enable under “Email code”: a verification code is sent to your address. Enter it to confirm. If the code has expired, use Resend a new code.

Backup codes

As soon as a method is enabled, ten single-use backup codes are generated and shown once. Use the Download (.txt) or Copy buttons to keep them safe. Each code works only once; you can regenerate them at any time (the old ones are then invalidated).

Enable 2FA for customers (WooCommerce)

When customer opt-in is enabled, your customers get a Security (2FA) tab in “My Account”. There they enable the TOTP app or the email code, exactly as in the back office, and keep their own backup codes. You can also make 2FA mandatory for the customer role.

Logging in with two-factor authentication

Once 2FA is active, login happens in two steps: your usual username and password, then a verification screen asking for the primary method’s code.

Switch method or resend a code

On the verification screen, links let you switch to another enabled method (for example from TOTP to the email code) or use a backup code. For the email method, a link lets you resend a code if needed.

Remember the device

If trusted devices are enabled, a “Remember this device” checkbox avoids asking for a code again on this browser for the configured duration. Avoid it on a shared computer.

Forced setup (mandatory 2FA)

If 2FA is mandatory for the role and the grace period has passed, the user must configure it right on the login screen: they enter their password, then enable the TOTP app before reaching the site. Their backup codes are shown immediately after.

Before switching a role to “Mandatory” with a short grace period, warn the affected users and make sure a recovery method is available. In case of lockout, an administrator can always reset an account’s 2FA.

Backup codes: use, download, regenerate

Backup codes let you log in when the primary device is unavailable. On the verification screen, choose “Use a backup code” and enter one of your unused codes. From the profile, the “Backup codes” card shows the number of remaining codes and lets you regenerate them. When generated, codes can be downloaded as a .txt file (header with site, account and date) or copied to the clipboard.

Managing users’ 2FA (administrator)

2FA column and reset

The Users list shows a 2FA column indicating each user’s two-factor status (Enabled, Pending, Blocked or Inactive). The Manage link opens the user’s 2FA panel, where an administrator can reset their configuration (for example after a lost device).

Security log

The DataFirefly 2FA → Security log menu keeps the last 200 events: successful and failed logins, enables and disables, backup-code use, brute-force lockouts and admin resets. Entries older than 180 days are pruned automatically.

Security and data storage

  • TOTP secrets are encrypted with AES-256-GCM using a dedicated key generated at activation, independent of the WordPress salt keys.
  • Backup codes are hashed (never stored in clear) and invalidated after use.
  • Brute-force protection temporarily locks an account after too many failures.
  • Trusted devices rely on a random token, stored hashed server-side.
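As an added illustration of the first rule (not the plugin's own code), this is what AES-256-GCM protection of a TOTP secret looks like in PHP; the key, the user ID used as associated data and the sample secret are constructed for the example:

```php
<?php
// Added example (not DataFirefly code) of the first storage rule above: the TOTP secret is
// encrypted with AES-256-GCM under a key that is not derived from the WordPress salts, so a
// dump of the users table alone does not expose the secret. The user ID goes in as
// additional authenticated data, so a blob copied into another user's meta will not decrypt.

const DF_EXAMPLE_IV_LEN  = 12;   // 96-bit GCM nonce
const DF_EXAMPLE_TAG_LEN = 16;   // 128-bit authentication tag

function df_example_encrypt_secret(string $secret, string $key, int $user_id): string
{
    if (strlen($key) !== 32) {                        // openssl would silently pad or truncate
        throw new InvalidArgumentException('AES-256 key must be exactly 32 bytes');
    }
    $iv  = random_bytes(DF_EXAMPLE_IV_LEN);           // fresh nonce for every encryption, never reused
    $tag = '';
    $ct  = openssl_encrypt($secret, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, (string) $user_id, DF_EXAMPLE_TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);           // the blob that would be written to user meta
}

function df_example_decrypt_secret(string $blob, string $key, int $user_id): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < DF_EXAMPLE_IV_LEN + DF_EXAMPLE_TAG_LEN) {
        return null;
    }
    $iv  = substr($raw, 0, DF_EXAMPLE_IV_LEN);
    $tag = substr($raw, DF_EXAMPLE_IV_LEN, DF_EXAMPLE_TAG_LEN);
    $ct  = substr($raw, DF_EXAMPLE_IV_LEN + DF_EXAMPLE_TAG_LEN);
    // GCM checks the tag before releasing plaintext: wrong key, wrong user or a modified blob gives false
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, (string) $user_id);
    return $pt === false ? null : $pt;
}

// Constructed demo; in the plugin the key would be the dedicated one generated at activation.
$key  = random_bytes(32);
$blob = df_example_encrypt_secret('JBSWY3DPEHPK3PXP', $key, 42);
var_dump(df_example_decrypt_secret($blob, $key, 42));             // string(16) "JBSWY3DPEHPK3PXP"
var_dump(df_example_decrypt_secret($blob, $key, 43));             // NULL: bound to another user
var_dump(df_example_decrypt_secret($blob, random_bytes(32), 42)); // NULL: wrong key
```

The protection is only as good as the key's separation from the database: keep the dedicated key out of database backups and out of any export that also carries the encrypted user metadata.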

Compatibility and technical notes

  • WordPress 6.0 to 7.x, PHP 8.1 to 8.3, multisite.
  • WooCommerce: HPOS and Cart/Checkout Blocks compatibility declared.
  • Multilingual: a .pot translation template is provided (compatible with Polylang, WPML, Loco Translate).
  • Architecture extensible through method providers (see the developer section), ready for adding WebAuthn / passkeys later.

For developers (hooks and filters)

  • df2fa_providers (filter): add or remove verification methods.
  • df2fa_ip_headers (filter): customise the headers used to determine the client IP.
  • df2fa_email_code_message (filter): customise the email message containing the code.
  • df2fa_event_logged (action): fired on every record written to the security log.
  • df2fa_login_success (action): fired after a login validated by 2FA.
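An added example (not part of the plugin) of using the df2fa_ip_headers filter from a small site plugin. The callback signature is an assumption, since this page lists the hook but not its arguments; the proxy addresses are constructed placeholders:

```php
<?php
// Added example (not DataFirefly code): a small site plugin using the df2fa_ip_headers filter.
// Assumption, since this page names the hook but not its arguments: the callback receives the
// plugin's ordered list of $_SERVER keys and returns the list it should read the client IP from.

add_filter('df2fa_ip_headers', function (array $headers): array {
    // Constructed placeholder: the addresses of your own reverse proxy or load balancer.
    $trusted_proxies = ['10.0.0.5', '10.0.0.6'];

    // A forwarding header is only meaningful when the TCP peer is a proxy you control.
    // If it is honoured on direct connections, a client can supply any address it likes
    // and the brute-force lockout is counted against the wrong IP. $headers (the plugin's
    // default list) is replaced outright here rather than extended.
    if (in_array($_SERVER['REMOTE_ADDR'] ?? '', $trusted_proxies, true)) {
        return ['HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'];
    }
    return ['REMOTE_ADDR'];
});
```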

Uninstallation

Deleting the plugin from the Plugins screen runs a full cleanup: the security-log table is dropped, options and all users’ 2FA metadata are erased, and scheduled tasks are removed. Simply deactivating keeps the data.

FAQ and troubleshooting

The QR code does not appear. Force-reload the page (browser cache). You can also configure the app manually by entering the key shown below the QR. Check that no JavaScript minification/blocking plugin prevents scripts from loading.

A user lost their phone. They can use a backup code, or the email method if enabled. Otherwise, an administrator resets their 2FA from the users list.

The emailed code is rejected. Check that it has not expired and use “Resend a new code”. Also check the site’s email sending configuration (SMTP).

I am locked out after making 2FA mandatory. Log in with another administrator account to reset the affected account, or adjust the role’s mode in the settings.

Are passkeys / WebAuthn supported? Not in version 1.0.0. The provider architecture will allow them to be added later without a rewrite.
