Fix: Datepicker for the enforcement deadline now opens directly below the input field instead of at the bottom of the page.
2.5.12 – 11.05.2026
Improvement: All plugin emails (login code, backup codes, recovery notifications) are now sent as properly formatted HTML with clear layout, code highlighting, and per-line backup code display.
Fix: No longer forces a From: header on outgoing emails so SMTP plugins can apply their SPF/DKIM-aligned sender address without conflict.
Debug: Added [SDTFA] entries to debug.log (when WP_DEBUG is on) to make email-delivery failures diagnosable.
i18n: 13 new mail-template strings translated to all eight locales (DE_CH, DE_DE, DE_AT, EN_US, FR_FR, ES_ES, IT_IT, NL_NL), including a plural form for the validity-minutes string.
2.5.11 – 05.05.2026
Fix: WooCommerce customer-logout endpoint is now explicitly excluded from 2FA enforcement so customers can always log out, even when wc_account or entire_site enforcement is active.
2.5.9 – 05.05.2026
Improved: forced 2FA setup screen on wp-login.php now uses larger, more readable fonts (warning text 16px, button 17px, content 15px) and a slightly wider login box.
i18n: translations completed for all eight supported locales (DE_CH, DE_DE, DE_AT, EN_US, FR_FR, ES_ES, IT_IT, NL_NL) – every string in the plugin is now fully translated. .pot template regenerated from current source.
2.5.8 – 05.05.2026
Fixed: forced 2FA setup AJAX calls returned HTTP 403 because the WordPress nonce check failed for unauthenticated users on the login page. The forced-setup token (already present in the request and validated against a server-side transient) is now accepted as the authorization for these AJAX calls, with the standard nonce check still applied for logged-in users.
2.5.7 – 05.05.2026
Fixed: forced 2FA setup screen on wp-login.php was unusable – clicking “Set up now” left the button stuck at “…”. The AJAX endpoints were registered for logged-in users only, but the forced-setup flow runs before the user is authenticated. Endpoints now also accept unauthenticated calls when a valid forced-setup token is supplied, and the JavaScript automatically passes that token along.
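The 2.5.7 and 2.5.8 entries above describe the same mechanism from two sides: the forced-setup AJAX endpoints must answer unauthenticated callers, but only when the request carries a token that matches a server-side transient, while logged-in callers keep the normal nonce check. The following is an added illustration of that gate, not the plugin's own code; the hook name, field names, transient key and ten-minute lifetime are assumptions.

```php
<?php
// Added example (not the plugin's own code): authorising a forced-2FA-setup AJAX call.
// Assumed: the login page carries hidden fields user_id and sdtfa_setup_token, and the
// server stored a hash of that token as the transient 'sdtfa_forced_setup_<user_id>'.

add_action( 'wp_ajax_sdtfa_forced_setup', 'sdtfa_example_forced_setup_ajax' );
add_action( 'wp_ajax_nopriv_sdtfa_forced_setup', 'sdtfa_example_forced_setup_ajax' );

function sdtfa_example_forced_setup_ajax() {
    $user_id = sdtfa_example_authorize_forced_setup();
    if ( ! $user_id ) {
        wp_send_json_error( array( 'message' => 'Not authorized.' ), 403 );
    }
    // ... generate or verify the TOTP secret for $user_id here ...

    // Once setup is complete the token must not be reusable.
    delete_transient( 'sdtfa_forced_setup_' . $user_id );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

/**
 * Returns the user ID this request may act for, or 0.
 * Logged-in users: the standard nonce check applies.
 * Anonymous users on wp-login.php: a valid forced-setup token is required.
 */
function sdtfa_example_authorize_forced_setup() {
    if ( is_user_logged_in() ) {
        // Third argument false: return false on failure instead of dying.
        if ( ! check_ajax_referer( 'sdtfa_forced_setup', 'nonce', false ) ) {
            return 0;
        }
        return get_current_user_id();
    }

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $token   = isset( $_POST['sdtfa_setup_token'] ) ? (string) wp_unslash( $_POST['sdtfa_setup_token'] ) : '';
    if ( ! $user_id || '' === $token ) {
        return 0;
    }

    // Keyed by user ID, so a token only acts for the account it was issued to,
    // stored as a hash so a database read does not yield a usable token,
    // compared in constant time.
    $stored = get_transient( 'sdtfa_forced_setup_' . $user_id );
    if ( ! is_string( $stored ) || ! hash_equals( $stored, hash( 'sha256', $token ) ) ) {
        return 0;
    }
    return $user_id;
}

/** Called after the password check succeeds for a user who has no 2FA yet; returns the raw token for the form. */
function sdtfa_example_issue_forced_setup_token( $user_id ) {
    $token = bin2hex( random_bytes( 32 ) );
    set_transient( 'sdtfa_forced_setup_' . $user_id, hash( 'sha256', $token ), 10 * MINUTE_IN_SECONDS );
    return $token;
}
```

The token is issued only after the password has been verified, expires with the transient, is bound to one user ID and is deleted once setup finishes, so an attacker who can reach the nopriv endpoint without the token gains nothing beyond a 403.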
2.5.6 – 05.05.2026
Improved: REST API user-data hiding now uses a strict whitelist approach instead of a maintained block list. Only structurally required fields (id, name, slug, link, avatar_urls, description, url) are kept in the response — everything else is dropped automatically, including fields from Yoast SEO (yoast_head, yoast_head_json), Rank Math, AIOSEO, SEOPress, Elementor, WooCommerce, and any future plugins that inject data into the user REST endpoint.
New: filter hook sdtfa_rest_user_allowed_keys to extend the whitelist for plugins or sites that have a legitimate need to expose additional public fields.
Fixed: the filter now runs at priority 999 so it executes after third-party plugins that register their own user REST fields.
Fixed: REST self/collection links (which expose the numeric user ID) are now removed from the response for unauthenticated requests when user-data hiding is enabled.
Fixed: “Set up now” button on the admin notice did not open the popup overlay because the script cached DOM selectors before the popup HTML was rendered. Selectors are now resolved after DOM-ready, with a fallback redirect to the profile page if the overlay is still missing.
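The 2.5.6 REST entries above amount to one filter: keep an allowlist of keys, let sites extend it through sdtfa_rest_user_allowed_keys, run late enough (priority 999) to see fields other plugins added, and strip the self/collection links for anonymous callers. This is an added example of that filter, not the plugin's own code; the function name is an assumption, the hook name and priority follow the changelog.

```php
<?php
// Added example (not the plugin's own code) of the allowlist described for 2.5.6.
// Priority 999 on rest_prepare_user: runs after third-party plugins that add user fields.
add_filter( 'rest_prepare_user', 'sdtfa_example_filter_rest_user', 999, 3 );

function sdtfa_example_filter_rest_user( $response, $user, $request ) {
    // Authenticated callers (e.g. the block editor's author picker) keep the full object.
    if ( is_user_logged_in() ) {
        return $response;
    }

    // Allowlist of structurally required keys; sites extend it through the documented hook.
    $allowed = apply_filters( 'sdtfa_rest_user_allowed_keys', array(
        'id', 'name', 'slug', 'link', 'avatar_urls', 'description', 'url',
    ) );

    // Drop everything not on the list: meta, yoast_head, yoast_head_json, and any
    // field a future plugin registers, without maintaining a block list.
    $data = $response->get_data();
    $data = array_intersect_key( $data, array_flip( $allowed ) );
    $response->set_data( $data );

    // _links.self and _links.collection embed /wp/v2/users/<numeric id>; remove them too.
    $response->remove_link( 'self' );
    $response->remove_link( 'collection' );

    return $response;
}
```

A quick check after activating such a filter is an anonymous `GET /wp-json/wp/v2/users/1` and `GET /wp-json/wp/v2/users?search=a`: both should still return 200 (the endpoint stays reachable) but carry only the allowlisted keys and no `_links.self`.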
2.5.5 – 01.05.2026
Fixed: SVN pre-commit hook on WordPress.org rejected the package because the email-sending method used a “true” return type (PHP 8.2+ feature). Replaced with the equivalent “bool” return type for broader compatibility while keeping identical behavior.
2.5.4 – 30.04.2026
Fixed: three strings in the en_US translation file contained German text instead of English (the shortcode description, the deadline notice, and the site-icon warning). Sites running with English locale will now correctly show English text.
Fixed: removed remaining German example text from the docblock of the shortcode class file (no functional impact, source-code cleanup only).
2.5.3 – 30.04.2026
Fixed: removed remaining hardcoded German strings from PHP source (3× “Nicht angemeldet.” (“Not logged in.”), backup-codes email body, recovery-key label, backup-codes textarea header)
Fixed: removed hardcoded German “Bestätigen” (“Confirm”) button label from JavaScript (used after a failed verification attempt) – now uses the existing translatable string
i18n: all four cleaned-up strings translated for all eight supported locales (DE_CH/DE/AT, EN, FR, ES, IT, NL)
2.5.2 – 30.04.2026
Fixed: 2FA setup via email failed silently on hosts that reject mails without an explicit “From” header – the email now always carries a same-domain sender address
Improved: when sending the 2FA code fails, the actual underlying mail error (from PHPMailer / SMTP) is now surfaced in the setup dialog instead of a generic “please try again”
Fixed: send cooldown is now armed only after a successful send, so a failed delivery no longer blocks the next attempt for 60 seconds
Improved: graceful fallback for the email subject when the issuer/site name option is empty
2.5.1 – 30.04.2026
New: “SDTFA” column on Users → All Users showing the actual 2FA status (TOTP / Email / off) with green check or red ✗
New: Removes 2FA columns added by third-party 2FA plugins or host mu-plugins to avoid duplicate or misleading status indicators
New: Toggle in the Privacy & Hardening section to switch this column behavior off if not desired (the behavior is enabled by default)
2.5.0 – 30.04.2026
New: Privacy & Hardening section with three optional features
New: Hide sensitive user data in REST API responses for unauthenticated visitors (REST endpoint stays reachable for SEO/import tools)
New: Block author archives (?author=N) for unauthenticated visitors to prevent user enumeration
New: Disable WordPress password reset for administrators and/or selected roles
Fixed: empty jQuery UI datepicker container no longer appears at the bottom of admin pages – it is now hidden by default and moved next to its input field on open
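Two of the three 2.5.0 hardening features listed above are a few lines each in WordPress terms: a template_redirect hook for author archives and the allow_password_reset filter for selected roles. This is an added example of both, not the plugin's own code; the role list would normally come from the plugin's option, and the function names are assumptions. One detail worth getting right: ?author=N must be blocked before redirect_canonical() runs, because that function answers ?author=1 with a 301 to /author/<login>/ and leaks the username in the Location header even if the archive itself is then refused.

```php
<?php
// Added example (not the plugin's own code) of two 2.5.0 Privacy & Hardening features.

// 1. Author archives (/?author=N and /author/<slug>/) for anonymous visitors.
// Priority 1: runs before redirect_canonical(), which is hooked at priority 10 on
// template_redirect and would otherwise redirect ?author=1 to /author/<login>/.
add_action( 'template_redirect', 'sdtfa_example_block_author_archives', 1 );

function sdtfa_example_block_author_archives() {
    if ( is_user_logged_in() || ! is_author() ) {
        return;
    }
    global $wp_query;
    $wp_query->set_404();          // theme renders a normal 404, no hint that the author exists
    status_header( 404 );
    nocache_headers();
    include get_404_template();
    exit;
}

// 2. Password reset: refuse to issue reset keys for administrators (or any configured role).
add_filter( 'allow_password_reset', 'sdtfa_example_allow_password_reset', 10, 2 );

function sdtfa_example_allow_password_reset( $allow, $user_id ) {
    $blocked_roles = array( 'administrator' );   // assumption: read from the plugin option in practice
    $user = get_userdata( $user_id );
    if ( $user && array_intersect( $blocked_roles, (array) $user->roles ) ) {
        // get_password_reset_key() returns this WP_Error instead of generating a key.
        return new WP_Error( 'sdtfa_reset_disabled', 'Password reset is disabled for this account.' );
    }
    return $allow;
}
```

Because get_password_reset_key() applies allow_password_reset before anything is written, no reset key reaches the database or an email for a blocked role; administrators on such a site recover through the plugin's recovery key or the FTP recovery file instead.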
2.4.1 – 22.04.2026
Fixed: dismiss (×) button on the admin notice now correctly persists via AJAX so the notice doesn’t reappear on every page reload
2.4.0 – 22.04.2026
Renamed plugin to “Super Duper Two-Factor Login” (slug: super-duper-two-factor-login) for improved distinctiveness in the plugin directory
Replaced the setup popup with a WordPress-standard dismissable admin notice and a “Set up now” button – the modal opens only on user action
Moved the admin menu from position 3 to position 71 (after Users) to respect the WordPress admin hierarchy
Extracted all inline <style> and <script> output into enqueued assets (wp_enqueue_style, wp_enqueue_script, wp_add_inline_style)
Localized datepicker day and month names via wp_localize_script (English source, translations via .po)
Updated the plugin header description to English (source strings) with German translations moved to .po/.mo
Corrected the Contributors entry in readme.txt to the actual WordPress.org username
2.3.0 – 10.04.2026
First public release on WordPress.org
TOTP and email-based two-factor authentication
10 one-time backup codes with copy, download, print, and email
Personal recovery key for administrators
FTP emergency recovery via .sdtfa-recovery file
Trusted device feature (save this computer)
Role-based enforcement with optional grace period
Hard enforcement: 2FA setup required before login
Enforcement areas: admin, WooCommerce account, checkout, entire site
WooCommerce My Account integration
Setup popup reminder (dismissible)
Shortcode [sdtfa_status]
AES-256-GCM encryption for TOTP secrets
Translations: German (DE/AT/CH), English, French, Spanish, Italian, Dutch
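The 2.3.0 feature list names AES-256-GCM for TOTP secrets at rest. The following is an added illustration of how such wrapping is done correctly in PHP, not the plugin's own code: the page does not say where the plugin's key comes from or how it lays out the stored blob, so the HKDF derivation from AUTH_KEY and AUTH_SALT, the iv||tag||ciphertext layout and the per-user associated data are all assumptions.

```php
<?php
// Added example (not the plugin's own code): AES-256-GCM wrapping of a stored TOTP secret.
// Assumption: a 32-byte key derived with HKDF from the site's AUTH_KEY and AUTH_SALT.
function sdtfa_example_key() {
    // Domain-separated info string, so the same salts used elsewhere give a different key.
    return hash_hkdf( 'sha256', AUTH_KEY . AUTH_SALT, 32, 'sdtfa-totp-secret-v1' );
}

/** Returns base64( iv(12) || tag(16) || ciphertext ). The AAD binds the blob to one user row. */
function sdtfa_example_encrypt_secret( $secret, $user_id ) {
    $iv  = random_bytes( 12 );   // 96-bit nonce, fresh per encryption; never reuse under one key
    $tag = '';
    $ct  = openssl_encrypt(
        $secret, 'aes-256-gcm', sdtfa_example_key(), OPENSSL_RAW_DATA,
        $iv, $tag, 'user:' . (int) $user_id, 16
    );
    if ( false === $ct ) {
        throw new RuntimeException( 'TOTP secret encryption failed' );
    }
    return base64_encode( $iv . $tag . $ct );
}

/** Returns the secret, or false if the blob is malformed, tampered with, or belongs to another user. */
function sdtfa_example_decrypt_secret( $blob, $user_id ) {
    $raw = base64_decode( $blob, true );
    if ( false === $raw || strlen( $raw ) < 28 ) {
        return false;
    }
    $iv  = substr( $raw, 0, 12 );
    $tag = substr( $raw, 12, 16 );
    $ct  = substr( $raw, 28 );
    // openssl_decrypt() verifies the tag over ciphertext and AAD before returning plaintext.
    return openssl_decrypt(
        $ct, 'aes-256-gcm', sdtfa_example_key(), OPENSSL_RAW_DATA,
        $iv, $tag, 'user:' . (int) $user_id
    );
}

// Constructed usage outside WordPress: define the salts only when wp-config.php has not.
if ( ! defined( 'AUTH_KEY' ) )  { define( 'AUTH_KEY',  'example-auth-key-replace-in-production' ); }
if ( ! defined( 'AUTH_SALT' ) ) { define( 'AUTH_SALT', 'example-auth-salt-replace-in-production' ); }

$blob = sdtfa_example_encrypt_secret( 'JBSWY3DPEHPK3PXP', 7 );   // constructed sample secret
$same_user  = sdtfa_example_decrypt_secret( $blob, 7 );           // plaintext secret
$other_user = sdtfa_example_decrypt_secret( $blob, 8 );           // false: AAD mismatch fails the tag
var_dump( $same_user, $other_user );
```

Tying the user ID into the AAD means a blob copied from one user's row to another's decrypts to false rather than to a working secret, and a single flipped byte anywhere in the stored value is rejected before any plaintext is produced.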