FAQ

How do I exclude a user from 2FA?

Navigate to Settings > AV 2FA. In the “Excluded User IDs” box, enter the numeric User ID of the user you wish to exclude. For multiple users, separate their IDs with a comma. You can find a user’s ID by going to the “Users” list and hovering over their “Edit” link; the ID will be visible in the URL in your browser’s status bar.

Can I change how long the code is valid for?

Yes. On the Settings > AV 2FA page, you can set the “Code Validity” in seconds. The default is 60 seconds. We recommend a value between 30 and 120 seconds.

What if emails are not being sent or received?

This plugin uses WordPress’s built-in wp_mail() function. This means it relies on your server’s email configuration or any SMTP plugin you have installed (like WP Mail SMTP). If emails are not arriving, please check your spam folder first, then ensure your WordPress site is configured to send emails correctly.

How does the Custom Login URL feature work?

When you set a custom login slug (e.g., “my-secret-login”), your login page will be accessible at yoursite.com/my-secret-login instead of yoursite.com/wp-login.php. The default wp-login.php and wp-admin (for non-logged-in users) will return a 404 error, hiding your login page from bots and attackers.

What happens if I forget my custom login URL?

You can recover access by adding define('AV_2FA_DISABLE_CUSTOM_LOGIN', true); to your wp-config.php file. This will temporarily disable the custom login feature and restore access to wp-login.php. Once you’ve logged in, you can view or change your custom login slug in the settings.

Can I set the custom login slug via wp-config.php for maximum security?

Yes! For maximum security, you can define the slug directly in wp-config.php using define('AV_2FA_LOGIN_SLUG', 'your-secret-slug');. When set this way, the slug is never stored in the database, making it impossible to discover even with database access.

How does the rate limiting work?

The plugin tracks failed 2FA code attempts on a per-user basis. After reaching the configured maximum (default: 5 attempts), the account is temporarily locked. The plugin also tracks attempts by IP address to prevent distributed attacks.

What is progressive lockout?

Progressive lockout automatically increases the lockout duration for users who repeatedly trigger lockouts. The first lockout lasts 15 minutes (default), the second lasts 30 minutes (2x), the third lasts 60 minutes (4x), and so on, up to 8x the base duration. This helps deter persistent attackers while being lenient with occasional mistakes.

How can I unlock a user who has been locked out?

Navigate to Settings > AV 2FA and scroll to the “Currently Locked Accounts” section. You’ll see a list of all locked users with an “Unlock” button next to each. Click the button to immediately unlock the account. Lockouts also expire automatically after the configured duration.

Will users be notified when their account is locked?

Yes, by default users receive an email notification when their account is locked. This helps legitimate users understand why they can’t log in and alerts them to potential security threats. You can disable this in Settings > AV 2FA if desired.

How long is security data kept?

Failed attempt records are automatically cleaned up after 24 hours. Lockout counts are reset after 30 days of no violations. The plugin runs a daily cleanup task to remove old data and prevent database bloat.

Does the lockout affect excluded users?

No, users in the exclusion list bypass all 2FA checks, including rate limiting and lockout mechanisms.