
Add: Site-wide Two-Factor enforcement per user role #845

Open
masteradhoc wants to merge 6 commits into WordPress:master from masteradhoc:settings-force-2fa

Conversation

@masteradhoc (Collaborator) commented Mar 21, 2026

Fixes #846

What?

Adds a Two-Factor Enforcement section to the plugin's settings page that lets administrators require 2FA for specific user roles.

Why?

There is no built-in way to mandate Two-Factor authentication for all users in a given role. Site owners — especially those running membership or multi-user sites — need a way to enforce 2FA for existing users and automatically enroll new users without requiring each user to opt in manually.

See: https://wordpress.org/support/topic/can-i-by-default-turn-on-this-feature-for-all-my-existing-and-for-new-user/ or #307

How?

Three files were changed:

settings/class-two-factor-settings.php

  • Saves a new two_factor_enforced_roles option (array of role slugs) alongside the existing provider option.
  • Renders a new "Two-Factor Enforcement" section below "Enabled Providers" with a checkbox per registered role (including custom roles).
  • Shows an admin notice warning when enforcement is active but the Email provider has been disabled site-wide, because enforcement cannot safely fall back to providers like TOTP that require prior per-user setup (e.g. scanning a QR code) before they can authenticate.

two-factor.php

  • two_factor_enforce_for_user() — hooked on two_factor_enabled_providers_for_user at priority 20. If a user belongs to an enforced role but has no provider configured, the Email provider is injected at runtime so they are challenged on their next login without any manual setup. If the Email provider is disabled site-wide, the function returns unchanged (fails closed) rather than injecting a provider the user has not configured.
  • two_factor_force_on_user_register() — hooked on user_register. Writes _two_factor_enabled_providers meta immediately for new users in an enforced role, so enforcement applies from their very first login. Skipped if the Email provider is disabled site-wide.

class-two-factor-core.php

  • uninstall() now also deletes two_factor_enabled_providers and two_factor_enforced_roles so no orphaned options are left behind when the plugin is removed.

Testing Instructions

  1. Install and activate the plugin on a site with multiple user roles.
  2. Go to Settings → Two-Factor and confirm the new "Two-Factor Enforcement" section appears below "Enabled Providers".
  3. Check one or more roles (e.g. Subscriber) and click Save Settings.
  4. Confirm the checkboxes persist after saving.
  5. Log in as a user in an enforced role who has not configured 2FA — confirm they are challenged for an email verification code.
  6. Create a brand-new user in an enforced role and verify that their _two_factor_enabled_providers user meta is set to ["Two_Factor_Email"] immediately after registration.
  7. Log in as that new user and confirm the 2FA challenge appears.
  8. Uncheck a role, save, and confirm users in that role are no longer challenged.
  9. Disable the Email provider under "Enabled Providers" while keeping a role enforced — confirm the admin notice warning appears and that users in the enforced role are not challenged (no silent fail-open).
  10. Uninstall the plugin and confirm neither two_factor_enabled_providers nor two_factor_enforced_roles remain in the options table.

Screenshots or screencast

(two screenshots of the settings page, not preserved in this extraction)

Changelog Entry

Added - New "Two-Factor Enforcement" settings section allowing administrators to require 2FA for specific user roles, with automatic Email-provider enrolment for existing users at login and for new users at registration. An admin notice is shown if enforcement is active but the Email provider is disabled.
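As an added illustration (not code from this PR or from the Two-Factor plugin), the enforcement logic described under "How?" above, written as a small mu-plugin against the hook, option and meta names the description gives. Assumed: the two_factor_enabled_providers_for_user filter receives ( $providers, $user_id ), the two_factor_enforced_roles option holds role slugs, the two_factor_enabled_providers option holds provider class names, and the admin notice is shown from admin_notices; the example_ function names and the notice wording are mine. One caveat the testing instructions make explicit (step 9): when the Email provider is disabled, an enforced user is not challenged at all, so the admin notice is the only signal that enforcement is silently inactive.

```php
<?php
/**
 * Illustrative mu-plugin (example code, not the PR's own): require 2FA for
 * users in enforced roles by injecting the Email provider, and do not inject
 * anything when that provider is disabled site-wide.
 *
 * Assumed option / meta / hook names (from the PR description):
 *   option 'two_factor_enforced_roles'    -> array of role slugs
 *   option 'two_factor_enabled_providers' -> array of provider class names
 *   meta   '_two_factor_enabled_providers' (per user) -> array of provider class names
 *   filter 'two_factor_enabled_providers_for_user' ( $providers, $user_id )
 */

const EXAMPLE_EMAIL_PROVIDER = 'Two_Factor_Email';

/** Role slugs of $user that are currently enforced (empty array if none). */
function example_enforced_roles_for( WP_User $user ) {
    $enforced = (array) get_option( 'two_factor_enforced_roles', array() );
    return array_values( array_intersect( (array) $user->roles, $enforced ) );
}

/** True only if the Email provider is enabled in the plugin's site-wide list. */
function example_email_provider_enabled() {
    $enabled = (array) get_option( 'two_factor_enabled_providers', array() );
    return in_array( EXAMPLE_EMAIL_PROVIDER, $enabled, true );
}

/**
 * Login-time enforcement. Runs after the plugin's own filters (priority 20).
 * Injects the Email provider only when the user has configured nothing,
 * belongs to an enforced role, and Email is enabled site-wide.
 */
function example_enforce_for_user( $providers, $user_id ) {
    $providers = is_array( $providers ) ? $providers : array();
    if ( ! empty( $providers ) ) {
        return $providers; // user already has a provider; leave their choice alone
    }
    $user = get_userdata( $user_id );
    if ( ! $user || empty( example_enforced_roles_for( $user ) ) ) {
        return $providers; // not an enforced role
    }
    if ( ! example_email_provider_enabled() ) {
        // Do not inject a provider the user has not set up. As the PR's
        // testing step 9 states, this user is then NOT challenged at all;
        // the admin notice below is the only signal of that state.
        return $providers;
    }
    return array( EXAMPLE_EMAIL_PROVIDER );
}
add_filter( 'two_factor_enabled_providers_for_user', 'example_enforce_for_user', 20, 2 );

/**
 * Registration-time enforcement. wp_insert_user() assigns the role before
 * firing user_register, so the new user's roles are already available here.
 */
function example_force_on_user_register( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user || empty( example_enforced_roles_for( $user ) ) ) {
        return;
    }
    if ( ! example_email_provider_enabled() ) {
        return; // skipped, mirroring the login-time behaviour
    }
    update_user_meta( $user_id, '_two_factor_enabled_providers', array( EXAMPLE_EMAIL_PROVIDER ) );
}
add_action( 'user_register', 'example_force_on_user_register' );

/** Warn administrators when enforcement is configured but cannot take effect. */
function example_enforcement_notice() {
    $enforced = (array) get_option( 'two_factor_enforced_roles', array() );
    if ( empty( $enforced ) || example_email_provider_enabled() || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>'
        . esc_html__( 'Two-Factor enforcement is active but the Email provider is disabled; users in enforced roles are not being challenged.', 'two-factor' )
        . '</p></div>';
}
add_action( 'admin_notices', 'example_enforcement_notice' );
```

To try it, drop the file into wp-content/mu-plugins/ on a test site, set the two options, and walk through testing steps 5 to 9 above. Two points worth checking in any real implementation: user_register fires only at account creation, so a role change made later is caught only by the login-time filter; and the settings handler that stores two_factor_enforced_roles should intersect the submitted slugs with array_keys( wp_roles()->get_names() ) so that unknown slugs are never persisted.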

@masteradhoc masteradhoc requested a review from Copilot March 21, 2026 23:04
@github-actions

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core SVN

If you're a Core Committer, use this list when committing to wordpress-develop in SVN:

Props: masteradhoc.

GitHub Merge commits

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

Copilot AI (Contributor) left a comment

Pull request overview

Adds role-based Two-Factor enforcement to the plugin, allowing admins to mandate 2FA for selected user roles via the settings UI and automatically apply enforcement for existing users (at login) and new users (at registration).

Changes:

  • Persist a new two_factor_enforced_roles option and render a role-checkbox “Two-Factor Enforcement” section on the settings page.
  • Enforce 2FA for users in enforced roles by injecting a provider when the user has none enabled.
  • Auto-enable a provider for newly registered users in enforced roles by writing 2FA user meta on user_register.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

File Description
two-factor.php Adds enforcement filter for role-based 2FA and auto-enrollment on registration.
settings/class-two-factor-settings.php Adds settings UI + saves enforced roles option.


Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.



Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@masteradhoc masteradhoc modified the milestones: 0.16.0, 0.17.0 Mar 27, 2026

Development

Successfully merging this pull request may close these issues.

Allow site administrators to enforce 2FA for specific user roles

2 participants