What's Changed

Breaking Changes

• Remove legacy FIDO U2F provider support by #439 from @georgestephanis.

New Features

• Add a dedicated settings page for plugin configuration in wp-admin by #764 from @masteradhoc.
• Add a new support links filter so consumers can customize contextual recovery/help links by #615 from @StevenDufresne.
• Refresh backup codes UI styling and behavior by #804 from @masteradhoc.

Bug Fixes

• Delete stored TOTP secrets when the TOTP provider is disabled by #802 from @sjinks.
• Harden provider handling so login/settings checks do not fail open when expected providers disappear by #586 from @georgestephanis.
• Ensure only configured providers are saved and enabled in user settings by #798 from @kasparsd.
• Improve settings-page accessibility and fix profile settings link behavior by #828 and #830 from @masteradhoc.
• Resolve PHPCS violations in provider files by #851 from @masteradhoc.

Development Updates

• Move login styles and provider scripts from inline output to enqueued/external assets by #807 and #814 from @masteradhoc and @aslamdoctor.
• Improve inline docs and static-analysis compatibility (WPCS/phpstan) by #810, #815, and #817 from @masteradhoc and @aslamdoctor.
• Improve unit test reliability and integrate CI code coverage reporting by #825, #841, and #842 from @nimesh-xecurify.
• Update readme docs and modernize CI workflow infrastructure by #835, #837, #843, and #849, and #843 from @masteradhoc and @jeffpaul.

Dependency Updates

• Bump qs from 6.14.1 to 6.14.2 by #794.
• Bump basic-ftp from 5.0.5 to 5.2.0 by #816.
• Apply automatic lint/format updates and associated Composer package refreshes by #799 from @kasparsd.

New Contributors

• @aslamdoctor made their first contribution in #817
• @StevenDufresne made their first contribution in #615
• @nimesh-xecurify made their first contribution in #825

Full Changelog: 0.15.0...0.16.0

Breaking Changes

• Trigger two-factor flow only when expected by @kasparsd in #660 and #793.

New Features

• Include user IP address and contextual warning in two-factor code emails by @todeveni in #728
• Consistent user experience for TOTP setup by @kasparsd in #792
• Optimize email text for TOTP by @masteradhoc in #789
• Add "Settings" action link to plugin list for quick access to profile by @hardikRathi in #740
• Additional form hooks by @eric-michel in #742
• Full RFC6238 Compatibility by @ericmann in #656

Documentation

• @since docs by @masteradhoc in #781
• Update user and admin docs, prepare for more screenshots by @jeffpaul in #701
• Add changelog & credits, update release notes by @jeffpaul in #696
• Clear readme.txt by @masteradhoc in #785
• Add date and time information above TOTP setup instructions by @masteradhoc in #772
• Clarify TOTP setup instructions by @masteradhoc in #763
• Update RELEASING.md by @jeffpaul in #787

Development Updates

• Pause deploys to SVN trunk for merges to master by @kasparsd in #738
• Fix CI checks for PHP compatability by @kasparsd in #739
• Fix Playground refs by @kasparsd in #744
• Persist existing translations when introducing new helper text in emails by @kasparsd in #745
• Fix missing_direct_file_access_protection by @masteradhoc in #760
• Fix mismatched_plugin_name by @masteradhoc in #754
• Introduce Props Bot workflow by @jeffpaul in #749
• Plugin Check: Fix Missing $domain parameter by @masteradhoc in #753
• Tests: Update to supported WP version 6.8 by @masteradhoc in #770
• Fix PHP 8.5 deprecated message by @masteradhoc in #762
• Exclude 7.2 and 7.3 checks against trunk by @masteradhoc in #769
• Fix Plugin Check errors: MissingTranslatorsComment & MissingSingularPlaceholder by @masteradhoc in #758
• Add PHP 8.5 tests for latest and trunk version of WP by @masteradhoc in #771
• Add phpcs:ignore for falsepositives by @masteradhoc in #777
• Fix(totp): otpauth link in QR code URL by @sjinks in #784
• Update deploy.yml by @masteradhoc in #773
• Update required WordPress Version by @masteradhoc in #765
• Fix: ensure execution stops after redirects by @sjinks in #786
• Fix WordPress.Security.EscapeOutput.OutputNotEscaped errors by @masteradhoc in #776

Dependency Updates

• Bump qs and express by @dependabot[bot] in #746
• Bump lodash from 4.17.21 to 4.17.23 by @dependabot[bot] in #750
• Bump lodash-es from 4.17.21 to 4.17.23 by @dependabot[bot] in #748
• Bump phpunit/phpunit from 8.5.44 to 8.5.52 by @dependabot[bot] in #755
• Bump symfony/process from 5.4.47 to 5.4.51 by @dependabot[bot] in #756
• Bump qs and body-parser by @dependabot[bot] in #782
• Bump webpack from 5.101.3 to 5.105.0 by @dependabot[bot] in #780

New Contributors

• @hardikRathi made their first contribution in #740
• @eric-michel made their first contribution in #742
• @masteradhoc made their first contribution in #754
• @ericmann made their first contribution in #656

Full Changelog: 0.14.2...0.15.0

What's Changed

New Features

• Add filter for rest_api_can_edit_user_and_update_two_factor_options by @gutobenn in #689

Development Updates

• Remove Coveralls tooling and add inline coverage report by @kasparsd in #717
• Update blueprint path to pull from main branch instead of a deleted f… by @georgestephanis in #719
• Fix blueprint and wporg asset deploys by @kasparsd in #734
• Upload release only on tag releases by @kasparsd in #735
• Bump playwright and @playwright/test by @dependabot[bot] in #721
• Bump tar-fs from 3.1.0 to 3.1.1 by @dependabot[bot] in #720
• Bump node-forge from 1.3.1 to 1.3.2 by @dependabot[bot] in #724
• Bump js-yaml by @dependabot[bot] in #725
• Mark as tested with the latest WP core version by @kasparsd in #730

New Contributors

• @gutobenn made their first contribution in #689

Full Changelog: 0.14.1...0.14.2

What's Changed

• Don't URI encode the TOTP url for display. by @dd32 in #711
• Removed the duplicate Security.md by @slvignesh05 in #712
• Fixed linting issues by @sudar in #707
• Update development dependencies and fix failing QR unit test by @kasparsd in #714
• Trigger checkbox js change event by @gedeminas in #688

New Contributors

• @slvignesh05 made their first contribution in #712
• @sudar made their first contribution in #707
• @gedeminas made their first contribution in #688

Full Changelog: 0.14.0...0.14.1

Changelog

Features:

• Enable Application Passwords for REST API and XML-RPC authentication (by default) by @joostdekeijzer in #697 and #698. Previously this required two_factor_user_api_login_enable filter to be set to true which is now the default during application password auth. XML-RPC login is still disabled for regular user passwords.
• Label recommended methods to simplify the configuration by @kasparsd in #676 and #675

Documentation:

• Add WP.org plugin demo by @kasparsd in #667
• Document supported versions of WP core and PHP by @jeffpaul in #695
• Document the release process by @jeffpaul in #684

Tooling:

• Remove duplicate WP.org screenshots and graphics from SVN trunk by @jeffpaul in #683

New Contributors

• @joostdekeijzer made their first contribution in #697

Full Changelog: 0.13.0...0.14.0

What's Changed

• Add two_factor_providers_for_user filter to limit two-factor providers available to each user by @kasparsd in #669
• Update automated testing to cover PHP 8.4 and default to PHP 8.3 by @BrookeDot in #665

Full Changelog: 0.12.0...0.13.0

What's Changed

• Simplify the Two Factor settings in user profile by @kasparsd in #654
• Fix PHP 8.4 Implicitly marking parameter $previous as nullable is deprecated by @BrookeDot in #664

Full Changelog: 0.11.0...0.12.0

What's Changed

• Remove duplicate two_factor_providers filter calls to allow disabling core providers by @kasparsd in #651
• Encourage setting up a second recovery method by @kasparsd in #642
• Focus in code input when totp is checked by @thrijith in #645
• Add autocomplete "one-time-code" attribute by @stefanmomm in #657
• Add filters for email token and backup code length by @kasparsd in #653
• Enable TOTP method when method is configured by @kasparsd in #643

New Contributors

• @stefanmomm made their first contribution in #657

Full Changelog: 0.10.0...0.11.0

What's Changed

Major Changes

• Bump minimum WP to 6.3, minimum PHP to 7.2. by @dd32 in #625

Fixes and Features

• Rely on just-in-time translation loading by @swissspidy in #608
• Update/headers by @jeffpaul in #610
• Update short description by @jeffpaul in #612
• Fix typos by @szepeviktor in #617
• Bump tested upto version to WP 6.6 by @mehul0810 in #616
• Fire an action when a user revalites their 2FA session. by @dd32 in #620
• Remove old grunt deploy related code. See #543 by @dd32 in #627
• Fix Action unit testing by @dd32 in #624
• Update two factor options layout by @thrijith in #623
• Bump send and express by @dependabot in #634
• Accessibility for options page by @dd32 in #632
• Fix errors reported by PHPStan by @szepeviktor in #619
• Fix failing unit test by @kasparsd in #639
• Add basic PHPStan linter by @kasparsd in #638
• Update screenshots to match the current UI by @kasparsd in #636
• Improve discoverability by @kasparsd in #635
• Delete user meta on plugin uninstall by @kasparsd in #637
• Release 0.10.0 by @kasparsd in #640

Dependency Updates

• Bump axios from 1.6.8 to 1.7.4 by @dependabot in #626
• Bump braces from 3.0.2 to 3.0.3 by @dependabot in #613
• Bump webpack from 5.91.0 to 5.94.0 by @dependabot in #628
• Bump symfony/process from 5.4.40 to 5.4.46 by @dependabot in #649

New Contributors

• @szepeviktor made their first contribution in #617
• @mehul0810 made their first contribution in #616
• @thrijith made their first contribution in #623

Full Changelog: 0.9.1...0.10.0

What's Changed

• Remove trailing commas in parameters to avoid syntax error with some PHP versions (ex. 7.2.x) by @KZeni in #604
• Ensure PHP 5.6+ support during CI to avoid breaking changes by @kasparsd in #605

Full Changelog: 0.9.0...0.9.1