Hello @rhuberus,
Thank you for reaching out — and I really appreciate your kind words about the plugin!
I’m sorry to hear about the issue you’re experiencing with multiple 2FA codes being sent via email. I’ll be happy to assist you in getting to the bottom of this.
Just to clarify, our plugin is designed to only send a new 2FA code when:
- A previously submitted code was invalid, or
- The user refreshes the 2FA code entry page.
This mechanism acts as an anti–brute force safeguard, which helps prevent attackers from repeatedly submitting invalid codes. That said, it can be disabled if needed (though we don’t recommend it for security reasons). You can find this setting under the plugin’s settings here: screenshot.
Since you mentioned seeing 2 or 3 different emails — and the number varies — it’s likely this mechanism is being triggered, possibly due to failed OTP attempts, and/or a possible interaction with another plugin/theme which occurs during the login process.
To better understand the behavior, could you please confirm the following:
- Are you using the latest version of the plugin, 2.8.0, when this occurs?
- Are you using a custom login form (e.g., via a theme or third-party plugin), or the default WordPress login?
- Does this happen to all users in all cases? Are you able to constantly reproduce this even when a correct OTP code is used (this is also to confirm that it’s not the case described in my explanation of the anti brute force attack feature above)?
- Let’s try a quick test just to better understand when and how the emails are being fired:
A) access login page (try on both: native login forms and custom login form if you also have a custom one)
B) add user credentials and log in
C) wait until the code arrives via email – can you confirm that at this stage, without doing anything else on the site (e.g. to refresh the page or submit the code multiple times), there is only 1 email received?
D) what happens when entering the OTP code received via email, does everything work as expected or do you get another email/code etc?
NOTE: It might be also worth trying the same on different browsers / incognito sessions just to avoid any possible caching that can pollute the above tests.
These details will help us narrow down whether this is specific to your site’s setup, a browser-related behavior, or a plugin interaction.
Looking forward to your reply!
I’m also seeing this actually. I thought it was just my local setup but in Mailtrap, I’m seeing 2 come in.
I was going to get it into an environment to see if it happened there too but glad to see that it’s not just me with this issue.
Thanks for the detailed response. I’ll follow your suggestions as soon as I have an opportunity.