WP 2FA – On Every Login
I have installed WP 2FA and it works great with the exception that I need it to trigger on every login and it only seems to be triggering on the first login.
Hello @jester48!
Thanks for your message and glad to hear WP 2FA is working well overall!
Just to better understand your case, I have some questions:
Can you tell me if you are using the latest 2.9.3 version of the plugin when this occurs? If not, make sure you update the plugin to its latest version.
Also, when you say it only triggers on the “first login”:
- Can you tell me what 2FA method you are using (OTP via email or via authenticator app) and if this happens for all users and all 2FA methods?
- Does this happen on the native WordPress login form as well? If you are using a custom login form, I suggest trying both and checking where this happens and where it does not.
- Does the behavior “2FA only asked on first login” get reset at any point (e.g. after some time, or after clearing cookies or changing your browser)? I would like to understand if 2FA is only asked once in total, or once per browser session, etc., so that we can try to find a pattern.
Normally, WP 2FA should be triggered on each login, not just the very first login, so your input here will help us understand what’s happening in your case, and what element of your setup might be interfering with the login process.
Looking forward to your reply so we can guide you further.
“Can you tell me if you are using the latest 2.9.3 version of the plugin when this occurs? If not, make sure you update the plugin to its latest version.”
Yes, I have version 2.9.3.
“Can you tell me what 2FA method you are using (OTP via email or via authenticator app) and if this happens for all users and all 2FA methods?”
Currently using the authenticator, as my test environment is not configured for sending emails, but the live environment will be email only.
“Does this happen on the native WordPress login form as well? If you are using a custom login form, I suggest trying both and checking where this happens and where it does not.”
Yes, the behaviour is in both the native form and the custom form.
“Does the behavior “2FA only asked on first login” get reset at any point (e.g. after some time, or after clearing cookies or changing your browser)? I would like to understand if 2FA is only asked once in total, or once per browser session, etc., so that we can try to find a pattern.”
I use an incognito window each time I log in. I was prompted for the first login, but never again.
Thanks
Thank you for the update @jester48!
A few more checks that might help us narrow this down:
- Can you try with OTP via email as well (once email sending is enabled on the site)? Even using an email log plugin for the test could confirm if the behavior is the same across methods.
- You mentioned using incognito – does the same happen in a regular browser session, or in another browser altogether?
- Since the test environment isn’t configured for email, is there anything else disabled or not configured yet there that could affect logins (e.g. caching, security plugins)?
- Do you see any errors in the browser console or PHP logs when logging in?
- As a deeper test, could you try disabling all other plugins and switching to a default theme, leaving only WP 2FA active? Then re-enable things one by one to see if the issue reappears.
Also worth checking: sometimes must-use (MU) plugins interfere with the login flow on a lower level – if you have any of those, it’s good to test with them disabled too.
Looking forward to hearing what you find!
I am currently locked out. I need to reactivate the auth app option; deleting the plugin does not delete the settings.
- “Can you try with OTP via email as well (once email sending is enabled on the site)? Even using an email log plugin for the test could confirm if the behavior is the same across methods.”
- I will request activation of email on the test server.
- “You mentioned using incognito – does the same happen in a regular browser session, or in another browser altogether?”
- I tried in Firefox, same issue. I primarily use Chrome.
- “Since the test environment isn’t configured for email, is there anything else disabled or not configured yet there that could affect logins (e.g. caching, security plugins)?”
- No, I am on the staging site and, with the exception of the email, all settings match production.
- “Do you see any errors in the browser console or PHP logs when logging in?”
- No errors in any logs.
- “As a deeper test, could you try disabling all other plugins and switching to a default theme, leaving only WP 2FA active? Then re-enable things one by one to see if the issue reappears.”
- I will try this option.
“Also worth checking: sometimes must-use (MU) plugins interfere with the login flow on a lower level – if you have any of those, it’s good to test with them disabled too.”
There are no plugins/code in the MU directory.
I uninstalled the plugin, cleared all settings and reinstalled and reconfigured the plugin. Same issue, only asked for authentication on first login, tried with both an admin and basic user on standard browser and on incognito browser.
Thank you for reaching out and for the details @jester48, and sorry for the slight delay in getting back to you! We were actually busy preparing the upcoming WP 2FA release 3.0.
Based on what we have so far, a few things you could check further:
- You mentioned that you were going to test if all methods are presenting the same behavior (OTP via email) – can you confirm if users using that method are also affected by this?
- Caching plugins – there are some cases where aggressive page or object caching can interfere with login/session handling, so can you confirm the same happens with all these plugins disabled?
- Custom themes or code snippets – does the same happen when also disabling the custom theme? Let’s see if disabling everything on the site produces the same outcome. That will help us narrow things down and help find the culprit.
- Lastly, are you aware of anything on the server where the site is hosted that can manipulate cookies? There might well be something at server level which might be interfering, so maybe you can provide us with the full server specs/settings so we can investigate (as a last resort option). Make sure to censor any potentially sensitive data/credentials etc.
Therefore, to conclude – as a first step, I’d suggest temporarily disabling all other plugins (especially security or caching plugins) and switching to a default theme, then testing again with WP 2FA only active. If 2FA is then required at every login, you can re-enable the plugins one by one to find out which one is causing the conflict.
Please give that a try and let us know what you find; this will help us narrow down the root cause.
I have disabled everything but the 2FA and received a critical error.
Is it possible to flush the settings on logout or after x minutes of inactivity so as to force 2FA?
Hello again @jester48,
Thanks for the update.
Regarding the error you mentioned – could you share the exact error message or code so we can analyze it properly? If your hosting provider can enable WP_DEBUG mode temporarily, that should help capture it. We’d like to confirm whether it’s originating from WP 2FA or elsewhere.
As for your question:
“Is it possible to flush the settings on logout or after X minutes of inactivity so as to force 2FA?”
At the moment, WP 2FA does not include a built-in option to automatically require re-authentication after logout or inactivity. However, your use case sounds interesting, so if you can share a bit more about how you expect this to work in practice, we can evaluate whether this is something that could spark any feature idea, or maybe a different tool/workaround.
Looking forward to your reply.
The organization went with the paid version of the plugin, so I will be asking there for support on this issue.
Thank you for your time and support.