=== Two-Factor Email ===
Contributors: snehalpancholi
Tags: security, two-factor, 2fa, authentication, email, login
Requires at least: 6.0
Tested up to: 6.7
Requires PHP: 8.1
Stable tag: 1.0.0
License: GPL-2.0+
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Secure your WordPress login with email-based two-factor authentication. After entering their password, users receive a 6-digit code by email.

== Description ==

Two-Factor Email adds a second layer of protection to your WordPress login. When a user successfully enters their password, they are immediately logged out and prompted to enter a 6-digit one-time code that was sent to their registered email address.

**Features:**

* 6-digit time-limited OTP code (default: 10-minute validity)
* Per-role enable/disable configuration
* Per-user override (always enable / always disable / follow role)
* Customisable email subject and body with placeholders
* Rate-limited code entry (max 5 attempts per token)
* Cryptographically secure random token and code generation
* Native WordPress login page integration — no custom page needed

== Installation ==

1. Upload the `two-factor-email` folder to `/wp-content/plugins/`
2. Activate the plugin through the 'Plugins' menu
3. Go to Settings → Two-Factor Email to configure which roles require 2FA

== Frequently Asked Questions ==

= What if a user doesn't receive the code? =
They should check their spam folder. The code is sent via `wp_mail()`. Ensure your site has a properly configured SMTP plugin for reliable delivery.

= Can I bypass 2FA for specific users? =
Yes. Edit any user's profile and set the "2FA Override" field to "Never require 2FA".

= Is the OTP stored securely? =
The code is hashed using `wp_hash()` before being stored in a transient. Only the hash is retained, not the plaintext code.
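
The following added example (not the plugin's own code) shows one way the hashed-OTP storage described above can work together with the 10-minute validity and 5-attempt limit from the feature list. It assumes it runs inside WordPress; the `tfe_example_` function names, constants and transient key prefix are hypothetical.

```php
<?php
// Added illustration, not the plugin's implementation. Requires WordPress
// (wp_hash(), the transient API, MINUTE_IN_SECONDS). All tfe_example_ names
// and the transient key prefix are hypothetical.

const TFE_EXAMPLE_MAX_ATTEMPTS = 5;  // README: max 5 attempts per token
const TFE_EXAMPLE_TTL_MINUTES  = 10; // README: default 10-minute validity

/** Issue a login token and a 6-digit code; only the code's hash is stored. */
function tfe_example_issue( int $user_id ): array {
    $token = bin2hex( random_bytes( 32 ) ); // CSPRNG token, 64 hex chars
    $code  = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT );
    $ttl   = TFE_EXAMPLE_TTL_MINUTES * MINUTE_IN_SECONDS;

    set_transient( 'tfe_example_' . $token, array(
        'user_id'  => $user_id,
        'hash'     => wp_hash( $code ), // keyed hash; plaintext is never stored
        'attempts' => 0,
        'expires'  => time() + $ttl,    // absolute deadline, see verify()
    ), $ttl );

    return array( $token, $code ); // the code goes into the email only
}

/** Return the user ID on success, false on a wrong, expired or locked-out code. */
function tfe_example_verify( string $token, string $submitted ) {
    $key   = 'tfe_example_' . $token;
    $state = get_transient( $key );
    if ( ! is_array( $state ) || time() >= $state['expires'] ) {
        delete_transient( $key ); // unknown or expired token
        return false;
    }
    // Constant-time comparison of the stored hash with the submitted code's hash.
    if ( hash_equals( $state['hash'], wp_hash( $submitted ) ) ) {
        delete_transient( $key ); // single use
        return $state['user_id'];
    }
    $state['attempts']++;
    if ( $state['attempts'] >= TFE_EXAMPLE_MAX_ATTEMPTS ) {
        delete_transient( $key ); // fifth wrong code invalidates the token
        return false;
    }
    // Re-save with the remaining lifetime only: a wrong guess must not extend
    // validity, and an expiration of 0 would mean "never expires".
    set_transient( $key, $state, max( 1, $state['expires'] - time() ) );
    return false;
}
```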

== Changelog ==

= 1.0.0 =
* Initial release.

== Upgrade Notice ==

= 1.0.0 =
Initial release.
