=== LoginPlus ===
Contributors: milan1750
Tags: security, login, two-factor-authentication, brute-force, google-login
Requires at least: 6.0
Tested up to: 6.8
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Brute force lockouts, two-factor authentication (TOTP), login activity logging, email alerts, and Google social login for WordPress.

== Description ==

LoginPlus secures the WordPress login page with four independent features — enable only what you need.

**Brute-Force Protection**

Locks out IP addresses after a configurable number of failed login attempts. The attempt limit, lockout duration, and an IP allowlist are all adjustable from the settings panel. Every lockout is logged and can trigger an admin email notification.

**Two-Factor Authentication (2FA)**

Users enable TOTP-based two-factor authentication from their WordPress profile page by scanning a QR code with any standard authenticator app — Google Authenticator, Authy, 1Password, and others. Three methods are supported:

* **Authenticator app** — 6-digit TOTP code with auto-submit on the login page.
* **Email OTP** — a one-time code sent to the account's registered email, valid for 10 minutes.
* **Recovery codes** — 8 single-use backup codes generated at setup time.

**Google Login**

Adds a "Continue with Google" button to the WordPress login page using the Google OAuth 2.0 protocol. The plugin links the Google account to an existing WordPress user by matching email addresses. If no matching account exists, login is rejected — Google Login cannot be used to register a new account. A Google Cloud project with an OAuth 2.0 Client ID is required.

**Login Activity Log**

Records every login attempt — successful, failed, or blocked — with the timestamp, IP address, username, and outcome. The dashboard shows a summary of total logins, failures, lockouts, and currently blocked IPs, plus a paginated activity table. Entries older than a configurable retention period (90 days by default) are purged automatically every day — no manual cleanup needed.

**Email Alerts**

Sends an admin notification email when a brute-force lockout is triggered.

**Plugin highlights:**

* All CSS and JavaScript assets are served locally — no external CDN.
* 2FA QR codes are generated entirely on your own server — the TOTP secret is never sent to a third-party image service.
* No user tracking, analytics, or background requests (Google Login data is only sent when a user actively clicks the button).
* Each of the four features can be enabled or disabled independently.
* Admin UI matches the native WordPress design.

== Installation ==

**From the WordPress plugin directory**

1. Go to **Plugins → Add New** in your WordPress admin.
2. Search for **LoginPlus**.
3. Click **Install Now**, then **Activate Plugin**.
4. Navigate to **LoginPlus** in the admin sidebar to configure.

**Manual upload**

1. Download the plugin zip.
2. Go to **Plugins → Add New → Upload Plugin**.
3. Upload the zip, click **Install Now**, then **Activate Plugin**.
4. Navigate to **LoginPlus** in the admin sidebar to configure.

**Setting up Two-Factor Authentication**

1. Go to **Users → Your Profile**.
2. Scroll to the **Two-Factor Authentication** section.
3. Click **Generate QR Code** and scan it with your authenticator app.
4. Enter the 6-digit code from the app to confirm, then click **Enable 2FA**.
5. Save the 8 recovery codes shown — store them somewhere safe offline.

**Setting up Google Login**

1. Create an OAuth 2.0 Client ID in the Google Cloud Console (console.cloud.google.com).
2. Set your site's home URL as an Authorised JavaScript origin.
3. Set `https://yoursite.com/?lp_oauth=google` as an Authorised redirect URI.
4. Enter the Client ID and Client Secret in **LoginPlus → Settings → Google Login**.

== Frequently Asked Questions ==

= Does LoginPlus work with WooCommerce, bbPress, or custom login pages? =

LoginPlus hooks into the WordPress `authenticate` filter, so brute-force protection applies to any login that uses the core `wp_signon()` function, including WooCommerce. The 2FA challenge and Google button are rendered on `wp-login.php` only.

= What should I do if I lose access to my 2FA device? =

You have three options: enter one of your 8 recovery codes, use the email OTP option to receive a code at your account's email address, or ask a site administrator to disable 2FA from your user profile.

= Can I make sure I'm never locked out by the brute-force protection? =

Yes. Add your IP address to the allowlist under **LoginPlus → Settings → Brute-Force Protection**. Individual IPv4 or IPv6 addresses are supported.

= I'm behind Cloudflare or another reverse proxy — does brute-force protection still see the right IP? =

Yes. LoginPlus checks `CF-Connecting-IP`, then `X-Real-IP`, then falls back to the direct connection's IP. `X-Forwarded-For` is deliberately not used, since on a server without a properly validated proxy that header can be set by the client itself to spoof an IP and dodge a lockout.

= How is the Google OAuth client secret stored? =

The client secret is stored AES-256-CBC encrypted in the WordPress database, keyed from WordPress's own `AUTH_KEY` and `SECURE_AUTH_KEY` constants. Each user's TOTP secret is encrypted the same way. This requires the `openssl` PHP extension — if it isn't available, both fall back to being stored base64-encoded only, which is *not* encryption, just obfuscation.

= Does LoginPlus affect site performance? =

No. All CSS and JavaScript are loaded on the login page only — nothing is added to the front end or other admin pages. All data is stored in standard WordPress database tables.

= Does the plugin store any personal data? =

The login activity log stores IP addresses, usernames, and user agent strings associated with login attempts, all in your own WordPress database. If you'd rather not keep IP addresses in plain text, turn on **Anonymise IP addresses** in **LoginPlus → Settings → Logging** to store them as one-way SHA-256 hashes instead. Log entries are also purged automatically after the configured retention period. No data is sent to external servers except when Google Login is used — see the Third-Party Services section below.

== Third-Party Services ==

This plugin optionally uses Google OAuth 2.0 for the "Continue with Google" login feature. This external service is used **only** when:

1. Google Login is enabled and configured with a Client ID and Secret in the plugin settings, **and**
2. A user actively clicks the "Continue with Google" button on the login page.

During this flow, the following happens:

* The user's browser is redirected to Google's login page at accounts.google.com.
* Google returns an authorisation code to your site.
* Your site sends that code to oauth2.googleapis.com to exchange it for an access token.
* Your site uses the access token to retrieve the user's name and email from www.googleapis.com.

No data is sent to Google during normal WordPress operation. Google Login can be left disabled if you do not wish to use this feature.

**Google LLC**
Service: https://accounts.google.com
Privacy Policy: https://policies.google.com/privacy
Terms of Service: https://policies.google.com/terms

== Screenshots ==

1. Dashboard with login summary stats and recent activity log.
2. Settings — brute-force protection configuration.
3. Settings — two-factor authentication.
4. Settings — Google login setup.
5. Login page — 2FA challenge with individual digit entry boxes.
6. Login page — "Continue with Google" button.

== Changelog ==

= 1.0.0 =
* Initial release.
* Brute-force protection with configurable attempt limit, lockout duration, and IP allowlist.
* TOTP two-factor authentication with email OTP fallback and recovery codes.
* Google OAuth 2.0 login.
* Login activity log with dashboard stats and paginated table.
* Admin email alerts on lockout.

== Upgrade Notice ==

= 1.0.0 =
Initial release. No action required.
