added plugin two factor 2fa

wp-content/plugins/two-factor/assets/icon.svg

+<svg xmlns="http://www.w3.org/2000/svg" width="256" height="256">
+  <g fill="none" fill-rule="evenodd">
+    <path fill="#CCC" d="M98 150a60 60 0 1 1 60 0v60a8 8 0 0 1-8 8h-44a8 8 0 0 1-8-8v-60z"/>
+    <path fill="#0073AA" d="M116 132a36 36 0 1 1 24 0v64.7a4 4 0 0 1-4 4h-16a4 4 0 0 1-4-4v-64-.7z"/>
+  </g>
+</svg>

wp-content/plugins/two-factor/includes/function.login-header.php

+<?php
+/**
+ * Extracted from wp-login.php since that file also loads WP core which we already have.
+ */
+
+/**
+ * Output the login page header.
+ *
+ * @param string   $title    Optional. WordPress login Page title to display in the `<title>` element.
+ *                           Default 'Log In'.
+ * @param string   $message  Optional. Message to display in header. Default empty.
+ * @param WP_Error $wp_error Optional. The error to pass. Default is a WP_Error instance.
+ */
+function login_header( $title = 'Log In', $message = '', $wp_error = null ) {
+	global $error, $interim_login, $action;
+
+	// Don't index any of these forms
+	add_action( 'login_head', 'wp_no_robots' );
+
+	add_action( 'login_head', 'wp_login_viewport_meta' );
+
+	if ( ! is_wp_error( $wp_error ) ) {
+		$wp_error = new WP_Error();
+	}
+
+	// Shake it!
+	$shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' );
+	/**
+	 * Filters the error codes array for shaking the login form.
+	 *
+	 * @since 3.0.0
+	 *
+	 * @param array $shake_error_codes Error codes that shake the login form.
+	 */
+	$shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );
+
+	if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) )
+		add_action( 'login_head', 'wp_shake_js', 12 );
+
+	$login_title = get_bloginfo( 'name', 'display' );
+
+	/* translators: Login screen title. 1: Login screen name, 2: Network or site name */
+	$login_title = sprintf( __( '%1$s &lsaquo; %2$s &#8212; WordPress' ), $title, $login_title );
+
+	/**
+	 * Filters the title tag content for login page.
+	 *
+	 * @since 4.9.0
+	 *
+	 * @param string $login_title The page title, with extra context added.
+	 * @param string $title       The original page title.
+	 */
+	$login_title = apply_filters( 'login_title', $login_title, $title );
+
+	?><!DOCTYPE html>
+	<!--[if IE 8]>
+		<html xmlns="http://www.w3.org/1999/xhtml" class="ie8" <?php language_attributes(); ?>>
+	<![endif]-->
+	<!--[if !(IE 8) ]><!-->
+		<html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
+	<!--<![endif]-->
+	<head>
+	<meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
+	<title><?php echo $login_title; ?></title>
+	<?php
+
+	wp_enqueue_style( 'login' );
+
+	/*
+	 * Remove all stored post data on logging out.
+	 * This could be added by add_action('login_head'...) like wp_shake_js(),
+	 * but maybe better if it's not removable by plugins
+	 */
+	if ( 'loggedout' == $wp_error->get_error_code() ) {
+		?>
+		<script>if("sessionStorage" in window){try{for(var key in sessionStorage){if(key.indexOf("wp-autosave-")!=-1){sessionStorage.removeItem(key)}}}catch(e){}};</script>
+		<?php
+	}
+
+	/**
+	 * Enqueue scripts and styles for the login page.
+	 *
+	 * @since 3.1.0
+	 */
+	do_action( 'login_enqueue_scripts' );
+
+	/**
+	 * Fires in the login page header after scripts are enqueued.
+	 *
+	 * @since 2.1.0
+	 */
+	do_action( 'login_head' );
+
+	if ( is_multisite() ) {
+		$login_header_url   = network_home_url();
+		$login_header_title = get_network()->site_name;
+	} else {
+		$login_header_url   = __( 'https://wordpress.org/' );
+		$login_header_title = __( 'Powered by WordPress' );
+	}
+
+	/**
+	 * Filters link URL of the header logo above login form.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @param string $login_header_url Login header logo URL.
+	 */
+	$login_header_url = apply_filters( 'login_headerurl', $login_header_url );
+
+	/**
+	 * Filters the title attribute of the header logo above login form.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @param string $login_header_title Login header logo title attribute.
+	 */
+	$login_header_title = apply_filters( 'login_headertitle', $login_header_title );
+
+	/*
+	 * To match the URL/title set above, Multisite sites have the blog name,
+	 * while single sites get the header title.
+	 */
+	if ( is_multisite() ) {
+		$login_header_text = get_bloginfo( 'name', 'display' );
+	} else {
+		$login_header_text = $login_header_title;
+	}
+
+	$classes = array( 'login-action-' . $action, 'wp-core-ui' );
+	if ( is_rtl() )
+		$classes[] = 'rtl';
+	if ( $interim_login ) {
+		$classes[] = 'interim-login';
+		?>
+		<style type="text/css">html{background-color: transparent;}</style>
+		<?php
+
+		if ( 'success' ===  $interim_login )
+			$classes[] = 'interim-login-success';
+	}
+	$classes[] =' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_locale() ) ) );
+
+	/**
+	 * Filters the login page body classes.
+	 *
+	 * @since 3.5.0
+	 *
+	 * @param array  $classes An array of body classes.
+	 * @param string $action  The action that brought the visitor to the login page.
+	 */
+	$classes = apply_filters( 'login_body_class', $classes, $action );
+
+	?>
+	</head>
+	<body class="login <?php echo esc_attr( implode( ' ', $classes ) ); ?>">
+	<?php
+	/**
+	 * Fires in the login page header after the body tag is opened.
+	 *
+	 * @since 4.6.0
+	 */
+	do_action( 'login_header' );
+	?>
+	<div id="login">
+		<h1><a href="<?php echo esc_url( $login_header_url ); ?>" title="<?php echo esc_attr( $login_header_title ); ?>" tabindex="-1"><?php echo $login_header_text; ?></a></h1>
+	<?php
+
+	unset( $login_header_url, $login_header_title );
+
+	/**
+	 * Filters the message to display above the login form.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @param string $message Login message text.
+	 */
+	$message = apply_filters( 'login_message', $message );
+	if ( !empty( $message ) )
+		echo $message . "\n";
+
+	// In case a plugin uses $error rather than the $wp_errors object
+	if ( !empty( $error ) ) {
+		$wp_error->add('error', $error);
+		unset($error);
+	}
+
+	if ( $wp_error->get_error_code() ) {
+		$errors = '';
+		$messages = '';
+		foreach ( $wp_error->get_error_codes() as $code ) {
+			$severity = $wp_error->get_error_data( $code );
+			foreach ( $wp_error->get_error_messages( $code ) as $error_message ) {
+				if ( 'message' == $severity )
+					$messages .= '	' . $error_message . "<br />\n";
+				else
+					$errors .= '	' . $error_message . "<br />\n";
+			}
+		}
+		if ( ! empty( $errors ) ) {
+			/**
+			 * Filters the error messages displayed above the login form.
+			 *
+			 * @since 2.1.0
+			 *
+			 * @param string $errors Login error message.
+			 */
+			echo '<div id="login_error">' . apply_filters( 'login_errors', $errors ) . "</div>\n";
+		}
+		if ( ! empty( $messages ) ) {
+			/**
+			 * Filters instructional messages displayed above the login form.
+			 *
+			 * @since 2.5.0
+			 *
+			 * @param string $messages Login messages.
+			 */
+			echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n";
+		}
+	}
+} // End of login_header()
+
+function wp_login_viewport_meta() {
+	?>
+	<meta name="viewport" content="width=device-width" />
+	<?php
+}

wp-content/plugins/two-factor/providers/class.two-factor-backup-codes.php

+<?php
+/**
+ * Class for creating a backup codes provider.
+ *
+ * @since 0.1-dev
+ *
+ * @package Two_Factor
+ */
+class Two_Factor_Backup_Codes extends Two_Factor_Provider {
+
+	/**
+	 * The user meta backup codes key.
+	 *
+	 * @type string
+	 */
+	const BACKUP_CODES_META_KEY = '_two_factor_backup_codes';
+
+	/**
+	 * The number backup codes.
+	 *
+	 * @type int
+	 */
+	const NUMBER_OF_CODES = 10;
+
+	/**
+	 * Ensures only one instance of this class exists in memory at any one time.
+	 *
+	 * @since 0.1-dev
+	 */
+	static function get_instance() {
+		static $instance;
+		$class = __CLASS__;
+		if ( ! is_a( $instance, $class ) ) {
+			$instance = new $class;
+		}
+		return $instance;
+	}
+
+	/**
+	 * Class constructor.
+	 *
+	 * @since 0.1-dev
+	 */
+	protected function __construct() {
+		add_action( 'two-factor-user-options-' . __CLASS__, array( $this, 'user_options' ) );
+		add_action( 'admin_notices', array( $this, 'admin_notices' ) );
+		add_action( 'wp_ajax_two_factor_backup_codes_generate', array( $this, 'ajax_generate_json' ) );
+
+		return parent::__construct();
+	}
+
+	/**
+	 * Displays an admin notice when backup codes have run out.
+	 *
+	 * @since 0.1-dev
+	 */
+	public function admin_notices() {
+		$user = wp_get_current_user();
+
+		// Return if the provider is not enabled.
+		if ( ! in_array( __CLASS__, Two_Factor_Core::get_enabled_providers_for_user( $user->ID ) ) ) {
+			return;
+		}
+
+		// Return if we are not out of codes.
+		if ( $this->is_available_for_user( $user ) ) {
+			return;
+		}
+		?>
+		<div class="error">
+			<p>
+				<span>
+					<?php
+					printf( // WPCS: XSS OK.
+						__( 'Two-Factor: You are out of backup codes and need to <a href="%s">regenerate!</a>', 'two-factor' ),
+						esc_url( get_edit_user_link( $user->ID ) . '#two-factor-backup-codes' )
+					);
+					?>
+				<span>
+			</p>
+		</div>
+		<?php
+	}
+
+	/**
+	 * Returns the name of the provider.
+	 *
+	 * @since 0.1-dev
+	 */
+	public function get_label() {
+		return _x( 'Backup Verification Codes (Single Use)', 'Provider Label', 'two-factor' );
+	}
+
+	/**
+	 * Whether this Two Factor provider is configured and codes are available for the user specified.
+	 *
+	 * @since 0.1-dev
+	 *
+	 * @param WP_User $user WP_User object of the logged-in user.
+	 * @return boolean
+	 */
+	public function is_available_for_user( $user ) {
+		// Does this user have available codes?
+		if ( 0 < self::codes_remaining_for_user( $user ) ) {
+			return true;
+		}
+		return false;
+	}
+
+	/**
+	 * Inserts markup at the end of the user profile field for this provider.
+	 *
+	 * @since 0.1-dev
+	 *
+	 * @param WP_User $user WP_User object of the logged-in user.
+	 */
+	public function user_options( $user ) {
+		$ajax_nonce = wp_create_nonce( 'two-factor-backup-codes-generate-json-' . $user->ID );
+		$count = self::codes_remaining_for_user( $user );
+		?>
+		<p id="two-factor-backup-codes">
+			<button type="button" class="button button-two-factor-backup-codes-generate button-secondary hide-if-no-js">
+				<?php esc_html_e( 'Generate Verification Codes', 'two-factor' ); ?>
+			</button>
+			<span class="two-factor-backup-codes-count"><?php
+				echo esc_html( sprintf(
+					/* translators: %s: count */
+					_n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ),
+					$count
+				) );
+				?></span>
+		</p>
+		<div class="two-factor-backup-codes-wrapper" style="display:none;">
+			<ol class="two-factor-backup-codes-unused-codes"></ol>
+			<p class="description"><?php esc_html_e( 'Write these down!  Once you navigate away from this page, you will not be able to view these codes again.', 'two-factor' ); ?></p>
+			<p>
+				<a class="button button-two-factor-backup-codes-download button-secondary hide-if-no-js" href="javascript:void(0);" id="two-factor-backup-codes-download-link" download="two-factor-backup-codes.txt"><?php esc_html_e( 'Download Codes', 'two-factor' ); ?></a>
+			<p>
+		</div>
+		<script type="text/javascript">
+			( function( $ ) {
+				$( '.button-two-factor-backup-codes-generate' ).click( function() {
+					$.ajax( {
+						method: 'POST',
+						url: ajaxurl,
+						data: {
+							action: 'two_factor_backup_codes_generate',
+							user_id: '<?php echo esc_js( $user->ID ); ?>',
+							nonce: '<?php echo esc_js( $ajax_nonce ); ?>'
+						},
+						dataType: 'JSON',
+						success: function( response ) {
+							var $codesList = $( '.two-factor-backup-codes-unused-codes' );
+
+							$( '.two-factor-backup-codes-wrapper' ).show();
+							$codesList.html( '' );
+
+							// Append the codes.
+							for ( i = 0; i < response.data.codes.length; i++ ) {
+								$codesList.append( '<li>' + response.data.codes[ i ] + '</li>' );
+							}
+
+							// Update counter.
+							$( '.two-factor-backup-codes-count' ).html( response.data.i18n.count );
+
+							// Build the download link
+							var txt_data = 'data:application/text;charset=utf-8,' + '\n';
+							txt_data += response.data.i18n.title.replace( /%s/g, document.domain ) + '\n\n';
+
+							for ( i = 0; i < response.data.codes.length; i++ ) {
+								txt_data += i + 1 + '. ' + response.data.codes[ i ] + '\n';
+							}
+
+							$( '#two-factor-backup-codes-download-link' ).attr( 'href', encodeURI( txt_data ) );
+						}
+					} );
+				} );
+			} )( jQuery );
+		</script>
+		<?php
+	}
+
+	/**
+	 * Generates backup codes & updates the user meta.
+	 *
+	 * @since 0.1-dev
+	 *
+	 * @param WP_User $user WP_User object of the logged-in user.
+	 * @param array   $args Optional arguments for assinging new codes.
+	 * @return array
+	 */
+	public function generate_codes( $user, $args = '' ) {
+		$codes = array();
+		$codes_hashed = array();
+
+		// Check for arguments.
+		if ( isset( $args['number'] ) ) {
+			$num_codes = (int) $args['number'];
+		} else {
+			$num_codes = self::NUMBER_OF_CODES;
+		}
+
+		// Append or replace (default).
+		if ( isset( $args['method'] ) && 'append' === $args['method'] ) {
+			$codes_hashed = (array) get_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, true );
+		}
+
+		for ( $i = 0; $i < $num_codes; $i++ ) {
+			$code = $this->get_code();
+			$codes_hashed[] = wp_hash_password( $code );
+			$codes[] = $code;
+			unset( $code );
+		}
+
+		update_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, $codes_hashed );
+
+		// Unhashed.
+		return $codes;
+	}
+
+	/**
+	 * Generates a JSON object of backup codes.
+	 *
+	 * @since 0.1-dev
+	 */
+	public function ajax_generate_json() {
+		$user = get_user_by( 'id', sanitize_text_field( $_POST['user_id'] ) );
+		check_ajax_referer( 'two-factor-backup-codes-generate-json-' . $user->ID, 'nonce' );
+
+		// Setup the return data.
+		$codes = $this->generate_codes( $user );
+		$count = self::codes_remaining_for_user( $user );
+		$i18n = array(
+			/* translators: %s: count */
+			'count' => esc_html( sprintf( _n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ), $count ) ),
+			/* translators: %s: the site's domain */
+			'title' => esc_html__( 'Two-Factor Backup Codes for %s', 'two-factor' ),
+		);
+
+		// Send the response.
+		wp_send_json_success( array( 'codes' => $codes, 'i18n' => $i18n ) );
+	}
+
+	/**
+	 * Returns the number of unused codes for the specified user
+	 *
+	 * @param WP_User $user WP_User object of the logged-in user.
+	 * @return int $int  The number of unused codes remaining
+	 */
+	public static function codes_remaining_for_user( $user ) {
+		$backup_codes = get_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, true );
+		if ( is_array( $backup_codes ) && ! empty( $backup_codes ) ) {
+			return count( $backup_codes );
+		}
+		return 0;
+	}
+
+	/**
+	 * Prints the form that prompts the user to authenticate.
+	 *
+	 * @since 0.1-dev
+	 *
+	 * @param WP_User $user WP_User object of the logged-in user.
+	 */
+	public function authentication_page( $user ) {
+		require_once( ABSPATH .  '/wp-admin/includes/template.php' );
+		?>
+		<p><?php esc_html_e( 'Enter a backup verification code.', 'two-factor' ); ?></p><br/>
+		<p>
+			<label for="authcode"><?php esc_html_e( 'Verification Code:', 'two-factor' ); ?></label>
+			<input type="tel" name="two-factor-backup-code" id="authcode" class="input" value="" size="20" pattern="[0-9]*" />
+		</p>
+		<?php
+		submit_button( __( 'Submit', 'two-factor' ) );
+	}
+
+	/**
+	 * Validates the users input token.
+	 *
+	 * In this class we just return true.
+	 *
+	 * @since 0.1-dev
+	 *
+	 * @param WP_User $user WP_User object of the logged-in user.
+	 * @return boolean
+	 */
+	public function validate_authentication( $user ) {
+		return $this->validate_code( $user, $_POST['two-factor-backup-code'] );
+	}
+
+	/**
+	 * Validates a backup code.
+	 *
+	 * Backup Codes are single use and are deleted upon a successful validation.
+	 *
+	 * @since 0.1-dev
+	 *
+	 * @param WP_User $user WP_User object of the logged-in user.
+	 * @param int     $code The backup code.
+	 * @return boolean
+	 */
+	public function validate_code( $user, $code ) {
+		$backup_codes = get_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, true );
+
+		if ( is_array( $backup_codes ) && ! empty( $backup_codes ) ) {
+			foreach ( $backup_codes as $code_index => $code_hashed ) {
+				if ( wp_check_password( $code, $code_hashed, $user->ID ) ) {
+					$this->delete_code( $user, $code_hashed );
+					return true;
+				}
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * Deletes a backup code.
+	 *
+	 * @since 0.1-dev
+	 *
+	 * @param WP_User $user WP_User object of the logged-in user.
+	 * @param string  $code_hashed The hashed the backup code.
+	 */
+	public function delete_code( $user, $code_hashed ) {
+		$backup_codes = get_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, true );
+
+		// Delete the current code from the list since it's been used.
+		$backup_codes = array_flip( $backup_codes );
+		unset( $backup_codes[ $code_hashed ] );
+		$backup_codes = array_values( array_flip( $backup_codes ) );
+
+		// Update the backup code master list.
+		update_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, $backup_codes );
+	}
+}

wp-content/plugins/two-factor/providers/class.two-factor-dummy.php

+<?php
+/**
+ * Class for creating a dummy provider.
+ *
+ * @since 0.1-dev
+ *
+ * @package Two_Factor
+ */
+class Two_Factor_Dummy extends Two_Factor_Provider {
+
+	/**
+	 * Ensures only one instance of this class exists in memory at any one time.
+	 *
+	 * @since 0.1-dev
+	 */
+	static function get_instance() {
+		static $instance;
+		$class = __CLASS__;
+		if ( ! is_a( $instance, $class ) ) {
+			$instance = new $class;