Two factor authentication plugin – FAQs

Questions applying to all our commercial WordPress plugins

How long do you provide access to new plugin releases and support for?

All plugin purchases come with included access to support and access to downloads for 12 months. After 12 months, you can renew access if you want to.

If you do not want to renew, then your existing plugin will not be de-installed or de-activated or changed in any other way. Of course, we cannot guarantee what level of compatibility it will have with future releases of WordPress or (if relevant) WooCommerce.

Do you have a trial version of your plugins available / what is your refund policy?

We do not have trial versions of our plugins available, or refund trial purchases. However, we are committed to providing support for any technical issues you have with any of our plugins, and all plugins include 12 months of support. If the plugin does not do what the product description says it does, then you can have a refund (this should be requested within 10 days of purchase), subject to allowing us to investigate the problem.

This policy specifically excludes third-party failures; for example, if a plugin depends upon a third-party service which malfunctions or closes down, you will not be eligible for any refund for the plugin purchase. It also explicitly excludes failed attempts by the customer to implement PHP code customisations to the plugin, and faults in third-party code. Refunds are not offered for “speculative” purchases where the customer is hoping that the software can do something which is not advertised; plugins are priced cheaply and you should check your requirements before purchase. This policy allows us to keep prices down for our customers (i.e. means they don’t subsidise the support and non-refundable-to-us transaction fees for speculative purchases that get refunded).

For EU customers, your right to a refund of digital goods that you have not requested a download of remain intact. You can request a refund of goods that have not yet been downloaded for up to 14 days after purchase. These requests will be verified using our download logs.

How can I download a PDF invoice/receipt for my purchase?

You can download a PDF invoice/receipt for plugins purchases from your account page, here.

How many licences should I buy?

You will need a separate licence for each WordPress installation which you wish to receive plugin updates (i.e. future releases), or to request support for.

A WordPress Network is a single installation of WordPress, so only requires one licence, regardless of how many blogs you have on the network.

What is your support and updates policy?

All customers will have access to future releases of the plugin, and for support to help with trouble-shooting, for 12 months.

Whilst we are happy to give general advice as part of support, support has reasonable limits. For example, hiring a developer (if one is available) to extend or customise the plugin for you, or trouble-shooting problems in other plugins on your site (or other things beyond scope – e.g. problems in your printer, or other third-party products), is not included in the purchase price.

Note that this does not affect your ability to continue using an installed plugin. Your installed plugins will remain installed forever. What is limited to 12 months is access to our future work on the plugin and support.

Can you write some code for me, to customise the plugin?

Plugin purchase prices do not include hand-written code, even if it is only a few lines.

At commodity prices, and including 12 months of updates to new versions (including compatibility with future releases of WordPress and (where relevant) WooCommerce), and personal support, the margins when selling plugins are small. As a result, plugin sellers rely upon selling to many customers – and personal customisations are not economic (even if potentially useful for other customers).

You are, of course, welcome to send in ideas for new features. If you need a developer to customise for you, though, then we suggest Codeable – – where there is a large marketplace of WordPress and WooCommerce experts offering their services.

Where can I download my plugin purchase?

After purchasing one of our WordPress plugins, you can download from any of three or four places:

  1. The “thank you” page in your web browser, that appears immediately after completing payment.
  2. From your Simba account, here.
  3. Using the link in your order confirmation email.
  4. If you have already installed and begun using the plugin, you can obtain updates (when available) from the “Plugins” page in your WordPress dashboard.

How do I install my plugin?

If you’ve purchased one of our WordPress plugins, then thank you! Here’s how to install…

1. Go to the “Plugins” page in your WordPress dashboard, and press “Add New”

Add a new plugin

2. Press the “Upload Plugin” button

Upload a plugin

3. Press the button to select a zip file. Select the zip file for your plugin. Then press “Install Now”.

Uploading the zip file

4. When the plugin has uploaded, press the “Activate” button.

N.B. If you have the free version of any of our plugins (e.g. WooCommerce EU VAT Compliance, or Two Factor Authentication), then you should also de-activate and de-install the free version. Your settings will be retained by the paid version. It does not matter whether you de-activate and de-install before, or after, installing the paid version.

When buying a plugin, what is the difference between manual or automatic renewal?

All our plugins come with included access to personal support and updates (new versions of the software) for 12 months (more information). After this 12 months, you can keep on using the software, without any restrictions. However, if you want to renew, you can either do so manually (i.e. come back to the shop and make a fresh purchase) or automatically (i.e. an order will automatically be created and emailed to you, and payment taken if you have a payment method on your account). We offer a discount to those who choose automatic renewal. You can cancel a subscription at any time (yes, even 5 minutes after you purchased it).

Where can I see the plugin changelog?

For a plugin that you have purchased, the changelog is in the file “readme.txt” in the plugin zip.

For our current on-sale version (i.e. the latest version), you can see the changelog by going to the shop, and then going to the product page, and then clicking the link “Plugin changelog” from the left-hand side of the page.

How do I change which site is using a licence?

If you wish to stop using one of your plugin licences on one site, and instead use it on another, then do this:

1. Disconnect the “old” site.

Go to the “Plugins” page in the WordPress dashboard, and find the plugin’s entry. Press the “Disconnect” button.


2. Connect the “new” site.

Go to the “Plugins” page in the WordPress dashboard on the new site, and connect.


I have found a problem in the plugin, or a question not answered here. Where do I get personal support?

Please go here and open a support ticket. (Or, if you forgot your login details for your account with us, then please go here).

Is this plugin still supported and maintained?

Yes. If it ever stops being, then we would withdraw it from sale.

Two Factor Authentication

What are the shortcodes available in the two factor authentication plugin?

The following short-codes are available:

twofactor_user_settings : This short-code will display the whole user configuration. Use this to allow your users to get/set their TFA settings. Alternatively, to design the page yourself, you can use the individual short-codes, following:

twofactor_user_settings_enabled : Display the option to turn TFA on or off. If you supply the parameter style=”require_current” then the user will have to enter the current code correctly to be allowed to activate TFA.

twofactor_user_qrcode : Display the user’s QR code for scanning.

twofactor_user_emergencycodes : Display the user’s emergency codes.

twofactor_user_advancedsettings : Display the user’s advanced settings (e.g. selecting TOTP or HOTP).

twofactor_user_privatekeys : Display the user’s private keys. Use the ‘type’ parameter, with values ‘full’ (default), ‘plain’, ‘base32’ or ‘base64’ to control exactly what is displayed.

twofactor_user_privatekeys_reset : Display a link for the user to reset (change) their private key.

twofactor_user_currentcode : Display the current TFA code.

twofactor_user_presstorefresh : Wrap this shortcode around any HTML that you want to cause the current TFA code (displayed by the twofactor_user_currentcode shortcode) to refresh when clicked. i.e. Use both an opening and closing shortcode tag; and whatever you put inside will cause an update if the user clicks on it. Example:

Example short-code usage

twofactor_conditional : Wrap this shortcode around any content that you wish to be displayed only if the condition is met. The condition is specified by the “onlyif” parameter, with valid values: active, inactive, available, unavailable. The content will be shown depending on whether the user has TFA available (i.e. the administrator has allowed it for their user level)/activated. You can use this, for example, to display notices to your users to suggest that they activate TFA, or to remind them that it is available, etc.

Here are a couple of screenshots of examples of using these shortcodes. In the first, the site owner is using the WordPress page editor to design his own TFA-setup page for users, using short-codes:

Designing your own page for users, using short-codes

In the second is an example of the twofactor_conditional shortcode (make sure that you do not have anything cacheing a page it is used on):

Conditional shortcode example

What is two factor authentication?

Basically, it’s to do with securing your logins, so that there’s more than one link in the chain needing to be broken before an unwanted intruder can get in your website.

By default, your WordPress accounts are protected by only one thing: your password. If that’s broken, then everything’s wide open.

“Two factor” means adding a second requirement. Usually, this is a code that comes to a device you own (e.g. phone, tablet) – so, someone can’t get into your website without getting hold of your device. You can get a longer answer from Wikipedia.

Sometimes it is also called multi-factor authentication instead of two-factor – because someone could secure their systems with as many factors as they like.

How does two factor authentication work?

Since “two factor authentication” just means “a second something is necessary to get in”, this answer depends upon the particular set-up. In the most common case, a numeric code is shown on your phone, tablet or other device. This code could be sent via an SMS, but this depends on the mobile phone network working, and is technically easy to hijack (and so is not recommended by security professionals). So, this plugin does not uses that method. Instead, it uses a standard mathematical algorithm to generate codes that are only valid once each, or for only for 30 seconds (depending on which algorithm you choose). Your phone or tablet can know the code after it has been set up once (often, by just scanning a bar-code off the screen).

What do I need to set up on my phone/tablet (etc.) in order to generate the codes?

This depends on your particular make of phone, and your preferences. Google have produced a popular app called “Google Authenticator”, which is a preferred option for many people because it is easy to use and can be set up via just scanning a bar code off your screen – follow this link, and ignore the first paragraph that is talking about 2FA on your Google account (rather than being relevant to this plugin).

What if I do not have a phone or tablet?

Many and various devices and programs can generate the codes. One option is an add-on for your web browser; for example, here are some apps and add-ons for Google Chrome. Wikipedia lists various programs for different computers.

I lost my device that has pass-codes – or, they don’t work. What to do?

If your pass-code used to work, but no longer does, then check that the time on your device that generates them is accurate (it needs to agree with the webserver within around 30 seconds; note that time zones are irrelevant to this – what they need to agree on is how many seconds have passed since it became the year 1970 in London).

If you cannot get in and need to disable two-factor authentication, then add this to your wp-config.php file, using FTP, SFTP, shell access or the file manager in your hosting control panel:

define('TWO_FACTOR_DISABLE', true);

Add it next to where any other line beginning with “define” is.

Alternatively, if you have FTP, SFTP, shell access or cPanel access to your web hosting space, you can de-activate the plugin; see this article:

Not long after installing, I find that a user is not asked for a TFA code – they are told that they failed to enter one

The cause of this is that the user managed to visit a cached version of the login page. As a result, the TFA plugin’s JavaScript code was not present on the page, and so the login form was submitted without that code being run and a TFA code being requested.

If your login page is cached by any page cache in your WordPress install, or cacheing on your hosting company or cloud proxy (e.g. Cloudflare), empty (flush) these caches. If the problem persists, then the page is likely cached by the user’s web browser; encourage them to empty their web browser, and to press the “reload” button in their web browser whilst holding the “shift” key on their keyboard (which will tell their web browser to bypass its cacheing). Or you can temporarily ask them to try in a different web browser or “incognito / private” window until the problem passes when the cache expires.

Alternatively, until the problem clears, tell them to add their TFA code on the end of their password. i.e. If their password is some7$Xthing (please don’t use passwords as weak as that one!), and the TFA code is 123456, then they should enter the password as some7$thing123456.

N.B. If this problem happens always for everyone, then you have a faulty component on the login page which is causing a JavaScript error and preventing other components (such as our plugin) from being able to run their own code. To identify it, you should deactivate other WordPress plugins and browser extensions in your browser, reload the page, and confirm that the problem is gone. Then you should begin selectively re-activating those components (and reloading the page), a few at a time, to narrow down which one is causing the problem. You can also open your web browser’s JavaScript console (in its developer tools) to see what errors are there to see if you can identify the component from the its filename.

What are HOTP and TOTP?

These are the names of the two mathematical algorithms that are used to create the special codes. These are industry-standard algorithms, devised by expert cryptographers. HOTP is less popular, but the device that generates the codes does not need to know the correct time (instead, the codes are generated in a precise sequence). TOTP is much more popular, and generates codes that are only valid for 30 seconds (and so your device needs to know the time). I’d recommend TOTP, as HOTP can be annoying if something causes the sequences to get out of sync.

How can I trigger an action when the user saves their TFA settings on the front-end?

When settings are successfully saved, the plugin triggers a jQuery event upon the document:

jQuery(document).trigger('tfa_settings_saved', resp);

So, you just need to add some JavaScript to your site (e.g. using one of the popular plugins for doing this, or using your own hand-coding) to hook that event.

For example, to reload the page after the settings are saved:

jQuery(document).on('tfa_settings_saved', function() {

Can the two-factor code be sent by email?

Our two-factor authentication plugin does not support sending codes by email, because this is not secure. This is because WordPress also sends password reset links by email (via the link on the login form for people who have forgotten their password). Thus, the email account would have access to both the ability to set passwords and read two-factor codes, meaning that it was not truly a second factor. This would be mitigated somewhat if the email itself was protected by two-factor authentication via another mechanism – but in this case a) users are already being expected to use something other than email, so that shouldn’t be a problem for WordPress either, and b) it is outside of the control of the administrator of the WordPress website, which would nullify the plugin’s features for handing them this control.

Email delivery is also unreliable and often unencrypted, which makes it an unsuitable communications channel to rely upon for time-dependent (two factor codes are time-limited) and security-related functions.

Is any user personal information processed (for GDPR etc.) purposes by the plugin?

No. Logging in, setting up TFA, and all other operations of plugin functionality do not send any data to any remote service.

If you connect the plugin to receive plugin updates using the WordPress plugin update mechanism, then it will periodically request information on update availability from our servers. The information contained in this update check (e.g. the identifier for your account with us, the WordPress and PHP version the plugin is running on) is not processed by us for any further purpose. It does not contain any information on how or by whom the plugin is used (i.e. “telemetrics”) beyond the URL of the website it is installed upon. The HTTP request as logged by our webserver may remain in our webserver logs until they are periodically and automatically rotated, up to 6 months later.

I deliberately entered a wrong password, and the Two Factor Authentication plugin let me log in

You have a password manager extension installed in your web browser, with the correct password entered in it. It has automatically replaced your wrong password with the right one from its saved store. This behaviour has been observed and confirmed by several users. You can verify it by using the web developer tools in your browser to look at the HTTP data sent to WordPress, and observe which password is actually in it. You can also open a fresh web browser with no such extension in it to re-test.

Note that the two factor authentication plugin has no mechanism to compare or approve passwords; this is done by WordPress core. If the wrong password is sent, then this is handled by WordPress, and the login will not proceed.