How I evolved a single-provider WordPress 2FA plugin into a comprehensive, developer-friendly authentication system
The Problem ๐
WordPress powers 43% of the web, but most sites still rely on password-only authentication. While there are 2FA plugins available, they're often:
- Limited to specific providers
- Hard to extend or customize
- Not developer-friendly
- Missing modern authentication methods
The Journey ๐
AuthPress started as a simple idea: "What if I could get my WordPress 2FA codes via Telegram?" Three years and multiple iterations later, it's become a comprehensive authentication platform.
Version 4.0: The Extensible Platform
Now it supports multiple providers through a clean architecture:
// Modern extensible system
abstract class Abstract_Provider {
abstract public function send_code($user_id, $code);
abstract public function verify_code($user_id, $code);
abstract public function render_user_settings($user_id);
}
// Register custom providers
add_filter('authpress_register_providers', function($providers) {
$providers['my_sms'] = 'MyPlugin\\SMS_Provider';
$providers['push_notification'] = 'MyPlugin\\Push_Provider';
return $providers;
});
Technical Architecture ๐๏ธ
Core Features
- Multi-Provider Support: Telegram, Email, TOTP, Recovery Codes
- Extensible API: Clean interfaces for custom providers
- Professional Logging: WordPress-native admin tables
- Security First: Rate limiting, encrypted storage, brute force protection
The Provider System
Each authentication method is a provider class:
class Telegram_Provider extends Abstract_Provider {
public function send_code($user_id, $code) {
// Telegram API integration
return $this->send_telegram_message($user_id, $code);
}
public function verify_code($user_id, $submitted_code) {
// Validate against stored code
return $this->validate_stored_code($user_id, $submitted_code);
}
public function render_user_settings($user_id) {
// User configuration interface
include 'templates/telegram-settings.php';
}
}
Developer Experience ๐จโ๐ป
Creating Custom Providers
Want SMS via Twilio? Here's how simple it is:
class Twilio_SMS_Provider extends Abstract_Provider {
private $twilio_client;
public function __construct() {
$this->twilio_client = new Twilio\Rest\Client($sid, $token);
}
public function send_code($user_id, $code) {
$phone = get_user_meta($user_id, 'phone_number', true);
return $this->twilio_client->messages->create($phone, [
'from' => '+1234567890',
'body' => "Your WordPress login code: {$code}"
]);
}
public function verify_code($user_id, $code) {
return parent::verify_stored_code($user_id, $code);
}
}
WordPress Integration
Follows WordPress best practices:
- Uses hooks and filters extensively
- Proper nonce verification
- WP_List_Table for admin interfaces
- Standard WordPress coding standards
What's Next? ๐ฎ
Working on:
- Passkey/WebAuthn integration (already in beta)
- Hardware token support (YubiKey, etc.)
Open Source & Community ๐
AuthPress is GPL-licensed and available on:
- WordPress.org: Official plugin directory
- GitHub: dueclic/authpress
Contributing
We welcome contributions! Especially:
- New provider implementations
- Security audits
- Documentation improvements
- Translation updates
Lessons Learned ๐
- Start simple, architect for growth - The extensible design saved massive refactoring
- Security can't be an afterthought - Built-in from day one
- Developer experience matters - Clean APIs lead to better ecosystem
- WordPress standards exist for a reason - Following them made everything easier
Try AuthPress on your WordPress site and let me know what custom providers you'd build! The extensibility system makes it possible to integrate with virtually any authentication service.
What 2FA method would you want to see next? Drop your ideas in the comments! ๐
Top comments (0)