MFA v1.7

AJT MFA

I tried every WordPress MFA plugin and they were all either bloated, unreliable, or required external services. So I wrote a pure-PHP RFC 6238 TOTP engine with zero dependencies. 30 seconds to set up, works with every authenticator app, never phones home. Always free, no Pro tier, no upsell. Now with hardening checks, Nginx directives generator, and IP rate limiting.


2FA That Just Works, Always Free

MFA is the simplest plugin in the ecosystem but possibly the most important. Security shouldn't require a 50MB plugin with a subscription and a cloud dashboard. MFA is, and always will be, completely free.

What It Does

📱

TOTP Engine

Pure-PHP RFC 6238. 160-bit Base32 secrets, 6-digit codes, ±1 step tolerance, 30-second periods. No external API, no CDN, no third-party dependency. The entire TOTP implementation is one class.
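To make the parameters above concrete, here is an added example of an RFC 6238 verifier in pure PHP. It is not the plugin's own class (the `TotpExample` name and its methods are assumptions); it uses the values the page states: a 160-bit Base32 secret, HMAC-SHA1, 6-digit codes, 30-second periods and a tolerance of one step either side. It also returns the matched time step so the caller can refuse a replay of the same code within its window, which RFC 6238 recommends but the page does not mention.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own class: a pure-PHP RFC 6238 verifier with the
// parameters the page lists (160-bit Base32 secret, HMAC-SHA1, 6 digits, 30-second
// period, +/-1 step tolerance). The class and method names are assumptions.
final class TotpExample
{
    private const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

    public static function base32Encode(string $bytes): string
    {
        $bits = '';
        foreach (str_split($bytes) as $byte) {
            $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
        }
        $out = '';
        foreach (str_split($bits, 5) as $chunk) {
            $out .= self::ALPHABET[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
        }
        return $out; // 20 bytes give exactly 32 characters, so no '=' padding is needed
    }

    public static function base32Decode(string $b32): string
    {
        $b32  = strtoupper(str_replace([' ', '='], '', $b32));
        $bits = '';
        for ($i = 0, $n = strlen($b32); $i < $n; $i++) {
            $pos = strpos(self::ALPHABET, $b32[$i]);
            if ($pos === false) {
                throw new InvalidArgumentException('Invalid Base32 character');
            }
            $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
        }
        $bytes = '';
        foreach (str_split($bits, 8) as $chunk) {
            if (strlen($chunk) === 8) { // a trailing partial group is encoding slack, not data
                $bytes .= chr(bindec($chunk));
            }
        }
        return $bytes;
    }

    /** RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
    public static function hotp(string $key, int $counter, int $digits = 6): string
    {
        $hash   = hash_hmac('sha1', pack('J', $counter), $key, true);
        $offset = ord($hash[19]) & 0x0F;
        $code   = ((ord($hash[$offset]) & 0x7F) << 24)
                | (ord($hash[$offset + 1]) << 16)
                | (ord($hash[$offset + 2]) << 8)
                | ord($hash[$offset + 3]);
        return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
    }

    /** The code an authenticator app shows for this secret at Unix time $now. */
    public static function code(string $b32Secret, int $now, int $period = 30): string
    {
        return self::hotp(self::base32Decode($b32Secret), intdiv($now, $period));
    }

    /**
     * Verify a submitted code, tolerating +/-$window steps of clock drift. Returns the
     * matched step so the caller can persist it: steps at or below $lastAcceptedStep are
     * skipped, which stops the same code being replayed inside its validity window.
     */
    public static function verify(string $b32Secret, string $input, int $now,
                                  ?int $lastAcceptedStep = null, int $period = 30, int $window = 1): ?int
    {
        if (!preg_match('/^[0-9]{6}$/', $input)) {
            return null;
        }
        $key     = self::base32Decode($b32Secret);
        $step    = intdiv($now, $period);
        $matched = null;
        for ($i = -$window; $i <= $window; $i++) {
            $candidate = $step + $i;
            if ($lastAcceptedStep !== null && $candidate <= $lastAcceptedStep) {
                continue;
            }
            // Every remaining candidate is compared (no early return) with hash_equals().
            if (hash_equals(self::hotp($key, $candidate), $input)) {
                $matched = $candidate;
            }
        }
        return $matched;
    }
}

// Stand-alone check using the RFC 6238 Appendix B key ("12345678901234567890" in ASCII).
// A real enrolment would use random_bytes(20) (160 bits) passed through base32Encode().
$secret = TotpExample::base32Encode('12345678901234567890');
$now    = 59; // the first reference time in the RFC's SHA-1 table (time step 1)
$code   = TotpExample::code($secret, $now);
var_dump(TotpExample::verify($secret, $code, $now));       // matched step
var_dump(TotpExample::verify($secret, $code, $now + 30));  // still accepted: inside the +/-1 window
var_dump(TotpExample::verify($secret, $code, $now, 1));    // null: step 1 already accepted (replay)
```

Two points worth keeping when adapting this: the comparison loop never returns early, so an attacker cannot learn from response timing which of the three candidate steps was closest, and the stored last-accepted step is what turns a 90-second window into a single-use code.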

🛡️

Per-Role Enforcement

Enforce for admins, editors, all users, or custom roles. Grace period (default 7 days) for new users. Because forcing MFA on day one causes support tickets.

💻

Trusted Devices

"Remember this device": cookie-based, with SHA-256-hashed tokens. Configurable expiry. Individual revocation. Because entering a code every single time is annoying.

🚪

Hidden Login

Moves wp-login.php to a secret URL. Original returns 404. Combined with MFA, this eliminates 99% of brute-force attacks before they even reach the login form.

📋

Activity Log

Every MFA event is tracked: success, failure, setup, reset, recovery code used, lockout, device changes, each with IP and user-agent. Filterable viewer with purge.

🔑

Recovery Codes

8 one-time codes, password-hashed. For when your phone is dead and you need to get in. Regeneratable from the user profile.
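As an added illustration of the "8 one-time codes, password-hashed" design (example code, not the plugin's own; the `RecoveryCodesExample` class and its methods are assumptions), this shows the three operations a recovery-code store needs: generate the codes once, keep only `password_hash()` digests, and drop a code from the set the moment it is used so it cannot be replayed.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code: eight one-time recovery codes stored only
// as password_hash() digests and removed from the set once used. Class and method
// names are assumptions.
final class RecoveryCodesExample
{
    public const COUNT = 8;

    /** Returns [codes to show the user exactly once, hashes to persist in user meta]. */
    public static function generate(): array
    {
        $plain = $hashes = [];
        for ($i = 0; $i < self::COUNT; $i++) {
            $raw      = bin2hex(random_bytes(8));               // 64 bits of entropy per code
            $plain[]  = implode('-', str_split($raw, 4));       // shown as xxxx-xxxx-xxxx-xxxx
            $hashes[] = password_hash($raw, PASSWORD_DEFAULT);  // only the hash is stored
        }
        return [$plain, $hashes];
    }

    /** Strip separators and case so a code typed with or without dashes still matches. */
    private static function normalise(string $input): string
    {
        return strtolower(preg_replace('/[^0-9a-fA-F]/', '', $input));
    }

    /**
     * Check $input against the stored hashes. On success returns the remaining hashes
     * with the used one removed, which the caller must persist; returns null on failure.
     * Every hash is checked even after a match so timing does not reveal which slot hit.
     */
    public static function consume(string $input, array $hashes): ?array
    {
        $code = self::normalise($input);
        if (strlen($code) !== 16) {
            return null;
        }
        $matched = null;
        foreach ($hashes as $i => $hash) {
            if (password_verify($code, $hash) && $matched === null) {
                $matched = $i;
            }
        }
        if ($matched === null) {
            return null;
        }
        unset($hashes[$matched]);
        return array_values($hashes);
    }
}

// Stand-alone walk-through.
[$codes, $hashes] = RecoveryCodesExample::generate();
$remaining = RecoveryCodesExample::consume($codes[0], $hashes);
var_dump($remaining !== null && count($remaining) === RecoveryCodesExample::COUNT - 1);
var_dump(RecoveryCodesExample::consume($codes[0], $remaining)); // null: the code was consumed
```

Because every attempt runs `password_verify()` against all eight bcrypt hashes, a recovery-code check costs several times a normal password check; that is fine for a rarely used path, but it is one more reason the recovery form should sit behind the same IP rate limiting as the login form.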

How It's Built

🚫

IP Rate Limiting

Transient-based IP rate limiter on the authenticate hook. 5 failed attempts trigger a 15-minute lockout (configurable). Also blocks XML-RPC when 2FA is active, closing the bypass that most MFA plugins ignore.
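The following is an added example of that design, not the plugin's own code: a failure counter kept in WordPress transients, a guard on the `authenticate` filter, and the XML-RPC switch-off. The 5-attempt and 15-minute defaults come from the page; the `mfa_*` function names and the transient key prefix are assumptions. The in-memory stand-ins for `get_transient()` and friends exist only so the file runs outside WordPress.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code: an IP lockout kept in WordPress transients
// and enforced on the 'authenticate' filter. The 5-attempt / 15-minute defaults come
// from the page; the mfa_* function names and the transient key prefix are assumptions.
const MFA_MAX_ATTEMPTS    = 5;
const MFA_LOCKOUT_SECONDS = 15 * 60;

if (!function_exists('get_transient')) {
    // Minimal in-memory stand-ins so the example runs outside WordPress. Inside
    // WordPress the real transient API (options table or object cache) is used.
    $GLOBALS['mfa_transients'] = [];
    function get_transient(string $key)
    {
        $t = $GLOBALS['mfa_transients'][$key] ?? null;
        return ($t === null || $t['expires'] <= time()) ? false : $t['value'];
    }
    function set_transient(string $key, $value, int $ttl): bool
    {
        $GLOBALS['mfa_transients'][$key] = ['value' => $value, 'expires' => time() + $ttl];
        return true;
    }
    function delete_transient(string $key): bool
    {
        unset($GLOBALS['mfa_transients'][$key]);
        return true;
    }
}

/** Transient name derived from a hash of the IP: fixed length, no raw IP in the key. */
function mfa_ip_key(string $ip): string
{
    return 'mfa_fail_' . substr(hash('sha256', $ip), 0, 32);
}

/** Client IP. Behind a reverse proxy, trust only the header the proxy itself sets. */
function mfa_client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

/** Count a failure; each failure refreshes the TTL, so the counter ages out only after quiet. */
function mfa_record_failure(string $ip): int
{
    $key   = mfa_ip_key($ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, MFA_LOCKOUT_SECONDS);
    return $count;
}

function mfa_is_locked(string $ip): bool
{
    return (int) get_transient(mfa_ip_key($ip)) >= MFA_MAX_ATTEMPTS;
}

function mfa_clear_failures(string $ip): void
{
    delete_transient(mfa_ip_key($ip));
}

if (function_exists('add_filter')) {
    // Priority 30 runs after core's password check (priority 20), so a locked IP is
    // refused even when the password was right and cannot be used as a password oracle.
    add_filter('authenticate', function ($user, string $username, string $password) {
        if (mfa_is_locked(mfa_client_ip())) {
            return new WP_Error('mfa_locked', 'Too many failed attempts; try again in 15 minutes.');
        }
        return $user;
    }, 30, 3);

    add_action('wp_login_failed', function (string $username) {
        mfa_record_failure(mfa_client_ip());
    });
    add_action('wp_login', function (string $login, $user) {
        mfa_clear_failures(mfa_client_ip());
    }, 10, 2);

    // XML-RPC authenticates with username and password only and never shows the 2FA
    // prompt, so it is switched off while 2FA is enforced.
    add_filter('xmlrpc_enabled', '__return_false');
}

// Stand-alone demonstration of the counter and lock.
$ip = '203.0.113.7'; // constructed test address from the TEST-NET-3 range
for ($i = 0; $i < MFA_MAX_ATTEMPTS; $i++) {
    mfa_record_failure($ip);
}
var_dump(mfa_is_locked($ip));   // true after five failures
mfa_clear_failures($ip);
var_dump(mfa_is_locked($ip));   // false once cleared
```

Note that on a site behind Plesk's Nginx proxy, as the page describes, `REMOTE_ADDR` may be the proxy's address; the counter then locks everyone at once, so the real client address has to come from the header the proxy sets, never from one the client can supply. Transients on a site without a persistent object cache live in the options table, so a large attack leaves many rows behind until WordPress's transient cleanup runs.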

🔧

Hardening Checks

10+ security scans: file permissions, debug log exposure, database prefix, SSL enforcement, PHP version, REST user enumeration, XML-RPC status, .htaccess integrity. One-click remediation.

🌐

Nginx Directives Generator

Visual configurator that scans the server, detects installed AJT plugins, and generates production-ready Plesk nginx directives. Because the AJT stack runs on Nginx, which does not read .htaccess at all.

📧

New Device Alerts

Email notification on new device login. Instant awareness if someone authenticates from a device you don't recognise.

🔗

MSP Hub Integration

When MSP Hub is active, MFA challenges redirect to the branded login page instead of wp-login.php. Customers get MFA without seeing WordPress.

👤

Profile Integration

QR code setup, verification, recovery code regeneration, trusted device management, all in the WordPress user profile. Admins can reset any user.

🖥️

Dashboard

Adoption stats, per-user status table, settings tabs, activity log viewer. Know exactly how many users have MFA enabled and who's holding out.

Zero Dependencies

No Composer packages. No npm. No CDN. QR codes generated client-side. The entire plugin is 17 files and works completely offline.

Part of the Ecosystem

Every AJT plugin shares the same security model, UX system, and licensing infrastructure. They're designed as one architecture that ships as independent packages.

Want to Work Together?

I'm always interested in challenging WordPress architecture problems. If you need a plugin built properly, let's talk.

Get in Touch