-
Improvements
- The default "From email address" used by the plugin now uses the website's domain, thus improving email deliverability. Previously the plugin used the admin notifications email address configured in the WordPress settings.
- All one-time codes generated by the plugin are now 6 digits long.
- Applied some coding best practices in some sections to ensure better protection against timing base attacks.
-
Security fix
- Fixed a sensitive information disclosure issue - users' salts can only be potentially exposed if debug is enabled and the web server is not Apache.
-
Bug fixes
- Fixed: Text changes in the "logged out users trying to access 2FA config" setting not saved.
- Fixed: User not redirected to the URL configured in the settings when all backup codes are disabled.
- Fixed: Formatting / layout of advert in the configuration, which in some cases it was showing over some of the help text.