Right... I've got this working
Bear with me - the process is quite convoluted. There are a couple of choices here, but to complete this exercise, you will need
- Two Factor Authentication WordPress plugin from https://wordpress.org/plugins/two-factor-authentication/
- A legacy copy of Theme My Login (TML) from https://downloads.wordpress.org/plugin/theme-my-login.6.4.17.zip
Important note: TML v6 is abandoned, but the code is still very well written, and works fine with the latest version of WordPress. There are also no security concerns - I've performed a full code review, and the functions are in fact extensions of wp_login_form() which is a standard WordPress hook. TML is now on v7, which does NOT work, so don't even bother.
- Install and activate the Two Factor Authentication Plugin. Configure as required - I won't provide instructions here as this is beyond the scope of what I am looking to include
- Install and activate the TML plugin. The additional settings really depend on you, but are not necessary for this exercise.
- If you are using another profile plugin (as I am), you'll need to place the below code in your theme's functions.php file - note that you'll need to modify it to suit your environment:
```php
// Point TML's register and lost-password actions at this site's own pages.
function theme_action_url_redirect( $url, $action, $instance ) {
    // Useful if you're on a sub-domain; you can also change a bit more, e.g. using get_permalink( $page_id )
    $home_url = get_bloginfo( 'url' );
    switch ( $action ) {
        case 'register':
            $url = $home_url . '/session/register/';
            break;
        case 'lostpassword':
            $url = $home_url . '/session/resetpassword/';
            //$url = get_permalink( 3809 ); // where 3809 is the ID of the new lost password page
            break;
    }
    return $url;
}
add_filter( 'tml_action_url', 'theme_action_url_redirect', 10, 3 );

// Override the title TML shows for each action.
function tml_title( $title, $action ) {
    if ( is_user_logged_in() ) {
        $user = wp_get_current_user();
        if ( 'profile' == $action ) {
            $title = 'Your Profile';
        }
    } else {
        switch ( $action ) {
            case 'register':
                $title = 'Register';
                break;
            case 'lostpassword':
            case 'retrievepassword':
            case 'resetpass':
            case 'rp':
                $title = 'Forgot Password ?';
                break;
            case 'login':
            default:
                $title = '';
        }
    }
    return $title;
}
add_filter( 'tml_title', 'tml_title', 11, 2 );
```
Once you have this finalised, you can then use TML as the login page, and provided you've completed the necessary steps for Two Factor Authentication, when you log in, you'll be prompted to enter the 2FA code. The real bonus here is that the session token is NOT passed to Flarum until you complete this step.
What is ironic.... I wrote about this same issue some time ago, but for a different purpose. That thread is here in case anyone can benefit from it - https://wordpress.org/support/topic/support-for-ultimate-member/
Suggestions - for those of you who don't know me, I'm a security and infrastructure expert (CISO), and believe that security should be at the forefront of everything we do. Based on this, I'd strongly recommend using this plugin - https://en-gb.wordpress.org/plugins/wp-simple-firewall/ as it offers superb security, and most functions are free. The premium version is also very competitively priced.
A final note, that WP Shield also has its own 2FA module which needs to be disabled. Whilst this works, it does not halt the login process like the above mechanism does, meaning that if you enter the 2FA code incorrectly, you still have access to Flarum.
And we can't have that, can we !
Hope this is of some use for those on a similar journey
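
A check for the point made in the post, that the login must halt until the 2FA code is accepted (added example, not part of the original post or of either plugin): it reads the Set-Cookie headers captured at each login step and reports any WordPress auth cookie issued before the second factor passed. The step record layout, the site hash and the cookie values are constructed for illustration, and it assumes the WordPress auth cookie is what grants the session.

```python
import re

# WordPress auth cookies: wordpress_<hash>, wordpress_sec_<hash> and
# wordpress_logged_in_<hash>, where <hash> is 32 hex digits.
AUTH_COOKIE = re.compile(r"^wordpress_(?:sec_|logged_in_)?[0-9a-f]{32}$")

def auth_cookies_set(set_cookie_headers):
    """Names of the WordPress auth cookies a response sets."""
    names = []
    for header in set_cookie_headers:
        name, _, value = header.split(";", 1)[0].partition("=")
        # A blank value is treated as the cookie being cleared, not issued.
        if AUTH_COOKIE.match(name.strip()) and value.strip():
            names.append(name.strip())
    return names

def premature_sessions(flow):
    """(step number, cookie name) for each auth cookie issued before the
    second factor was accepted; an empty list means the login halted."""
    findings, second_factor_ok = [], False
    for number, step in enumerate(flow, start=1):
        if step["stage"] == "second_factor" and step["code_accepted"]:
            second_factor_ok = True
        if not second_factor_ok:
            findings += [(number, c) for c in auth_cookies_set(step["set_cookie"])]
    return findings

# Constructed sample captures (hash and cookie values are made up).
H = "0123456789abcdef0123456789abcdef"
TEST = "wordpress_test_cookie=WP%20Cookie%20check; path=/"
LOGGED_IN = f"wordpress_logged_in_{H}=alice%7Cconstructed; path=/; HttpOnly"
SEC = f"wordpress_sec_{H}=alice%7Cconstructed; path=/wp-admin; secure; HttpOnly"

HALTING = [
    {"stage": "password", "code_accepted": False, "set_cookie": [TEST]},
    {"stage": "second_factor", "code_accepted": True, "set_cookie": [LOGGED_IN, SEC]},
]
NON_HALTING = [
    {"stage": "password", "code_accepted": False, "set_cookie": [TEST, LOGGED_IN, SEC]},
    {"stage": "second_factor", "code_accepted": False, "set_cookie": []},
]

if __name__ == "__main__":
    for label, flow in (("halting", HALTING), ("non-halting", NON_HALTING)):
        print(label, premature_sessions(flow) or "no session before 2FA")
```

An empty result for your own captured login means no session was handed out ahead of the 2FA prompt.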