Two-Factor Authentication (2FA)

The Dealers Site supports Two-Factor Authentication for all dealer accounts, adding an extra layer of security beyond username and password.

Plugin: WP Simple Firewall

2FA and broader account security are handled by the WP Simple Firewall plugin (plugins/wp-simple-firewall/).

Method	Description
Email OTP	A one-time code is sent to the account's email on login
Authenticator App (TOTP)	Time-based OTP via Google Authenticator, Authy, etc.
Backup Codes	Pre-generated single-use backup codes

2FA can be enforced by user role. For the Dealers Site, 2FA is strongly recommended for all dealer accounts and required for admin accounts.

Configuration: WP Admin → Shield Security → Login Protection → Two-Factor Auth.

Beyond 2FA, Shield Security provides:

Login Brute Force Protection — lockout after repeated failed login attempts
IP Block List — block known malicious IPs
Username Enumeration Prevention — prevents attackers from discovering valid usernames
WordPress Vulnerability Scanning — checks plugins and themes for known vulnerabilities
Audit Trail — records all security events (logins, failed logins, settings changes)
Comment SPAM Protection — automated spam filtering
File Change Detection — alerts on unexpected changes to core WordPress files

The Dealers Site is served exclusively over HTTPS, enforced by:

Configure minimum password strength requirements under Shield Security → User Management.

Custom login page redirects are handled by Theme\Login (inc/class-login.php):