Skip to content

fix misleading notice #855#858

Open
masteradhoc wants to merge 1 commit intoWordPress:masterfrom
masteradhoc:855-optimize-notice
Open

fix misleading notice #855#858
masteradhoc wants to merge 1 commit intoWordPress:masterfrom
masteradhoc:855-optimize-notice

Conversation

@masteradhoc
Copy link
Copy Markdown
Collaborator

@masteradhoc masteradhoc commented Mar 28, 2026

What?

Show a generic fallback notice when the Two_Factor_Backup_Codes provider has been removed via the two_factor_providers filter, instead of always referencing "Recovery Codes" regardless of whether that provider is available.

Why?

When sites use the two_factor_providers filter to remove Two_Factor_Backup_Codes, the notice still tells users to enable "Recovery Codes" — a method that doesn't exist in their setup. This is misleading and confusing.

Fixes #855.

How?

The existing condition already correctly uses the filtered $providers array to determine whether there are multiple providers available (count( $providers ) > 1). The fix adds a simple isset( $providers['Two_Factor_Backup_Codes'] ) check on the message string itself:

  • If Two_Factor_Backup_Codes is present → show the existing specific message referencing Recovery Codes.
  • If Two_Factor_Backup_Codes is absent → show a generic message encouraging the user to enable any additional method.

No new filters or structural changes are needed.

Testing Instructions

  1. Install the Two-Factor plugin.
  2. Add the following to your theme's functions.php or a mu-plugin:
add_filter( 'two_factor_providers', function( $providers ) {
    unset( $providers['Two_Factor_Backup_Codes'] );
    return $providers;
});
  1. Enable a single primary 2FA method (e.g. TOTP) for a user.
  2. Visit the user's profile page.
  3. Before this fix: the notice references "Recovery Codes" even though that provider is unavailable.
  4. After this fix: the notice shows the generic message: "To prevent being locked out of your account, consider enabling an additional two-factor method in case you lose access to your primary authentication method."
  5. Remove the filter and repeat — confirm the original specific message referencing Recovery Codes still appears.

Changelog Entry

Fixed - Notice suggesting Recovery Codes no longer appears when the Backup Codes provider has been removed via the two_factor_providers filter.

@masteradhoc masteradhoc added this to the 0.17.0 milestone Mar 28, 2026
@masteradhoc masteradhoc self-assigned this Mar 28, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 28, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Unlinked Accounts

The following contributors have not linked their GitHub and WordPress.org accounts: @christofervas.

Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Unlinked contributors: christofervas.

Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@masteradhoc masteradhoc mentioned this pull request Mar 28, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kasparsd kasparsd Awaiting requested review from kasparsd

@georgestephanis georgestephanis Awaiting requested review from georgestephanis

Assignees

@masteradhoc masteradhoc

Labels

None yet

Projects

None yet

Milestone

0.17.0

Development

Successfully merging this pull request may close these issues.

Misleading notice

1 participant

@masteradhoc