: str_replace(): Passing null to parameter #2 ($replace) of type array|string is deprecated in
update_option('limit_login_retries', $retries);
$allowSeparatePrompt = ini_get('output_buffering') > 0;
if (wfConfig::get('loginSec_enableSeparateTwoFactor') && $allowSeparatePrompt) {
remove_action('login_errors', 'limit_login_fixup_error_messages'); //We're forced to do this because limit-login-attempts does not have any allowances for legitimate error messages
self::$authError = new WP_Error('twofactor_required', wp_kses(__('<strong>CHECK YOUR PHONE</strong>: A code has been sent to your phone and will arrive within 30 seconds. Enter it below to sign in.', 'wordfence'), array('strong'=>array())) . '<!-- wftwofactornonce:' . $userDat->ID . '/' . $loginNonce . ' -->');
remove_action('login_errors', 'limit_login_fixup_error_messages'); //We're forced to do this because limit-login-attempts does not have any allowances for legitimate error messages
self::$authError = new WP_Error('twofactor_required', wp_kses(__('<strong>CHECK YOUR PHONE</strong>: A code has been sent to your phone and will arrive within 30 seconds. Please sign in again and add a space, the letters <code>wf</code>, and the code to the end of your password (e.g., <code>wf123456</code>).', 'wordfence'), array('strong'=>array(), 'code'=>array())));
else { //oops, our API returned an error.
$requireAdminTwoFactor = false;
//Let them sign in without two factor because the API is broken and we don't want to lock users out of their own systems.
error_log('TOTP SMS error: ' . $e->getMessage());
$requireAdminTwoFactor = false;
// Couldn't connect to noc1, let them sign in since the password was correct.
else { //Old method phone authentication
$api = new wfAPI(wfConfig::get('apiKey'), wfUtils::getWPVersion());
$codeResult = $api->call('twoFactor_verification', array(), array('phone' => $twoFactorRecord[1]));
if (isset($codeResult['notPaid']) && $codeResult['notPaid']) {
$requireAdminTwoFactor = false;
//Let them sign in without two factor if their API key has expired or they're not paid and for some reason they have this set up.
if (isset($codeResult['ok']) && $codeResult['ok']) {
$twoFactorRecord[2] = $codeResult['code'];
$twoFactorRecord[4] = time() + 1800; //30 minutes until code expires
wfConfig::set_ser('twoFactorUsers', $twoFactorUsers); //save the code the user needs to enter and return an error.
if (self::hasGDLimitLoginsMUPlugin() && function_exists('limit_login_get_address')) {
$retries = get_option('limit_login_retries', array());
$ip = limit_login_get_address();
if (!is_array($retries)) {
if (isset($retries[$ip]) && is_int($retries[$ip])) {
update_option('limit_login_retries', $retries);
$allowSeparatePrompt = ini_get('output_buffering') > 0;
if (wfConfig::get('loginSec_enableSeparateTwoFactor') && $allowSeparatePrompt) {
remove_action('login_errors', 'limit_login_fixup_error_messages'); //We're forced to do this because limit-login-attempts does not have any allowances for legitimate error messages
self::$authError = new WP_Error('twofactor_required', wp_kses(__('<strong>CHECK YOUR PHONE</strong>: A code has been sent to your phone and will arrive within 30 seconds. Enter it below to sign in.', 'wordfence'), array('strong'=>array())) . '<!-- wftwofactornonce:' . $userDat->ID . '/' . $loginNonce . ' -->');
remove_action('login_errors', 'limit_login_fixup_error_messages'); //We're forced to do this because limit-login-attempts does not have any allowances for legitimate error messages
self::$authError = new WP_Error('twofactor_required', wp_kses(__('<strong>CHECK YOUR PHONE</strong>: A code has been sent to your phone and will arrive within 30 seconds. Please sign in again and add a space and the code to the end of your password (e.g., <code>wfABCD</code>).', 'wordfence'), array('strong'=>array(), 'code'=>array())));
else { //oops, our API returned an error.
$requireAdminTwoFactor = false;
//Let them sign in without two factor because the API is broken and we don't want to lock users out of their own systems.
$requireAdminTwoFactor = false;
// Couldn't connect to noc1, let them sign in since the password was correct.
} //end: Old method phone authentication
else if ($usingBreachedPassword) {
if (wfCredentialsController::hasPreviousLoginFromIP($authUser, wfUtils::getIP())) {
wfAdminNoticeQueue::removeAdminNotice(false, '2faBreachPassword', array($authUser->ID));
wfAdminNoticeQueue::addAdminNotice(wfAdminNotice::SEVERITY_CRITICAL, sprintf(__('<strong>WARNING: </strong>Your login has been allowed because you have previously logged in from the same IP, but you will be blocked if your IP changes. The password you are using exists on lists of passwords leaked in data breaches. Attackers use such lists to break into sites and install malicious code. Please <a href="%1$s">change your password</a>. <a href="%2$s" target="_blank" rel="noopener noreferrer">Learn More<span class="screen-reader-text"> (' . esc_html__('opens in new tab', 'wordfence') . ')</span></a>', 'wordfence'), self_admin_url('profile.php'), wfSupportController::esc_supportURL(wfSupportController::ITEM_USING_BREACH_PASSWORD)), 'previousIPBreachPassword', array($authUser->ID));
$username = $authUser->user_login;
self::getLog()->logLogin('loginFailValidUsername', 1, $username);
$alertCallback = array(new wfBreachLoginAlert($username, wp_lostpassword_url(), wfSupportController::esc_supportURL(wfSupportController::ITEM_USING_BREACH_PASSWORD), wfUtils::getIP()), 'send');
do_action('wordfence_security_event', 'breachLogin', array(
'resetPasswordURL' => wp_lostpassword_url(),
'supportURL' => wfSupportController::esc_supportURL(wfSupportController::ITEM_USING_BREACH_PASSWORD),
'ip' => wfUtils::getIP(),
remove_action('login_errors', 'limit_login_fixup_error_messages'); //We're forced to do this because limit-login-attempts does not have any allowances for legitimate error messages
self::$authError = new WP_Error('breached_password', sprintf(
/* translators: 1. Reset password URL. 2. Support URL. */
wp_kses(__('<strong>INSECURE PASSWORD:</strong> Your login attempt has been blocked because the password you are using exists on lists of passwords leaked in data breaches. Attackers use such lists to break into sites and install malicious code. Please <a href="%1$s">reset your password</a> to reactivate your account. <a href="%2$s" target="_blank" rel="noopener noreferrer">Learn More<span style="font-size:0;"> (opens in new tab)</span></a>', 'wordfence'), array('strong'=>array(), 'a'=>array('href'=>array(), 'target'=>array(), 'rel'=>array()), 'span'=>array('style'=>array()))), wp_lostpassword_url(), wfSupportController::esc_supportURL(wfSupportController::ITEM_USING_BREACH_PASSWORD)));
if ($requireAdminTwoFactor && wfUtils::isAdmin($authUser)) {
$username = $authUser->user_login;
self::getLog()->logLogin('loginFailValidUsername', 1, $username);
wordfence::alert(__("Admin Login Blocked", 'wordfence'), sprintf(/* translators: WordPress username. */__("A user with username \"%s\" who has administrator access tried to sign in to your WordPress site. Access was denied because all administrator accounts are required to have Cellphone Sign-in enabled but this account does not.", 'wordfence'), $username), wfUtils::getIP());
self::$authError = new WP_Error('twofactor_disabled_required', wp_kses(__('<strong>Cellphone Sign-in Required</strong>: Cellphone Sign-in is required for all administrator accounts. Please contact the site administrator to enable it for your account.', 'wordfence'), array('strong'=>array())));
//User is not configured for two factor. Sign in without two factor.
} //End: if ($checkTwoFactor)
else if ($usingBreachedPassword) {
if (wfCredentialsController::hasPreviousLoginFromIP($authUser, wfUtils::getIP())) {
wfAdminNoticeQueue::removeAdminNotice(false, '2faBreachPassword', array($authUser->ID));
wfAdminNoticeQueue::addAdminNotice(wfAdminNotice::SEVERITY_CRITICAL, sprintf(/* translators: 1. Reset password URL. 2. Support URL. */ __('<strong>WARNING: </strong>Your login has been allowed because you have previously logged in from the same IP, but you will be blocked if your IP changes. The password you are using exists on lists of passwords leaked in data breaches. Attackers use such lists to break into sites and install malicious code. Please <a href="%1$s">change your password</a>. <a href="%2$s" target="_blank" rel="noopener noreferrer">Learn More<span class="screen-reader-text"> (' . esc_html__('opens in new tab', 'wordfence') . ')</span></a>', 'wordfence'), self_admin_url('profile.php'), wfSupportController::esc_supportURL(wfSupportController::ITEM_USING_BREACH_PASSWORD)), 'previousIPBreachPassword', array($authUser->ID));
$username = $authUser->user_login;
self::getLog()->logLogin('loginFailValidUsername', 1, $username);
$alertCallback = array(new wfBreachLoginAlert($username, wp_lostpassword_url(), wfSupportController::esc_supportURL(wfSupportController::ITEM_USING_BREACH_PASSWORD), wfUtils::getIP()), 'send');
do_action('wordfence_security_event', 'breachLogin', array(
'resetPasswordURL' => wp_lostpassword_url(),
'supportURL' => wfSupportController::esc_supportURL(wfSupportController::ITEM_USING_BREACH_PASSWORD),
'ip' => wfUtils::getIP(),
remove_action('login_errors', 'limit_login_fixup_error_messages'); //We're forced to do this because limit-login-attempts does not have any allowances for legitimate error messages
self::$authError = new WP_Error('breached_password', sprintf(
/* translators: 1. Reset password URL. 2. Support URL. */
wp_kses(__('<strong>INSECURE PASSWORD:</strong> Your login attempt has been blocked because the password you are using exists on lists of passwords leaked in data breaches. Attackers use such lists to break into sites and install malicious code. Please <a href="%1$s">reset your password</a> to reactivate your account. <a href="%2$s" target="_blank" rel="noopener noreferrer">Learn More<span style="font-size:0;"> (opens in new tab)</span></a>', 'wordfence'), array('strong'=>array(), 'a'=>array('href'=>array(), 'target'=>array(), 'rel'=>array()), 'span'=>array('style'=>array()))), wp_lostpassword_url(), wfSupportController::esc_supportURL(wfSupportController::ITEM_USING_BREACH_PASSWORD)));
return self::processBruteForceAttempt($authUser, $username, $passwd);
public static function checkSecurityNetwork($endpointType = null) {
if (wfConfig::get('other_WFNet')) {
if ($maxBlockTime = self::wfsnIsBlocked($IP, 'brute', $endpointType)) {
$secsToGo = ($maxBlockTime ? $maxBlockTime : wfBlock::blockDuration());
$reason = __('Blocked by Wordfence Security Network', 'wordfence');
wfBlock::createWFSN($reason, $IP, $secsToGo, time(), time(), 1);
wfActivityReport::logBlockedIP($IP, null, 'brute');
self::getLog()->tagRequestForBlock($reason, true);
self::getLog()->getCurrentRequest()->action = 'blocked:wfsn';
self::getLog()->do503($secsToGo, $reason); //exits
public static function processBruteForceAttempt($authUser, $username, $passwd) {
$secEnabled = wfConfig::get('loginSecurityEnabled');
if (wfBlock::isWhitelisted($IP)) {
$failureErrorCodes = array('invalid_username', 'invalid_email', 'incorrect_password', 'twofactor_invalid', 'authentication_failed', 'wfls_twofactor_invalid', 'wfls_twofactor_failed', 'wfls_twofactor_blocked');
if (is_wp_error($authUser) && in_array($authUser->get_error_code(), $failureErrorCodes)) {
self::checkSecurityNetwork(); //May exit
if(is_wp_error($authUser) && ($authUser->get_error_code() == 'invalid_username' || $authUser->get_error_code() == 'invalid_email')){
if($blacklist = wfConfig::get('loginSec_userBlacklist')){
$users = explode("\n", wfUtils::cleanupOneEntryPerLine($blacklist));
foreach($users as $user){
if(strtolower($username) == strtolower($user)){
$secsToGo = wfBlock::blockDuration();
$reason = __('Blocked by login security setting', 'wordfence');
wfBlock::createIP($reason, $IP, $secsToGo, time(), time(), 1, wfBlock::TYPE_IP_AUTOMATIC_TEMPORARY);
wfActivityReport::logBlockedIP($IP, null, 'brute');
self::getLog()->tagRequestForBlock($reason);
self::getLog()->do503($secsToGo, $reason); //exits
if(wfConfig::get('loginSec_lockInvalidUsers')){
if(strlen($username) > 0 && preg_match('/[^\r\s\n\t]+/', $username)){
self::lockOutIP($IP, sprintf(/* translators: WordPress username. */ __("Used an invalid username '%s' to try to sign in", 'wordfence'), $username));
self::getLog()->logLogin('loginFailInvalidUsername', true, $username);
$customText = wpautop(wp_strip_all_tags(wfConfig::get('blockCustomText', '')));
require(dirname(__FILE__) . '/wfLockedOut.php');
$tKey = self::getLoginFailureCountTransient($IP);
if(is_wp_error($authUser) && in_array($authUser->get_error_code(), $failureErrorCodes)) {
$tries = get_transient($tKey);
if($tries >= wfConfig::get('loginSec_maxFailures')){
/* translators: 1. Login attempt limit. 2. WordPress username. */
__('Exceeded the maximum number of login failures which is: %1$s. The last username they tried to sign in with was: \'%2$s\'', 'wordfence'),
wfConfig::get('loginSec_maxFailures'),
$customText = wpautop(wp_strip_all_tags(wfConfig::get('blockCustomText', '')));
require(dirname(__FILE__) . '/wfLockedOut.php');
set_transient($tKey, $tries, wfConfig::get('loginSec_countFailMins') * 60);
if(is_wp_error($authUser)){
if($authUser->get_error_code() == 'invalid_username' || $authUser->get_error_code() == 'invalid_email'){
self::getLog()->logLogin('loginFailInvalidUsername', 1, $username);
self::getLog()->logLogin('loginFailValidUsername', 1, $username);
if(is_wp_error($authUser) && ($authUser->get_error_code() == 'invalid_username' || $authUser->get_error_code() == 'invalid_email' || $authUser->get_error_code() == 'incorrect_password') && wfConfig::get('loginSec_maskLoginErrors')){
return new WP_Error( 'incorrect_password', sprintf(
/* translators: 1. WordPress username. 2. Reset password URL. */
wp_kses(__( '<strong>ERROR</strong>: The username or password you entered is incorrect. <a href="%2$s" title="Password Lost and Found">Lost your password</a>?', 'wordfence' ), array('strong'=>array(), 'a'=>array('href'=>array(), 'title'=>array()))), $username, wp_lostpassword_url() ) );
public static function wfsnBatchReportBlockedAttempts() {
if (!defined('DONOTCACHEDB')) { define('DONOTCACHEDB', true); }
$threshold = wfConfig::get('lastBruteForceDataSendTime', 0);;
$table_wfHits = wfDB::networkTable('wfHits');
$rawBlocks = $wfdb->querySelect("SELECT IP, ctime, actionData FROM {$table_wfHits} WHERE ctime > %f AND action = 'blocked:wfsnrepeat' ORDER BY ctime ASC LIMIT 100", sprintf('%.6f', $threshold));
$totalRows = $wfdb->querySingle("SELECT COUNT(*) FROM {$table_wfHits} WHERE ctime > %f AND action = 'blocked:wfsnrepeat'", sprintf('%.6f', $threshold));
foreach ($rawBlocks as $record) {
$maxctime = max($maxctime, $record['ctime']);
if (!empty($record['actionData'])) {
$actionData = wfRequestModel::unserializeActionData($record['actionData']);
if (isset($actionData['type'])) {
$endpointType = $actionData['type'];
if (isset($ipCounts[$record['IP']])) {
$ipCounts[$record['IP']] = array();
if (isset($ipCounts[$record['IP']][$endpointType])) {
$ipCounts[$record['IP']][$endpointType]++;
$ipCounts[$record['IP']][$endpointType] = 1;
foreach ($ipCounts as $IP => $endpoints) {
foreach ($endpoints as $endpointType => $count) {
$toSend[] = array('IP' => base64_encode($IP), 'count' => $count, 'blocked' => 1, 'type' => $endpointType);
$response = wp_remote_post(WORDFENCE_HACKATTEMPT_URL_SEC . 'multipleHackAttempts/?k=' . rawurlencode(wfConfig::get('apiKey')) . '&t=brute', array(
'user-agent' => "Wordfence.com UA " . (defined('WORDFENCE_VERSION') ? WORDFENCE_VERSION : '[Unknown version]'),
'body' => 'IPs=' . rawurlencode(json_encode($toSend)),
'headers' => array('Referer' => false),
if (!is_wp_error($response)) {
self::wfsnScheduleBatchReportBlockedAttempts();
wfConfig::set('lastBruteForceDataSendTime', $maxctime);
self::wfsnScheduleBatchReportBlockedAttempts();
private static function wfsnScheduleBatchReportBlockedAttempts($timeToSend = null) {
if (!defined('DONOTCACHEDB')) { define('DONOTCACHEDB', true); }
if ($timeToSend === null) {
$timeToSend = time() + 30;
$notMainSite = is_multisite() && !is_main_site();
switch_to_blog($current_site->blog_id);
if (!wp_next_scheduled('wordfence_batchReportBlockedAttempts')) {
wp_schedule_single_event($timeToSend, 'wordfence_batchReportBlockedAttempts');
public static function wfsnReportBlockedAttempt($IP, $type){
if (!defined('DONOTCACHEDB')) { define('DONOTCACHEDB', true); }
self::wfsnScheduleBatchReportBlockedAttempts();
$endpointType = self::wfsnEndpointType();
self::getLog()->getCurrentRequest()->actionData = wfRequestModel::serializeActionData(array('type' => $endpointType));
public static function wfsnBatchReportFailedAttempts() {
if (!defined('DONOTCACHEDB')) { define('DONOTCACHEDB', true); }
$table_wfSNIPCache = wfDB::networkTable('wfSNIPCache');
$rawRecords = $wfdb->querySelect("SELECT id, IP, type, count, 1 AS failed FROM {$table_wfSNIPCache} WHERE count > 0 AND expiration < FROM_UNIXTIME(%d) LIMIT 100", $threshold);
if (count($rawRecords)) {
foreach ($rawRecords as $record) {
$toDelete[] = $record['id'];
$record['IP'] = base64_encode(filter_var($record['IP'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ? wfUtils::inet_aton($record['IP']) : wfUtils::inet_pton($record['IP']));
$key = $record['IP'] . $record['type']; //Aggregate multiple records if for some reason there are multiple for an IP/type combination
if (!isset($toSend[$key])) {
$toSend[$key]['count'] += $record['count'];
$toSend = array_values($toSend);
$response = wp_remote_post(WORDFENCE_HACKATTEMPT_URL_SEC . 'multipleHackAttempts/?k=' . rawurlencode(wfConfig::get('apiKey')) . '&t=brute', array(
'user-agent' => "Wordfence.com UA " . (defined('WORDFENCE_VERSION') ? WORDFENCE_VERSION : '[Unknown version]'),
'body' => 'IPs=' . rawurlencode(json_encode($toSend)),
'headers' => array('Referer' => false),
if (is_wp_error($response)) {
self::wfsnScheduleBatchReportFailedAttempts();
array_unshift($toDelete, $threshold);
$wfdb->queryWriteIgnoreError("DELETE FROM {$table_wfSNIPCache} WHERE (expiration < FROM_UNIXTIME(%d) AND count = 0)" . (count($toDelete) > 1 ? " OR id IN (" . rtrim(str_repeat('%d, ', count($toDelete) - 1), ', ') . ")" : ""), $toDelete);
$remainingRows = $wfdb->querySingle("SELECT COUNT(*) FROM {$table_wfSNIPCache}");
if ($remainingRows > 0) {
self::wfsnScheduleBatchReportFailedAttempts();
private static function wfsnScheduleBatchReportFailedAttempts($timeToSend = null) {
if (!defined('DONOTCACHEDB')) { define('DONOTCACHEDB', true); }
if ($timeToSend === null) {
$timeToSend = time() + 30;
$notMainSite = is_multisite() && !is_main_site();
switch_to_blog($current_site->blog_id);
if (!wp_next_scheduled('wordfence_batchReportFailedAttempts')) {
wp_schedule_single_event($timeToSend, 'wordfence_batchReportFailedAttempts');
public static function wfsnIsBlocked($IP, $hitType, $endpointType = null) {
if (!defined('DONOTCACHEDB')) { define('DONOTCACHEDB', true); }
if ($endpointType === null) { $endpointType = self::wfsnEndpointType(); }
$table_wfSNIPCache = wfDB::networkTable('wfSNIPCache');
$cachedRecord = $wfdb->querySingleRec("SELECT id, body FROM {$table_wfSNIPCache} WHERE IP = '%s' AND type = %d AND expiration > NOW()", $IP, $endpointType);
if (isset($cachedRecord)) {
$wfdb->queryWriteIgnoreError("UPDATE {$table_wfSNIPCache} SET count = count + 1 WHERE id = %d", $cachedRecord['id']);
if (preg_match('/BLOCKED:(\d+)/', $cachedRecord['body'], $matches) && (!wfBlock::isWhitelisted($IP))) {
$backoff = get_transient('wfsn_backoff');
$result = wp_remote_get(WORDFENCE_HACKATTEMPT_URL_SEC . 'hackAttempt/?k=' . rawurlencode(wfConfig::get('apiKey')) .
'&IP=' . rawurlencode(filter_var($IP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ? wfUtils::inet_aton($IP) : wfUtils::inet_pton($IP)) .
'&t=' . rawurlencode($hitType) .
'&type=' . $endpointType,
'user-agent' => "Wordfence.com UA " . (defined('WORDFENCE_VERSION') ? WORDFENCE_VERSION : '[Unknown version]'),
'headers' => array('Referer' => false),
if (is_wp_error($result)) {
set_transient('wfsn_backoff', 1, WORDFENCE_NOC3_FAILED_BACKOFF_TIME);
$wfdb->queryWriteIgnoreError("INSERT INTO {$table_wfSNIPCache} (IP, type, expiration, body) VALUES ('%s', %d, DATE_ADD(NOW(), INTERVAL %d SECOND), '%s')", $IP, $endpointType, 30, $result['body']);
self::wfsnScheduleBatchReportFailedAttempts();
if (preg_match('/BLOCKED:(\d+)/', $result['body'], $matches) && (!wfBlock::isWhitelisted($IP))) {
} catch (Exception $err) {
set_transient('wfsn_backoff', 1, WORDFENCE_NOC3_FAILED_BACKOFF_TIME);
public static function wfsnEndpointType() {
if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST) {
else if (defined('DOING_AJAX') && DOING_AJAX) {
if (isset($_REQUEST['action']) && ($_REQUEST['action'] == 'wordfence_ls_authenticate' || $_REQUEST['action'] == 'nopriv_wordfence_ls_authenticate')) {
else if (strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false) {
public static function logoutAction(){
$userID = self::getLog()->getCurrentRequest()->userID;
$userDat = get_user_by('id', $userID);
self::getLog()->logLogin('logout', 0, $userDat->user_login);
// Unset the roadblock cookie
if (!WFWAF_SUBDIRECTORY_INSTALL) {
wfUtils::setcookie(wfWAF::getInstance()->getAuthCookieName(), ' ', time() - (86400 * 365), '/', null, wfUtils::isFullSSL(), true);
public static function loginInitAction() {
$lockout = wfBlock::lockoutForIP(wfUtils::getIP());
if ($lockout !== false) {
$customText = wpautop(wp_strip_all_tags(wfConfig::get('blockCustomText', '')));
require(dirname(__FILE__) . '/wfLockedOut.php');
self::doEarlyAccessLogging(); //Rate limiting
public static function authAction(&$username, &$passwd){
$lockout = wfBlock::lockoutForIP(wfUtils::getIP());
if ($lockout !== false) {
$customText = wpautop(wp_strip_all_tags(wfConfig::get('blockCustomText', '')));
require(dirname(__FILE__) . '/wfLockedOut.php');
if (isset($_POST['wordfence_twoFactorUser'])) { //Final stage of login -- get and verify 2fa code, make sure we load the appropriate user
$userID = intval($_POST['wordfence_twoFactorUser']);
$twoFactorNonce = preg_replace('/[^a-f0-9]/i', '', $_POST['wordfence_twoFactorNonce']);
if (self::verifyTwoFactorIntermediateValues($userID, $twoFactorNonce)) {
$user = get_user_by('ID', $userID);
$username = $user->user_login;
$passwd = $twoFactorNonce;
if (is_array($username) || is_array($passwd)) { return; }
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
