2FA TOTP Plugin for Bludit – Where It's At (and Why It Doesn't Quite Work Yet)

kbeezie
Ssr. Bludit
Posts: 22
Joined: Sun May 03, 2026 9:20 pm
Location: Grand Rapids, Michigan, USA
Has thanked: 2 times
Been thanked: 3 times

After I patched some bugs and security vulnerabilities in my copy of 3.22.0, I decided I would try to create a TOTP-based 2FA plugin, since I already do that for my own WordPress sites. I spent some time building one for Bludit Pro 3.22.0. The idea was to have a proper second factor using any authenticator app (Google Authenticator, Authy, etc.) for the admin login.

What's working:
  • The plugin has its own self‑contained TOTP library – no external dependencies.
  • There's an admin page where each user can generate a secret, scan a QR code, and enable/disable 2FA for their account.
  • The secret is generated using a cryptographically secure random source, so it's unique per user (no weird global salts needed – each user gets their own base32 secret).
  • If you submit a TOTP code, the plugin verifies it correctly against that stored secret.

So the setup side is functional. If it worked end‑to‑end, you'd log in with your password, then get prompted for your authenticator code before you see the dashboard.

Where it falls apart:

Bludit's authentication flow creates the session the instant your password is verified. There is no hook between “password correct” and “session created” – the login just finishes before any plugin can intervene. Every attempt I made to block the admin pages after login ended up either:
  • Letting you bypass the 2FA entirely (opening a new tab while sitting on the 2FA prompt would show you already logged in), or
  • Getting stuck in a loop between the 2FA code and the login form, or
  • Breaking the session/cookie handling in weird ways.

In short, a pure‑plugin 2FA can't work without touching core files. The login flow would need a small modification – maybe a beforeLogin hook that lets a plugin deny the session, or a built‑in TOTP challenge step in the core login controller.

What's left:

The plugin still needs some UI polish to look like the polished 2FA plugins you see in other CMSes, but the core logic (secret generation, QR codes, code verification) is there. If anyone wants to take a stab at it – or if a future version of Bludit adds the right hook – all the guts seem to be there for the most part.

Happy to share the code if there's interest. It's a good starting point, just can't cross the finish line without some core modifications.
Attachment: totp.tgz (5.43 KiB)
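The post describes the two pieces of such a plugin: a self-contained TOTP implementation (per-user base32 secret, code verification) and a login flow in which a correct password alone must not yield a usable admin session. The following is an added example written for this thread, not the attached plugin, not Bludit code, and in Python rather than PHP so it can be run and checked directly. The TOTP part follows RFC 4226 (HOTP) and RFC 6238 (TOTP) and uses the RFCs' published reference key so its output can be compared against their test vectors. The `password_login` / `complete_2fa` / `admin_allowed` functions and the dict-based session are an assumed sketch of the two-phase session state the post says Bludit's core would need; they are not Bludit APIs or hook names.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed demo key: the ASCII reference key from RFC 4226 / RFC 6238 ("12345678901234567890"),
# used only so the results below can be checked against the RFCs' published test vectors.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(num_bytes: int = 20) -> str:
    """Per-user base32 secret from the OS CSPRNG; 20 bytes = 160 bits, the RFC 4226 minimum."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def _decode_secret(secret_b32: str) -> bytes:
    """Normalise what an authenticator app would accept: case, spaces, missing '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, at_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter the submitted code matched, or None.

    Accepts the current step and +/- `window` neighbours to tolerate clock drift, compares in
    constant time, and evaluates every candidate instead of returning early so response timing
    does not reveal which step matched.
    """
    if at_time is None:
        at_time = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    base = at_time // step
    matched = None
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, base + delta, digits), submitted):
            matched = base + delta
    return matched


# --- Assumed two-phase login state (not a Bludit API): the shape the post argues for --------
# A correct password creates only a "pending_2fa" session; nothing admin-facing is allowed
# until the TOTP challenge upgrades it to "full". Because the gate is the session's own state,
# a second tab opened during the challenge sees the same pending, unprivileged session.

def password_login(session: dict, password_ok: bool) -> dict:
    session.clear()                       # drop any prior state (session-fixation hygiene)
    if password_ok:
        session["auth_stage"] = "pending_2fa"
    return session


def complete_2fa(session: dict, user: dict, code: str, at_time: int) -> dict:
    """Upgrade the session only on a fresh TOTP code. `user` holds the secret and the last
    accepted counter so a code that was already used cannot be replayed within its window."""
    if session.get("auth_stage") != "pending_2fa":
        return session
    matched = verify_totp(user["secret"], code, at_time=at_time)
    if matched is not None and matched > user.get("last_counter", -1):
        user["last_counter"] = matched
        session["auth_stage"] = "full"
    return session


def admin_allowed(session: dict) -> bool:
    return session.get("auth_stage") == "full"


if __name__ == "__main__":
    user = {"secret": DEMO_SECRET_B32, "last_counter": -1}
    s = password_login({}, password_ok=True)
    print("after password only, admin allowed:", admin_allowed(s))   # False
    complete_2fa(s, user, totp(user["secret"], 59), at_time=59)
    print("after TOTP, admin allowed:", admin_allowed(s))            # True
```

Two details worth carrying into any real plugin: the verifier remembers the last accepted time-step per user so the same code cannot be submitted twice inside the drift window, and the admin gate keys off the session's stage rather than off which page the user last loaded, which is exactly what a post-login redirect in a plugin cannot enforce when the core has already issued a fully privileged session.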