From 57c26dd16526f4414197d54ab49972e69102e990 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Wed, 2 Apr 2025 22:11:16 +0300
Subject: [PATCH 01/10] List the recommended methods first

---
 class-two-factor-core.php | 40 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 5eaa765a..fa507a88 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1901,13 +1901,46 @@ public static function user_two_factor_options( $user ) {
 		do_action( 'show_user_security_settings', $user, $providers );
 	}
 
+	/**
+	 * Get the recommended providers for a user.
+	 *
+	 * @param WP_User $user User instance.
+	 *
+	 * @return array List of provider keys.
+	 */
+	private static function get_recommended_providers( $user ) {
+		$providers = array(
+			'Two_Factor_Totp',
+			'Two_Factor_Backup_Codes',
+		);
+
+		/**
+		 * Set the keys of the recommended (secure) methods.
+		 *
+		 * @param array   $recommended_providers The recommended providers.
+		 * @param WP_User $user The user.
+		 */
+		return (array) apply_filters( 'two_factor_recommended_providers', $providers, $user );
+	}
+
+	/**
+	 * Render the user settings.
+	 *
+	 * @param WP_User $user User instance.
+	 * @param array $providers List of available providers.
+	 */
 	private static function render_user_providers_form( $user, $providers ) {
 		$primary_provider_key = self::get_primary_provider_key_selected_for_user( $user );
 		$enabled_providers = self::get_enabled_providers_for_user( $user );
+		$recommended_provider_keys = self::get_recommended_providers( $user );
+
+		// Move the recommended providers first.
+		$recommended_providers = array_intersect_key( $providers, array_flip( $recommended_provider_keys ) );
+		$providers = array_merge( $recommended_providers, $providers );
 
 		?>
 		<p>
-			<?php esc_html_e( 'Configure a primary two-factor method along with a backup method, such as Recovery Codes, to avoid being locked out if you lose access to your primary method.', 'two-factor' ); ?>
+			<?php esc_html_e( 'Configure a primary two-factor method along with a backup method, such as Recovery Codes, to avoid being locked out if you lose access to your primary method. Methods marked as recommended are more secure and easier to use.', 'two-factor' ); ?>
 		</p>
 
 		<?php wp_nonce_field( 'user_two_factor_options', '_nonce_user_two_factor_options', false ); ?>
@@ -1921,7 +1954,10 @@ private static function render_user_providers_form( $user, $providers ) {
 					<td>
 						<label class="two-factor-method-label">
 							<input id="enabled-<?php echo esc_attr( $provider_key ); ?>" type="checkbox" name="<?php echo esc_attr( self::ENABLED_PROVIDERS_USER_META_KEY ); ?>[]" value="<?php echo esc_attr( $provider_key ); ?>" <?php checked( in_array( $provider_key, $enabled_providers, true ) ); ?> />
-							<?php echo esc_html( sprintf( __( 'Enable %s', 'two-factor' ), $object->get_label() ) ); ?>
+							<strong><?php echo esc_html( sprintf( __( 'Enable %s', 'two-factor' ), $object->get_label() ) ); ?></strong>
+							<?php if ( in_array( $provider_key, $recommended_provider_keys, true ) ) : ?>
+								<abbr title="<?php esc_attr_e( 'This method is more secure and easy to use', 'two-factor' ) ?>" class="two-factor-method-recommended"><?php esc_html_e( 'Recommended', 'two-factor' ); ?></abbr>
+							<?php endif; ?>
 						</label>
 						<?php
 						/**

From fdf21f5b20150375022b18c93741706e17ba40eb Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Wed, 2 Apr 2025 22:11:27 +0300
Subject: [PATCH 02/10] Style the recommended label

---
 user-edit.css | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/user-edit.css b/user-edit.css
index 4280ce99..12a841da 100644
--- a/user-edit.css
+++ b/user-edit.css
@@ -7,3 +7,13 @@
 	display: block;
 	font-weight: 700;
 }
+
+.two-factor-methods-table .two-factor-method-recommended {
+	font-size: 0.8rem;
+	line-height: 1;
+	font-weight: normal;
+	border: 1px solid;
+	border-radius: 0.15rem;
+	padding: 0.1rem 0.25rem;
+	margin: 0 0.15rem;
+}

From c20681be24707153f681868d5ff19d7b9eceb336 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Wed, 2 Apr 2025 22:12:18 +0300
Subject: [PATCH 03/10] Use dotted to seperate from solid buttons and match the
 default abbr style

---
 user-edit.css | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/user-edit.css b/user-edit.css
index 12a841da..c5f3d463 100644
--- a/user-edit.css
+++ b/user-edit.css
@@ -12,7 +12,7 @@
 	font-size: 0.8rem;
 	line-height: 1;
 	font-weight: normal;
-	border: 1px solid;
+	border: 1px dotted;
 	border-radius: 0.15rem;
 	padding: 0.1rem 0.25rem;
 	margin: 0 0.15rem;

From b91faacc7309ee4bed6e9da64219d426ff446c10 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Wed, 2 Apr 2025 22:21:24 +0300
Subject: [PATCH 04/10] Per linter

---
 class-two-factor-core.php | 12 ++++++------
 user-edit.css             |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index fa507a88..56d6e4bc 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1837,7 +1837,7 @@ public static function manage_users_custom_column( $output, $column_name, $user_
 	 * @param WP_User $user WP_User object of the logged-in user.
 	 */
 	public static function user_two_factor_options( $user ) {
-		$notices = [];
+		$notices = array();
 
 		$providers = self::get_supported_providers_for_user( $user );
 
@@ -1927,16 +1927,16 @@ private static function get_recommended_providers( $user ) {
 	 * Render the user settings.
 	 *
 	 * @param WP_User $user User instance.
-	 * @param array $providers List of available providers.
+	 * @param array   $providers List of available providers.
 	 */
 	private static function render_user_providers_form( $user, $providers ) {
-		$primary_provider_key = self::get_primary_provider_key_selected_for_user( $user );
-		$enabled_providers = self::get_enabled_providers_for_user( $user );
+		$primary_provider_key      = self::get_primary_provider_key_selected_for_user( $user );
+		$enabled_providers         = self::get_enabled_providers_for_user( $user );
 		$recommended_provider_keys = self::get_recommended_providers( $user );
 
 		// Move the recommended providers first.
 		$recommended_providers = array_intersect_key( $providers, array_flip( $recommended_provider_keys ) );
-		$providers = array_merge( $recommended_providers, $providers );
+		$providers             = array_merge( $recommended_providers, $providers );
 
 		?>
 		<p>
@@ -1956,7 +1956,7 @@ private static function render_user_providers_form( $user, $providers ) {
 							<input id="enabled-<?php echo esc_attr( $provider_key ); ?>" type="checkbox" name="<?php echo esc_attr( self::ENABLED_PROVIDERS_USER_META_KEY ); ?>[]" value="<?php echo esc_attr( $provider_key ); ?>" <?php checked( in_array( $provider_key, $enabled_providers, true ) ); ?> />
 							<strong><?php echo esc_html( sprintf( __( 'Enable %s', 'two-factor' ), $object->get_label() ) ); ?></strong>
 							<?php if ( in_array( $provider_key, $recommended_provider_keys, true ) ) : ?>
-								<abbr title="<?php esc_attr_e( 'This method is more secure and easy to use', 'two-factor' ) ?>" class="two-factor-method-recommended"><?php esc_html_e( 'Recommended', 'two-factor' ); ?></abbr>
+								<abbr title="<?php esc_attr_e( 'This method is more secure and easy to use', 'two-factor' ); ?>" class="two-factor-method-recommended"><?php esc_html_e( 'Recommended', 'two-factor' ); ?></abbr>
 							<?php endif; ?>
 						</label>
 						<?php
diff --git a/user-edit.css b/user-edit.css
index c5f3d463..badb1eea 100644
--- a/user-edit.css
+++ b/user-edit.css
@@ -11,7 +11,7 @@
 .two-factor-methods-table .two-factor-method-recommended {
 	font-size: 0.8rem;
 	line-height: 1;
-	font-weight: normal;
+	font-weight: 400;
 	border: 1px dotted;
 	border-radius: 0.15rem;
 	padding: 0.1rem 0.25rem;

From 2c4db5b5593f7b7b91cdca2f7c323f220f19b3cc Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Wed, 2 Apr 2025 22:34:33 +0300
Subject: [PATCH 05/10] Help guide the user through setup

---
 providers/class-two-factor-totp.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/providers/class-two-factor-totp.php b/providers/class-two-factor-totp.php
index d29d1eae..9f7e1d65 100644
--- a/providers/class-two-factor-totp.php
+++ b/providers/class-two-factor-totp.php
@@ -290,7 +290,7 @@ public function user_two_factor_options( $user ) {
 			?>
 
 			<p>
-				<?php esc_html_e( 'Please scan the QR code or manually enter the key, then enter an authentication code from your app in order to complete setup.', 'two-factor' ); ?>
+				<?php esc_html_e( 'Please scan the QR code or manually copy the shared secret key from below to your Authenticator app:', 'two-factor' ); ?>
 			</p>
 			<p id="two-factor-qr-code">
 				<a href="<?php echo $totp_url; ?>">
@@ -343,7 +343,11 @@ public function user_two_factor_options( $user ) {
 			</script>
 
 			<p>
-				<code><?php echo esc_html( $key ); ?></code>
+				<?php esc_html_e( 'Shared secret key:', 'two-factor' ); ?> <code><?php echo esc_html( $key ); ?></code>
+			</p>
+			<hr />
+			<p>
+				<?php esc_html_e( 'Enter the code generated by the Authenticator app to complete the setup:', 'two-factor' ); ?>
 			</p>
 			<p>
 				<input type="hidden" id="two-factor-totp-key" name="two-factor-totp-key" value="<?php echo esc_attr( $key ); ?>" />

From bc4ed48f1d6ab9c68a17be978c0290424200ab0d Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Wed, 2 Apr 2025 22:39:53 +0300
Subject: [PATCH 06/10] Translate the string

---
 providers/class-two-factor-totp.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/providers/class-two-factor-totp.php b/providers/class-two-factor-totp.php
index 9f7e1d65..dc2c7f3a 100644
--- a/providers/class-two-factor-totp.php
+++ b/providers/class-two-factor-totp.php
@@ -294,7 +294,7 @@ public function user_two_factor_options( $user ) {
 			</p>
 			<p id="two-factor-qr-code">
 				<a href="<?php echo $totp_url; ?>">
-					Loading...
+					<?php esc_html_e( 'Loading…', 'two-factor' ); ?>
 					<img src="<?php echo esc_url( admin_url( 'images/spinner.gif' ) ); ?>" alt="" />
 				</a>
 			</p>

From e47f019c818a3d939f29412165434c4eabbcf440 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Wed, 2 Apr 2025 22:40:09 +0300
Subject: [PATCH 07/10] Escape the URL

---
 providers/class-two-factor-totp.php | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/providers/class-two-factor-totp.php b/providers/class-two-factor-totp.php
index dc2c7f3a..efea8b94 100644
--- a/providers/class-two-factor-totp.php
+++ b/providers/class-two-factor-totp.php
@@ -283,22 +283,19 @@ public function user_two_factor_options( $user ) {
 		<div id="two-factor-totp-options">
 		<?php
 		if ( empty( $key ) ) :
-
 			$key      = $this->generate_key();
 			$totp_url = $this->generate_qr_code_url( $user, $key );
 
 			?>
-
 			<p>
 				<?php esc_html_e( 'Please scan the QR code or manually copy the shared secret key from below to your Authenticator app:', 'two-factor' ); ?>
 			</p>
 			<p id="two-factor-qr-code">
-				<a href="<?php echo $totp_url; ?>">
+				<a href="<?php echo esc_url( $totp_url ); ?>">
 					<?php esc_html_e( 'Loading…', 'two-factor' ); ?>
 					<img src="<?php echo esc_url( admin_url( 'images/spinner.gif' ) ); ?>" alt="" />
 				</a>
 			</p>
-
 			<style>
 				#two-factor-qr-code {
 					/* The size of the image will change based on the length of the URL inside it. */

From 2dd5bd8b17e67a0c9ad2eb745aa51518374a86c1 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Wed, 2 Apr 2025 22:40:32 +0300
Subject: [PATCH 08/10] Match WPCS

---
 providers/class-two-factor-totp.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/providers/class-two-factor-totp.php b/providers/class-two-factor-totp.php
index efea8b94..88831185 100644
--- a/providers/class-two-factor-totp.php
+++ b/providers/class-two-factor-totp.php
@@ -64,7 +64,7 @@ public function register_rest_routes() {
 				array(
 					'methods'             => WP_REST_Server::DELETABLE,
 					'callback'            => array( $this, 'rest_delete_totp' ),
-					'permission_callback' => function( $request ) {
+					'permission_callback' => function ( $request ) {
 						return Two_Factor_Core::rest_api_can_edit_user_and_update_two_factor_options( $request['user_id'] );
 					},
 					'args'                => array(
@@ -77,20 +77,20 @@ public function register_rest_routes() {
 				array(
 					'methods'             => WP_REST_Server::CREATABLE,
 					'callback'            => array( $this, 'rest_setup_totp' ),
-					'permission_callback' => function( $request ) {
+					'permission_callback' => function ( $request ) {
 						return Two_Factor_Core::rest_api_can_edit_user_and_update_two_factor_options( $request['user_id'] );
 					},
 					'args'                => array(
-						'user_id' => array(
+						'user_id'         => array(
 							'required' => true,
 							'type'     => 'integer',
 						),
-						'key'     => array(
+						'key'             => array(
 							'type'              => 'string',
 							'default'           => '',
 							'validate_callback' => null, // Note: validation handled in ::rest_setup_totp().
 						),
-						'code'    => array(
+						'code'            => array(
 							'type'              => 'string',
 							'default'           => '',
 							'validate_callback' => null, // Note: validation handled in ::rest_setup_totp().
@@ -159,10 +159,10 @@ public function rest_delete_totp( $request ) {
 		$this->user_two_factor_options( $user );
 		$html = ob_get_clean();
 
-		return [
+		return array(
 			'success' => true,
 			'html'    => $html,
-		];
+		);
 	}
 
 	/**
@@ -198,10 +198,10 @@ public function rest_setup_totp( $request ) {
 		$this->user_two_factor_options( $user );
 		$html = ob_get_clean();
 
-		return [
+		return array(
 			'success' => true,
 			'html'    => $html,
-		];
+		);
 	}
 
 	/**

From 1fde89a2a7b38a663fcd11ec3b4f8e4a9908c740 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Wed, 2 Apr 2025 22:46:44 +0300
Subject: [PATCH 09/10] Describe the consequences

---
 providers/class-two-factor-backup-codes.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/providers/class-two-factor-backup-codes.php b/providers/class-two-factor-backup-codes.php
index ca9b628e..a1c9e379 100644
--- a/providers/class-two-factor-backup-codes.php
+++ b/providers/class-two-factor-backup-codes.php
@@ -175,6 +175,8 @@ public function user_options( $user ) {
 				<button type="button" class="button button-two-factor-backup-codes-generate button-secondary hide-if-no-js">
 					<?php esc_html_e( 'Generate new recovery codes', 'two-factor' ); ?>
 				</button>
+
+				<em><?php esc_html_e( 'This invalidates all currently stored codes.' ); ?></em>
 			</p>
 		</p>
 		<div class="two-factor-backup-codes-wrapper" style="display:none;">

From caff650401f1293ca41bc019a36e2ecc86a3fdcf Mon Sep 17 00:00:00 2001
From: Kaspars Dambis <hi@kaspars.net>
Date: Wed, 2 Apr 2025 22:46:58 +0300
Subject: [PATCH 10/10] Match the rest of the option helpers

---
 providers/class-two-factor-email.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/providers/class-two-factor-email.php b/providers/class-two-factor-email.php
index 6c784343..ea33f0f2 100644
--- a/providers/class-two-factor-email.php
+++ b/providers/class-two-factor-email.php
@@ -368,7 +368,7 @@ public function is_available_for_user( $user ) {
 	public function user_options( $user ) {
 		$email = $user->user_email;
 		?>
-		<div>
+		<p>
 			<?php
 			echo esc_html(
 				sprintf(
@@ -378,7 +378,7 @@ public function user_options( $user ) {
 				)
 			);
 			?>
-		</div>
+		</p>
 		<?php
 	}