Add Settings Page #764

Open
masteradhoc wants to merge 11 commits into WordPress:master from masteradhoc:patch-6

Conversation

@masteradhoc
Collaborator

@masteradhoc masteradhoc commented Jan 31, 2026

What?

  • Adds Plugin Settings to the plugin row action links on the Plugins screen.
  • Adjusts the current "Settings" link in the plugin row action links to "User Settings"
  • Adds a dedicated Two-Factor Settings admin page under Settings → Two-Factor.
  • Introduces a new settings UI (class-two-factor-settings.php) to disable specific Two-Factor providers site-wide via a saved option.

Fixes #249

Why?

Right now, site admins don’t have a UI to manage which Two-Factor providers are available on the site. Disabling providers requires custom code via filters. This PR provides a simple admin-facing settings page to enable/disable providers without requiring code changes.

How?

two-factor.php

  • Loads the settings UI class.
  • Registers an admin menu entry (Settings → Two-Factor) and renders the settings page.

class-two-factor-settings.php

  • Renders a settings page listing providers (via Two_Factor_Core::get_providers()).
  • Saves disabled provider keys to the two_factor_disabled_providers option (with nonce + sanitization).

class-two-factor-core.php

  • Updates plugin action links to include:
      • Plugin Settings → options-general.php?page=two-factor-settings
      • User Settings → profile.php#application-passwords-section (existing destination preserved)

Adds enforcement filters:

  • Filters two_factor_providers to remove disabled providers from the available set.
  • Filters user/provider related hooks so disabled providers can’t be enabled/used when disallowed.

Testing Instructions

  1. Install/activate the plugin.
  2. Go to Settings → Two-Factor.
  3. Check/uncheck a few providers and click Save Settings.
  4. Verify that:
    Disabled providers no longer appear as available providers for users.
    Existing users can’t enable newly-disabled providers.
  5. Go to Plugins → Two-Factor and confirm the action links show:
    Plugin Settings
    User Settings
  6. Confirm the settings page itself still lists all providers so an admin can re-enable them.

This PR also works with the existing filter to disable providers. Those will not be shown on the settings page:

add_filter( 'two_factor_providers', function( $providers ) {
    // Remove providers you want to hide for testing.
    unset( $providers['Two_Factor_Email'] );
    unset( $providers['Two_Factor_Backup_Codes'] );
    // unset( $providers['Two_Factor_Totp'] );
    // unset( $providers['Two_Factor_FIDO_U2F'] );
    // unset( $providers['Two_Factor_Dummy'] );
    return $providers;
}, 99 );

Screenshots or screencast

  1. Settings UI
     image
  2. Profile user UI after adjusting the settings
     image

Changelog Entry

Added - Admin settings page to disable Two-Factor providers site-wide and plugin action links for Plugin/User settings.

@masteradhoc masteradhoc marked this pull request as ready for review February 21, 2026 22:14
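
One way to implement the save-and-enforce flow the description outlines (capability check, nonce, allow-list sanitization, then a `two_factor_providers` filter), as an added example that is not code from PR #764. The `tfx_*` function names, the `tfx_save_settings` nonce action and the `tfx_disabled` form field are hypothetical, and the code assumes it is loaded inside WordPress as plugin code.

```php
<?php
// Added example: NOT code from PR #764. The tfx_* names, the nonce action and
// the form field name are hypothetical; option and filter names are from the PR text.
const TFX_OPTION = 'two_factor_disabled_providers';

// Allow-list sanitization: keep only submitted strings that are keys of
// registered providers, so arbitrary POST data never reaches the option.
function tfx_sanitize_disabled( $submitted, array $registered_keys ) {
	if ( ! is_array( $submitted ) ) {
		return array();
	}
	$submitted = array_filter( $submitted, 'is_string' );
	return array_values( array_intersect( $registered_keys, $submitted ) );
}

// Save handler. $registered_providers must be the unfiltered provider list
// (keyed by provider class name, as in the filter example in the description);
// with a filtered list, already-disabled keys would be dropped on the next save.
function tfx_handle_save( array $registered_providers ) {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
	}
	// Dies on a missing or invalid nonce; pairs with wp_nonce_field( 'tfx_save_settings' ).
	check_admin_referer( 'tfx_save_settings' );

	$raw = isset( $_POST['tfx_disabled'] ) ? wp_unslash( $_POST['tfx_disabled'] ) : array();
	update_option( TFX_OPTION, tfx_sanitize_disabled( $raw, array_keys( $registered_providers ) ) );
}

// Enforcement: strip disabled keys from whatever list reaches the filter.
function tfx_remove_disabled( $providers ) {
	$disabled = get_option( TFX_OPTION, array() );
	if ( ! is_array( $providers ) || ! is_array( $disabled ) ) {
		return $providers; // malformed data: leave the list untouched
	}
	return array_diff_key( $providers, array_flip( array_filter( $disabled, 'is_string' ) ) );
}
add_filter( 'two_factor_providers', 'tfx_remove_disabled' );
```

How the PR itself obtains the unfiltered provider list for its settings page is not shown on this page, so the example takes it as a parameter.
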
@github-actions

github-actions bot commented Feb 21, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Unlinked Accounts

The following contributors have not linked their GitHub and WordPress.org accounts: @ecgroupcom, @Crag-Monkey, @binaryfire, @Hotcooler, @solaceten, @diguinho2018.

Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Unlinked contributors: ecgroupcom, Crag-Monkey, binaryfire, Hotcooler, solaceten, diguinho2018.

Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>
Co-authored-by: todeveni <skithund@git.wordpress.org>
Co-authored-by: georgestephanis <georgestephanis@git.wordpress.org>
Co-authored-by: iandunn <iandunn@git.wordpress.org>
Co-authored-by: h0ek <hoeczek@git.wordpress.org>
Co-authored-by: flowdee <flowdee@git.wordpress.org>
Co-authored-by: kasparsd <kasparsd@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@masteradhoc masteradhoc requested review from georgestephanis and kasparsd and removed request for georgestephanis February 21, 2026 22:19
@todeveni
Contributor

readme.txt also needs updating in a couple of places regarding site-wide settings.

There are no site-wide settings for this plugin.
No global settings: This plugin operates on a per-user basis only.
Why doesn't this plugin have site-wide settings?

@masteradhoc
Collaborator Author

> readme.txt also needs updating in a couple of places regarding site-wide settings.
>
> There are no site-wide settings for this plugin.
> No global settings: This plugin operates on a per-user basis only.
> Why doesn't this plugin have site-wide settings?

Thanks @todeveni - adjusted it accordingly :)

@georgestephanis
Collaborator

So my uncertainty right now is how necessary this is.

We've got U2F pared down, so the only providers we'd ship with are Backup Codes, TOTP, and Emailed Passwords?

I don't think we want to enable disabling emailed passwords trivially as it's an important fallback. Backup codes and TOTP I'm also not sure we want to make easy to disable -- I'd personally prefer to have any disabling UI limited to a filter, with any additional providers easily disabled by disabling their plugin?

Maybe I'm missing a use case here, @masteradhoc?
