{"id":337150,"date":"2026-07-08T15:35:10","date_gmt":"2026-07-08T15:35:10","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/goultra-auth\/"},"modified":"2026-07-08T15:34:58","modified_gmt":"2026-07-08T15:34:58","slug":"goultra-auth","status":"publish","type":"plugin","link":"https:\/\/bel.wordpress.org\/plugins\/goultra-auth\/","author":23516968,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"0.33.0","stable_tag":"0.33.0","tested":"7.0","requires":"6.0","requires_php":"7.4","requires_plugins":null,"header_name":"GoUltra Auth","header_author":"GoUltra.AI","header_description":"WhatsApp authentication for WordPress and WooCommerce. Protect admin login with a WhatsApp second factor, verify customers, and add step-up checks before sensitive actions. Codes are not delivered over the SMS network; rate limits, recovery controls and an audit log are built in.","assets_banners_color":"132f43","last_updated":"2026-07-08 15:34:58","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/wordpress.org\/plugins\/goultra-auth\/","header_author_uri":"https:\/\/goultra.ai","rating":0,"author_block_rating":0,"active_installs":0,"downloads":27,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"0.33.0":{"tag":"0.33.0","author":"goultraai","date":"2026-07-08 15:34:58"}},"upgrade_notice":[],"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3600502,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3600502,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256},"icon.svg":{"filename":"icon.svg","revision":3600502,"resolution":false,"location":"assets","locale":false}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3600502,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3600502,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":{"goultra-auth\/whatsapp-login":{"name":"goultra-auth\/whatsapp-login","title":"GoUltra WhatsApp Login"}},"tagged_versions":["0.33.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3600502,"resolution":"1","location":"assets","locale":"","width":520,"height":760},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3600502,"resolution":"2","location":"assets","locale":"","width":1440,"height":1360},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3600502,"resolution":"3","location":"assets","locale":"","width":1440,"height":1240},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3600502,"resolution":"4","location":"assets","locale":"","width":900,"height":900},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3600502,"resolution":"5","location":"assets","locale":"","width":1440,"height":1420},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3600502,"resolution":"6","location":"assets","locale":"","width":640,"height":760},"screenshot-7.png":{"filename":"screenshot-7.png","revision":3600502,"resolution":"7","location":"assets","locale":"","width":760,"height":940}},"screenshots":{"1":"Admin login protected by a WhatsApp two-factor code, with an optional \"Remember this device for 30 days\".","2":"Login Protection settings: choose which roles use two-factor, turn on \"Remember this device\", and email a security alert on every administrator sign-in.","3":"The GoUltra Auth dashboard: connection status, protection level and a setup and security checklist.","4":"Passwordless sign-in: customers sign in with a WhatsApp code instead of a password, or create an account in the same step.","5":"Customer sign-in options: passwordless login, account creation with WhatsApp, and risk-based checkout verification.","6":"On the checkout, a guest can create their account with WhatsApp instead of choosing a password.","7":"A clean security email is sent whenever an administrator signs in, showing the username, IP address, device and time."}},"plugin_section":[],"plugin_tags":[9211,710,1229,9217,3160],"plugin_category":[38],"plugin_contributors":[269093],"plugin_business_model":[],"class_list":["post-337150","plugin","type-plugin","status-publish","hentry","plugin_tags-2fa","plugin_tags-authentication","plugin_tags-login-security","plugin_tags-two-factor","plugin_tags-whatsapp","plugin_category-authentication","plugin_contributors-goultraai","plugin_committers-goultraai"],"banners":{"banner":"https:\/\/ps.w.org\/goultra-auth\/assets\/banner-772x250.png?rev=3600502","banner_2x":"https:\/\/ps.w.org\/goultra-auth\/assets\/banner-1544x500.png?rev=3600502","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":"https:\/\/ps.w.org\/goultra-auth\/assets\/icon.svg?rev=3600502","icon":"https:\/\/ps.w.org\/goultra-auth\/assets\/icon.svg?rev=3600502","icon_2x":false,"generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/goultra-auth\/assets\/screenshot-1.png?rev=3600502","caption":"Admin login protected by a WhatsApp two-factor code, with an optional \"Remember this device for 30 days\"."},{"src":"https:\/\/ps.w.org\/goultra-auth\/assets\/screenshot-2.png?rev=3600502","caption":"Login Protection settings: choose which roles use two-factor, turn on \"Remember this device\", and email a security alert on every administrator sign-in."},{"src":"https:\/\/ps.w.org\/goultra-auth\/assets\/screenshot-3.png?rev=3600502","caption":"The GoUltra Auth dashboard: connection status, protection level and a setup and security checklist."},{"src":"https:\/\/ps.w.org\/goultra-auth\/assets\/screenshot-4.png?rev=3600502","caption":"Passwordless sign-in: customers sign in with a WhatsApp code instead of a password, or create an account in the same step."},{"src":"https:\/\/ps.w.org\/goultra-auth\/assets\/screenshot-5.png?rev=3600502","caption":"Customer sign-in options: passwordless login, account creation with WhatsApp, and risk-based checkout verification."},{"src":"https:\/\/ps.w.org\/goultra-auth\/assets\/screenshot-6.png?rev=3600502","caption":"On the checkout, a guest can create their account with WhatsApp instead of choosing a password."},{"src":"https:\/\/ps.w.org\/goultra-auth\/assets\/screenshot-7.png?rev=3600502","caption":"A clean security email is sent whenever an administrator signs in, showing the username, IP address, device and time."}],"raw_content":"<!--section=description-->\n<p>GoUltra Auth adds a WhatsApp one-time code as a second factor at login. After the password is\naccepted, the user enters a short code delivered to their WhatsApp, so a leaked password alone\nis no longer enough to get into the admin.<\/p>\n\n<p>It connects to the GoUltra service, which delivers the code through a WhatsApp\nAuthentication-category message approved by Meta.<\/p>\n\n<p><strong>Why WhatsApp (an honest comparison)<\/strong><\/p>\n\n<p>WhatsApp authentication codes are not delivered through the SMS network, which reduces exposure\nto common SMS delivery and interception risks (such as message interception, poor reception,\nand certain SIM-swap scenarios). No authentication method is unbreakable, so GoUltra Auth also\nincludes rate limits, recovery controls and an audit log. It usually costs less than SMS in\nmost markets and arrives over Wi-Fi without a cellular signal.<\/p>\n\n<p><strong>What you get in this version<\/strong><\/p>\n\n<ul>\n<li>Admin \/ role-based login 2FA over WhatsApp.<\/li>\n<li>Passwordless login for customers: sign in (or register) with a WhatsApp code instead of a\npassword, with an optional \"remember this device\" (off by default, customers and subscribers\nonly, password sign-in always kept).<\/li>\n<li>Self-service enrollment: each user verifies their own WhatsApp number.<\/li>\n<li>Recovery codes (single-use) so you are never locked out.<\/li>\n<li>Emergency disable via wp-config.php and WP-CLI.<\/li>\n<li>Rate limits per user, per IP and per site, plus daily and monthly cost caps.<\/li>\n<li>A security score and an audit log.<\/li>\n<\/ul>\n\n<p><strong>Recovery and lockout protection<\/strong><\/p>\n\n<p>You can always get back in without WhatsApp: enter a recovery code, add\n    define( 'GOULTRA_AUTH_DISABLE', true ); to wp-config.php, or run <code>wp goultra-auth disable<\/code>.<\/p>\n\n<h3>Third-Party Service<\/h3>\n\n<p>This plugin sends the WhatsApp phone number you provide, and a one-time code, to the GoUltra\nservice so the code can be delivered over WhatsApp. No message is sent until you connect the\nplugin with a GoUltra API key and a user enrolls a number.<\/p>\n\n<ul>\n<li>Service: GoUltra - https:\/\/goultra.ai<\/li>\n<li>API endpoint: https:\/\/go.goultra.ai\/api<\/li>\n<li>Terms: https:\/\/goultra.ai\/terms<\/li>\n<li>Privacy: https:\/\/goultra.ai\/privacy<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin to <code>wp-content\/plugins\/goultra-auth\/<\/code> and activate it.<\/li>\n<li>Go to <strong>GoUltra Auth<\/strong> and paste your GoUltra API key to connect.<\/li>\n<li>Verify your own WhatsApp number (you will receive a test code).<\/li>\n<li>Save your recovery codes somewhere safe.<\/li>\n<li>Turn on <strong>Admin login 2FA<\/strong> for the roles you choose.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"what%20if%20i%20cannot%20receive%20a%20whatsapp%20code%3F\"><h3>What if I cannot receive a WhatsApp code?<\/h3><\/dt>\n<dd><p>Use a recovery code on the login screen. If you have none, add\n    define( 'GOULTRA_AUTH_DISABLE', true ); to wp-config.php, or run <code>wp goultra-auth disable<\/code>.<\/p><\/dd>\n<dt id=\"does%20it%20make%20my%20site%20impossible%20to%20hack%3F\"><h3>Does it make my site impossible to hack?<\/h3><\/dt>\n<dd><p>No. No authentication method is unbreakable. It is a strong additional layer that, combined with\nrate limits, recovery controls and an audit log, makes account takeover significantly harder than\na password alone.<\/p><\/dd>\n<dt id=\"does%20it%20cost%20money%3F\"><h3>Does it cost money?<\/h3><\/dt>\n<dd><p>WhatsApp authentication messages are billed by Meta per delivered message, and pricing varies by\ncountry. The built-in cost caps let you bound the spend.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>0.33.0<\/h4>\n\n<ul>\n<li>Moved all inline CSS and JavaScript on the two-factor login screen, the step-up screen and the\nWooCommerce checkout verification field into properly enqueued asset files.<\/li>\n<li>Hardened the step-up (protected action) screen with a nonce and a capability check before it processes\na request or sends a code.<\/li>\n<li>Setting or resetting another user's WhatsApp number now also requires permission to edit that user.<\/li>\n<li>Small code-quality and internationalization cleanups for the plugin directory guidelines.<\/li>\n<\/ul>\n\n<h4>0.32.3<\/h4>\n\n<ul>\n<li>The \"authentication service is turned off for this number\" message now matches the exact signal the\nGoUltra service sends, so it always shows the right guidance.<\/li>\n<li>Translations: the new plan-limit, cooldown and plan-usage messages are now translated to Hebrew,\nArabic, Spanish and French.<\/li>\n<\/ul>\n\n<h4>0.32.2<\/h4>\n\n<ul>\n<li>Plan usage: the settings screen now shows how many authentication messages your GoUltra plan has\nused this cycle (\"X of Y\"), and if the plan allowance is reached the login screen says so clearly.\nIf the WhatsApp authentication service is turned off for a number, that is now explained too.<\/li>\n<\/ul>\n\n<h4>0.32.1<\/h4>\n\n<ul>\n<li>Clearer messages: when a code cannot be sent, the login and sign-in screens now show the specific\nreason (for example, the plan's message allowance was reached, or a short cooldown between sends)\ninstead of a generic notice, and always point to the recovery-code fallback.<\/li>\n<\/ul>\n\n<h4>0.32.0<\/h4>\n\n<ul>\n<li>Cost protection: fresh installs now ship with safe sending limits ON by default (per destination\nnumber per hour, a minimum interval between sends to the same number, and a site-wide daily cap), so\nthe WhatsApp send volume cannot be run up before an admin tunes anything.<\/li>\n<li>Reliability: a recovery (backup) code can now always be entered at the login challenge, even during the\n\"too many attempts\" cooldown or when another user shares the same IP, so a locked-out admin is never\nstopped from using a backup code.<\/li>\n<li>Robustness: the setup-enforcement redirect no longer runs on REST, cron or CLI requests; uninstall now\nclears the daily cleanup schedule; a checkout-verified number is never auto-attached to an admin account.<\/li>\n<\/ul>\n\n<h4>0.31.0<\/h4>\n\n<ul>\n<li>Pre-submission hardening from a full four-angle audit (wp.org compliance, security, correctness, i18n).\nNo behavior changes for store owners or customers; the plugin is now cleaner and stricter.<\/li>\n<li>Security: added a cross-attempt rate limit (per number and per IP) to the guest one-time-code checks\nused by new-customer signup, order-received setup and checkout verification, so codes cannot be guessed\nacross many requests. Rotating a user's devices now also clears their admin two-factor \"remembered\ndevice\". The account-created email path sanitizes any unexpected upstream text.<\/li>\n<li>wp.org \/ Plugin Check: sanitized a server value, annotated the one-time uninstall\/deactivate database\ncleanup and the CSV export stream, and hardened the activity CSV export against spreadsheet formula\ninjection. Removed one unused internal option and a stale code comment.<\/li>\n<\/ul>\n\n<h4>0.30.0<\/h4>\n\n<ul>\n<li>New: create your account with WhatsApp on the checkout (no password). On the classic checkout, when a\nguest chooses to create an account, they can verify their WhatsApp number with a code instead of\nchoosing a password. The account is created with no password and they sign in with a WhatsApp code\nnext time. Fully additive: the normal password option is untouched, and if the number is not verified\nnothing changes. New setting under Customer sign-in (on by default). Translated to all five languages.<\/li>\n<li>Improved: the admin-login alert email was redesigned to be cleaner and to nest correctly inside sites\nthat wrap outgoing emails in their own branded template (no more double header). It now uses a light\ncard with a green accent instead of a dark banner.<\/li>\n<\/ul>\n\n<h4>0.29.0<\/h4>\n\n<ul>\n<li>New: \"Remember this device\" for admin two-factor login. After a correct code, the login screen\noffers to trust that device for 30 days (7\/14\/30, configurable), so admins are not asked for a code\nevery time. This saves WhatsApp messages and cost while a new or unknown device still needs a fresh\ncode, so a leaked password alone is not enough to sign in.<\/li>\n<li>New: \"Reset all remembered devices\" button in Login Protection. It forgets every trusted device at\nonce (admin and customer), so everyone is asked for a fresh code on the next login. Use it if a\ndevice was lost, sold or shared.<\/li>\n<li>New: admin-login email alerts. A clean, well-designed security email (like Wordfence, but tidier) is\nsent by your own WordPress site whenever an administrator signs in, showing the username, IP address,\nhostname, device and time, with a \"was this you?\" prompt. Toggle it and set the recipient in settings.<\/li>\n<li>All new screens and the alert email are translated to English, Hebrew, Arabic, Spanish and French,\nwith right-to-left support and phone\/IP shown left-to-right.<\/li>\n<\/ul>\n\n<h4>0.28.0<\/h4>\n\n<ul>\n<li>New: on the order-received page after checkout, customers can set up WhatsApp sign-in. A guest who\nordered without an account can create one with WhatsApp (no password), and a signed-in customer who\nhas no WhatsApp number can switch it on. This closes the gap where customers who registered the normal\nway at checkout never got WhatsApp sign-in.<\/li>\n<li>The customer verifies the order's own number with a one-time code first, so nothing is set up without\nproof, and the guest's order is linked to the new account automatically.<\/li>\n<li>Works on every checkout (classic and the block-based order confirmation). New setting under Customer\nsign-in: \"On the order-received page, offer customers to set up WhatsApp sign-in\" (on by default).<\/li>\n<li>Phone numbers in the new card always display left-to-right, even on right-to-left (Hebrew, Arabic)\nstores. Card text is translated to all five supported languages.<\/li>\n<\/ul>\n\n<h4>0.27.0<\/h4>\n\n<ul>\n<li>The plugin description and admin texts now appear in your store's language: when WordPress is set to\nHebrew, Arabic, Spanish or French, the plugins-list description and the settings show that language.<\/li>\n<li>Customer Verification: the \"Checkout phone verification\" option moved to the bottom of the tab, and it\nnow honestly shows it runs on the classic checkout (not the block checkout).<\/li>\n<li>\"Login protection is off\" no longer shows when only passwordless WhatsApp login is turned on.<\/li>\n<li>Removed the \"Change number\" button from the customer WhatsApp-login area for a cleaner verified state.<\/li>\n<li>Hardening from a full code review: closed a timing side-channel on the sign-in endpoint, tightened\noutput escaping in two places, standardized \"WhatsApp number\" wording at checkout, and added a tip for\nplacing the sign-in panel in a theme's header\/popup login.<\/li>\n<\/ul>\n\n<h4>0.26.1<\/h4>\n\n<ul>\n<li>Fixed (Hebrew\/Arabic): the verified WhatsApp number shown in the admin \"Your verification number\"\ncard and in the My Account \"WhatsApp login is on for ...\" line could read right-to-left. Numbers are\nnow bidi-isolated so a phone number always reads left-to-right wherever it is displayed.<\/li>\n<li>\"Use WhatsApp instead\" is now \"Sign in or sign up fast with WhatsApp\", so customers understand the\nWhatsApp option is for both signing in and creating an account.<\/li>\n<li>The \"Change number\" action is now a quiet link (instead of a prominent button) once a number is\nverified, so the verified state stays clean.<\/li>\n<\/ul>\n\n<h4>0.26.0<\/h4>\n\n<ul>\n<li>New customers can now sign up with WhatsApp in one simple flow. There is no longer a \"I have an\naccount \/ I am new\" choice to make: the customer enters their WhatsApp number and a code. If they\nalready have an account they are signed in; if they are new, they are asked for an email and the\naccount is created in the same step. This matches how modern stores (and Shopify, Clerk, Stytch)\nhandle passwordless sign-up, and it is account-enumeration safe (whether the number already has an\naccount is only revealed after the code is verified, never before).<\/li>\n<li>The email is requested only after the number is verified, and only for brand-new customers, so\nreturning customers sign in with just their number and a code.<\/li>\n<li>New-customer sign-up is now on by default (it still respects your store's own \"allow customers to\ncreate an account\" setting, so nothing changes unless your store already allows registration).<\/li>\n<li>At account creation the panel shows a clear line that signing in with WhatsApp is not consent to\nreceive marketing messages, with a link to your Privacy Policy.<\/li>\n<\/ul>\n\n<h4>0.25.1<\/h4>\n\n<ul>\n<li>Fixed: on Hebrew and Arabic (right-to-left) stores, phone numbers and codes could display\nreversed in several places (your verification number in Settings, the 2FA login code field, the\nMy Account \"verify my number\" fields, the step-up code, and the checkout code). All phone, code\nand key fields are now forced left-to-right everywhere, so a number always reads correctly.<\/li>\n<\/ul>\n\n<h4>0.25.0<\/h4>\n\n<ul>\n<li>Block-based checkout: returning customers can now sign in with WhatsApp right from the new\nWooCommerce block checkout. Turn on \"Show the WhatsApp sign-in panel on the block-based checkout\"\nand the panel appears above the checkout form for logged-out customers, with no setup. It signs\nthem in without leaving the page, then disappears once they are logged in.<\/li>\n<li>The panel is rendered outside the checkout app and bound by the same reliable script used on the\nMy Account page, so it works across themes and is not affected by checkout updates.<\/li>\n<\/ul>\n\n<h4>0.24.0<\/h4>\n\n<ul>\n<li>Per-user control: every WordPress user-edit screen now shows the user's WhatsApp sign-in status\n(verified number and the date it was last verified). An administrator can revoke it with one click,\nwhich clears the verified number and signs the user out of all remembered devices. The password\nlogin is never affected, so this can never lock anyone out.<\/li>\n<li>Clear consent wording: in the admin, on the user profile and in the suggested privacy-policy text we\nstate that signing in with WhatsApp verifies the number only and is not consent to receive WhatsApp\nmarketing messages. The number is not used for marketing through this plugin.<\/li>\n<li>The block-based checkout button stays clearly marked \"Coming soon\" \/ experimental: this release does\nnot claim full block-checkout support.<\/li>\n<li>A WooCommerce billing phone is never used to sign anyone in. Only a number the user has verified\nthrough WhatsApp can be used for passwordless login.<\/li>\n<\/ul>\n\n<h4>0.23.0<\/h4>\n\n<ul>\n<li>Appearance options for the WhatsApp sign-in panel: choose Modern panel (the full card), Compact\n(smaller, good for popups and sidebars), or Button first (shows a single \"Continue with WhatsApp\"\nbutton that opens the panel when clicked). Set it under WhatsApp sign-in - Advanced.<\/li>\n<li>Accessibility: each field is now linked to its label, the status line is announced to screen\nreaders, and keyboard focus is clearly visible on every button and link. With JavaScript turned\noff the panel stays open so nothing is lost.<\/li>\n<\/ul>\n\n<h4>0.22.0<\/h4>\n\n<ul>\n<li>Manual placement for any theme or page builder. Put the WhatsApp sign-in panel exactly where you\nwant with the shortcode [goultra_auth_customer_login], the new \"GoUltra WhatsApp Login\" block, or\nthe template tag goultra_auth_customer_login() - so it works even on custom login pages where\nautomatic placement is not perfect.<\/li>\n<li>New \"Placement on the My Account page\" setting: Automatic (above the forms), Inside the login\nform, or Manual only (use the shortcode or block).<\/li>\n<\/ul>\n\n<h4>0.21.0<\/h4>\n\n<ul>\n<li>Reliability (from a professional review): the WhatsApp sign-in now talks to the server over a\ndedicated, never-cached endpoint and no longer depends on a security token baked into the page.\nOn heavily cached sites (WP Rocket, LiteSpeed, Cloudflare) this removes a cause of the button\noccasionally not responding.<\/li>\n<li>Added a small developer API for custom themes and page builders:\nGoUltraAuth.mount(), GoUltraAuth.refresh() and GoUltraAuth.reset(), so a custom login popup can\ninitialize or reset the panel reliably.<\/li>\n<li>Login popups that reopen now reset to the WhatsApp view automatically, unless you are in the\nmiddle of entering a code (then it is preserved).<\/li>\n<\/ul>\n\n<h4>0.20.1<\/h4>\n\n<ul>\n<li>Phone, code and email fields are now always left-to-right, even on Hebrew and Arabic stores (a\nphone number should never read right-to-left).<\/li>\n<li>\"Sign in with a password instead\" is now a clean, reversible switch: it shows only the password\nform (never both panels at once) and a \"Use WhatsApp instead\" link to switch back, with no page\nrefresh needed. This fixes the stuck state where reopening the login could show only the password\nscreen.<\/li>\n<\/ul>\n\n<h4>0.20.0<\/h4>\n\n<ul>\n<li>Fixed: the \"Continue with WhatsApp\" button could do nothing on some live sites. The widget no\nlonger depends on a script that themes\/caching could delay or strip; it now loads reliably\neverywhere the login or register form appears (account page, header login popup, and under\noptimization plugins such as WP Rocket and LiteSpeed).<\/li>\n<li>Redesigned the customer sign-in as one clean, branded WhatsApp panel: enter your number, get a\ncode, done. New customers can sign up the same way. The password login\/registration is tucked\nbehind a \"Sign in with a password instead\" link, and always stays available.<\/li>\n<li>The panel adapts to the page direction, so it looks right in right-to-left languages (Hebrew,\nArabic) as well as left-to-right.<\/li>\n<li>Simpler settings: the where-it-appears and allowed-roles options moved under an \"Advanced\"\nsection, so the common setup is just one switch.<\/li>\n<li>Verified end to end in a real browser: enter number, receive code, verify, and you are signed in.<\/li>\n<\/ul>\n\n<h4>0.19.0<\/h4>\n\n<ul>\n<li>Clearer customer area. The \"Continue with WhatsApp\" option now appears above both the sign-in and\nthe create-account columns on My Account, so new customers can also sign up with WhatsApp (it is no\nlonger hidden inside the sign-in box). Your password forms stay exactly as they were.<\/li>\n<li>Renamed the two customer options so the difference is obvious:\n\"Customer login protection (password + WhatsApp code)\" = password first, then a code; and\n\"Passwordless WhatsApp login (sign in without a password)\" = a code instead of a password.<\/li>\n<li>Added a short intro at the top of Customer Verification explaining the three modes.<\/li>\n<li>Made it explicit that WhatsApp login is a sign-in method, not consent to WhatsApp marketing, and\nthat administrators and shop managers always use password + 2FA even on the WordPress login screen.<\/li>\n<\/ul>\n\n<h4>0.18.1<\/h4>\n\n<ul>\n<li>Setting the default code language is more reliable: if a save does not reach the server (a slow\nhost or a cache or optimization layer can drop an admin request), it now retries automatically.<\/li>\n<li>Admin actions now show a clear \"Your session expired. Refresh the page and try again.\" message\nwhen a security token has gone stale, instead of a generic \"That did not work.\"<\/li>\n<\/ul>\n\n<h4>0.18.0<\/h4>\n\n<ul>\n<li>Passwordless customer login is now a complete flow. Four additions, all admin-controlled:<\/li>\n<li>Remember this device: customers can choose to stay signed in on a device they trust and skip the\ncode next time. A password change or a \"sign out of all devices\" button (on My Account) cancels it.<\/li>\n<li>New-customer registration: a new visitor can open an account with just an email and a WhatsApp\ncode (no password). Requires user registration to be enabled for your site.<\/li>\n<li>Checkout account creation: when a customer verifies their phone at checkout and an account is\ncreated, WhatsApp login is turned on for them automatically.<\/li>\n<li>Block checkout (experimental): optionally show \"Continue with WhatsApp\" on the block-based\ncheckout. Confirm the button placement on your live store.<\/li>\n<li>Account protection: registration can never take over an existing account whose WhatsApp number\nyou do not control, and remembered devices are bound to the password so a reset clears them.<\/li>\n<li>All new screens and messages are translated to English, Hebrew, Arabic, Spanish and French (RTL).<\/li>\n<\/ul>\n\n<h4>0.17.0<\/h4>\n\n<ul>\n<li>New: Passwordless customer login with WhatsApp. Customers can sign in with a one-time WhatsApp\ncode instead of a password they keep forgetting. Off by default; the store owner turns it on and\nchooses where it appears (the WooCommerce account page and\/or the WordPress login form).<\/li>\n<li>Customers and subscribers only. Administrators and shop managers can never sign in passwordless;\nthey always keep their password and second factor. Sign-in with a password is always kept too.<\/li>\n<li>Customers add and confirm their own WhatsApp number from My Account before they can use it.<\/li>\n<li>Privacy by design: no way to tell from the screen whether a number has an account, single-use\ncodes, the same rate limits and audit log as the rest of the plugin.<\/li>\n<li>Available in English, Hebrew, Arabic, Spanish and French, with full right-to-left support.<\/li>\n<\/ul>\n\n<h4>0.16.0<\/h4>\n\n<ul>\n<li>Team numbers moved to My Number &amp; Recovery (one logical place for all number management), right\nunder your own number.<\/li>\n<li>The team list now shows all staff \/ privileged users (administrators, shop managers, editors and\nso on), not just protected-role users and never regular customers, and flags any whose role is\nnot protected at login.<\/li>\n<\/ul>\n\n<h4>0.15.0<\/h4>\n\n<ul>\n<li>Team: an admin can now set a WhatsApp number directly for any user (e.g. a shop manager) from\nthe \"Your team\" panel, in addition to each user verifying their own. Setting a number is recorded\nin the activity log; Reset and Send-reminder remain available.<\/li>\n<\/ul>\n\n<h4>0.14.1<\/h4>\n\n<ul>\n<li>Fix: after saving Login Protection (or Customer Verification), the page now refreshes so the\nbanners and status update immediately - the \"Login protection is off\" notice clears as soon as\nyou turn it on, without a manual refresh.<\/li>\n<\/ul>\n\n<h4>0.14.0<\/h4>\n\n<ul>\n<li>Protected actions (step-up): optionally require a fresh WhatsApp code before sensitive admin\nscreens - Plugins, Users and roles, Themes, General settings, Permalinks, and WooCommerce\nPayments \/ Advanced (REST API, webhooks). It protects both viewing the screen and saving on it,\nso a hijacked session cannot change a sensitive setting without a new code. Configurable code\nlifetime (5 \/ 15 \/ 30 \/ 60 minutes). Opt-in; recovery codes and the emergency switch always work,\nand a user without a verified number is never blocked.<\/li>\n<li>Fix: on connect, existing templates (for example a previously-approved Arabic one) now appear\nimmediately, without needing a manual refresh.<\/li>\n<li>New \"Login protection is off\" notice when you are connected and ready but have not turned on a\ncode at login yet, so it is clear the plugin is not protecting anyone.<\/li>\n<li>New text translated to English, Spanish, French, Arabic and Hebrew.<\/li>\n<\/ul>\n\n<h4>0.13.0<\/h4>\n\n<ul>\n<li>Header badge changed to \"Login security\" (clearer, and avoids implying a WhatsApp-branded product).<\/li>\n<li>Slightly smaller, more refined header logo.<\/li>\n<li>Templates: a short summary line (how many languages are approved, which is the default).<\/li>\n<li>Customer Verification: quick-setup presets (Basic, Store, High-risk) to configure protection fast.<\/li>\n<li>New text translated to English, Spanish, French, Arabic and Hebrew.<\/li>\n<\/ul>\n\n<h4>0.12.0<\/h4>\n\n<ul>\n<li>New \"Your team\" panel (Login Protection): see every user in a protected role, whether each has\nverified a WhatsApp number, send a setup reminder to anyone who has not, or reset a user's setup.<\/li>\n<li>Each user still verifies their own number from their own account, which keeps it secure.<\/li>\n<li>Team panel fully translated (English, Spanish, French, Arabic, Hebrew) and RTL-aware.<\/li>\n<\/ul>\n\n<h4>0.11.0<\/h4>\n\n<ul>\n<li>Clear \"GoUltra Auth is not active yet\" banner until you connect GoUltra and approve a template,\nwith one-click next steps and a plain note about what is included in your plan.<\/li>\n<li>Honest billing wording: AUTH verification sends are included in your GoUltra plan; the monthly\nnumber is a safety limit (not a billing cap), and any Meta \/ WhatsApp fees are noted separately.<\/li>\n<li>Faster verification: the code box now appears instantly while the code is sent.<\/li>\n<li>New \"Change number\" button to update your own verification number after it is set.<\/li>\n<li>Screens that need a connection are locked until you connect, with a hint.<\/li>\n<li>Checklist split into Required setup vs Recommended security (fewer alarming warnings during setup).<\/li>\n<li>Login screen polish: cleaner card and a \"Use a recovery code instead\" toggle.<\/li>\n<li>Translations updated for all the new text (English, Spanish, French, Arabic, Hebrew).<\/li>\n<\/ul>\n\n<h4>0.10.0<\/h4>\n\n<ul>\n<li>Full translations: the whole admin and the login screen are now available in English, Spanish,\nFrench, Arabic and Hebrew, following your WordPress language automatically.<\/li>\n<li>Right-to-left layout for Arabic and Hebrew (the screens flip correctly).<\/li>\n<\/ul>\n\n<h4>0.9.2<\/h4>\n\n<ul>\n<li>Brand logo in the admin header and on the login screen.<\/li>\n<li>Security hardening (from a full audit): guest checkout no longer shares one global rate-limit\nbucket (each phone is limited on its own); trusted-device cookies are now tied to your password,\nso changing your password ends them everywhere; pending login codes are cleared on a password\nchange. No issues affected existing logins.<\/li>\n<\/ul>\n\n<h4>0.9.1<\/h4>\n\n<ul>\n<li>Much simpler Templates screen: one \"Code language\" card. Pick the default with a radio button\nnext to each language - it saves instantly, no separate Save button.<\/li>\n<li>Removed the confusing \"Language coverage\" section.<\/li>\n<li>Enrollment button now says \"Verify my number\" (instead of \"Send code\").<\/li>\n<li>Fixed: recovery codes shown after verifying your number are no longer wiped by an auto-refresh;\nthey stay on screen with Download\/Print until you click Done.<\/li>\n<li>The plugin logo is used in the header automatically if present in assets\/images.<\/li>\n<\/ul>\n\n<h4>0.9.0<\/h4>\n\n<ul>\n<li>Premium redesign pass across every screen (from the public-readiness review).<\/li>\n<li>Dashboard: each status card is now actionable (Verify now, Manage templates, Generate codes),\nand the GoUltra sending number is clearly separated from your own verification number.<\/li>\n<li>Setup wizard with a progress bar and a Continue button that takes you to the next step.<\/li>\n<li>Login Protection: recommended\/advanced role policy cards, and a live \"1 of 2 verified\" count\nper role so you can see who is actually protected.<\/li>\n<li>Optional enforcement: ask protected users who have not verified a number to finish setup after\na grace period (never a hard lockout; recovery and the emergency switch always work).<\/li>\n<li>Templates: a Language coverage view showing which of your site languages are Approved, Active,\nthe Default, or Missing, with one-click Create for the missing ones.<\/li>\n<li>Customer Verification: clearer wording, Classic\/Block\/HPOS compatibility badges, and a direct\n\"Customer account login\" toggle (no more jumping to another tab).<\/li>\n<li>Cost control: daily and per-phone limits in addition to monthly, plus a sent today \/ this month\nusage meter.<\/li>\n<li>Recovery kit: status, unused-code count, last-generated date, and an emergency-access warning.<\/li>\n<li>Activity log: a Where (context) column and quick filters (Successful, Failed, Rate limited).<\/li>\n<\/ul>\n\n<h4>0.8.1<\/h4>\n\n<ul>\n<li>The \"Default template\" language selector now appears reliably once you have two or more approved\ntemplates, so you can switch the default (for example from English to Arabic) in one click.<\/li>\n<li>After you create a template, or one is approved, the page refreshes itself so the language list and\nthe default selector stay correct - a language you already added is never offered again.<\/li>\n<li>More robust template-status matching (case-insensitive) so an approved template is always recognized.<\/li>\n<\/ul>\n\n<h4>0.8.0<\/h4>\n\n<ul>\n<li>Templates: around 50 world languages to choose from.<\/li>\n<li>The create list now hides languages you have already added, so you cannot create a duplicate.<\/li>\n<li>A clear \"Default template\" selector (the language used when a customer has no template of their own).<\/li>\n<li>Enrollment wording is now \"verify your number\" \/ \"Send code\" (no more \"test code\").<\/li>\n<\/ul>\n\n<h4>0.7.0<\/h4>\n\n<ul>\n<li>Trusted devices: optionally skip 2FA on a device you trust for 7, 14 or 30 days\n(signed, expiring cookie). A \"Trust this device\" option appears on the login screen.<\/li>\n<li>Recovery codes: Download and Print buttons.<\/li>\n<li>Templates: show the WordPress locale (e.g. en_US) next to the language.<\/li>\n<li>Activity log: Export to CSV, plus automatic 30-day retention cleanup.<\/li>\n<li>Cost control: email the site admin at 80% and 100% of the monthly message cap.<\/li>\n<\/ul>\n\n<h4>0.6.0<\/h4>\n\n<ul>\n<li>Phase 2 - WooCommerce: risk-based checkout phone verification (first order, Cash on Delivery,\norder over an amount, guest checkout). Opt-in and fail-open - it never blocks an order if\nGoUltra is unavailable. Classic checkout. New \"Customer Verification\" tab.<\/li>\n<li>Phase 3 - Sudo mode: optionally require a fresh WhatsApp code before opening the GoUltra Auth\nsettings, so a hijacked admin session cannot weaken or disable 2FA without a code.<\/li>\n<\/ul>\n\n<h4>0.5.0<\/h4>\n\n<ul>\n<li>Rebuilt the admin into a professional tabbed product: Dashboard, Login Protection,\nTemplates, My Number &amp; Recovery, and Activity.<\/li>\n<li>New Dashboard with a protection banner and status cards (protection level, your number,\ntemplates, recovery codes, monthly usage) plus a clear protection checklist.<\/li>\n<\/ul>\n\n<h4>0.4.0<\/h4>\n\n<ul>\n<li>Redesigned the login challenge into a branded, mobile-friendly, RTL-aware card with a\nshield, a clean code input, a resend countdown and clear recovery\/cancel actions.<\/li>\n<li>Security score is now an honest \"Protection level (N of M checks passed)\" instead of a\nbare percentage, and includes an XML-RPC \/ REST protection check.<\/li>\n<li>Wording: \"approved by Meta\" instead of \"official\"; clearer \"Fallback language\".<\/li>\n<\/ul>\n\n<h4>0.3.0<\/h4>\n\n<ul>\n<li>Fixed codes not arriving: the send language is now matched to an actually approved template\n(e.g. en_US), instead of a bare \"en\" that the backend could not match.<\/li>\n<li>Template language labels display correctly (en_US shows as English).<\/li>\n<li>Added a Default language choice when more than one template is approved, and clarified that\neach user gets the code in their own language when available.<\/li>\n<li>Enrollment: a \"wrong number?\" link to go back and change the number.<\/li>\n<li>Added a full mocked-backend flow test (connect, template, enrollment, login, fallback).<\/li>\n<\/ul>\n\n<h4>0.2.0<\/h4>\n\n<ul>\n<li>Setup wizard: a guided \"Getting started\" panel that shows the exact steps in order.<\/li>\n<li>Connection now shows the WhatsApp display name (matches the GoUltra dashboard).<\/li>\n<li>Loading states on every action button; live template status (auto-refresh, no page reload).<\/li>\n<li>Longer network timeout for template creation (fixes a cURL timeout on slower approvals).<\/li>\n<li>Clearer enrollment (Step 1 \/ Step 2) and admin notice wording.<\/li>\n<\/ul>\n\n<h4>0.1.0<\/h4>\n\n<ul>\n<li>Initial development version: admin\/role login 2FA over WhatsApp (local verification),\nself-enrollment, recovery codes, emergency disable (wp-config + WP-CLI), rate limits and cost\ncaps, security score, audit log, and GDPR export\/erase.<\/li>\n<\/ul>","raw_excerpt":"WhatsApp authentication for WordPress and WooCommerce. Protect admin login with a second factor, with recovery codes, rate limits and an audit log.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/bel.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/337150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bel.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/bel.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/bel.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=337150"}],"author":[{"embeddable":true,"href":"https:\/\/bel.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/goultraai"}],"wp:attachment":[{"href":"https:\/\/bel.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=337150"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/bel.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=337150"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/bel.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=337150"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/bel.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=337150"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/bel.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=337150"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/bel.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=337150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}