WordPress · aslamdoctor · Feb 26, 2026 · Mar 1, 2026 · Mar 1, 2026 · Mar 3, 2026
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
@@ -907,7 +907,7 @@ public static function is_api_request() {
 	 *
 	 * @since 0.2.0
 	 *
-	 * @param WP_User $user WP_User object of the logged-in user.
+	 * @param WP_User|false $user WP_User object of the logged-in user.
 	 */
 	public static function show_two_factor_login( $user ) {
 		if ( ! $user ) {
@@ -1750,9 +1750,9 @@ public static function _login_form_revalidate_2fa( $nonce = '', $provider = '',
 	 *
 	 * @since 0.9.0
 	 *
-	 * @param object  $provider        The Two Factor Provider.
-	 * @param WP_User $user            The user being authenticated.
-	 * @param bool    $is_post_request Whether the request is a POST request.
+	 * @param object|null $provider        The Two Factor Provider.
+	 * @param WP_User    $user            The user being authenticated.
+	 * @param bool       $is_post_request Whether the request is a POST request.
 	 * @return false|WP_Error|true WP_Error when an error occurs, true when the user is authenticated, false if no action occurred.
 	 */
 	public static function process_provider( $provider, $user, $is_post_request ) {
@@ -2059,7 +2059,7 @@ public static function user_two_factor_options( $user ) {
 		<h2><?php esc_html_e( 'Two-Factor Options', 'two-factor' ); ?></h2>
 
 		<?php foreach ( $notices as $notice_type => $notice ) : ?>
-		<div class="<?php echo esc_attr( $notice_type ? 'notice inline notice-' . $notice_type : '' ); ?>">
+		<div class="<?php echo esc_attr( 'notice inline notice-' . $notice_type ); ?>">
 			<p><?php echo wp_kses_post( $notice ); ?></p>
 		</div>
 		<?php endforeach; ?>

diff --git a/phpstan.dist.neon b/phpstan.dist.neon
@@ -8,3 +8,7 @@ parameters:
 		- class-two-factor-compat.php
 		- class-two-factor-core.php
 		- two-factor.php
+	excludePaths:
+		- providers/class-two-factor-fido-u2f.php
+		- providers/class-two-factor-fido-u2f-admin.php
+		- providers/class-two-factor-fido-u2f-admin-list-table.php
diff --git a/providers/class-two-factor-email.php b/providers/class-two-factor-email.php
@@ -335,7 +335,7 @@ public function generate_and_email_token( $user ) {
 	 *
 	 * @since 0.1-dev
 	 *
-	 * @param WP_User $user WP_User object of the logged-in user.
+	 * @param WP_User|false $user WP_User object of the logged-in user.
 	 */
 	public function authentication_page( $user ) {
 		if ( ! $user ) {
@@ -391,11 +391,15 @@ public function authentication_page( $user ) {
 	 *
 	 * @since 0.2.0
 	 *
-	 * @param  WP_User $user WP_User object of the logged-in user.
+	 * @param WP_User|false $user WP_User object of the logged-in user.
 	 * @return boolean
 	 */
 	public function pre_process_authentication( $user ) {
-		if ( isset( $user->ID ) && isset( $_REQUEST[ self::INPUT_NAME_RESEND_CODE ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- non-distructive option that relies on user state.
+		if ( ! $user ) {
+			return false;
+		}
+
+		if ( isset( $_REQUEST[ self::INPUT_NAME_RESEND_CODE ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- non-distructive option that relies on user state.
 			$this->generate_and_email_token( $user );
 			return true;
 		}
@@ -408,12 +412,16 @@ public function pre_process_authentication( $user ) {
 	 *
 	 * @since 0.1-dev
 	 *
-	 * @param WP_User $user WP_User object of the logged-in user.
+	 * @param WP_User|false $user WP_User object of the logged-in user.
 	 * @return boolean
 	 */
 	public function validate_authentication( $user ) {
+		if ( ! $user ) {
+			return false;
+		}
+
 		$code = $this->sanitize_code_from_request( 'two-factor-email-code' );
-		if ( ! isset( $user->ID ) || ! $code ) {
+		if ( ! $code ) {
 			return false;
 		}
 

diff --git a/providers/class-two-factor-totp.php b/providers/class-two-factor-totp.php
@@ -326,10 +326,6 @@ public static function generate_qr_code_url( $user, $secret_key ) {
 	 * @codeCoverageIgnore
 	 */
 	public function user_two_factor_options( $user ) {
-		if ( ! isset( $user->ID ) ) {
-			return;
-		}
-
 		$key = $this->get_user_totp_key( $user->ID );
 
 		wp_enqueue_script( 'two-factor-qr-code-generator' );
@@ -720,11 +716,11 @@ public static function pack64( int $value ): string {
 		if ( 8 === PHP_INT_SIZE ) {
 			return pack( 'J', $value );
 		}
-	
+
 		// 32-bit PHP fallback
 		$higher = ( $value >> 32 ) & 0xFFFFFFFF;
 		$lower  = $value & 0xFFFFFFFF;
-	
+
 		return pack( 'NN', $higher, $lower );
 	}
 
@@ -890,7 +886,7 @@ public static function base32_encode( $string ) {
 		$base32_string     = '';
 
 		foreach ( $five_bit_sections as $five_bit_section ) {
-			$base32_string .= self::$base_32_chars[ base_convert( str_pad( $five_bit_section, 5, '0' ), 2, 10 ) ];
+			$base32_string .= self::$base_32_chars[ (int) base_convert( str_pad( $five_bit_section, 5, '0' ), 2, 10 ) ];
 		}
 
 		return $base32_string;

diff --git a/two-factor.php b/two-factor.php
@@ -22,19 +22,17 @@
  * Network:           True
  */
 
-if ( ! defined( 'ABSPATH' ) ) {
-	exit; // Exit if accessed directly.
+if ( ! defined( 'TWO_FACTOR_DIR' ) ) {
+	define( 'TWO_FACTOR_DIR', __DIR__ . '/' );
 }
 
-/**
- * Shortcut constant to the path of this file.
- */
-define( 'TWO_FACTOR_DIR', plugin_dir_path( __FILE__ ) );
+if ( ! defined( 'TWO_FACTOR_VERSION' ) ) {
+	define( 'TWO_FACTOR_VERSION', '0.15.0' );
+}
 
-/**
- * Version of the plugin.
- */
-define( 'TWO_FACTOR_VERSION', '0.15.0' );
+if ( ! defined( 'ABSPATH' ) ) {
+	exit; // Exit if accessed directly.
+}
 
 /**
  * Include the base class here, so that other plugins can also extend it.