The Goal
As the plugin list shrank, security was the one area where we still relied on an external tool. The next step was to build essential security features directly into the theme, so the site's protection wouldn't depend on a third-party plugin staying updated, compatible, and available.
What Was Built
Multi-Factor Authentication (MFA) A custom MFA flow was added to the login process. After entering their password, users receive a one-time code that must be confirmed before access is granted. The entire flow is handled by the theme no external service required.
Email Verification for New Users — New user registrations now trigger an email verification step before the account becomes active. This prevents spam registrations and ensures that every account on the site belongs to a real, reachable email address.
A Self-Contained Site
These additions made the site's security posture independent of any external plugin. Combined with the earlier plugin reductions, the result is a WordPress installation that is leaner, faster, and easier to audit with security built in rather than bolted on.
By owning the authentication and verification logic directly in the theme, the site gains long-term resilience against plugin abandonment, licensing changes, and compatibility issues.
