WP Toolkit One-Time Login - Bypassing Wordfence 2FA and No Option to Select WP Admin

SaltechDesign

New Pleskian
Server operating system version
CentOS Linux 7.9.2009 (Core)
Plesk version and microupdate number
Plesk Obsidian 18.0.79 Update #2 Web Host Edition
I have a quick question and a feature suggestion regarding how WP Toolkit handles WordPress logins now:

  1. Wordfence 2FA Bypass: We've noticed that clicking "Log In" via WP Toolkit completely bypasses WordPress-level security, specifically Wordfence 2FA. Is there a native way to force WP Toolkit to respect application-level 2FA, or is this bypass expected behavior due to the server-level login injection?
  2. Switching Login Users: Because of this bypass, being able to precisely control which admin account the toolkit logs into is critical for our security auditing. However, clicking "Setup" next to the Administrator username forces us to input or generate a new password to save any changes and its not clear on whether or not this sets the default WP admin account for WP Toolkit to use for single sign on.
Proposed Solution: Could the password field in the Setup modal be made optional or there be a more obvious way to set the default WP Admin? This would allow us to easily switch the target login user from the dropdown without overwriting their existing WordPress password.

This would be a massive quality-of-life and security improvement for agencies managing multiple sites.
 
Back
Top