While I do really appreciate your willingness to help out I feel these are more of a custom thing for your own site. Like I say, it’s going to be a WordPress plugin so you can use any authentication WordPress supports in the future version of MDS.
I think it’s kind of a waste of time to work on it as it is unless it’s a security patch of some sort which I don’t see this as being. I don’t really see this as a security patch but rather adding additional functionality and manipulating things in an unnecessary way with the images and so forth. It would be nice if things were organized better but I am saving that for the complete rewrite. I have mostly been trying to fix bugs and harden security since I took this project over because I have always had the plan to put it into some sort of framework and give it a complete rewrite.
I normally use a different method to protect my admin areas if I feel like its necessary. For login forms I generally just use CAPTCHA type systems with a math question and those seem to stop the spam just fine for me. I haven’t bothered adding such a thing to this script. However, if I want to block out admin access from people I normally just put an Apache authentication box on the admin area and then a firewall app scans the logs for invalid logins and blocks their IP in the firewall if they try the wrong credentials too many times. But this isn’t how everyones servers are setup and this is part of the reason why I am choosing to put it all into a system like WordPress.
I was originally going to do Joomla but I’m sick of trying to do things with Joomla only to have them change everything and have to redo it all again, not to mention making something in Joomla is very time consuming and is like coding in a new language called Joomla whereas making something in WordPress is quick and is like coding in PHP with the option of using the WordPress API.
For future reference, these should actually be separate pull requests as its very confusing to have it all lumped together, the images and the Duo stuff, plus they are separate things. However you are wasting your time trying to make pull requests if they don’t fit into the security patch category as I have previously mentioned in my last post.
Also, you shouldn’t remove the copyright/license headers in the files. That alone will get pull requests on just about any project rejected.