Getting Started with Melapress Login Security
Melapress Login Security enables you to set up policies to secure your WordPress login processes. To this end, Melapress Login Security allows you to set up the following policies:
- Password policies
- User account and session policies
- User login policies
In this guide, we will go through the process of getting started with Melapress Login Security.
Do note that login page hardening settings are covered separately.
Step 1: Install and activate the plugin
Once you’ve purchased the plugin, you will receive an email with your license key and instructions on how to download the plugin file. If you cannot find the email, kindly check your Spam folder.
Alternatively, you can also log in to your My Account page, from where you’ll find downloads, license keys, and invoices, among other things.
You can follow our WordPress plugin installation guide for step-by-step instructions on how to install any of our plugins.
To get started with the free version of Melapress Login Security, download the plugin from the WordPress repository.
First, log in to your WordPress site, and navigate to Plugins > Add New Plugin. Click the Add New Plugin button and then search for Melapress Login Security in the Search Plugins search box. Next, click Install Now and once installed, activate the plugin.
Step 2: Test the email system
Melapress Login Security sends emails on various occasions, including password expiry notifications and password reset links. Therefore, it is important to confirm that your WordPress site is able to send and deliver emails.
We have included a test email function that quickly and easily allows you to test email deliverability.
Navigate to Login Security > Settings and then scroll down to Email Test. Click on Send Test Email and ensure you receive it before proceeding. The email will be sent to the email address configured in your WordPress user profile.
Step 3: Enable Login Security Policies
Now that you’ve confirmed emails can be sent and received by their intended recipient, it is time to start configuring login policies.
Navigate to Login Security > Login Security Policies and enable the Enable login security policies option.
Step 4: Plan your policies
Once you enable policies, you will notice two tabs titled Site-wide policies and Role-based policies.
Any policies configured in the Site-wide policies tab apply to all site users. The Role-based policies tab, on the other hand, allows you to configure role-specific policies.
To configure a policy for a specific role, first choose the role you want to configure the policy for by clicking on the arrow next to Role-based policies. You can then choose whether you want to explicitly exclude the role from policies or inherit security policies from the Site-wide policies. Disable both options if you would like to set up user role-specific policies.
Step 5: Configure policies
The policy configuration page is divided into sections as follows:
- The first section is called Password policies. Here, you’ll find all of the configuration options available to set up password policies.
- The second section is called User account & session policies. Here, you’ll find all of the configuration options to set up inactive user policies, session policies, unrecognized devices policies, and security questions.
- The third and last section is called User login policies, which allows you to set various login restrictions.
Password Policies
What is a password policy?
A password policy represents a set of requirements that users must meet when setting their password. As the administrator of your WordPress website, you set these requirements through a policy.
First, check the Activate password policies checkbox, and then configure the policy as follows:
- Passwords must be minimum characters – Enter the minimum number of characters a password must have to be valid
- Password must contain at least one uppercase and one lowercase character – Enable this option to make sure passwords include at least one uppercase and one lowercase character to be valid
- Password must contain at least one numeric character – Enable this option to make sure passwords include a minimum of one number character (1-9)
- Password must contain at least one special character – Enable this option to make sure passwords contain at least one special character
- Do not allow these special characters in passwords: Enter any characters you would like to prohibit from being used in passwords
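To try candidate passwords against a planned configuration before rolling it out, the options above can be modelled as below. This is an added example, not the plugin's code; the class and method names are hypothetical, and treating "special character" as ASCII punctuation and digits as 0-9 are assumptions.

```python
import string
from dataclasses import dataclass

# Assumption: "special character" means ASCII punctuation; the plugin's own set may differ.
SPECIAL = string.punctuation


@dataclass
class PasswordPolicy:
    min_length: int = 12             # "Passwords must be minimum ... characters"
    require_mixed_case: bool = True  # one uppercase and one lowercase character
    require_digit: bool = True       # one numeric character (this sketch counts 0-9)
    require_special: bool = True     # one special character
    disallowed_chars: str = ""       # "Do not allow these special characters"

    def allowed_special(self):
        return set(SPECIAL) - set(self.disallowed_chars)

    def is_unsatisfiable(self):
        # Misconfiguration: a special character is required but all are prohibited.
        return self.require_special and not self.allowed_special()

    def violations(self, password):
        """Return every rule the password breaks; an empty list means it passes."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_mixed_case and not (
            any(c.isupper() for c in password) and any(c.islower() for c in password)
        ):
            problems.append("needs an uppercase and a lowercase character")
        if self.require_digit and not any(c in string.digits for c in password):
            problems.append("needs a numeric character")
        if self.require_special and not (set(password) & self.allowed_special()):
            problems.append("needs a special character")
        banned = sorted(set(password) & set(self.disallowed_chars))
        if banned:
            problems.append("contains disallowed characters: " + "".join(banned))
        return problems


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=10, disallowed_chars="<>")
    for candidate in ("short", "Longenough1<x", "Tr1cky-Pass"):  # constructed samples
        print(repr(candidate), policy.violations(candidate) or "OK")
```
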
Password Expiration Policy
Use this setting to ensure users set new passwords frequently. To set a password expiration policy, first, check the Activate password expiration policies checkbox.
Next, choose the magnitude from the drop-down menu and then enter the desired value.
When you configure the password expiration policy, you can also configure the plugin to notify users when their passwords are about to expire.
Disallow old passwords on reset
Use this setting to ensure users do not use old passwords following a password reset. Check the Activate password recycle policies checkbox and then enter the number of previous passwords that a user is not allowed to use.
Reset password on first login
Check the Reset password on first login checkbox to enable this option and force users to reset their password on their first login.
Disable sending of password reset links
Check the Do not send password reset links checkbox to enable this option and stop WordPress from sending password reset links. Users will need to contact the administrator for a manual reset should they forget their password.
User account and session policies
In this section, you can configure policies for user accounts and sessions.
Enable Inactive users policy
Check the Activate Inactive Users policies checkbox to enable this option and automatically manage inactive user accounts.
Next, choose the period of inactivity required before an account is considered inactive and disabled. Choose the magnitude from the drop-down menu and enter a value in the text field.
You can also require inactive users to reset their password when they are unlocked. This policy is enabled by default. You can disable it by unticking the checkbox next to Require inactive users to reset password on unlock.
Lastly, you can choose to block password reset requests from users with locked accounts due to inactivity. Tick the checkbox next to Block Password reset requests from deactivated users (see locked users list) to activate this setting.
Activate the session policies
Session policies allow you to manage how long WordPress session cookies are valid for. Tick the checkbox next to Activate session policies to enable the policy.
By default, WordPress session cookies are valid for 2 days. You can change this setting by choosing the magnitude from the drop-down menu and entering a value in the text field next to Set the standard session cookie expiration time.
You can also change how long WordPress remembers users by choosing the magnitude from the drop-down menu and entering a value in the text field next to Set the “Remember me” session cookie expiration time.
Unrecognized devices policy
The Unrecognized devices policy keeps a record of users’ devices and alerts you whenever they log in with an unrecognized device. To enable this option, tick the checkbox next to Activate user unrecognized devices policy.
To receive an email whenever a user logs in with an unrecognized device, tick the checkbox next to Send an email to the site’s admin in the event of a terminated session. The email will be sent to the email address associated with the site’s admin user.
Security questions
Security questions in WordPress add an authentication layer whenever the user wants to perform a specific task. This ensures that the user is who they say they are. Available actions include resetting the password and enabling a deactivated account. To enable this policy, tick the checkbox next to Activate Security questions.
Next, choose when you would like users to answer security questions. Available options are:
- When requesting a password reset: Tick the checkbox next to Require security question to initiate a password reset
- When enabling a locked account: Tick the checkbox next to Require security question to enable a disabled account
Next, choose how many questions and answers each user for whom the policy applies must have saved. Users then have to answer one security question from the list of saved questions and answers.
Enter the minimum number of answers you require users to have in the Users must have at least pre-saved questions and answers field.
Lastly, you can add additional questions by clicking on the Add question button and typing in your question. To disable any of the preconfigured questions, click on the Disable option next to the question you want to remove.
User login policies
Restrict username/email address login
You can restrict which credentials users use to log in. By default, WordPress allows users to log in using either their email address or their username. Using this policy, you can choose to let users log in with either or just one of the options.
- To allow users to log in with either option, tick the radio button next to Users can log in with either their username or email address
- To only allow users to log in with their email address, tick the radio button next to Users can log in with their email address only
- To only allow users to log in with their username, tick the radio button next to Users can log in with their username only
Restrict user login times
You can restrict user login times to limit when WordPress users can log in to your website. With this setting, you can configure which days of the week users are allowed to log in, and during which times.
- First, tick the checkbox next to Activate restricted user login times
- Next, untick the days of the week during which users are not allowed to log in
- Lastly, specify the times during which users can log in
Limit the IP addresses users can log in from
The IP address restrictions policy enables you to limit the IP addresses WordPress users can log in from. Here you can set the number of different IPs users can log in from.
- Tick the checkbox next to Activate IP addresses restrictions
- Enter the number of different IP addresses a user can log in from in the Allow users to log in from different IP addresses
To customize the notification users see if they try to log in from an IP that is not on the list, navigate to Settings > User notification templates and modify the template User attempts login from a restricted location.
Failed login policies
Failed login policies enable you to limit login attempts by automatically locking accounts after a preset number of failed attempts. To enable this policy, first tick the checkbox next to Activate failed login policies and then configure the below:
- Number of failed login attempts before the User account is locked: Enter the number of attempts a user is allowed to try to log in to the website, before being locked out.
- Time required to reset the failed login count to 0: How long the plugin keeps a record of failed login attempts, in minutes.
When a user is locked:
- It can only be unlocked by the administrator: Choose this option to manually unlock locked accounts.
- Unlock it after minutes: Choose this option to automatically unlock user accounts. Enter the number of minutes that must pass before the account is automatically unlocked.
- Require blocked users to reset password to unblock: Tick this option to require unblocked users to reset their password on their next login.
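To see how the attempt limit, the reset time and the unlock time interact before choosing values, the policy can be modelled as below. This is an added example, not the plugin's code; the names are hypothetical, times are plain minute counts, and treating the reset time as a sliding window over recorded failures is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class FailedLoginPolicy:
    max_attempts: int                 # failed attempts before the account is locked
    reset_after_min: int              # minutes a failed attempt stays on record
    unlock_after_min: object = None   # None = only the administrator can unlock
    failures: list = field(default_factory=list)
    locked_at: object = None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        # Automatic unlock once the configured number of minutes has passed.
        if self.unlock_after_min is not None and now - self.locked_at >= self.unlock_after_min:
            self.admin_unlock()
            return False
        return True

    def failed_login(self, now):
        """Record one failed attempt at minute `now`; return True if the account is locked."""
        if self.is_locked(now):
            return True
        # Forget failures older than the reset time (assumed sliding window).
        self.failures = [t for t in self.failures if now - t < self.reset_after_min]
        self.failures.append(now)
        if len(self.failures) >= self.max_attempts:
            self.locked_at = now
        return self.locked_at is not None

    def admin_unlock(self):
        self.locked_at = None
        self.failures.clear()


if __name__ == "__main__":
    # Constructed timeline: 3 attempts allowed, 10-minute record, unlock after 30 minutes.
    policy = FailedLoginPolicy(max_attempts=3, reset_after_min=10, unlock_after_min=30)
    for minute in (0, 1, 2):
        print(f"minute {minute}: locked={policy.failed_login(minute)}")
    for minute in (31, 32):
        print(f"minute {minute}: locked={policy.is_locked(minute)}")
```
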
What’s next?
Now that you’ve set up login policies, it’s time to focus on your WordPress login page hardening with Melapress Login Security for even better security.