Search for answers or browse our knowledge base.
Melapress Login Security changelog
This is the plugin’s changelog, which is mainly a detailed list of all the plugin changes and bug fixes introduced in every version update. Refer to the plugin release notes for a high level overview of what is new and improved with every plugin version update.
1.3.1 (2024-05-30)
New features
- New GDPR consent message on the login page (this is a new optional setting and the admins can also edit the message).
- New shortcode to add the GDPR consent message to any custom login page.
- Password expiry notification: users can now be notified via a notice in the dashboard prior to their password expiring.
Plugin improvements
- Added some more links to plugin’s documentation in the plugin’s help text.
- Added in-dashboard notification to advise users what is new and improved in the plugin with each update.
- Enhanced Notification System: Improved the overall infrastructure of the plugin’s notification system.
- Created a new “User Management” page and centralized the “Locked Users” and “User import/export” in this new section, for a better UX.
- Updated some settings to ensure they all use the same prefix in the database settings table.
- PHP Function Tweaks: Adjusted some PHP functions to prevent potential errors when timed login policies are active.
Bug fixes
- Fixed an edge case in which a fatal error is caused when unlocking a locked user and both the Free and Premium editions are installed.
- Security patch: fixed a low severity security issue reported by YC_Infosec.
1.3.0 (2024-04-30)
New features
- Limit failed login attempts feature now also available in the free edition.
- Geo-blocking to restrict access to the login page to specific countries only, or to block traffic from specific countries.
- User login IP restriction policy: limit every user’s login to a specific IP address or number of IP addresses to restrict account sharing.
- Reports to see when users were last active on the website, their passwords’ age and whose password is expired.
- Easily reset passwords of all users with a specific user role, a user, or a selective list of users.
- Users import feature: import users to the site via a CSV file.
Improvements
- Optimized and improved the plugin loading speed and data processing.
- Enhanced email deliverability by adjusting the “From” email address used by the plugin – now the plugin uses an email address with the same domain of the website.
- Made several UX improvements in the “Timed Login Policies” section of the plugin.
- Enhanced plugin security by reviewing input sanitization and updating all libraries used by the plugin.
- Made several minor UX/UI improvements and text updates across the plugin.
- Included support for a legacy Premium plan to prevent potential issues.
Bug fixes
- Fixed PHP warnings generated on multisite when the Summary Email was sent.
- Resolved a redirection issue when using a custom login URL.
- Resolved an error that could occur when resetting passwords for Professional plan users.
- Fixed PHP errors and warnings that might appear when logging in with an incorrect password using the Ultimate Member login form.
- Addressed a PHP error that could occur on the Ultimate Member login page when using non-existent users for login.
- Fixed plugin text overlapping on small devices and resolved several UI/UX issues across the plugin.
1.2.2 (2024-03-01)
New feature
- Added an editable message in the “User login time restrictions” section for when users try to log in during restricted times.
Plugin updates
- Removed redundant code for an improved overall speed and performance.
- Added logic check and notice for users in regards to the ‘From email address’ used by the plugin when using the “import settings” feature.
- Users can now remove default policies over WordPress forms from the ‘Forms & Placements’ plugin page.
- Tweaked how the “Run inactive check” button acts when it is manually run by the administrator (Locked Users table).
- Applied a number of UX improvements to the User login time restrictions settings area.
- Fixed a couple of broken URLs in the Free edition’s UI used for help text etc.
- Updated the plugin’s branding.
Bug fixes
- Updated a broken URL of an SVG used inside the plugin’s UI.
- Fixed a potential crash that could occur when the plugin was running on sites running on PHP 7.2.
- Fixed: user data and plugin settings was not removed upon uninstall in the Free edition, even when the setting is enabled.
- Fixed an edge case that could cause a wizard to be prompted inside the plugin dashboard, in regards to missing Email Templates content.
- Fixed: an edge case fatal error triggered when the “Remove all plugin data on uninstall” setting is enabled in the Free edition.
1.2.1 (2024-02-01)
Improvements
- Updated the plugin’s branding (was still using old logo and artwork).
- Upgraded the Freemius SDK to 2.6.2.
- Added support for the upcoming new Premium plains.
1.2.0 (2023-10-03)
New features
- User login time restrictions: restrict the time and days users can log in to the website
- Settings importer & exporter: export the plugin’s settings for backup purposes and / or to import the settings to new plugin installs.
- Setting to enable/disable individual emails the plugin sends to users to notify them about changes to their user account.
Plugin improvements
- Support for the WooCommerce user registration form: add the login and password policies with just a click.
- Failed login error messages by the plugin are now displayed correctly on Memberpress powered forms / websites.
- The plugin admin notices only appear on appropriate admin pages.
- Applied various styling and UX improvements to the admin settings and the plugin’s UI.
- Improved the integration script so now the PW Strength JS can be triggered via custom JS.
- The change the login page URL setting now available in own admin area.
- Improved user-facing error messages for both Memberpress and Ultimate Member.
- Users restricted from accessing front-end pages on Memberpress + WooCommerce pending a forced password update.
Bug fixes
- The strings ‘wp-activate’ and ‘wp-signup’ are no longer blocked in the Custom Login URL settings.
- Fixed bug in password history which would cause the initial user password to not be stored.
- Exempt users setting no longer accepts duplicate entries.
- Fixed: PHP 8.1 deprecation errors.
- Fixed: Bulk Actions not working within Inactive Users page
- Fixed: Error causing wrong email to be sent on user unblock due to failed logins.
- Fixed an error on multisite networks which could cause some policies to be ignored when logging in via a child site.
- Password hints are displayed correctly on Ultimate Member.
- Fixed potential Fatal error when password reset requests are blocked on Memberpress.
- Fixed JS to ensure PW hide/unhide buttons function as expected on Memberpress forms.
- Ensure any password(s) updates adhere to all policies on third party forms.
- Fixed JS bug on multisite networks bug which would cause an empty popup to appear when toggling ‘disable password reset’ checkbox.
Other improvement
- Updated Freemius SDK to the latest version (addressing a security issue).
1.1.1 (2023-07-05)
Improvements
- Improved contextual help text around the Login access settings page.
- Added further help text to third-party forms area.
- Renamed Failed login policies to Login limitation policies in settings.
Other improvement
- Updated Freemius SDK to the latest version (addressing a security issue).
1.0.0 (20230302) – Plugin renamed
Release notes: Announcing Melapress Login Security 1.0.0
New Features:
- Free edition of the plugin now available on the WordPress plugins repository.
- One-click integration with WooCommerce, LearnDash, Ultimate Member, BuddyPress and bbPress: add password policy checks to forms from these plugins with just a click.
- Editable email templates: the text of all the plugin\’s emails can be edited using the WordPress editor.
Improvements & other changes:
- New plugin slug: melapress-login-security.
- New plugin menu name: Melapress Login Security.
- WordPress’ “Generate Password” button creates a password that matches the policies.
- Added a configurable time limit users can configure to specify the time period required to reset the failed logins count in the [Failed Logins Policies]() feature.
- In the Failed Logins Policies usrs can now specify minutes instead of hours, enuring no accounts are locked for a very long time.
- Updated code to adhere to coding standards and formatting.
- Improved support for running the plugin on wesites with custom file structure (WordPress core files are no longer called directly).
- Beefed up security; added much more sanitization and validation, and escaping user input etc.
- Reviewed and improved the text and help text in the plugin.
- Improved the UI of the password suggestions in the password reset page.
- Updated the Freemius SDK to version 2.5.3.
- Consolidated the “Redirect user to password reset” code to one class.
- Reviewed and improved all the text of the email templates.
- Updated the password-strength-meter.js to avoid any potential conflicts.
- Removed quite a bit of redundant code.
- Better support for passwordless logins: plugin now completely bails out when a user is using a passwordless login.
- UX improvement: mouse pointer only changes on checkmarks/hoverable/clickable elements.
- Support for forms with multiple password placeholders; plugin adds the policy checks to both placeholders.
- Improved support for running the plugin on PHP 8.
Fixed:
- Fixed: Plugin not remembering the first used password when the Disallow Passwords policy is enabled.
- Fixed: Missing var in ppm_handle_login_based_reset.
- Disallow the use of previous passwords was not working properly on reset password page.
- Fixed: reducing the number of disallowed passwords was not purging the passwords that are no longer needed.
- Fixed an issue with the HTML in the Inactive users when the interface is translated.
- Fixed the text in the settings page: in some places HTML code was showing up.
- Fixed: fatal error when a user tries to reset a password while already logged in to the website.
- Fixed a PHP fatal error in the class PPM_Failed_Logins.
2.6.1 (20220726)
Bug fixes:
* Fixed: Locked users always requested to reset password upon unlock (even when the setting is disabled).
* Fixed: Password expired email sent multiple times.
* Fixed: Inactive users still able to log in in some cases.
* Fixed a typo in reset password email.
2.6.0 (20220517)
Release notes: Announcing the release of WPassword 2.6.0
New feature:
Improvements:
- Made some prompts\’ text available for translation.
- Improved the formatting of the summary email.
- Added the new plugin logo in the plugin’s UI.
- Improved parsing of list of IDs and classes in the custom forms support script.
- Updated the text of the Help & About us page.
- Added the GNU license / updated the licensing details.
Bug fixes:
- Fixed: Plugin sending multiple “password expired” emails to users.
- Fixed: The password expired check was running even on exempted users.
- Fixed: Automatically unlocked users not removed from list of locked users.
- Fixed: Unable to use the ‘ and ” characters in the special characters field.
2.5.1 (20220225)
Security Fix
- Updated the Freemius SDK to 2.4.3 to address a security issue.
Improvement
- Updated variable order for PHP8 support.
2.5.0 (20211103)
Release notes: Password Policy Manager renamed to WPassword
Update Highlight
- Password Policy Manager has been renamed to WPassword.
Improvements
- Settings and Locked Users moved to their own pages.
- Better support for WooCommerce – plugin\’s login error notices can now be displayed in WooCommerce custom login pages.
- Locked Users area now correctly uses the “lockout time” rather than the last activity time which could lead to inaccurate results.
- Ensured all strings can be translated
Bug fixes
- Fixed issue which was causing certain characters to not display in the password hints.
- Fixed regex issue which was causing JS errors if certain characters are elected to the “must not contain” setting.
- Fixed logic which caused “must contains special chars” to display an empty string.
- Fixed bug with custom user roles priority setting which was causing some of the policies to be ignored for custom user roles.
- Users who have been locked out due to failed login attempts are now self-removing from the Locked Users list upon successful login.
- Exclude characters setting will now alert correctly if an invalid setting is provided.
2.4.1 (20210906)
Release notes: PPMWP 2.4.1: Weekly email summary and other UI/UX improvements
New Features
- New shortcode to add password policy checks to custom login pages (more efficient way of adding the policies check to a page).
- Custom form filter/shortcode no longer require all 3 arguments to work.
- Weekly summary email highlighting a list of users which have been made dormant, locked due to failed logins or have reset their password during the last week.
- New option to prioritise roles in cases where users can have multiple roles.
- New policy to disable users from requesting a new password (meaning admins must send reset).
- New hook “ppmwp_apply_forced_reset_usermeta” that can be used to “force password reset on login” when creating WordPress users via a custom workflow.
Improvements
- The plugin settings, list of locked users, and help & contact pages are now available in their own admin pages.
- Policies UI is now hidden unless policies are enabled.
- The role tabs are now available via a dropdown rather than individual tabs (better UX & UI).
- Failed login policy now detects failed email-based logins.
- Standardized and improved the password reset form hints styling.
- Improved the plugin\’s help-text and setting names.
- Users last activity is now updated on login or logout, to improve performance.
Bug fixes
- Double quotes were escaped when added as non-allowed special characters in plugin settings.
- \”Update user\” button in user profile was not reset when the reset password dialogue is closed.
- Custom password hints not reflected in non-admin facing forms.
- Dormant user now uses correct value even if translated.
- Failed login policies required error argument to always be provided.
- The notice “A user must be excluded” no longer appears when the inactive users policy is disabled.
- Network users now recieve relevant email when “Reset all passwords” is used.
- Cancelling the “set new password” box within a user’s profile page no longer leaves the “Save profile settings” button disabled.
- Password reset’s via a user’s profile page can no longer POST an empty password.
2.4.0 (20210331)
Release notes: PPMWP 2.4.0: New feature to block users with failed login attempts & other updates
New Features
- Failed logins policy – block user log in attempts after a number of failed logins.
- New filter hook to hide password strength suggestions on custom forms.
Improvements
- Automatically generated passwords now match the configured policies.
- Added more input validation in backend fields.
- Plugin now uses timestamp() instead of time() so it is aware of the time zone configured in WordPress.
- All plugin settings now use YES/NO instead of boolean values in the database (improving dev standards).
- Refactored script data and styles that were printed manually (now using the function wp_localize_script).
- Reduced code by deleting duplicate code and using central functions instead.
- Improved the “User last active” check – plugin updates this more often for more accurate functionality.
- More plugin text, especially text with links is now translatable.
- Email with password reset notification is no longer sent when user has to reset password on next login.
Bug fixes
- PHP fatal during plugin uninstall and data clean-up.
- Excluded characters were not shown in the policies in user view
- In some cases users were marked as inactive even though the inactive users check was not enabled.
- Policies for logged-in user\’s role were applied when resetting the password of another user with a different role.
- WordPress “Send password reset link” button was not working when the plugin was installed.
- “Generate password” button in the password reset page was not working for users who had to change the password during login.
- Password hints in password reset page were not being updated when changing password.
- Users can bypass some policies and use easy passwords when manipulating the DOM in the user profile page.
- Number of warnings were being generated when generating the POT file.
- In some cases, unlocked inactive users were still marked as inactive users.
2.3.4 (2021-01-21)
Release notes: PPMWP 2.3.4: improved plugin interoperability & maintenance updates
Improvements
- Improved the support for post-login redirect plugins (in some setups the \”reset password on first login\”was not working when a post-login redirect plugin was installed).
- Moved a number of queries as background process, so users can navigate away from the plugin\’s settings page while the task is still running.
- Improved a number of database queries for better performance.
Bug fixes
- In some cases users with expired password could still access the dashboard.
- The function “reset password on first login” was not working well with some redirect plugins.
- The password reset link sent to unlock users was invalid in some cases.
- Password policies were not being shown when a password reset page was refreshed.
2.3.3 (2020-12-04)
Improvement
- Added the ability to specify the submit button class/ID when enabling password policies on custom forms and pages.
Bug fix
- Headers not sent errors were being reported when resetting passwords using the WooCommerce account form.
2.3.2 (2020-11-23)
Improvement
- Updated the Freemius SDK to 2.4.1.
2.3.1 (2020-09-09)
Release notes: PPMWP 2.3.1: improved support for third party plugins
Breaking change
- Removed option to disable WordPress’ automatic password generation.
Improvements
- Better support for third party plugins – plugin works much better now with eCommerce, membership & subscription plugins.
- The password reset module will require users to change the password even if they have not reset it within 24 hours.
Bug fixes
- Password was not always automatically generated.
- Generated password did not always meet the configured password policies.
- UI was not showing the correct configured user role specific policies.
- Password was not being generated automatically when user had to reset the password on next login.
- Password policies not inherited properly when using custom roles in certain edge cases.
- Password policies not displayed properly on custom pages with WooCommerce.
2.3.0 (2020-07-15)
Release notes: PPMWP 2.3.0: inactive users & other policies and performance updates
New features
- User profile setting to require user to change the password during next login.
- The password policies shown when creating a new user are are the policies that apply for the new user\’s role.
- Setting to stop WordPress from automatically generating passwords.
- Policy to require inactive users in WordPress to reset password once unlocked.
Improvements
- Applied several core and performance updates. Plugin can now be used to enforce policies on sites with more than 100,000 users without any performance drops.
- The inactive WordPress users policy now works as a standalone policy. It is no longer dependent on the expiration policy.
- When users are marked as inactive, their existing sessions are instantly terminated.
- Standardized the plugin\’s settings prefix (code improvement).
Bug fixes
- Plugin hangs when a user is automatically created by WooCommerce during checkout.
- Users are not asked to reset their password during first login when using a specific custom login form.
- Minor UI / placeholders alignment issues.
- Password not reset properly when reset via Custom password reset form in Storefront.
2.2.0 (2020-04-22)
Release notes: WPassword 2.2.0: out of the box support for custom login pages & other updates.
New features
- Out of the box support for custom login pages.
- Added documentation about the hook for custom password reset pages.
Improvements
- Updated About us page – added reference to our new two-factor authentication plugin.
- Standardized the UI and UX of the user exemption settings.
- Improved validation / checking of all policy settings.
Bug fixes
- Password policies inheritance not working properly in some edge cases.
- Plugin loading translation files correctly.
- Plugin settings & data deleted from database when relevant setting is enabled and plugin is uninstalled.
- Plugin shows incorrect message to user when their account is locked (WordPress dormant users check).
2.1.0 (2020-03-05)
Release notes: WPassword 2.1.0: dormant users policy and support for post login redirect plugins.
New features
- Dormant users policy.
- Setting to specify special characters that cannot be used in passwords.
- Support for post login redirect plugins.
Improvements
- Reset all passwords functionality now resets all passwords and terminates sessions instantly.
- Updated Freemius SDK to 2.3.2.
- Removed old / obsolete code from the plugin.
- Localized some strings that were hardcoded in js files.
- Setting to exempt users from dormant users checks.
Bug fixes
- Fixed some issues with localization and generated new POT file.
2.0.1 (2019-12-04)
Bug fix
- Fixed an edge case issue in which the reset all function was not terminating the users\’ sessions.
2.0 (2019-11-06)
Release notes: WPassword 2.0: multisite networks support and first time login policy.
New Features
- Password policies for WordPress multisite networks.
- New password policy to force WordPress users to reset the password the first time they login.
Improvements
- Increased password history policy: plugin can now remember up to 100 passwords per user.
- Improved the text of the email templates used in the plugin.
- Improved the help and about pages (more links, help etc).
- Improved plugin’s error messages.
Bug Fixes
- Expired passwords can be reset with a wrong password.
- Expired passwords cannot be reset by administrator.
1.4 (2019-08-13)
Release notes: WPassword 1.4: premium trials, advantageous pricing & plugin improvements.
New Feature
- Added new SDK to allow Free 7-day plugin trials.
Improvements
- Reset all passwords functionality works also when policies are disabled.
Improved the plugin’s text and messages (better UX).
Bug Fix
- Fixed an issue in which plugin prompts on login pages where incorrect.
1.2 (2019-06-05)
New Feature
1.1 (2019-01-10)
New Feature
- Ability to configure different password policies for different user roles.
Improvements
- Users can now configure the maximum password length to less than 6 characters (not recommended).
- Generic plugin improvements
1.0.1 (2018-09-10)
- Added Spanish language files.
1.0.0 (2018-08-17)
- Initial Release.