Melapress Login Security Release notes

On this page, you’ll find a highlight of what is new and improved with every update release of the Melapress Login Security plugin. Entries are listed in chronological order, starting from the most recent at the top. For a complete and detailed list of all changes, including bug fixes, please refer to the Melapress Login Security change log.

Update 1.3.1

Date: 30th May 2024

While this release represents a relatively minor version update, it still includes a number of new features and improvements.

Password expiry notification for users

You can now configure the plugin to alert users whenever their password is set to expire. The notice period is fully configurable for maximum flexibility.

Users are notified once they log in that their password is about to expire.

Site administrators can now add a notification bar at the bottom of the login page and add any message they want. The bar can also be added to custom login pages with a shortcode. This feature is required by websites that need to advise users that their IP address is recorded, such as those that need to be GDPR or PCI DSS compliant.

With Melapress Login Security you can add a GDPR consent notice to the WordPress login page. The message can be modified.

Other improvements

In this update, we have also:

  • Consolidated the Locked User and Import/Export users under a new User Management section
  • Added more links to the plugin’s documentation and updated some of the help text
  • Enhanced the plugin’s notification system for efficiency

Update 1.3.0

Date: 30th April 2024

Limit failed login attempts available in the Free edition

The Limit failed login attempts, a feature that allows you to disable user logins when there are too many failed login attempts, has now been made available in the free edition of the plugin. This feature addition makes the Free edition of the plugin a more complete WordPress login and passwor security solution

What’s new?

In this update we have also included a good number of new features. Here is an overview:

Geo-blocking for the login page

With the Geo-blocking feature you can limit the traffic to the login page to a number of specific countries. You can also use the Geo-blocking feature to block traffic to the login page originating from specific countries.

Limit user’s logins to specific IPaddress(es)

Since this update you can now specify the number of different IP addresses every individual user can log in from. For example; you can configure the plugin to allow a user to log in from two different IP addresses. So the first time the user logs in from two different IP addresses, the plugin keeps a record of those IP addresses and limits the user’s logins to those IP addresses. This feature helps website administrators limit credentials sharing. Also, website admins can always reset the list of IP addresses, or edit the list.

Added more bulk options in the “Reset all passwords” feature

A number of new settings have been added to the “reset all users’ passwords” feature to allowvwebsite admins to reset the password of all users with a specific user role, reset the password of a number of users in a list, or reset the password of a list of users imported via a CSV file.

Other updates & improvements

In this update we have also:

  1. Added the new reports that allow you to see the last time users were active on the website, their passwords’ age, and a list of users with expired passwords.
  2. Improved the plugin’s code and loading up mechanism for improved performance.
  3. Made several minor UI and UX improvements.

Update 1.2.2

Date: 29th February 2024

Update 1.2.2 is a maintenance update which includes a number of bug fixes and “under the hood” updates, in preparation for the upcoming big updates.

Update 1.2.1

Date: 1st February 2024

Update 1.2.1 is a maintenance release featuring updated artwork, an updated Freemius SDK, and support for the new plans that are going to be introduced later on this year.

Update 1.2.0

Date: 3rd October 2023

What’s new?

Users’ login time restrictions

With this update, we are introducing a new security feature that allows you to restrict when users can log in to the website. This feature is convenient because you can lock down your website when everyone is out of the office. For example, if no one typically logs in to the website overnight, between 6 PM and 8 AM, and during the weekends, you can enable this feature so no user can log in during such hours, thus reducing your website’s possible attack surfaces. Policies can be enabled for all users or by role, giving you complete flexibility and control over their implementation.

Use the Timed login policies in the Melapress Login Security plugin to restrict the times when users can log in to your WordPress website to reduce the potential attack surface of your website.

Option to disable plugin’s emails

The plugin sends emails to users to notify them of changes to their accounts, for example, when their account is unlocked, when their password has expired, etc. In this update, we included a setting that allows you to disable (and enable again if need be) specific emails in case you do not want the plugin to send out these emails.

All the plugin’s emails can be edited and disabled/enabled from the Email Templates tab on the plugin’s Settings page.

Plugin’s settings exporter & importer

In this update, we have also added a feature to import and export plugin settings. This handy feature allows you to keep a backup of the plugin’s settings and easily copy the settings from one plugin install to another by exporting them from the source website and then importing the settings on the destination website.

To export and import the plugin settings, navigate to the Settings Import/Export tab in the plugin’s Settings page.

What’s improved?

This update includes quite a lot of user experience improvements. Here is an overview:

Improved support for WooCommerce: You can now add the login and password policies to the WooCommerce registration form with a mouse click.

Better out-of-the-box support for third parties: We improved the user-facing error messages and the support for post-login redirects for WooCommerce, Memberpress, and Ultimate Member plugins.

Update 1.1.0

This latest update adds new configuration options as well as several improvements and bug fixes.

What’s new?

Change the WordPress login page URL

Melapress Login Security version 1.1.0 includes a new feature that allows you to change the URL of the WordPress login page. You can also set a redirect slug to protect the default wp-login.php login page.

Another new feature that makes an appearance in this release is out-of-the-box support for MemberPress, including the registration and user password update forms.

What’s improved?

Version 1.1.0 adds pagination for the locked users list, making for better performance. Speaking of performance, websites with a large number of users will notice faster activations due to user meta no longer being applied on plugin activation. Plugin files now use autoloading for optimized loading.

Other improvements available in this version include:

  • Compatibility with WooCommerce HPOC (formerly COT)
  • Removal of obsolete NPM code
  • Text improvements

And much more.

Update 1.0.0

This update marks the transition from WPassword to Melapress Login Security.

Melapress Login Security – What’s new?

When we first released WPassword, we focused the plugin on WordPress password security (almost) exclusively. As the plugin matured and customers gave us their feedback, we added new features that went beyond passwords. While this drastically increased the value that the plugin offers to users, it also increased its scope. To this end, we are changing the name to reflect the value that the plugin brings to WordPress administrators and website owners who value security.

What can Melapress Login Security do for you?

Aside from implementing strong password policies, Melapress Login Security also allows you to:

And much more! The plugin also offers out-of-the-box one-click integration with several third-party plugins, including WooCommerce, LearnDash, Ultimate Member, and others.

Melapress Login Security free version

Previously, WPassword was only available as a premium plugin. Developing a plugin from the ground up requires a lot of work, and we had to ensure that the plugin could be sustainable. We are very proud of the reception the plugin has received, and this has allowed us to release the free edition of Melapress Login Security.

This free version of the plugin includes all of the basic functionality you need to ensure your WordPress login process is more secure. If you’re new to Melapress Login Security download it now for a more secure WordPress login.

New Pricing

Melapress Login Security Premium comes in three different plans. Each plan comes with a different feature set, allowing you to get the features you need without overspending on features you do not need.

  • Pro Plan – The Pro Plan starts from $49 per year for a single-site license and includes all features available in the free version, plus editable email templates. a detailed weekly summary email, and email support.
  • Business Plan – The Business Plan starts from $59 per year for a single-site license and includes all features available in the Pro Plan, plus the Inactive Users Policy Composer and the Failed Logins Policy Composer.
  • Enterprise Plan – The Enterprise Plan starts from $69 per year for a single-site license and includes all features available in the Business Plan, plus priority support.

When purchasing a plan, you can choose the number of sites you would like to be able to install your license on, with great discounts available on higher-site licenses. It’s important to note that Multisite networks require a license that covers all sites on the network. You can find more information on the Melapress Login Security pricing page.

Update 2.6.0

This version includes several improvements and bug fixes for an even smoother user and administrative experience while maintaining a focus on WordPress password security.

Release highlight – enforce password policies during user registration

The biggest change in this release centers around password validation during the user registration process. In previous versions, you could only validate passwords based on user roles, limiting this feature to existing users. As such, administrators could not enforce password policies on registrations since, during the registration process, users are not assigned a user role yet.

In this update, password validation no longer requires a user to have an assigned user role, enabling administrators to enforce strong password policies during the user registration process.

Important improvements and bug fixes

The update also features several improvements and bug fixes, improving both functionality and user experience.

UI improvements include text and formatting improvements while parsing of list IDs and classes in the custom forms support script has been revised for better performance.

We took extra care to ensure previously reported bugs were fixed, including instances where multiple emails were being sent to users and the addition of special characters previously unavailable for use in the special characters field.

Update 2.4.1

This update includes several new features and housekeeping updates designed to improve the plugin’s functionality, usability, and performance.

Let’s dive right in to see what is new and improved in this update of our password security plugin for WordPress.

What’s new?

With update 2.4.1, we have sought to include additional security features designed to keep WordPress administrators informed and in control with the least amount of effort. With security becoming an increasingly important topic, we recognize that administrators need more robust tools to keep their websites safe, which this update provides.

Weekly summary email: Administrators can now configure the plugin to send a weekly email with a password activity summary highlighting inactivity lockouts, failed logins, and password resets.

Stop password reset requests: Anyone who knows a user’s email address can request a password reset link. This can present certain risks if the user’s email is compromised. As such, we have now included an option that allows administrators to stop password reset links from being sent. Instead, a custom message is displayed. The message is also customizable.

Configurable user role’s password policy priority: WordPress administrators rely on multiple plugins to extend the functionality of their WordPress. Many of these plugins come with their own roles, so it is normal for a user on big websites to have more than one role. This leads to possible conflicts when applying password policies. With this update, administrators can prioritize policies by role. Users with multiple roles will automatically inherit the policy with the highest priority.

configurable use roles password policy priority

Other noteworthy updates

This release also includes several other updates to improve the user experience of website administrators and users alike. These include:

  • Several UX improvements for a cleaner user interface and ease of use
  • Password policy hints and their format in the password reset forms have been standardized and improved

Update 2.4.0

This exciting release features the much anticipated new feature to block users who have failed login attempts, as well as other updates and improvements.

Let’s dive right in to see what is new and improved in this latest update of our WPassword for WordPress.

Block users with multiple failed login attempts

By default, WordPress allows users to try to log in as many times as they want. This functionality is often exploited – attackers use easily available automated tools to launch dictionary attacks and guess your website’s users’ passwords.

However, now you can prevent this by limiting the number of failed login attempts per user. For example, after 5 failed attempts, the plugin locks the user temporarily.

blocked users with multiple failed login attempts

Once a user is blocked, the login attempts for that user are not even sent to WordPress to limit the resources such attacks use as much as possible.

Locked users can be unlocked automatically after a configurable period of time, or administrators can unlock the users manually. For more detailed information and all the possible configuration options of this feature, refer to blocking user failed logins on WordPress.

Other noteworthy highlights

In this update, we have also included the following improvements:

  • Automatically generated passwords now match the policies
  • Improved the input validation in backend fields
  • Plugin now uses timestamp() instead of time(), so it is aware of the time zone configured in WordPress
  • Refactored script data and styles that were printed manually (now using the function wp_localize_script)
  • Reduced the code by deleting duplicate code and merged functionality into a central function instead
  • Improved the “User last active” check – plugin updates this more often for more accurate check for inactive users on WordPress
  • More plugin text, especially text with links, is now translatable

Update 2.3.1

The highlight of this update is improved support for other third-party plugins, such as login redirects, e-Commerce, and membership-type plugins.
Even though this update is a maintenance release, it still packs a punch. Let’s dive right in to see what’s new and improved in this update.

Improved support for third-party plugins

Many site administrators use WPassword to configure password policies on membership, subscription, and e-Commerce sites. So since the plugin is used alongside other plugins such as WooCommerce, Login & Logout Redirects, and Memberpress, one of the most important under-the-hood features this plugin must have is the ability to play well with other plugins.

That is exactly what we focused on and improved in this update; the way the plugin hooks into WordPress, so users who use these plugins can still enforce policies without any issues.

Therefore now you can require new users to change the password on the first login, even when you use a login redirect plugin or if you use custom login pages and portals.

Other noteworthy updates

In this update, we have also included the following improvements:

  • Much better integration with WordPress’ password generation module, so automatically generated passwords are generated according to the configured policies
  • Improved the password reset policy, so when a user is required to change the password yet fails to reset the password within 24 hours, the user is still requested to reset it.

In this update, we also have a breaking change. Earlier this year, we added a new setting that site admins could use to stop WordPress from automatically generating passwords. However, since now the automatically generated passwords meet the configured policies, this feature is no longer required.

Update 2.3.0

This is an exciting release featuring the all-new inactive WordPress users check. In it we also included a good number of other password policy improvements and performance updates.
Let’s dive right in to see what is new and improved in this latest update of our WPassword.

Checks for inactive WordPress users

Inactive and forgotten website users are very often targeted by malicious hackers. They are an easy target that can be used to break into a website. Attackers find them ideal because no one is monitoring them, and more often than not, they have easy passwords.

Hence why we are introducing the Inactive users check in WPassword. Once you install the plugin, it will check your WordPress website for inactive users. Inactive users are locked and can only be unlocked by the WordPress site administrator.

Checks for inactive WordPress users

As an additional security precaution, once unlocked, users are also required to reset their passwords before they log in again to the WordPress website. Read more about this feature and how to configure it in Inactive users check for WordPress.

Password strength check when creating a new user

The password policies now also apply when a WordPress site administrator is creating a new WordPress user.

When creating a new user, the plugin displays a generic tip on password strength. However, once you select the role and try creating the user, the plugin checks the password strength. It basically checks that the password matches the policies that apply to that role.

password strength check when creating a new user

If the password does not match the policies, you will be alerted about it. The plugin will also display the policies the password has to meet for the user to be created on the website.

Require users to change password on next login

Another commonly requested feature was to have the ability to require individual users to change their password the next time they log in to the website.

In this update, we have also added this feature. All you have to do is simply enable the below-highlighted setting on their user profile page. The next time the user tries to log in, they will be prompted to reset their password.

require users to change password on next login

Major performance & scalability improvement

With this new update, the plugin’s responsiveness is the same regardless if it is running on a site with 10 or 50,000 users! We have incorporated a new module that processes these types of tasks in the background.

Therefore when for example, you want to reset the password of 50,000 users, you do not have to wait for the plugin to complete the task. Also, there won’t be any timeout issues. It only takes a second to send the instructions to the new module. While the module processes the request, you can continue with your work.

Other plugin improvements

In this update, we have also added the following:

  • A new setting to stop WordPress from automatically generating passwords
  • Inactive users’ sessions are automatically terminated,
  • We have standardized all of the plugin’s settings prefixes. This is an important code improvement that makes troubleshooting and future development easier,

Update 2.2.0

The highlights of this update include out-of-the-box support for custom login pages and the plugin translations.

We have also included a number of updates and fixed a number of issues in this update. These release notes highlight what is new, improved, and fixed in this exciting update of our password security plugin for WordPress.

Out-of-the-box support for custom login pages

Up until this update, site administrators had to add a code snippet to the custom login page template there were using. Otherwise, users were not told when their password expired.

However, this is no longer required.

In this update, we have included a listener so the WordPress password policies can be applied on custom login pages without requiring the site administrator to add any code.

out of the box support for custom login pages

We have tested this feature extensively, and it works on popular plugins such as WooCommerce and Ultimate Member. However, if you use a custom login page and the policies are not being enforced through it, get in touch with us so we can work on supporting it.

Enforce policies on custom password reset pages

When you use WooCommerce or a membership theme/plugin, you also have a custom user profile and custom password reset page. In this update, we developed a hook that you can use to add the password policy checks to the custom pages from which users can reset their passwords.

All you need to do is add a few lines of code to your website plugin or functions.php file, as explained in enforcing password policies on custom WordPress password reset pages.

Plugin is fully translatable

Up until this update, some of the interface strings were missing from the translations file (POT file). Also, in some edge cases, the plugin was not loading the translation files, even when available.

In this version update, we focused on translations as well. So now the plugin is fully translatable. Also, when available, the plugin loads the translation files correctly.

Do you have translation files for the plugin?

If you have translated the plugin, please send us the translation files so we make them available to others. We will add them to the plugin so they are readily available for other users upon installation.

Improved the inheritance of password policies

With WPassword, you can configure different password policies for different WordPress user roles. However, in some edge cases, the configured role-specific policies were not overriding the generic password policies.

In this update, we have reviewed the code responsible for policies and addressed all the known edge cases. We have also implemented additional precautions, ensuring the inheritance of policies works even with custom WordPress user roles.

Other noteworthy updates and fixes

In this update we have also:

  • Fixed the uninstaller to completely remove the plugin data from the database upon uninstall.
  • Fixed an issue in which the plugin was showing incorrect password messages to users during login.

Update 2.1.0

In this plugin update, we added a new policy to disable dormant users, support for post-login redirect plugins, and several other improvements. This post highlights all that is new and improved in the latest version of WPassword.

The dormant WordPress users policy

The dormant users policy is an additional layer of security on top of the password expiry policy. Users are marked as dormant when their password expires, and they do not change it within 30 days.

The dormant WordPress users policy

Dormant users are basically locked user accounts; therefore, they cannot log in to the website. Very often, neglected user accounts become an easy point of entry on websites for malicious hackers, hence why it is safest to lock them. The site administrator has to unlock them for them to be able to log in back to the website.

Read the dormant WordPress users policy documentation for more details on how this policy works and how it can be enabled.

Support for post-login redirect plugins

By default, WordPress redirects users to the dashboard when they log in. However, you can redirect users to another page upon logging in with a third-party plugin.

In this update, we have included support for these third-party plugins. Therefore now you can redirect your users to a page of your choice and yet still enforce a strong password policy with WPassword.

Other highlights in this plugin update

In this update, we have also included other updates worth mentioning:

  • The Reset All Passwords function now resets all passwords and terminates all sessions instantly
  • Added a new setting allowing administrators to disallow the use of specific special characters in passwords (ideal for WordPress websites integrated with legacy software)
  • A new setting to exclude users from the dormant users policy

Update 2.0.0

Today we are announcing WPassword 2.0! We are very excited about this release. Finally, WordPress multisite network administrators can also enforce strong password policies.
In this update, we have also added the new first-time login password change policy. In addition to these new features, we have added several other plugin improvements, as we highlight in these release notes.

WordPress multisite network support

Typically, multisite networks have many users. In most cases, the network’s administrators do not even know who owns the users and how security conscious they are. So the need to enforce strong WordPress password policies is even more critical on multisite networks.
WPassword works as a network tool when installed on a multisite. Super administrators can:

and everything else that can be done on a single WordPress website

New policy to change password on first-time login

When new users are registered or created on a WordPress website, the chances are that they will use a weak password. There is nothing that incentives them to use a strong password. Even worse, most eCommerce and membership plugins sent the users’ password over email in clear text. For example, this happens when WooCommerce automatically creates a new customer user on your eCommerce website.

new policy to change password on first-time login

As a security best practice to counter the use of weak passwords, you can configure a policy with the WPassword to enforce users to reset their password the first time they log in, and their password has to meet the policy requirements.

Update 1.4.0

Today we are announcing update 1.4 of the plugin. With this update, we are allowing users to trial the plugin before they buy it, which we believe is very important when selling a premium-only plugin.

This post tells you about all that is new with the updated WPassword 1.4.

Premium plugin now available directly from our website

Until this release, we were selling the plugin through Envato. While Envato was good to start with, it has a lot of limitations: users could not trial the plugin before buying it, and we could not run special offer campaigns whenever we wanted. So with this change, we now have:

Free trials of WPassword

You can get a 7-day free trial of WPassword from our website. No strings attached, no payments, no BS!

premium plugin now available directly from our website

New advantageous pricing

We can now have more advantageous pricing for all our users. Envato add fees of up to $25 on top of our price in some cases. This meant many users were buying the plugin without support because the overall cost was too high. We didn’t like that.

Since we are selling the plugin directly, there are no hidden fees. The price you see on our website is the price you pay. Also included in the price are unlimited updates and premium support. Prices start from as low as $5.99, up to only $149.99 for the unlimited sites license.

Check out the plugin pricing page for more information.

Reset all WordPress users password feature improved

When using WPassword, you can also reset the passwords of all the users on your WordPress website. It only takes a mouse click!

Previously this functionality was only available when the policies were enabled. However, now the function is totally independent: regardless of the state of the policies, you can reset all the users’ passwords.

Other plugin improvements and bug fixes

In this update, we included other plugin improvements and bug fixes.

Update 1.2.0

The highlight of this update is a new hook that allows theme developers to include password policies in custom pages. In this update, we have also included a few minor improvements and enhancements.

Support for custom WordPress login & user profile pages
When users change or reset their passwords, the plugin shows them the requirements their passwords have to meet. Users cannot change their password if it does not meet the requirements.

other improvements and bug fixes

Password strength requirements highlighted in password reset page

This works out of the box when using the standard WordPress login, password reset, and user profile pages. However, on custom user profile, password reset, and login pages, the policies and checks do not work. And typically, the users who have custom pages are those who need this the most. These pages are typically found on eCommerce sites with WooCommerce and similar software.

In this update, we introduced the hook ppm_enable_custom_form. WordPress theme developers can use this hook to include the password policies checks in any custom login and password reset pages, including WooCommerce’s user profile pages.

How does the plugin hook work?

The way this works is very simple: call the plugin’s hook on the custom page, and the plugin checks the users’ password and shows the password requirements.

how does the plugin hook work?

Strong password requirements show on custom WordPress user registration & profile page

The hook’s code is available in the WPassword plugin user guide. You can add it to the custom page or in the functions.php file. Refer to the guide to strong WordPress passwords to get a better understanding of which policies are the most effective.

Update 1.1.0

We released the first version of WPassword around three months ago. Since its released we received some valuable feedback and the plugin has been featured on some of the leading WordPress sites, such as Torque Magazine.

We’ve listened to all the good feedback and today we are happy to announce an update for WPassword. This post highlights the new feature and what is new and improved in version 1.1 of our plugin.

Different Password Policies for Different User Roles

With this update you can configure different password policies for different WordPress user roles. This feature is very useful if you have a subscription or a WooCommerce WordPress site and you want to ensure your shop managers and editors use strong passwords but do not want to hassle your customers and subscribers.

different password policies for different user role

Configure different password policies for different WordPress user roles

In this new version, you also have the option to disable password policies for a particular user role as well.

Support for Updates

In the first version of the plugin, we did not have support for updates. So when upgrading to this version (from 1 to 1.1), you will have to reconfigure the password policies. However, in this version, we did implement support, so whenever you will be updating the plugin version in the future, all the settings and password policies will be retained.

New Interface and Settings

The plugin’s settings have all been moved to a new Settings tab. From here, you can exclude a user from the password policies, configure email and database settings, and more.

new interface and settings

Settings for the WordPress password policy plugin

Take the Melapress Security Survey 2024

Share your perspective
and WIN