1.0.0 (20230302) – Plugin renamed

Release notes: Announcing MelaPress Login Security 1.0.0

New Features:

• Free edition of the plugin now available on the WordPress plugins repository.
• One-click integration with WooCommerce, LearnDash, Ultimate Member, BuddyPress and bbPress: add password policy checks to forms from these plugins with just a click.
• Editable email templates: the text of all the plugin’s emails can be edited using the WordPress editor.

Improvements & other changes:

• New plugin slug: melapress-login-security.
• New plugin menu name: MelaPress Login Security.
• WordPress’ “Generate Password” button creates a password that matches the policies.
• Added a configurable time limit users can configure to specify the time period required to reset the failed logins count in the [Failed Logins Policies]() feature.
• In the Failed Logins Policies usrs can now specify minutes instead of hours, enuring no accounts are locked for a very long time.
• Updated code to adhere to coding standards and formatting.
• Improved support for running the plugin on wesites with custom file structure (WordPress core files are no longer called directly).
• Beefed up security; added much more sanitization and validation, and escaping user input etc.
• Reviewed and improved the text and help text in the plugin.
• Improved the UI of the password suggestions in the password reset page.
• Updated the Freemius SDK to version 2.5.3.
• Consolidated the “Redirect user to password reset” code to one class.
• Reviewed and improved all the text of the email templates.
• Updated the password-strength-meter.js to avoid any potential conflicts.
• Removed quite a bit of redundant code.
• Better support for passwordless logins: plugin now completely bails out when a user is using a passwordless login.
• UX improvement: mouse pointer only changes on checkmarks/hoverable/clickable elements.
• Support for forms with multiple password placeholders; plugin adds the policy checks to both placeholders.
• Improved support for running the plugin on PHP 8.

Fixed:

• Fixed: Plugin not remembering the first used password when the Disallow Passwords policy is enabled.
• Fixed: Missing var in ppm_handle_login_based_reset.
• Disallow the use of previous passwords was not working properly on reset password page.
• Fixed: reducing the number of disallowed passwords was not purging the passwords that are no longer needed.
• Fixed an issue with the HTML in the Inactive users when the interface is translated.
• Fixed the text in the settings page: in some places HTML code was showing up.
• Fixed: fatal error when a user tries to reset a password while already logged in to the website.
• Fixed a PHP fatal error in the class PPM_Failed_Logins.

2.6.1 (20220726)

Bug fixes:

* Fixed: Locked users always requested to reset password upon unlock (even when the setting is disabled).
* Fixed: Password expired email sent multiple times.
* Fixed: Inactive users still able to log in in some cases.
* Fixed a typo in reset password email.

2.6.0 (20220517)

Release notes: Announcing the release of WPassword 2.6.0

New feature:

• Validate password during user registration on WordPress.

Improvements:

• Made some prompts’ text available for translation.
• Improved the formatting of the summary email.
• Added the new plugin logo in the plugin’s UI.
• Improved parsing of list of IDs and classes in the custom forms support script.
• Updated the text of the Help & About us page.
• Added the GNU license / updated the licensing details.

Bug fixes:

• Fixed: Plugin sending multiple “password expired” emails to users.
• Fixed: The password expired check was running even on exempted users.
• Fixed: Automatically unlocked users not removed from list of locked users.
• Fixed: Unable to use the ‘ and ” characters in the special characters field.

2.5.1 (20220225)

Security Fix

• Updated the Freemius SDK to 2.4.3 to address a security issue.

Improvement

• Updated variable order for PHP8 support.

2.5.0 (20211103)

Release notes: Password Policy Manager renamed to WPassword

Update Highlight

• Password Policy Manager has been renamed to WPassword.

Improvements

• Settings and Locked Users moved to their own pages.
• Better support for WooCommerce – plugin’s login error notices can now be displayed in WooCommerce custom login pages.
• Locked Users area now correctly uses the “lockout time” rather than the last activity time which could lead to inaccurate results.
• Ensured all strings can be translated

Bug fixes

• Fixed issue which was causing certain characters to not display in the password hints.
• Fixed regex issue which was causing JS errors if certain characters are elected to the “must not contain” setting.
• Fixed logic which caused “must contains special chars” to display an empty string.
• Fixed bug with custom user roles priority setting which was causing some of the policies to be ignored for custom user roles.
• Users who have been locked out due to failed login attempts are now self-removing from the Locked Users list upon successful login.
• Exclude characters setting will now alert correctly if an invalid setting is provided.

2.4.1 (20210906)

Release notes: PPMWP 2.4.1: Weekly email summary and other UI/UX improvements

New Features

• New shortcode to add password policy checks to custom login pages (more efficient way of adding the policies check to a page).
• Custom form filter/shortcode no longer require all 3 arguments to work.
• Weekly summary email highlighting a list of users which have been made dormant, locked due to failed logins or have reset their password during the last week.
• New option to prioritise roles in cases where users can have multiple roles.
• New policy to disable users from requesting a new password (meaning admins must send reset).
• New hook “ppmwp_apply_forced_reset_usermeta” that can be used to “force password reset on login” when creating WordPress users via a custom workflow.

Improvements

• The plugin settings, list of locked users, and help & contact pages are now available in their own admin pages.
• Policies UI is now hidden unless policies are enabled.
• The role tabs are now available via a dropdown rather than individual tabs (better UX & UI).
• Failed login policy now detects failed email-based logins.
• Standardized and improved the password reset form hints styling.
• Improved the plugin’s help-text and setting names.
• Users last activity is now updated on login or logout, to improve performance.

Bug fixes

• Double quotes were escaped when added as non-allowed special characters in plugin settings.
• “Update user” button in user profile was not reset when the reset password dialogue is closed.
• Custom password hints not reflected in non-admin facing forms.
• Dormant user now uses correct value even if translated.
• Failed login policies required error argument to always be provided.
• The notice “A user must be excluded” no longer appears when the inactive users policy is disabled.
• Network users now recieve relevant email when “Reset all passwords” is used.
• Cancelling the “set new password” box within a user’s profile page no longer leaves the “Save profile settings” button disabled.
• Password reset’s via a user’s profile page can no longer POST an empty password.

2.4.0 (20210331)

Release notes: PPMWP 2.4.0: New feature to block users with failed login attempts & other updates

New Features

• Failed logins policy – block user log in attempts after a number of failed logins.
• New filter hook to hide password strength suggestions on custom forms.

Improvements

• Automatically generated passwords now match the configured policies.
• Added more input validation in backend fields.
• Plugin now uses timestamp() instead of time() so it is aware of the time zone configured in WordPress.
• All plugin settings now use YES/NO instead of boolean values in the database (improving dev standards).
• Refactored script data and styles that were printed manually (now using the function wp_localize_script).
• Reduced code by deleting duplicate code and using central functions instead.
• Improved the “User last active” check – plugin updates this more often for more accurate functionality.
• More plugin text, especially text with links is now translatable.
• Email with password reset notification is no longer sent when user has to reset password on next login.

Bug fixes

• PHP fatal during plugin uninstall and data clean-up.
• Excluded characters were not shown in the policies in user view
• In some cases users were marked as inactive even though the inactive users check was not enabled.
• Policies for logged-in user’s role were applied when resetting the password of another user with a different role.
• WordPress “Send password reset link” button was not working when the plugin was installed.
• “Generate password” button in the password reset page was not working for users who had to change the password during login.
• Password hints in password reset page were not being updated when changing password.
• Users can bypass some policies and use easy passwords when manipulating the DOM in the user profile page.
• Number of warnings were being generated when generating the POT file.
• In some cases, unlocked inactive users were still marked as inactive users.

2.3.4 (2021-01-21)

Release notes: PPMWP 2.3.4: improved plugin interoperability & maintenance updates

Improvements

• Improved the support for post-login redirect plugins (in some setups the “reset password on first login”was not working when a post-login redirect plugin was installed).
• Moved a number of queries as background process, so users can navigate away from the plugin’s settings page while the task is still running.
• Improved a number of database queries for better performance.

Bug fixes

• In some cases users with expired password could still access the dashboard.
• The function “reset password on first login” was not working well with some redirect plugins.
• The password reset link sent to unlock users was invalid in some cases.
• Password policies were not being shown when a password reset page was refreshed.

2.3.3 (2020-12-04)

Improvement

• Added the ability to specify the submit button class/ID when enabling password policies on custom forms and pages.

Bug fix

• Headers not sent errors were being reported when resetting passwords using the WooCommerce account form.

2.3.2 (2020-11-23)

Improvement

• Updated the Freemius SDK to 2.4.1.

2.3.1 (2020-09-09)

Release notes: PPMWP 2.3.1: improved support for third party plugins

Breaking change

• Removed option to disable WordPress’ automatic password generation.

Improvements

• Better support for third party plugins – plugin works much better now with eCommerce, membership & subscription plugins.
• The password reset module will require users to change the password even if they have not reset it within 24 hours.

Bug fixes

• Password was not always automatically generated.
• Generated password did not always meet the configured password policies.
• UI was not showing the correct configured user role specific policies.
• Password was not being generated automatically when user had to reset the password on next login.
• Password policies not inherited properly when using custom roles in certain edge cases.
• Password policies not displayed properly on custom pages with WooCommerce.

2.3.0 (2020-07-15)

Release notes: PPMWP 2.3.0: inactive users & other policies and performance updates

New features

• User profile setting to require user to change the password during next login.
• The password policies shown when creating a new user are are the policies that apply for the new user’s role.
• Setting to stop WordPress from automatically generating passwords.
• Policy to require inactive users in WordPress to reset password once unlocked.

Improvements

• Applied several core and performance updates. Plugin can now be used to enforce policies on sites with more than 100,000 users  without any performance drops.
• The inactive WordPress users policy now works as a standalone policy. It is no longer dependent on the expiration policy.
• When users are marked as inactive, their existing sessions are instantly terminated.
• Standardized the plugin’s settings prefix (code improvement).

Bug fixes

• Plugin hangs when a user is automatically created by WooCommerce during checkout.
• Users are not asked to reset their password during first login when using a specific custom login form.
• Minor UI / placeholders alignment issues.
• Password not reset properly when reset via Custom password reset form in Storefront.

2.2.0 (2020-04-22)

Release notes: WPassword 2.2.0: out of the box support for custom login pages & other updates.

New features

• Out of the box support for custom login pages.
• Added documentation about the hook for custom password reset pages.

Improvements

• Updated About us page – added reference to our new two-factor authentication plugin.
• Standardized the UI and UX of the user exemption settings.
• Improved validation / checking of all policy settings.

Bug fixes

• Password policies inheritance not working properly in some edge cases.
• Plugin loading translation files correctly.
• Plugin settings & data deleted from database when relevant setting is enabled and plugin is uninstalled.
• Plugin shows incorrect message to user when their account is locked (WordPress dormant users check).

2.1.0 (2020-03-05)

Release notes: WPassword 2.1.0: dormant users policy and support for post login redirect plugins.

New features

• Dormant users policy.
• Setting to specify special characters that cannot be used in passwords.
• Support for post login redirect plugins.

Improvements

• Reset all passwords functionality now resets all passwords and terminates sessions instantly.
• Updated Freemius SDK to 2.3.2.
• Removed old / obsolete code from the plugin.
• Localized some strings that were hardcoded in js files.
• Setting to exempt users from dormant users checks.

Bug fixes

• Fixed some issues with localization and generated new POT file.

2.0.1 (2019-12-04)

Bug fix

• Fixed an edge case issue in which the reset all function was not terminating the users’ sessions.

2.0 (2019-11-06)

Release notes: WPassword 2.0: multisite networks support and first time login policy.

New Features

• Password policies for WordPress multisite networks.
• New password policy to force WordPress users to reset the password the first time they login.

Improvements

• Increased password history policy: plugin can now remember up to 100 passwords per user.
• Improved the text of the email templates used in the plugin.
• Improved the help and about pages (more links, help etc).
• Improved plugin’s error messages.

Bug Fixes

• Expired passwords can be reset with a wrong password.
• Expired passwords cannot be reset by administrator.

1.4 (2019-08-13)

Release notes: WPassword 1.4: premium trials, advantageous pricing & plugin improvements.

New Feature

• Added new SDK to allow Free 7-day plugin trials.

Improvements

• Reset all passwords functionality works also when policies are disabled.
  Improved the plugin’s text and messages (better UX).

Bug Fix

• Fixed an issue in which plugin prompts on login pages where incorrect.

1.2 (2019-06-05)

New Feature

• Support for custom login & password reset pages via a new hook in the plugin.

1.1 (2019-01-10)

New Feature

• Ability to configure different password policies for different user roles.

Improvements

• Users can now configure the maximum password length to less than 6 characters (not recommended).
• Generic plugin improvements

1.0.1 (2018-09-10)

• Added Spanish language files.

1.0.0 (2018-08-17)

• Initial Release.