An update to the WP-Members Security extension has been released. This update makes some changes to the database (and upgrades the plugin's db version), which may or may not make rolling back an issue, so it is recommended that you back up your database before updating.
You are definitely going to want to upgrade to this version, as I have packed in quite a few features that I have been working on for some time.
Login Form Captcha
This version allows you to add captcha to the login form. It will use whatever captcha you have set in the core settings of WP-Members for registration captcha. Note that you do have to have captcha enabled for registration for the Security option to work for the login, but I don’t know of anyone who uses it on login but not registration, so I don’t expect this to be a problem.
The recent update to the core plugin also added hCaptcha support, so now you have 4 captcha options to use.
Expanded Failed Login Capture
The failed login logging adds some additional information in the data capture. First, the dashboard screen displays the username used (if applicable) as well as the user’s cross-referenced email (if the username was a valid username – in some cases it will not be).
It also captures the error code and message displayed to the user. So now you’ll know whether the user entered a bad username, password, or captcha, or failed at some other step in the process. This can assist in determining whether the issue is a genuine user having trouble with their username or password, or a malicious attempt.
Login Lockout
This is something I’ve been wanting to add for quite some time. It is where the failed login tracking was headed when that was first added in 1.2, and now it is functional.
This feature allows you to set some variables to lock out login attempts if a user has too many failed logins. It keys primarily on the user’s IP address, so if it’s a brute force attempt and they are changing usernames, they’ll still trigger a lockout based on their IP address.
You can manually remove the lock on a user from the dashboard table of failed logins.
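To make the two preceding sections concrete (what the expanded failed-login record captures, and how an IP-keyed lockout catches username rotation), here is an added, self-contained Python sketch. It is not the plugin's code, which is PHP inside WordPress; the class names, thresholds, user table and login events are all constructed for this example. The only real identifiers are the WordPress `WP_Error` codes `invalid_username` and `incorrect_password`; the error message strings are made up.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FailedLogin:
    ts: int                   # unix seconds
    ip: str
    username: str
    email: Optional[str]      # cross-referenced email, None if the username is not a real user
    error_code: str           # WordPress WP_Error code, e.g. "invalid_username"
    error_message: str        # message shown to the user (constructed text here)


# Constructed user table standing in for the WordPress users table.
KNOWN_USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}


def record_failure(ts: int, ip: str, username: str, error_code: str, error_message: str) -> FailedLogin:
    """Build the record the dashboard shows: the username tried plus its email if it resolves."""
    return FailedLogin(ts, ip, username, KNOWN_USERS.get(username), error_code, error_message)


class IpLockout:
    """Lock an IP after `threshold` failures within `window` seconds, for `lock_for` seconds.

    Keyed on IP, not username, so rotating usernames from one address still trips the lock.
    """

    def __init__(self, threshold: int = 5, window: int = 600, lock_for: int = 900):
        self.threshold = threshold
        self.window = window
        self.lock_for = lock_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> unix time the lock expires

    def is_locked(self, ip: str, now: int) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lock expired: forget it
            del self.locked_until[ip]
            return False
        return True

    def register(self, ev: FailedLogin) -> bool:
        """Record a failure; return True if this one triggers a lock on ev.ip."""
        recent = self.failures[ev.ip]
        recent.append(ev.ts)
        while recent and recent[0] <= ev.ts - self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked_until[ev.ip] = ev.ts + self.lock_for
            recent.clear()
            return True
        return False

    def unlock(self, ip: str) -> None:
        """Manual lock removal, the equivalent of clearing it from the dashboard table."""
        self.locked_until.pop(ip, None)
        self.failures.pop(ip, None)


def summarize(events) -> dict:
    """Per-IP summary to separate a user who mistyped from an address cycling through usernames.

    The 'verdict' rule is a simple heuristic of this example, not the plugin's logic.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "usernames": set(), "unknown": 0})
    for ev in events:
        s = per_ip[ev.ip]
        s["attempts"] += 1
        s["usernames"].add(ev.username)
        if ev.error_code == "invalid_username":
            s["unknown"] += 1
    out = {}
    for ip, s in per_ip.items():
        many_names = len(s["usernames"]) >= 3
        mostly_unknown = s["unknown"] * 2 > s["attempts"]
        out[ip] = {
            "attempts": s["attempts"],
            "distinct_usernames": len(s["usernames"]),
            "unknown_usernames": s["unknown"],
            "verdict": "suspicious" if (many_names or mostly_unknown) else "probably a real user",
        }
    return out


# Constructed sample: one address walking through usernames, one real user mistyping twice.
SAMPLE_EVENTS = [
    record_failure(0,  "203.0.113.9",  "admin", "invalid_username",   "Unknown username."),
    record_failure(5,  "203.0.113.9",  "root",  "invalid_username",   "Unknown username."),
    record_failure(10, "203.0.113.9",  "test",  "invalid_username",   "Unknown username."),
    record_failure(15, "203.0.113.9",  "alice", "incorrect_password", "Incorrect password."),
    record_failure(20, "203.0.113.9",  "bob",   "incorrect_password", "Incorrect password."),
    record_failure(30, "198.51.100.4", "alice", "incorrect_password", "Incorrect password."),
    record_failure(60, "198.51.100.4", "alice", "incorrect_password", "Incorrect password."),
]


def run_sample(threshold: int = 5):
    """Feed the sample through the lockout; return (lock events, lock state at t=61, summary)."""
    lock = IpLockout(threshold=threshold)
    lock_events = [(ev.ts, ev.ip) for ev in SAMPLE_EVENTS if lock.register(ev)]
    states = {ip: lock.is_locked(ip, 61) for ip in ("203.0.113.9", "198.51.100.4")}
    return lock_events, states, summarize(SAMPLE_EVENTS)


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

Running it locks 203.0.113.9 on its fifth failure even though every attempt used a different username, while 198.51.100.4 (one real user, same username, wrong password) stays unlocked and is summarised as probably genuine. One caveat worth keeping in mind with any IP-keyed lockout: if the site sits behind a reverse proxy or CDN and the application sees the proxy's address rather than the visitor's, every visitor shares one IP and a single noisy client can lock everyone out, so make sure the real client address is what gets recorded.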
New Email Shortcode for Failed Login Notification
If you’re upgrading, note that the plugin will not overwrite your existing admin notification for failed logins. But there are some new shortcodes (installed automatically in the default example for new installs). If you’re upgrading and want this info in your notification email, you can add the following:
- [timestamp]
- [error_code]
- [error_message]
Expanded Concurrent Login Prevention
Previously, there was only one setting for preventing concurrent logins. If a user logged in at a new location, the previous session was nullified and logged out.
This update allows you to choose between that and simply disallowing the new session from logging in. Note that I recommend caution with this setting. If you have legitimate users who might log in at one location (e.g. work) and then later log in at a different location (such as home), they may be disallowed from doing so. However, this setting was added by request for users who do want it that way. You can choose which works best for your particular situation.
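The difference between the two concurrent-login settings, and the work-then-home case the caution above is about, as an added example in Python. This is an illustration written for this post, not the plugin's own session handling; the policy names, session tokens and location labels are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class ConcurrentPolicy(Enum):
    LOGOUT_PREVIOUS = "logout_previous"   # original behaviour: the new login wins
    DENY_NEW = "deny_new"                 # new option: the existing session wins


@dataclass
class Session:
    token: str
    location: str   # constructed label such as "work" or "home"


class SessionManager:
    """Allows at most one active session per user, resolved according to `policy`."""

    def __init__(self, policy: ConcurrentPolicy):
        self.policy = policy
        self.active = {}    # username -> Session
        self._counter = 0

    def login(self, username: str, location: str):
        """Return (Session or None, note). None means the login was refused."""
        existing = self.active.get(username)
        if existing is not None:
            if self.policy is ConcurrentPolicy.DENY_NEW:
                return None, f"denied: already logged in from {existing.location}"
            note = f"previous session from {existing.location} logged out"
        else:
            note = "new session"
        self._counter += 1
        session = Session(f"tok{self._counter}", location)
        self.active[username] = session      # replaces (nullifies) any previous session
        return session, note

    def is_valid(self, username: str, token: str) -> bool:
        current = self.active.get(username)
        return current is not None and current.token == token

    def logout(self, username: str) -> None:
        self.active.pop(username, None)


def work_then_home(policy: ConcurrentPolicy) -> dict:
    """Alice logs in at work, does not log out, then logs in from home."""
    mgr = SessionManager(policy)
    work, _ = mgr.login("alice", "work")
    home, note = mgr.login("alice", "home")
    return {
        "work_still_valid": mgr.is_valid("alice", work.token),
        "home_logged_in": home is not None,
        "note": note,
    }


if __name__ == "__main__":
    for policy in ConcurrentPolicy:
        print(policy.value, work_then_home(policy))
```

Under `LOGOUT_PREVIOUS` the home login succeeds and the forgotten work session is invalidated; under `DENY_NEW` the work session keeps working and the home login is refused until the user (or an administrator) ends the earlier session, which is exactly the case to weigh before turning the new option on.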
Update for WP-Members 3.3.8 Compatibility
If you use the Security option to require the existing password when changing a password AND you employ the password reset link feature added to WP-Members in version 3.3.5 and higher, you will need this update; it automatically removes the existing password field from the password change form when a reset link is being followed.
If you have an expired license and cannot upgrade, and this issue affects you, let me know and I’ll get you a workaround. I’d love for you to upgrade (and note the additional features above that I think make it worth it), but I do want you to at least be able to stay compatible with the newer versions of the core plugin.