AVAR Server Monitor

Changelog

1.7.0

  • Added two-factor authentication (2FA): authenticator app (TOTP — Google Authenticator, Microsoft Authenticator, Authy and others) and/or one-time codes by email, with the method chosen at login when both are enabled. Includes QR-code setup, one-time backup codes, an optional “require 2FA by role” policy, and an optional “remember this browser” option with an admin-defined duration. No external service.
  • Added an optional custom login URL: serve the login page from a secret slug and return 404 for the default wp-login.php (requires pretty permalinks; off by default).
  • Added a login CAPTCHA on the login, registration and lost-password forms: a privacy-first self-hosted math question with honeypot by default, or optional Cloudflare Turnstile / Google reCAPTCHA v2 / hCaptcha with your own keys.
  • Added a dedicated Login Security module: comprehensive brute-force protection with persistent, per-IP login attempt statistics.
  • Every login attempt is recorded (date, IP address, username, result) to a dedicated database table and classified as informational, a possible incident, or an incident.
  • Statistics dashboard: failed attempts (24h/7d), incidents, lockouts and successful sign-ins, plus top attacking IPs and top targeted usernames.
  • Escalating lockouts (each repeat lockout for the same IP lasts longer, up to 24 hours), IP allowlist and blocklist (with CIDR and wildcard support), and active-lockout management (manual block/unblock).
  • Optional email alerts when a lockout is triggered or when an administrator signs in; automatic log pruning with a configurable retention window.
  • Detects attacks on admin-like or non-existent usernames and flags them as incidents. Moved login-attempt limiting from the Security tab to the new Login Security tab.
  • Branded, mobile-friendly two-step verification screen at login, with a centered QR code on the profile setup page and a paginated login attempt log.

1.6.0

  • Added a weighted Site Health Score with Core, Server, Security, Reliability and Performance categories, severity caps, top issues, recommendations and action links.
  • Added Safe Client Health Report and improved system exports for support, diagnostics and client communication.
  • Improved the Advanced Tools safety model for sensitive actions such as diagnostic snapshots, full phpinfo(), wp-config debug switches, cron management, database cleanup, table optimization and one-click security fixes.
  • Improved Force HTTPS and HSTS flows with capability checks, nonces, HTTPS pre-flight checks, host validation and typed confirmation for HSTS includeSubDomains.
  • Improved diagnostic snapshots with private storage by default, long random archive names, self-healing directory protection, public-access checks and safer file exclusions.
  • Improved database cleanup with a preview-first workflow, risk labels, impact descriptions, batch processing, WordPress API deletion for posts/comments and typed confirmation for risky actions.
  • Improved revision cleanup with retention options and safer WooCommerce handling, including warnings for store content and explicit opt-in for order-like records.
  • Improved table optimization so it targets only the current WordPress table prefix by default, with an opt-in option for all database tables and clearer performance warnings.
  • Improved cron tools so run and unschedule actions target a single event by hook, timestamp and arguments while protecting critical hooks.
  • Improved wp-config.php edits with timestamped backups, atomic writes, permission preservation where possible and cancellation when a backup cannot be created.
  • Improved REST API restriction with an allowlist and improved login-attempt limiting with IP + username matching and trusted proxy/CDN header support.
  • Improved 404 logging, error-log handling and phpinfo access to reduce performance impact and better protect sensitive diagnostic information.
  • Improved Health Score signals for downtime, SSL expiry and not-checked states, backup exposure, debug-log size and critical score caps.
  • Improved admin navigation and UI organization across Overview, Monitoring, System, Security, Tools and Settings.
  • Improved uninstall cleanup options for plugin-created files such as diagnostic snapshots and wp-config/readme backups.
  • Fixed multiple HTML, SVG, cleanup, filesystem, directory-scan and WordPress.org readiness issues.

1.5.11

  • Added plugin screenshots and aligned screenshot captions.
  • Documentation-only update with no functional code changes.

1.5.10

  • Initial public release on WordPress.org.
  • Added WordPress health, server monitoring, uptime checks, resource history, environment details and server location overview.
  • Added security audit tools, SSL checks, cron monitoring, activity logging, 404 monitoring and email alerts.
  • Added diagnostic tools including backups/snapshots, database cleanup, table optimization, PHP diagnostics, maintenance mode and system exports.
  • Improved WordPress.org readiness, coding standards compliance, filesystem safety and external-service documentation.

Earlier internal builds

  • Internal development builds used before the first public WordPress.org release.
  • Core monitoring, security, uptime, cron, logging, diagnostics and maintenance features were developed and tested during this phase.


Author: AVAR
Version: 1.7.0
Last Updated: June 15, 2026
Active Installs: 10
Requires: WordPress 6.0
Tested Up To: WordPress 7.0
Requires PHP: 7.4
