Cache-proof by design: the OTP step now runs on wp-login.php
• The two-factor verification screen now renders and is processed on wp-login.php (?action=bcshield_otp) instead of a front-end URL. wp-login.php is excluded from full-page caching by virtually every cache by default (Cloudways Varnish, NitroPack, WP Rocket, LiteSpeed, Cloudflare APO…), so the OTP page is never served stale or cached — no per-site cache exclusions required.
• FIXED: on cached hosts the old front-end OTP URL could be served as a cached 404 (form never appeared) or a cached page with a stale CSRF nonce (entering the correct code bounced you to the home page, not logged in). Both are eliminated by moving to the never-cached login surface.
• The OTP page is now fully self-contained (inline CSS), so it always renders correctly regardless of theme or caching.
• The OTP URL is derived from wp_login_url(), so it automatically respects custom-login-URL plugins (Admin and Site Enhancements / WPS Hide Login).
• The legacy ?bcshield_action=verify_otp URL now forwards to the new surface, so in-flight logins keep working through the upgrade.
Security (unchanged protections, safer surface):
• Same CSRF nonce, random server-side session token (2.0.6), OTP attempt limits, IP lockouts, honeypot/reCAPTCHA. The pending 2FA session is still validated before the form renders; anyone else is sent to the normal login form. No open-redirect surface (redirects use wp_safe_redirect(); the OTP URL never trusts the Host header). The page sends X-Robots-Tag, X-Frame-Options: DENY and Referrer-Policy: no-referrer.
Bugfix: OTP page 404s / looks like the homepage because the session cookie was lost
• FIXED: After correct credentials, the OTP page could return the hidden-URL 404 (which on some themes looks like the homepage) because the pending-OTP session cookies didn’t survive the login redirect. Two causes, both fixed:
1. The redirect to the OTP page was built from site_url(), which on a site with an inconsistent www/non-www setup can be a different host than the one the user logged in from — the host-only cookies didn’t travel.
2. The login 302 wasn’t marked non-cacheable, so a reverse proxy / CDN (e.g. NitroPack) could strip its Set-Cookie headers while still forwarding the redirect.
• The OTP page is now reached via a same-host relative redirect, so it always stays on the login host and the cookies match.
• intercept_login() now sends no-cache headers before writing the session cookies and redirecting, so the login redirect (and its Set-Cookie) can’t be cached or stripped by an intermediary.
• The OTP redirect now uses wp_safe_redirect() (was wp_redirect()).
Security (unchanged protections):
• No open-redirect surface: the OTP destination is a path-only relative URL with no host/scheme component, the code never trusts the Host header, and it is passed through wp_safe_redirect(). Sub-directory installs are handled via the home path.
• CSRF nonce, the random server-side session-token check (2.0.6), OTP attempt limits, IP lockouts, the hidden/404-gated OTP URL, honeypot and reCAPTCHA bot protection all remain fully in force.
• For full reliability where WordPress’s own auth cookie depends on host consistency, also force a canonical-host (non-www → www) redirect for all paths including wp-login.php at the server.
Bugfix: correct OTP but never reaches the dashboard (proxy/Cloudflare logins)
• FIXED: On some sites users entered the correct OTP but were dropped on the home page instead of /wp-admin/ (and occasionally saw “Security validation failed. Please sign in again.”). This happened before the redirect introduced in 2.0.5, so the 2.0.5 fix did not resolve it.
• Root cause: the pending-OTP session token was bound to the client IP + user-agent, and the OTP record was hard-bound to the IP. When the perceived IP changed between the login request and the OTP submission — routine behind Cloudflare/reverse proxies, mobile networks, or IPv4/IPv6 dual-stack — the request was treated as a hijacked session and bounced to the home page.
• The session token is now a cryptographically random value stored server-side (no longer derived from IP/user-agent), so a shifting IP can no longer break a legitimate in-progress login.
• The OTP IP-mismatch check is now informational only (logged, not blocked) and no longer sends a per-attempt “different IP” alert email.
Security (unchanged protections):
• CSRF nonce validation, the session cookie check (now an unguessable random token), OTP attempt limits, IP lockouts, the hidden/404-gated OTP URL, honeypot and reCAPTCHA bot protection all remain fully in force. The change only removes the IP/user-agent binding of the pending-session token, replacing it with a stronger random token.
• Updating bumps the version constant, so trusted devices are re-prompted for OTP once after the update (expected).
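Worked example covering the two fixes above (the cache-proof same-host redirect into the OTP step, and the pending-2FA session keyed by a random server-side token instead of client IP + User-Agent). This is added illustration code, not the plugin’s own source: it assumes it runs inside WordPress after the password has been verified; the bcshield_* function names, the cookie name and the 10-minute window are assumptions. The ?action=bcshield_otp surface is the one the notes above describe.

```php
<?php
// Added example (not the plugin's own code). Assumes WordPress is loaded and
// the caller has already verified the password. Names are assumptions.

// Called in place of intercept_login() once credentials check out.
function bcshield_start_pending_otp( int $user_id, string $client_ip ): void {
    // 1. Before any header or output: tell proxies/CDNs not to cache the 302,
    //    so its Set-Cookie headers are not dropped on the way to the browser.
    nocache_headers();

    // 2. Random token from the CSPRNG; the server keeps only its hash, with
    //    the issuing IP recorded for logging, never for the access decision.
    $token = bin2hex( random_bytes( 32 ) );
    set_transient(
        'bcshield_pending_' . hash( 'sha256', $token ),
        array( 'user_id' => $user_id, 'ip' => $client_ip, 'issued' => time() ),
        10 * MINUTE_IN_SECONDS
    );

    // 3. Host-only cookie scoped to the install path; HttpOnly, Secure on TLS,
    //    SameSite=Lax so the top-level POST back to wp-login.php carries it.
    setcookie( 'bcshield_pending', $token, array(
        'expires'  => time() + 10 * MINUTE_IN_SECONDS,
        'path'     => wp_parse_url( home_url( '/' ), PHP_URL_PATH ) ?: '/',
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ) );

    // 4. Path-only destination: no scheme or host, so the browser stays on
    //    whatever host served the login form and the cookie above matches.
    //    An absolute URL built from site_url() can point at the other of a
    //    www / non-www pair, where a host-only cookie never arrives.
    $login_path = wp_parse_url( wp_login_url(), PHP_URL_PATH );
    wp_safe_redirect( add_query_arg( 'action', 'bcshield_otp', $login_path ) );
    exit;
}

// Run on the OTP surface before rendering. Returns the pending user ID, or 0
// when the visitor must be sent to the normal login form instead.
function bcshield_resolve_pending_otp( string $cookie_token, string $client_ip ): int {
    // Shape check (64 hex chars) avoids a storage lookup for arbitrary input.
    if ( ! preg_match( '/^[a-f0-9]{64}$/', $cookie_token ) ) {
        return 0;
    }
    $pending = get_transient( 'bcshield_pending_' . hash( 'sha256', $cookie_token ) );
    if ( ! is_array( $pending ) || empty( $pending['user_id'] ) ) {
        return 0; // unknown, expired or already consumed
    }
    if ( $pending['ip'] !== $client_ip ) {
        // Informational only: Cloudflare, carrier NAT and v4/v6 dual-stack
        // routinely change the perceived IP between the two steps.
        error_log( sprintf( 'bcshield: OTP step from %s, session issued to %s (user %d)',
            $client_ip, $pending['ip'], $pending['user_id'] ) );
    }
    return (int) $pending['user_id'];
}
```

The token is 256 bits from random_bytes(), so it is looked up by the hash of what the cookie presents rather than compared against anything; there is no secret-derived value to guess and no IP or User-Agent that a proxy change can invalidate. wp_safe_redirect() accepts a path-only location and resolves it against the current host, which is exactly what keeps the host-only cookie valid.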
Bugfix: post-OTP redirect lands users in the right place
• FIXED: After entering a correct OTP, some users hit a 404 or were dropped on the site’s home page instead of reaching their dashboard. The plugin forced every verified login to /wp-admin/, and setups that restrict wp-admin for non-admin roles (e.g. WooCommerce customers, subscribers) bounce those users to a 404 or the front page.
• The verified-login redirect now mirrors WordPress core’s own behaviour: it honours the original redirect_to from the login request and falls back to a role-appropriate destination (dashboard for admins, profile/home for lower-privilege users).
• Respects the standard login_redirect filter, so WooCommerce, membership and custom-login plugins steer the post-2FA destination exactly as they would for a normal login.
Security (unchanged protections + hardening):
• All redirects are passed through wp_validate_redirect() / wp_safe_redirect() — a tampered redirect_to can never send a user to an external/attacker-controlled site (open-redirect guard).
• OTP code verification, CSRF nonce, HMAC session-token binding, IP checks, attempt limits, lockouts, hidden OTP URL (404 gating), honeypot and reCAPTCHA bot protection all remain fully in force — the redirect fix changes only where a successfully verified user is sent.
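Worked example of the post-OTP destination logic described above. This is added illustration code, not the plugin’s own source: it assumes WordPress is loaded, that $user is the WP_User who just passed OTP, and that the raw redirect_to from the login request has been carried through the OTP step; it follows the role split wp-login.php itself uses (multisite branches left out) and the bcshield_* name is an assumption.

```php
<?php
// Added example (not the plugin's own code). Assumes WordPress is loaded.

function bcshield_post_otp_destination( WP_User $user, string $requested_redirect_to ): string {
    // 1. Start from what the original login request asked for, or the
    //    dashboard when nothing was requested.
    $redirect_to = $requested_redirect_to !== '' ? $requested_redirect_to : admin_url();

    // 2. Same role split as wp-login.php: users who can edit posts get the
    //    dashboard, subscribers get their profile, users without 'read'
    //    (e.g. WooCommerce customers on a locked-down wp-admin) go home.
    if ( $redirect_to === admin_url() || $redirect_to === 'wp-admin/' ) {
        if ( ! $user->has_cap( 'edit_posts' ) ) {
            $redirect_to = $user->has_cap( 'read' ) ? admin_url( 'profile.php' ) : home_url();
        }
    }

    // 3. Let WooCommerce / membership / custom-login plugins steer, exactly as
    //    they do for a normal login. Arguments match core's filter signature.
    $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );

    // 4. Open-redirect guard: an off-site or tampered target (https://evil.example/,
    //    //evil.example, a javascript: scheme) collapses to the fallback.
    return wp_validate_redirect( $redirect_to, admin_url() );
}

// Usage after the OTP has been verified (constructed, not page code):
//   $raw = isset( $_REQUEST['redirect_to'] ) ? wp_unslash( $_REQUEST['redirect_to'] ) : '';
//   wp_safe_redirect( bcshield_post_otp_destination( $user, $raw ) );
//   exit;
```

wp_validate_redirect() only allows hosts on the allowed_redirect_hosts list (the site’s own host by default), so a redirect_to rewritten in the login POST cannot send a verified user elsewhere; passing the result through wp_safe_redirect() as well applies the same check a second time, which is what the note above describes.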
Bugfix: BaseCloud logo broken in admin header
• Fixed two bugs causing the admin header to show a broken-image icon instead of the BaseCloud logo:
1. The logo PNG lived in assets/, which the WordPress.org deploy treats as listing-page-only assets (banners/icons) and excludes from user installs. Logo now ships from images/ so it reaches every install.
2. The admin used esc_url() on the embedded data URI; esc_url() strips the data: scheme by default, leaving the image tag with an empty src. Switched to esc_attr() (safe because the data URI is built from our own bytes).
UX: Visible Shield status badge on login form + reCAPTCHA improvements
• Added a visible “Protected by BaseCloud Shield” badge on the WordPress login form whenever 2FA is enabled. Admins and end-users can now confirm at a glance that the plugin is actively protecting the form.
• Added Google’s required reCAPTCHA v3 attribution text (Privacy Policy + Terms links) directly under the login form — satisfies Google’s TOS for hiding the floating badge.
• reCAPTCHA v2 widget is now centered for a cleaner login layout.
• The reCAPTCHA v2 script now loads with the async and defer attributes, per Google’s recommended loading pattern.
• No changes to bot-blocking logic; spam suppression and honeypot continue to work as in 2.0.2.
Bugfix: Critical error on hidden OTP URL
• Fixed a fatal error that occurred when visiting the OTP verification URL without an active login session. The 404 fallback ran too early in the WordPress lifecycle (on init) where $wp_query and the theme template system were not yet available.
• OTP form is now rendered on template_redirect (the correct hook), and the 404 path uses a safe fallback that works on themes without a 404.php.
Maintenance release
• Republished under a new version to resolve a legacy WordPress.org SVN tag conflict that was preventing the 1.5.0 feature set from reaching users.
• Functionally identical to 1.5.0 (anti-spam OTP, bot protection, security hardening — see below).
Major: Anti-spam OTP, bot protection & security hardening
• OTP spam suppression — when an account receives 3+ codes in 10 minutes, further OTPs are blocked for 30 minutes (configurable). Clients no longer get flooded with verification codes.
• Dedicated Admin Alert Email — spam, credential-stuffing and account-targeting alerts now go to a separate admin address (not the end user).
• Hidden OTP verification URL — returns a real WordPress 404 to anyone without a valid pending login session. Bots and scanners get nothing.
• Honeypot field on wp-login.php — invisible to humans, irresistible to bots. Triggered IPs are locked immediately.
• Google reCAPTCHA v2 & v3 integration — score-based filtering on the login form with hostname + action binding (prevents site-key reuse and token replay).
• Logo embedded as base64 — admin/OTP UI no longer shows broken images on hosts with non-standard plugin paths.
Security hardening:
• Generic error messages prevent username enumeration via OTP suppression response
• Generic error messages prevent method enumeration via bot-wall responses
• OTP URL gated by validated cookies (regex shape + user existence check)
• reCAPTCHA token pre-validated (length cap + charset regex) before network call
• CAPTCHA fail-open scoped to network errors only — invalid/low-score/missing all block
• XML-RPC / REST / non-POST requests skipped to avoid blocking API integrations
• reCAPTCHA secret encrypted at rest (AES-256-CBC); site key strictly sanitised
• OTP form sets X-Frame-Options: DENY and Referrer-Policy: no-referrer
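Worked example of the reCAPTCHA handling in the hardening list above: the token is shape-checked before any network call, the verdict is bound to this site’s hostname and the expected action, and the only fail-open path is a transport error. This is added illustration code, not the plugin’s own source: it assumes WordPress is loaded; the bcshield_* name and the 0.5 score threshold are assumptions, while the siteverify endpoint and its success/hostname/action/score fields are Google’s documented API.

```php
<?php
// Added example (not the plugin's own code). Assumes WordPress is loaded.

function bcshield_recaptcha_allows_login( string $token, string $secret, string $expected_action = 'login', float $min_score = 0.5 ): bool {
    // 1. Pre-validate the token shape: a response token is base64url-style text
    //    well under 2 KB. Anything else is rejected without touching Google, so
    //    junk input cannot make the site issue outbound requests or burn quota.
    if ( $token === '' || strlen( $token ) > 2048 || ! preg_match( '/^[A-Za-z0-9_-]+$/', $token ) ) {
        return false;
    }

    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $_SERVER['REMOTE_ADDR'] ?? '',
        ),
    ) );

    // 2. Fail open ONLY here: a DNS/TLS/timeout problem on the verifier must
    //    not lock every user out of their own site. Everything below blocks.
    if ( is_wp_error( $response ) ) {
        error_log( 'bcshield: captcha verifier unreachable: ' . $response->get_error_message() );
        return true;
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) || empty( $data['success'] ) ) {
        return false; // malformed reply, invalid token, or a token already consumed
    }

    // 3. Hostname binding: a site key copied from this page and solved on
    //    another domain yields a token whose hostname will not match ours.
    $expected_host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( empty( $data['hostname'] ) || strcasecmp( $data['hostname'], $expected_host ) !== 0 ) {
        return false;
    }

    // 4. v3 replies carry action and score; v2 replies carry neither, so the
    //    checks are conditional. A missing field on v3 would still be blocked
    //    by a site that only issues v3 keys; keep that in mind when mixing.
    if ( isset( $data['action'] ) && $data['action'] !== $expected_action ) {
        return false;
    }
    if ( isset( $data['score'] ) && (float) $data['score'] < $min_score ) {
        return false;
    }
    return true;
}
```

The order matters: the shape check and the success/hostname/action/score checks are all hard blocks, and only the is_wp_error() branch returns true, which is the “fail-open scoped to network errors only” behaviour listed above. Google also rejects a token presented twice, which is what closes the replay case.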
Webhook delivery — CRM compatibility fix
• Webhook URLs now accept both HTTP and HTTPS (was HTTPS-only, breaking many CRM integrations)
• Added “Allow insecure SSL” toggle for webhook endpoints with self-signed/expired certificates
• Added redirect-following (up to 3 redirects) for webhook delivery
• Added webhook delivery error logging — failures now appear in the security log
• Improved timeout handling and error messages
Secret protection hardening + stronger credential-stuffing defenses
• API and token fields are no longer sent back to the browser in value attributes (prevents DevTools exposure)
• SendGrid/Webhook/Twilio secrets are stored encrypted and preserved when fields are left blank
• Webhook URLs now require HTTPS and reject localhost endpoints
• Added per-IP OTP burst limiting to reduce OTP spam from credential stuffing attacks
• Hardened outbound SendGrid/Webhook requests with strict transport options and added SendGrid failure logging
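Worked example of hardened webhook delivery covering both webhook sections above (the later “accept HTTP and HTTPS, allow insecure SSL, follow up to 3 redirects, log failures” release and the earlier “reject localhost, strict transport options” release). This is added illustration code, not the plugin’s own source: it assumes WordPress is loaded; the option name and bcshield_* helpers are assumptions, and the URL check goes slightly beyond the notes by also refusing private and reserved IP literals.

```php
<?php
// Added example (not the plugin's own code). Assumes WordPress is loaded.

function bcshield_webhook_url_ok( string $url ): bool {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    // Both http and https are accepted (an https-only rule broke many CRMs).
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    // Refuse loopback and private/reserved literals so a webhook setting cannot
    // be pointed at services reachable only from the web server itself.
    $host = strtolower( $parts['host'] );
    if ( $host === 'localhost' || substr( $host, -10 ) === '.localhost' ) {
        return false;
    }
    if ( filter_var( $host, FILTER_VALIDATE_IP )
        && ! filter_var( $host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
        return false;
    }
    return true;
}

function bcshield_log_webhook_failure( string $url, string $reason ): void {
    // Stand-in for the plugin's security log (assumption). Log the host only:
    // query strings on webhook URLs often carry a token.
    error_log( sprintf( 'bcshield webhook to %s failed: %s', wp_parse_url( $url, PHP_URL_HOST ), $reason ) );
}

function bcshield_send_webhook( string $url, array $payload ): bool {
    if ( ! bcshield_webhook_url_ok( $url ) ) {
        bcshield_log_webhook_failure( $url, 'URL rejected before sending' );
        return false;
    }
    $response = wp_remote_post( $url, array(
        'timeout'     => 8,
        'redirection' => 3,   // follow at most three redirects
        // Admin toggle for self-signed/expired certificates; default is to verify.
        'sslverify'   => ! get_option( 'bcshield_webhook_allow_insecure_ssl', false ),
        'headers'     => array( 'Content-Type' => 'application/json' ),
        'body'        => wp_json_encode( $payload ),
    ) );
    if ( is_wp_error( $response ) ) {
        // DNS failure, TLS failure, timeout: the message names which.
        bcshield_log_webhook_failure( $url, $response->get_error_message() );
        return false;
    }
    $code = (int) wp_remote_retrieve_response_code( $response );
    if ( $code < 200 || $code >= 300 ) {
        bcshield_log_webhook_failure( $url, 'HTTP ' . $code . ': ' . substr( wp_remote_retrieve_body( $response ), 0, 200 ) );
        return false;
    }
    return true;
}
```

Two caveats a practitioner would check: the literal-IP test above does not resolve hostnames, so a name that resolves to a private address passes (WordPress core’s wp_http_validate_url() does resolve and reject those, at the cost of restricting ports), and each followed redirect is a new destination the pre-send check did not see.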
Version bump — all version references unified to 1.4.3
• All version strings (plugin header, constant, readme, changelog, package.json) set to 1.4.3
• No functional changes from 1.4.2
Critical Security Hardening — Credential Stuffing & OTP Abuse
This release addresses real-world credential stuffing attacks where attackers hold valid passwords for multiple accounts and use them to flood users with unsolicited OTP emails.
SECURITY FIXES:
• Credential stuffing now blocked after 2 accounts from same IP (was 3) — prevents attacker triggering OTP emails across multiple compromised accounts
• Admin alert email sent when credential stuffing is blocked: lists attacking IP, compromised account names, and recommended actions
• Individual compromise warning email sent to each affected user
• Requesting IP address shown in every OTP email with password-change warning — users can instantly identify unsolicited logins
• Account targeting alert now triggers after 2 OTP requests (was 5 + multiple IPs) — legitimate users log in once
• Eliminated duplicate log spam: locked IPs no longer generate hundreds of redundant login_failed + auto_lockout entries per blocked attempt
• Pre-OTP Attack Detection: tracks login attempts before OTP generation, blocks credential stuffing
• Progressive Delay Mechanism: exponential backoff after 3 failed attempts (5s, 10s, 20s, 40s, max 2 minutes)
• Username Enumeration Protection: masks login error messages, auto-locks IPs trying 5+ different usernames
IMPORTANT: If users receive OTPs without logging in, their passwords are compromised. Force password reset immediately.
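Worked example of the pre-OTP attack detection, progressive delay and username-enumeration lockout listed in the security fixes above, using the thresholds the notes state (delays from the third failure: 5s, 10s, 20s, 40s, capped at 2 minutes; lock after 5 distinct usernames; block after 2 accounts with valid passwords from one IP). This is added illustration code, not the plugin’s own source; it is pure PHP over an in-memory per-IP record so it runs without WordPress (the plugin would persist the record in a transient with a TTL), and the bcshield_* names and return strings are assumptions.

```php
<?php
// Added example (not the plugin's own code). Pure PHP, runs stand-alone.

const BCSHIELD_DELAY_AFTER   = 3;    // failed attempts before delays start
const BCSHIELD_BASE_DELAY    = 5;    // seconds
const BCSHIELD_MAX_DELAY     = 120;  // 2 minutes
const BCSHIELD_ENUM_LOCK_AT  = 5;    // distinct usernames tried from one IP
const BCSHIELD_STUFF_LOCK_AT = 2;    // accounts with a valid password, same IP

// Seconds the next attempt must wait: 0 for the first two failures, then
// 5, 10, 20, 40, 80 and the 120-second cap from there on.
function bcshield_delay_for( int $failed ): int {
    if ( $failed < BCSHIELD_DELAY_AFTER ) {
        return 0;
    }
    $delay = BCSHIELD_BASE_DELAY * ( 2 ** ( $failed - BCSHIELD_DELAY_AFTER ) );
    return (int) min( $delay, BCSHIELD_MAX_DELAY );
}

// Records one login attempt from an IP and says how to respond. $state is the
// per-IP record; $password_valid is known before any OTP is generated.
// Returns 'continue', 'delay:<seconds>', 'lock:enumeration' or
// 'lock:credential_stuffing'. The client always sees the same generic error
// text; only the log records the reason.
function bcshield_track_attempt( array &$state, string $username, bool $password_valid ): string {
    $state += array( 'failed' => 0, 'usernames' => array(), 'valid_accounts' => array(), 'locked' => null );

    if ( $state['locked'] ) {
        return 'lock:' . $state['locked'];
    }

    // Username enumeration: one client cycling through many names. Keyed by
    // lower-cased name so case variants count once.
    $state['usernames'][ strtolower( $username ) ] = true;
    if ( count( $state['usernames'] ) >= BCSHIELD_ENUM_LOCK_AT ) {
        $state['locked'] = 'enumeration';
        return 'lock:enumeration';
    }

    if ( $password_valid ) {
        // Credential stuffing: the same IP proving valid passwords for several
        // accounts. Blocking here stops the OTP e-mails from ever being sent.
        $state['valid_accounts'][ strtolower( $username ) ] = true;
        if ( count( $state['valid_accounts'] ) >= BCSHIELD_STUFF_LOCK_AT ) {
            $state['locked'] = 'credential_stuffing';
            return 'lock:credential_stuffing';
        }
        return 'continue'; // proceed to OTP generation for this one account
    }

    $state['failed']++;
    $delay = bcshield_delay_for( $state['failed'] );
    return $delay > 0 ? 'delay:' . $delay : 'continue';
}

// Constructed walk-through: one IP, six wrong passwords for the same account,
// then valid passwords for two different accounts.
$ip_state = array();
for ( $n = 1; $n <= 6; $n++ ) {
    echo "wrong password $n: " . bcshield_track_attempt( $ip_state, 'alice', false ) . PHP_EOL;
}
echo 'valid password, account 1: ' . bcshield_track_attempt( $ip_state, 'bob', true ) . PHP_EOL;
echo 'valid password, account 2: ' . bcshield_track_attempt( $ip_state, 'carol', true ) . PHP_EOL;
```

The delay and the lockouts are all decided before an OTP is generated, which is the point of the “Pre-OTP Attack Detection” item: an attacker holding several valid passwords gets blocked at the second account, so the affected users are not flooded with codes, and the admin alert can be raised from the same branch that sets the lock.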
Stable release — reverted to proven v1.4.0 base
• Reverted to the v1.4.0 codebase which has a reliable and working OTP authentication flow
• Experimental v2.0.0 rebuild contained a critical error in the OTP success path that caused a PHP fatal on login — this release restores full stability
• All v1.4.0 features intact: Security Webhooks, Audit Logs, IP Whitelist/Blacklist, multi-channel OTP delivery (Email, SendGrid, Webhook, WhatsApp, SMS), split-digit OTP input, brute force protection, and rate limiting
Major Update — Security Webhooks, Audit Logs & UI Redesign
NEW FEATURES:
• Security Event Webhook: Dedicated webhook that fires on every security event, sending IP address, user agent, event type, severity level, username, site URL and timestamp to any external endpoint (SIEM, Slack, alerting systems)
• Security Logs Panel: Full audit log viewer inside the admin with 500-event retention, severity colour-coded badges (critical / high / medium / info), per-severity filtering, and one-click “Clear Logs” with confirmation
• Split-digit OTP input: Verification screen now uses 6 individual digit boxes with auto-advance, backspace navigation, and paste support for a faster, more polished login experience
• IP address and user agent now included in OTP Webhook payload
BUG FIXES:
• Fixed critical bug: ajax_unlock_ip handler was registered but never defined — Unlock IP button now works correctly
• Fixed wildcard IP matching regex that could produce incorrect results
• Fixed OTP remaining-validity calculation when incrementing failed attempts
IMPROVEMENTS:
• Redesigned admin UI using official BaseCloud brand logo and colour system (#52C25A green)
• Tabbed admin interface: Configuration tab and Security Logs tab
• Log retention increased from 100 to 500 events
• Security event webhook fires asynchronously (non-blocking) to avoid login delays
• OTP email template redesigned with per-digit display and BaseCloud branding
• CIDR matching now validates mask range (0–32) before calculation
• All wp_remote_post webhook calls now send JSON with Content-Type header
Release Update
• Bug fixes and improvements
• Updated version for deployment
Release Update
• Bug fixes and improvements
• Updated version for deployment
Release Update
• Bug fixes and improvements
• Updated version for deployment
Release Update
• Bug fixes and improvements
• Updated version for deployment
Release Update
• Bug fixes and improvements
• Updated version for deployment
Logo & Icon Fixes
• FIXED: Broken logo image in settings page header
• FIXED: Broken menu icon – replaced with clean SVG shield icon
• IMPROVED: Integrated official BaseCloud Shield logo from main assets
• IMPROVED: Visual consistency across WordPress admin interface
Branding Update
• Replaced Lottie animation with official BaseCloud SVG logo
• Removed Lottie player dependency for lighter plugin
• Cleaner, faster admin interface
UI/UX Polish
• Removed placeholder text from IP Whitelist and Blacklist fields
• Cleaner, empty textareas by default
• Current IP info box remains for reference
Release Update
• Bug fixes and improvements
• Updated version for deployment
Premium UI/UX Overhaul – Glassmorphism Design
UI/UX REVOLUTION:
• Premium Glassmorphism Design: Complete admin interface redesign with stunning glass-morphic effects and backdrop blur
• Advanced Animations: Added shimmer, float, glow-pulse, and logo-pulse animations throughout interface
• Enhanced Logo Display: Upgraded to animated BaseCloud logo with glowing effects and smooth floating animation
• Futuristic Color Scheme: Deep space blues (#0a1628) with vibrant neon green accents (#4bc46a)
• Interactive Elements: Smooth hover effects, transform animations, and enhanced visual feedback on all controls
• Professional Polish: Refined typography, improved spacing, and enhanced visual hierarchy
• Consistent Branding: Now matches BaseCloud UTM Tracker’s premium design language
• Modern Aesthetics: Rounded corners, gradient backgrounds, and sophisticated shadow effects
• Enhanced Accessibility: Better contrast ratios and clearer visual states
Advanced IP Management & Security Controls
NEW FEATURES:
• IP Whitelist: Add trusted IPs that bypass lockout and rate limiting
– Support for exact IPs (169.0.79.28)
– Support for wildcards (192.168.*.*)
– Support for CIDR notation (10.0.0.0/24)
– Current IP displayed for easy whitelisting
• IP Blacklist: Permanently block malicious IPs from accessing site
• Manual IP Unlock: Real-time lockout management
– View all currently locked IPs in admin panel
– See countdown timers for auto-unlock
– One-click manual unlock button
– Audit trail for all unlock actions
SECURITY IMPROVEMENTS:
• Whitelisted IPs bypass all lockout checks and rate limiting
• Blacklist check occurs before authentication processing
• Enhanced logging for whitelist/blacklist activities
• Secure AJAX endpoint for IP unlock with nonce verification
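Worked example of the whitelist/blacklist matching described above: exact IPs, dotted wildcards and CIDR notation, with the mask range validated before any calculation (the later “CIDR matching now validates mask range (0–32)” and “fixed wildcard IP matching regex” items). This is added illustration code, not the plugin’s own source; it is pure PHP, IPv4 only (the 0–32 range implies IPv4), runs stand-alone, and the bcshield_* names are assumptions.

```php
<?php
// Added example (not the plugin's own code). Pure PHP, runs stand-alone.

// True when $ip matches one rule: "169.0.79.28", "192.168.*.*" or "10.0.0.0/24".
// Malformed rules never match, so a typo in the whitelist cannot widen it.
function bcshield_ip_matches_rule( string $ip, string $rule ): bool {
    $ip   = trim( $ip );
    $rule = trim( $rule );
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        return false;
    }

    // CIDR: validate the mask (0-32) before shifting. Without the check, a
    // rule such as "/40" or "/-1" yields a nonsense mask that can match any IP.
    if ( strpos( $rule, '/' ) !== false ) {
        list( $subnet, $bits ) = explode( '/', $rule, 2 );
        if ( ! ctype_digit( $bits ) || (int) $bits > 32
            || ! filter_var( $subnet, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
            return false;
        }
        $bits = (int) $bits;
        $mask = $bits === 0 ? 0 : ( ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF );
        return ( ip2long( $ip ) & $mask ) === ( ip2long( $subnet ) & $mask );
    }

    // Wildcard: each octet is a literal or "*". The regex is assembled from
    // escaped octets rather than from the raw rule text, so the dots stay
    // literal dots; an unescaped "." is a classic way for a wildcard rule to
    // match more addresses than intended.
    if ( strpos( $rule, '*' ) !== false ) {
        $octets = explode( '.', $rule );
        if ( count( $octets ) !== 4 ) {
            return false;
        }
        $parts = array();
        foreach ( $octets as $octet ) {
            if ( $octet === '*' ) {
                $parts[] = '\d{1,3}';
            } elseif ( ctype_digit( $octet ) && (int) $octet <= 255 ) {
                $parts[] = preg_quote( $octet, '/' );
            } else {
                return false;
            }
        }
        return (bool) preg_match( '/^' . implode( '\.', $parts ) . '$/', $ip );
    }

    // Exact match.
    return filter_var( $rule, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) && $ip === $rule;
}

// Lists are one rule per line or comma-separated, as typed into the admin textarea.
function bcshield_ip_in_list( string $ip, string $list_text ): bool {
    foreach ( preg_split( '/[\s,]+/', $list_text, -1, PREG_SPLIT_NO_EMPTY ) as $rule ) {
        if ( bcshield_ip_matches_rule( $ip, $rule ) ) {
            return true;
        }
    }
    return false;
}

// Constructed check of the three rule forms plus a malformed mask.
$list = "169.0.79.28\n192.168.*.*\n10.0.0.0/24\n172.16.0.0/40";
var_dump( bcshield_ip_in_list( '192.168.7.200', $list ) );
var_dump( bcshield_ip_in_list( '10.0.0.77', $list ) );
var_dump( bcshield_ip_in_list( '10.0.1.1', $list ) );
var_dump( bcshield_ip_in_list( '172.16.5.5', $list ) );
```

Because the whitelist bypasses lockouts and rate limiting entirely, the matcher is written to fail closed: any rule it cannot parse contributes nothing, and the blacklist check that runs before authentication uses the same function, so both lists share one parser.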
UI/UX ENHANCEMENTS:
• New “Security Controls” section in admin settings
• Real-time locked IP display with status indicators
• Color-coded security interface
• Improved admin panel organization
Critical Hotfix – Login Issue Resolved
CRITICAL FIX:
• Fixed “Suspicious session detected” blocking legitimate logins
• Session token now uses consistent secret (not time-based)
• Users can now successfully complete login with OTP
Improvements:
• Enhanced OTP lock mechanism to prevent duplicate generation
• Existing valid OTP reused if login attempted multiple times
• Better handling of page refreshes during OTP verification
• Reduced false positive security alerts
Critical Security & Bug Fix Release
CRITICAL FIX – Duplicate OTP Prevention:
• Fixed issue causing multiple duplicate OTP emails to be sent
• Implemented email deduplication across all delivery methods
• Added phone number deduplication for WhatsApp/SMS
• Enhanced recipient list processing to prevent duplicate entries
• Added 60-second OTP generation lock to prevent rapid duplicates
Enterprise-Grade Security Enhancements:
• Brute Force Protection: Maximum 5 OTP attempts before 15-minute IP lockout
• Rate Limiting: 3 OTP requests per 10-minute window per user/IP
• Cryptographically Secure OTP: Replaced rand() with random_bytes()
• Session Binding: IP address validation, User-Agent fingerprinting
• HMAC-SHA256 session tokens to prevent session fixation attacks
• CSRF Protection: WordPress nonce validation on all OTP submissions
• Enhanced Cookie Security: httponly and secure flags on all cookies
• Security Event Logging: Comprehensive audit trail (last 100 events)
• Real-Time Security Alerts: Email/webhook alerts for suspicious activity
• Timing Attack Protection: Constant-time comparisons using hash_equals()
Attack Prevention:
• OTP Interception Prevention (IP binding)
• Session Hijacking Detection (multi-factor validation)
• CSRF Attack Protection (nonce tokens)
• Replay Attack Prevention (one-time codes with metadata)
• Rate Limit Abuse Prevention (throttling)
• Brute Force Attack Blocking (auto-lockout)
Security Monitoring:
• 12 new security event types tracked and logged
• IP mismatch detection and alerting
• Session token mismatch detection
• Failed attempt tracking with remaining attempt counter
• Expired OTP usage attempt logging
• Invalid trust cookie detection
Technical Improvements:
• Enhanced IP detection (proxy, CloudFlare, load balancer support)
• OTP metadata tracking (IP, User-Agent, timestamp, attempts)
• Improved error messages with security context
• Pattern validation for numeric OTP input
• Better cookie management with expiration handling
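Worked example of the OTP handling listed in this release: a code drawn from a CSPRNG (random_int() rather than rand()), stored only as a keyed hash with its metadata, checked with hash_equals(), one-time use, pattern-validated input, and a limit of five attempts before the caller applies the 15-minute IP lockout. This is added illustration code, not the plugin’s own source; it is pure PHP over an in-memory record so it runs stand-alone, and the bcshield_* names, the 5-minute validity and the placeholder secret (the plugin would use a site salt) are assumptions.

```php
<?php
// Added example (not the plugin's own code). Pure PHP, runs stand-alone.

const BCSHIELD_OTP_DIGITS   = 6;
const BCSHIELD_OTP_TTL      = 300;   // seconds; assumed value
const BCSHIELD_OTP_ATTEMPTS = 5;     // max attempts before lockout
const BCSHIELD_LOCKOUT      = 900;   // 15 minutes, applied by the caller per IP
const BCSHIELD_OTP_SECRET   = 'site-secret-placeholder'; // plugin would use wp_salt()

function bcshield_new_otp(): string {
    // random_int() is uniform and cryptographically secure; zero-padding keeps
    // a code such as 000123 six characters wide.
    $max = 10 ** BCSHIELD_OTP_DIGITS - 1;
    return str_pad( (string) random_int( 0, $max ), BCSHIELD_OTP_DIGITS, '0', STR_PAD_LEFT );
}

// Server-side record: keyed hash plus the metadata the notes list
// (IP, User-Agent, timestamp, attempts). The clear-text code is only e-mailed.
function bcshield_otp_record( string $code, string $ip, string $ua, int $now ): array {
    return array(
        'hash'     => hash_hmac( 'sha256', $code, BCSHIELD_OTP_SECRET ),
        'ip'       => $ip,
        'ua'       => $ua,
        'issued'   => $now,
        'attempts' => 0,
        'used'     => false,
    );
}

// Returns 'ok', 'bad_input', 'used', 'locked', 'expired' or 'invalid'.
function bcshield_verify_otp( array &$rec, string $input, int $now ): string {
    // Pattern validation first: only the expected digit shape reaches the compare.
    if ( ! preg_match( '/^\d{' . BCSHIELD_OTP_DIGITS . '}$/', $input ) ) {
        return 'bad_input';
    }
    if ( $rec['used'] ) {
        return 'used';      // one-time code: a replay is refused
    }
    if ( $rec['attempts'] >= BCSHIELD_OTP_ATTEMPTS ) {
        return 'locked';    // caller locks the IP for BCSHIELD_LOCKOUT seconds
    }
    if ( $now - $rec['issued'] > BCSHIELD_OTP_TTL ) {
        return 'expired';   // logged as an expired-OTP usage attempt
    }
    $rec['attempts']++;
    $candidate = hash_hmac( 'sha256', $input, BCSHIELD_OTP_SECRET );
    if ( ! hash_equals( $rec['hash'], $candidate ) ) {   // constant-time compare
        return 'invalid';   // remaining = BCSHIELD_OTP_ATTEMPTS - attempts
    }
    $rec['used'] = true;
    return 'ok';
}

// Constructed walk-through: five wrong guesses exhaust the attempts, after
// which even the correct code is reported as locked.
$code  = bcshield_new_otp();
$wrong = substr( $code, 0, 5 ) . ( ( (int) $code[5] + 1 ) % 10 );
$rec   = bcshield_otp_record( $code, '203.0.113.10', 'Mozilla/5.0', time() );
for ( $i = 1; $i <= 5; $i++ ) {
    echo "guess $i: " . bcshield_verify_otp( $rec, $wrong, time() ) . PHP_EOL;
}
echo 'correct code after lockout: ' . bcshield_verify_otp( $rec, $code, time() ) . PHP_EOL;
```

Two details worth noting: the record stores an HMAC of the code rather than the code, so a read of the stored OTP data does not yield a usable code; and the attempt counter increments only for well-formed, unexpired submissions, so malformed input cannot be used to burn a legitimate user’s attempts without the attacker at least supplying six digits each time.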
Release Update
• Bug fixes and improvements
• Updated version for deployment
SendGrid From Email Enhancement
• Added dedicated “From Email Address” field for SendGrid configuration
• Allows customization of sender email specifically for SendGrid API
• Improved email deliverability and branding control for SendGrid users
• Defaults to site admin email if not configured
Lottie Logo Fix
• Fixed Lottie player script loading order to display logo properly
• Changed script loading from footer to header for immediate availability
• Resolved warning icon display issue on page load
Visual Enhancement
• Added animated BaseCloud logo (Lottie) to settings page header
• Logo animation loops continuously for enhanced brand presence
• Improved visual appeal and professional appearance
WordPress.org Compliance
• Fixed tag limit compliance (reduced to 5 tags as per WordPress.org requirements)
• Optimized tags for better plugin discoverability
UI/UX Improvements
• Enhanced select dropdown readability with bright green highlight for selected options
• Improved multi-select list with visible selection states
• Added hover effects and visual feedback for better user experience
• Enhanced checkbox styling with BaseCloud green accent colors
• Improved input field focus states with green border highlights
• Added text selection styling with brand colors
• Enhanced save button with glow effect and hover animation
• Better contrast and readability across all form elements
• More polished “BaseCloud” branded interface
Major Feature Release – Multi-Recipient & Multi-Channel Delivery
• Added Multi-Recipient System with 3 modes:
– Send to Logging-in User (default)
– Send to Manager Email (centralized notifications)
– Send to Selected Users (choose specific users from your site)
• Added Multi-Channel Delivery – select multiple delivery methods simultaneously
• Added WhatsApp integration via Twilio API
• Added SMS integration via Twilio API
• Enhanced UI with organized sections and dynamic form fields
• User selection interface with multi-select dropdown
• Auto-detection of all WordPress users on the site
• Smart routing system sends OTP to all selected recipients via all selected methods
• Phone number retrieval from user meta (billing_phone field)
• Improved settings panel layout with collapsible configuration sections
• Each delivery method now has dedicated configuration area
• Backward compatible with existing configurations
Internal Development Version
• Pre-release testing version
UI Improvements
• Updated labels and placeholders to be more generic for broader use
• Changed “BaseCloud CRM Webhook” to “Webhook” in delivery method options
• Removed BaseCloud-specific email placeholders for wider audience compatibility
• Updated version for deployment