Submit Changelog
Track Changelogs

Fail2WP

Changelog

1.2.6

  • Fixed a nasty REST API regression that could log Blocked REST API request even when the REST block settings were not enabled
  • Fixed the same regression so ordinary unauthenticated REST namespace requests are no longer treated as blocked just because user enumeration protection is active
  • Fixed blocked REST API logging so it now respects the “Log blocked requests” setting consistently
  • Verified with WordPress 6.9
  • Updated internal version metadata

1.2.5

  • Added an admin-side helper to fetch current Cloudflare IPv4 and IPv6 ranges into the settings form without auto-saving
  • Improved the Cloudflare tab UX so the ranges and refresh controls stay available but are visually muted when Cloudflare support is disabled
  • Changed disabled feed requests to return 404 instead of redirecting to the home page
  • Extended user enumeration blocking/logging to cover unauthenticated REST users endpoints
  • Fixed the REST users route block so it also covers individual user endpoints
  • Fixed REST route blocking so route-only rules are activated correctly
  • Fixed REST handling so logged in and authenticated requests bypass REST blocking
  • Fixed override IP handling for security/fail2ban alert messages
  • Fixed IPv6 CIDR validation for login allow and deny lists
  • Removed PHP 8.2 and PHP 8.3 dynamic property deprecations
  • Fixed PHP 8.4 syslog signature deprecation while keeping PHP 7.4 compatibility
  • Refreshed the bundled php-cidr-match library from current upstream
  • Updated translation assets, including the Cloudflare refresh flow and Swedish admin strings
  • Updated internal version metadata

1.2.4

  • Verified with WordPress 6.8 and WordPress 6.9
  • Removed PHP 7.2 compatibility (PHP 7.4 or above is now required)

1.2.3

  • Verified with WordPress 6.7
  • Verified with Plugin Check (PCP)
  • Fixed issue when requiring REST API authentication and IPv4/IPv6 bypass was configured
  • Fixed issue with uninitialized variable in XML-RPC handling
  • Fixed PHP warning for json_decode() call, this did not impact functionality
  • Corrected some Swedish translations
  • Corrected some checks for uninstall.php and made it more WP-CLI compatible

1.2.2

  • Verified with WordPress 6.6
  • Improved code for role notification settings (PR#2)
  • Improved code for e-mail checking for new user registrations (PR#1)
  • Thanks to philscott-rg and Edward Casbon

1.2.1

  • Verified with WordPress 6.5.2
  • Updated “About” information

1.2.0

  • Verified with WordPress 6.2.2 and PHP 8.1.20
  • Added support for allow/deny list for login (IP address, hostname with wildcard support)
  • Added entry in fail2wp.conf example fail2ban configuration for allow/deny login
  • Corrected typo in fail2wp.conf example fail2ban configuration, CHECK AGAINST YOURS!
  • Added support for HTTP_X_REAL_IP (X-Real-IP) header to “decode” actual remote IP address
  • Added support for partially or fully disabling XMLRPC
  • Added entry in fail2wp.conf example fail2ban configuration for XMLRPC access attempts

1.1.2

  • Verified with WordPress 5.8.3
  • Fixes for various PHP warning messages

1.1.1

  • Verified with WordPress 5.8

1.1.0

  • Added minimum username length
  • Added blocking of specific usernames (user registration)
  • Added requiring e-mail address matching setting
  • Added warning about new user role setting
  • Added blocking of portions or all of WordPress REST API
  • Added setting to disable RSS and Atom feeds
  • Added setting to remove “Generator” information from HTML and feeds
  • Minor corrections and general improvements

1.0.0

  • Initial release

Plugin Website
Visit website

Author
joho68
Version:
1.2.6
Last Updated
March 16, 2026
Active Installs
100
Requires
WordPress 5.4.0
Tested Up To
WordPress 6.9.4
Requires PHP
7.4

Share Post

Join our newsletter.

Get insights into what’s happening at ChangelogWP right in your inbox. We don’t believe in spam.