Limit Login Attempts Reloaded – Login Security, 2FA, Brute Force Protection & Firewall

3.2.1

• Fixed rescue link behavior and updated the format.
• 2FA is pre-selected for administrators; when no user groups are selected, 2FA stays disabled.

3.2.0

• Improved WooCommerce registration protection in cloud mode.
• Refactored third-party integrations into a unified architecture (WooCommerce, MemberPress).

3.1.0

• Added technical details to the network issue notice.
• Fixed logo rendering in Gmail MFA notifications.
• Improved local risk indicator thresholds and refactored rendering.
• Improved compatibility with WPS Hide Login, WooCommerce, and MemberPress login flows; added WooCommerce cloud registration checks.

3.0.2

• Hardened admin tab parameter (whitelist, strict checks) before loading tab views.
• Onboarding: redirect to Dashboard when setup is incomplete and a tab other than Dashboard is opened.
• Failed-login email subject: numbered placeholders for translation-friendly word order (e.g. for Dutch).
• Onboarding popup: hide body scroll while open, restore on close; focus modal content.

3.0.1

• Hardened MFA security.
• MFA UI improved.
• Refactored the codebase.

3.0.0

• Implemented two-factor authentication.
• Refactored the codebase.

2.26.28

• Added user notification for failed /info API requests.
• Fixed the MC notice URL.
• First step of onboarding – UX improved.

2.26.27

• PHP 5.6 compatibility fix.

2.26.26

• Added login URL to notification emails for better debugging.

2.26.25

• Fixed MemberPress compatibility.
• Fixed a popup notice when a user was on the whitelist (local mode).
• Added the individual domain to the notification email subject.
• Updated formatting of the cloud login link.
• Improved onboarding popup behavior.

2.26.24

• Fixed: json_decode(): Passing null to parameter #1 ($json) of type string is deprecated warning.
• Help and extensions page visual changes.
• Assets cleanup.

2.26.23

• Fixed conflict with Hub and similar themes.
• Reorganized links.

2.26.22

• Fixed REMOTE_ADDR if server is misconfigured.
• Lint.

2.26.21

• Update notice position corrected.
• Debug tab – more info added.
• Lint.

2.26.20

• Fixed formatting issues for Safari on some pages.
• Added displaying of Customer ID.
• Menu minor fix.
• Onboarding process updated.

2.26.19

• Added links to the IP2Location page.

2.26.18

• Better displaying IPv6 in the log.

2.26.17

• Added default registration protection for cloud accounts (free and paid).

2.26.16

• Fixed GDPR message issue for some themes.

2.26.15

• Fixed translation compatibility with WordPress 6.7.
• Fixed GDPR message on the Woocommerce login page.
• Fix: load login-page-styles.css (on wp-login.php) only if it is necessary (thanks to georgejipa).
• CSS fixes.

2.26.14

• Improved compatibility with custom login pages, including WooCommerce and UltimateMember.
• Standardized display of login messages.
• A new Custom Error Message setting is added. The message is being appended to all asynchronous messages.
• Fixed translation compatibility with WordPress 6.7.
• CSS fixes.

2.26.13

• New “llar_admin” capability added to let other roles access the plugin.
• CSS fixes.
• Sticky headers added to the log tables.
• Small interface changes.

2.26.12

• Better displaying IPv6 in successful login attempts block.
• Possible intersections in tabs with other plugins fixed.
• PHP 8, 9 compatibility updates.
• Refactoring.

2.26.11

• Fixed possible style conflicts related to tables.
• Fixed possible PHP warnings.
• Fixed some I18N issues, thanks to alexclassroom!
• Better displaying multiple roles in login logs.

2.26.10

• Log of successful login attempts implemented for Micro Cloud (Free) and Premium users.
• Checklist of recommended actions implemented.
• Settings page reorganized.

2.26.9

• Chart library updated.

2.26.8

• Fixed possible WooCommerce conflict.

2.26.7

• Better informing on Micro Cloud.

2.26.6

• Micro Cloud API url fix.

2.26.5

• Better informing on cloud status.

2.26.4

• Added country translation.
• Better Micro Cloud API response handling.
• A link fixed.

2.26.3

• CSS issue fixed on Logs tab.

2.26.2

• CSS issue fixed.

2.26.1

• Micro Cloud link fixed.

2.26.0

• New design.
• Free Micro Cloud plan introduced.

2.25.29

• A link fixed.

2.25.28

• Improved cloud charts.

2.25.27

• Security improvement: Better shortcode escaping.
• Fixed date formatting on the logs page.
• Fixed top menu links on the front-end.
• Badge added to the top menu.

2.25.26

• Security improvement: Different nonce for each AJAX action.
• Security improvement: The toggle_auto_update_callback checks for the update_plugins cap.

2.25.25

• PHP 8.2/9 compatibility improved, thanks to Jer Turowetz!
• Button size and text typo fixed.

2.25.24

• Better loading of translations.
• Fixed PHP warning related to menu.

2.25.23

• Better side menu.
• Fixed I18N issues, thanks to alexclassroom!

2.25.22

• Interface changes.
• Tested with WP 6.3.

2.25.21

• Optimization: autoload for large options turned off.
• Interface changes.

2.25.20

• Fix against network requests caching removed b/c some misconfigured servers can’t handle it.

2.25.19

• Better handling of network connection issues.
• Fixed responsive formatting on dashboard.
• Added fix against network requests caching.

2.25.18

• Fixed errors occurring in situations where two versions of the plugin are installed (which should not normally happen).

2.25.17

• Refactoring.
• Server load reducing optimization.

2.25.16

• Double slashes in paths removed.
• Better handling of cloud response codes.

2.25.15

• Error messages logic fixed.

2.25.14

• Multisite support improved.
• CSS outside of the plugin issue fixed.
• Better number formatting on the dashboard.
• Lockout email template updated.

2.25.13

• Ultimate Member compatibility.
• Fixed conflicting URL parameters in some rare cases.
• Updated attempts counter logic.

2.25.12

• Fixed IPv4 validation when passed with a port number.
• Fixed texts and translations.

2.25.11

• PHP 8 compatibility fixed.
• Logs loading issue fixed.
• Help and Extensions tabs added.
• Notification about auto updates added.
• Displaying of plugin version added.
• Text changes made.

2.25.10

• Tested with PHP 8.
• Small styles refactoring.
• Fixed a rare issue with events log not being displayed correctly.
• Chart library updated.

2.25.9

• Welcome page replaced with a modal.

2.25.8

• Email text, links updated.

2.25.7

• Country flags added to log.
• Refresh button added to log.
• Email text updated.

2.25.6

• Email links updated.

2.25.5

• Fixed Woocommerce integration.
• Updated some interface links.

2.25.4

• Fixed session error in rare cases.
• Access rules explained.
• Improved session behavior on the login page.
• Fixed warning on some GoDaddy installations.

2.25.3

• Improved compatibility with WordFence.
• Better handling of HTTP_X_FORWARDED_FOR on Debug tab.
• Added option to hide warning badge.

2.25.2

• Security indicator fixed for multisite.

2.25.1

• Added setting to turn the dashboard widged off.
• The widget is visible to admins only.

2.25.0

• Dashboard widged added.
• Security indicator added.

2.24.1

• Fixed E_ERROR occurring in rare cases when the log table is corrupted.

2.24.0

• Protection increased: bots can’t parse lockout messages anymore.

2.23.2

• Cloud: better unlock UX.
• Litle cleanup.

2.23.1

• Added infinite scroll for cloud logs.

2.23.0

• Reduced plugin size by removing obsolete translations.
• Cleaned up the dashboard.
• Cloud: added information about auto/manually-blocked IPs.
• GDPR: added an option to insert a link to a Privacy Policy page via a shortcode, clarified GDPR compliance.

2.22.1

• IP added to the email subject.

2.22.0

• Added support of CIDR notation for specifying IP ranges.
• Texts updated.
• Refactoring.

2.21.1

• Fixed: Uncaught Error: Call to a member function stats()
• Cloud API: added block by country.
• Refactoring.

2.21.0

• GDPR compliance: IPs obfuscation replaced with a customizable consent message on the login page.
• Cloud API: fixed removing of blocked IPs from the access lists under certain conditions.
• Cloud API: domain for Setup Code is taken from the WordPress settings now.

2.20.6

• Multisite tab links fixed.

2.20.5

• Option to show and hide the top-level menu item.

2.20.4

• Sucuri compatibility verified.
• Wordfence compatibility verified.
• Better menu navigation.
• Timezones fixed for the global chart.

2.20.3

• More clear wording.
• Cloud API: fixed double submit in the settings form.
• Better displaying of stats.

2.20.2

• Updated email text.

2.20.1

• New dashboard more clear stats.

2.20.0

• New dashboard with simple stats.

2.19.2

• Texts and links updated.

2.19.1

• Welcome page.
• Image and text updates.

2.19.0

• Refactoring.
• Feedback message location fixed.
• Text changes.

2.18.0

• Cloud API: usage chart added.
• Text changes.

2.17.4

• Missing jQuery images added.
• PHP 5 compatibility fixed.
• Custom App setup link replaced with setup code.

2.17.3

• Plugin pages message.

2.17.2

• Lockout notification refactored.

2.17.1

• CSS cache issue fixed.
• Notification text updated.

2.17.0

• Refactoring.
• Email text and notification updated.
• New links in the list of plugins.

2.16.0

• Custom Apps functionality implemented. More details: https://limitloginattempts.com/app/

2.15.2

• Alternative method of closing the feedback message.

2.15.1

• Refactoring.

2.15.0

• Reset password feature has been removed as unwanted.
• Small refactoring.

2.14.0

• BuddyPress login error compatibility implemented.
• UltimateMember compatibility implemented.
• A PHP warning fixed.

2.13.0

• Fixed incompatibility with PHP < 5.6.
• Settings page layout refactored.

2.12.3

• The feedback message is shown for admins only now, and it can also be closed even if the site has issues with AJAX.

2.12.2

• Fixed the feedback message not being shown, again.

2.12.1

• Fixed the feedback message not being shown.

2.12.0

• Small refactoring.
• get_message() – fixed error notices.
• This is the first time we are asking you for a feedback.

2.11.0

• Blacklisted usernames can’t be registered anymore.

2.10.1

• Fixed: GDPR compliance option could not be selected on the multisite installations.

2.10.0

• Debug information has been added for better support.

2.9.0

• Trusted IP origins option has been added.

2.8.1

• Extra lockout options are back.

2.8.0

• The plugin doesn’t trust any IP addresses other than _SERVER[“REMOTE_ADDR”] anymore. Trusting other IP origins make protection useless b/c they can be easily faked. This new version provides a way of secure IP unlocking for those sites that use a reverse proxy coupled with misconfigurated servers that populate _SERVER[“REMOTE_ADDR”] with wrong IPs which leads to mass blocking of users.

2.7.4

• The lockout alerts can be sent to a configurable email address now.

2.7.3

• Settings page is moved back to “Settings”.

2.7.2

• Settings are moved to a separate page.
• Fixed: login error message. https://wordpress.org/support/topic/how-to-change-login-error-message/

2.7.1

• A security issue inherited from the ancestor plugin Limit Login Attempts has been fixed.

2.7.0

• GDPR compliance implemented.

• Fixed: ip_in_range() loop $ip overrides itself causing invalid results.
  https://wordpress.org/support/topic/ip_in_range-loop-ip-overrides-itself-causing-invalid-results/

• Fixed: the plugin was locking out the same IP address multiple times, each with a different port.
  https://wordpress.org/support/topic/same-ip-different-port/

2.6.3

• Added support of Sucuri Website Firewall.

2.6.2

• Fixed the issue with backslashes in usernames.

2.6.1

• Plugin returns the 403 Forbidden header after the limit of login attempts via XMLRPC is reached.

• Added support of IP ranges in white/black lists.

• Lockouts now can be released selectively.

• Fixed the issue with encoding of special symbols in email notifications.

2.5.0

• Added Multi-site Compatibility and additional MU settings. https://wordpress.org/support/topic/multisite-compatibility-47/

2.4.0

• Usernames and IP addresses can be white-listed and black-listed now. https://wordpress.org/support/topic/banning-specific-usernames/ https://wordpress.org/support/topic/good-831/
• The lockouts log has been inversed. https://wordpress.org/support/topic/inverse-log/

2.3.0

• IP addresses can be white-listed now. https://wordpress.org/support/topic/legal-user/
• A “Gateway” column is added to the lockouts log. It shows what endpoint an attacker was blocked from. https://wordpress.org/support/topic/xmlrpc-7/
• The “Undefined index: client_type” error is fixed. https://wordpress.org/support/topic/php-notice-when-updating-settings-page/

2.2.0

• Removed the “Handle cookie login” setting as they are now obsolete.
• Added bruteforce protection against Woocommerce login page attacks. https://wordpress.org/support/topic/how-to-integrate-with-woocommerce-2/
• Added bruteforce protection against XMLRPC attacks. https://wordpress.org/support/topic/xmlrpc-7/

2.1.0

• The site connection settings are now applied automatically and therefore have been removed from the admin interface.
• Now compatible with PHP 5.2 to support some older WP installations.

2.0.0

• fixed PHP Warning: Illegal offset type in isset or empty https://wordpress.org/support/topic/limit-login-attempts-generating-php-errors
• fixed the deprecated functions issue
  https://wordpress.org/support/topic/using-deprecated-function
• Fixed error with function arguments: https://wordpress.org/support/topic/warning-missing-argument-2-5
• added time stamp to unsuccessful tries on the plugin configuration page.
• fixed .po translation files issue.
• code refactoring and optimization.