MSC Stealth Login

Changelog

1.0.8

  • Fixed: Updated plugin metadata to WordPress 7.0 compatibility (Tested up to: 7.0).
  • Fixed: Renamed global init callback to prefixed function name for Plugin Check naming compliance.
  • Fixed: Removed discouraged load_plugin_textdomain() call for WordPress.org translation loading compliance.
  • Fixed: Refactored login history SQL query assembly to avoid interpolated dynamic WHERE fragments and ensure placeholder/replacement parity in $wpdb->prepare().
  • Fixed: Replaced direct usermeta cleanup queries in uninstall with delete_metadata() API.
  • Updated: Release version bumped to 1.0.8.

1.0.7

  • Security: Fixed IP spoofing vulnerability — now defaults to REMOTE_ADDR; proxy headers only trusted when explicitly enabled via new trust_proxy option.
  • Security: Removed broad redirect_to exception that allowed bypassing login block.
  • Security: Added CSV formula injection prevention for data exports.
  • Fixed: Added load_plugin_textdomain() so translation files are loaded correctly.
  • Fixed: Converted closures to named methods for removability.
  • Fixed: Added settings_errors() output on settings page.
  • Fixed: Refactored SQL sentinel pattern to dynamic WHERE clauses for index utilisation.
  • Fixed: URL-safe validation for custom login slug.
  • Fixed: Synchronized reserved slug list between PHP and JavaScript.
  • Fixed: Double-escaping in login URL display.
  • Fixed: esc_attr_e() in JS onclick handlers replaced with esc_js().
  • Fixed: esc_html__() in plain text email bodies replaced with __().
  • Fixed: esc_html__() in wp_localize_script() replaced with __().
  • Fixed: esc_url() in input value attributes replaced with esc_attr().
  • Fixed: Timezone-sensitive date calculation using gmdate() + DAY_IN_SECONDS.
  • Fixed: Incomplete translator comment for lockout email.
  • Fixed: Orphan user meta cleanup on uninstall.
  • Fixed: delete_transient() instead of delete_option() for transients.

1.0.6

  • Fixed: Removed inline <script> from data tracking notice and moved dismiss logic to admin.js with localized nonce (WordPress.org review compliance).
  • Fixed: Replaced hardcoded /wp-login.php URL paths with wp_login_url() + add_query_arg() for subdirectory WordPress compatibility.
  • Fixed: Added missing translators comment for data tracking notice string (Plugin Check compliance).
  • Fixed: Added phpcs:ignore comments for custom table direct database queries (Plugin Check compliance).

1.0.5

  • Fixed: CIDR IP whitelist matching now works correctly for subnet ranges.
  • Fixed: Recovery token comparison now uses timing-safe comparison (hash_equals).
  • Fixed: Lockout message output now properly escaped.
  • Fixed: Recovery token option key renamed from msc_recovery_token to mscsl_recovery_token for namespace consistency, with automatic migration.
  • Fixed: Plugin header tab character removed for parser compatibility.
  • Added: Privacy admin notice informing administrators about data collection (IP addresses, usernames, user agents, login history).
  • Added: Database schema version tracking for future upgrade path.
  • Added: Privacy Policy section to plugin documentation.

1.0.4

  • Changed: Inlined CSS styles on error page elements for simpler standalone page rendering.
  • Removed: External CSS file for error pages (no longer needed).
  • Removed: Frontend style registration hooks (no longer needed).

1.0.3

  • Fixed: Extracted inline CSS to external stylesheet file per WordPress.org review requirements.
  • Fixed: Created template files for lockout and blocked error pages.
  • Added: X-Frame-Options and X-Content-Type-Options security headers to error pages.

1.0.2

  • Fixed: Plugin Check errors for unescaped database parameters in query methods.
  • Fixed: Plugin Check error for fclose() on php://output stream — added phpcs:ignore.
  • Fixed: DROP TABLE query now uses direct query instead of prepare() (table names cannot be prepared).
  • Fixed: Added phpcs:ignore comments for nonce verification warnings in frontend security filters.
  • Fixed: Added cleanup of flush rewrite rules transient in uninstall.

1.0.1

  • Fixed: Custom login URL now works immediately after plugin activation without manual permalink flush.
  • Fixed: Custom login URL now works immediately after changing the slug in settings.

1.0.0

  • Initial release
  • Custom login URL with rewrite rules
  • wp-admin blocking and redirect
  • Brute force protection with configurable lockouts
  • Email notifications (lockout, admin alert, new IP)
  • Login history with filtering and CSV export
  • XML-RPC endpoint disable option
  • REST API user enumeration blocking
  • IP whitelist for bypassing protection
  • Progressive lockout delay multiplier
  • Recovery URL system for forgotten login URLs

Author: djm56
Version: 1.0.8
Last Updated: May 28, 2026
Requires: WordPress 5.9
Tested Up To: WordPress 7.0
Requires PHP: 7.4
