WP-Members Security 1.1.0 has been released and it is primarily a bug fix release. Well… it started as a bug fix release. There were a couple of new features added as well (from the 2.0.0 project – adding them early) that facilitated bumping to 1.1.0 instead of 1.0.4.
Here’s what’s covered in the update
Bug fix: This release fixes a bug that caused some of the settings to not display in the admin panel. It was for sure in the 1.0.3 version and possibly in 1.0.2 as well. If you look at the Security tab and only see the blacklist settings, then you are affected by the bug and should upgrade (because you’re not able to utilize all the settings).
Added: This version adds the password “flag” (which triggers requiring a password change by the user) when the admin changes a user’s password. In previous versions, the flag was set when a random password was set for the user (such as a forgot password reset, or if initial passwords are randomly generated). But if the admin sets a new password via WP’s random password generator, that is actually viewed as a custom password (because the random password generator has already run). So this update adds a flag to force the user to change this password if set in this manner.
Added: New API functions are included in this release. Actually, I should just say “API functions are included” because while they are “new,” there were no API functions in previous versions. This update adds the following user accessible functions for customization:
- wpmem_sec_set_password_flag() – This function sets a flag requiring a user to update their password. This can be used for customizing where you might want to provide a mechanism to force a user to update their password. Requires $user_id to be passed, otherwise it will set for the current user.
- wpmem_sec_users_with_sessions() – Gets all users who have active sessions. The session management features of the Security plugin are primarily used for preventing users from having concurrent logins (being logged in from two places at once). Note that an “active” session merely means the session is not expired. It does not mean that the user is active on the site.
- wpmem_sec_get_user_session() – Gets the session for a specific user. Requires $user_id to be passed, otherwise retrieves the current user.
Improvements: The main class was updated to improve coding standards. Additionally, some of the core methods that did not have specific return values were updated to return a value (mostly booleans, i.e. true|false to indicate specific successful processes).
Due to the bug from previous versions affecting full use of the plugin’s features, updating is recommended for all users.
Next update in development
While I have your attention, I’ll let you know that the next update is already in development and it has a lot of really great new features! I’ve been working on this for a while, and had intended it to be the next release – until the 1.0.3 settings bug was brought to my attention.
Here’s an overview of what you can expect in the upcoming release (tentatively 1.2.0, but may be 2.0.0 depending on the end result):
- Akismet anti-spam validation for registrations – this release applies the Akismet API and checks it for valid registrations. This will help cut down on spam registrations (although if you’re using the honey pot, those should be limited already anyway). This makes use of the RocketGeek Akismet API class that I recently wrote specifically for use in WordPress plugins.
- StopForumSpam.com anti-spam validation for registrations – like the Akismet API, stopforumspam.com is an API that checks data for spam. Contrary to what you might think from the name, this is not only for forums – it operates as a check for registrations (and thus is a good fit for WP-Members Security). Unlike Akismet, no API key is necessary for you to use it. I have written an API wrapper class for this as well and will be releasing it for general use in WordPress plugins on the RocketGeek Github page. (Note: there will be a FREE plugin released this month as well to make use of the stopforumspam.com API in WP-Members registration.)
- Failed login logging and notification – This feature will record data on failed logins and notify the site administrator via email. I’ll be expanding this feature in future updates, but for the upcoming release it will record the IP, timestamp, and username used for each failed login attempt. You’ll have the option of emailing the admin when this occurs. This can be useful for determining which users are having trouble as well as a warning of attempted brute force attacks.
- Improved registration form honey pot – A honey pot is the single most effective method to combat registration spam. And the Security plugin already has one. But the next release improves on this process. Now, the field will receive a random name. This provides an extra measure of protection against bots since not every WP-Members registration form will contain the same honey pot field name. The field name will not be made to look random, however. We employed a library of actual words that would look like the name of an actual field in a real form – this should be an effective deterrent against bots using AI. While I have seen other plugins with honey pots, I have not seen one with this feature.
- Previous passwords restriction – This keeps a log of password hashes used to compare and require a user to set a new password that is different from his X previous passwords (where X is a custom value you set). The X value can also be set to require a completely unique password that the user has never used before.
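
The previous-passwords restriction, sketched as an added example (this is not WP-Members Security code): because each stored hash carries its own salt, a new password has to be verified against every hash in the history rather than hashed and compared. The `PasswordHistory` class, its method names, and the convention that a limit of 0 means "never reuse" are assumptions, and PHP's `password_hash()` stands in for WordPress's own hashing.

```php
<?php
// Added example, not plugin code. PasswordHistory and its methods are hypothetical.
final class PasswordHistory
{
    /** @var string[] Stored password hashes, newest first. */
    private array $hashes;
    /** How many previous passwords to reject; 0 = any ever used (assumed convention). */
    private int $limit;

    public function __construct(array $hashes = [], int $limit = 5)
    {
        $this->hashes = array_values($hashes);
        $this->limit  = max(0, $limit);
    }

    /** True when $candidate matches a password inside the history window. */
    public function wasUsed(string $candidate): bool
    {
        $window = $this->limit === 0
            ? $this->hashes
            : array_slice($this->hashes, 0, $this->limit);
        foreach ($window as $hash) {
            // Each hash carries its own salt, so hashing the candidate again and
            // comparing strings never matches; verify against every stored hash.
            if (password_verify($candidate, $hash)) {
                return true;
            }
        }
        return false;
    }

    /** Store the new password's hash, or return false if it is a reuse. */
    public function record(string $password): bool
    {
        if ($this->wasUsed($password)) {
            return false;
        }
        array_unshift($this->hashes, password_hash($password, PASSWORD_DEFAULT));
        if ($this->limit > 0) {
            $this->hashes = array_slice($this->hashes, 0, $this->limit);
        }
        return true;
    }
}

// Constructed sample passwords; X = 2.
$history = new PasswordHistory([], 2);
foreach (['Spring-2024!', 'Summer-2024!', 'Spring-2024!', 'Autumn-2024!', 'Spring-2024!'] as $pw) {
    printf("%-14s %s\n", $pw, $history->record($pw) ? 'accepted' : 'rejected: used before');
}
```

The last attempt shows the effect of the window: once a password is more than X changes old it is allowed again, which is what the "never used before" setting closes off.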
As you can see, the majority of new features involve anti-spam methods. I’m confident that between the registration form nonces (already in place in the core plugin), the improved honey pot, and the anti-spam APIs, you will have a rock solid system to prevent spam registrations.
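
One way to build a honey pot field whose name differs per site yet still reads like a real form field, as an added example that is not the plugin's implementation. The word lists, function names, and the choice to derive the name from a site secret with an HMAC (instead of storing a random pick) are assumptions made for illustration.

```php
<?php
// Added example; not WP-Members Security code. All names here are hypothetical.
const HP_PREFIXES = ['billing', 'shipping', 'contact', 'company', 'secondary', 'alternate'];
const HP_SUFFIXES = ['phone', 'fax', 'website', 'address', 'city', 'title'];

/** Derive a stable, site-specific field name made of ordinary form words. */
function honeypot_field_name(string $siteSecret, string $formId): string
{
    // Keyed hash: the same site and form always get the same name, other sites differ.
    $mac = hash_hmac('sha256', 'honeypot|' . $formId, $siteSecret, true);
    $prefix = HP_PREFIXES[ord($mac[0]) % count(HP_PREFIXES)];
    $suffix = HP_SUFFIXES[ord($mac[1]) % count(HP_SUFFIXES)];
    return $prefix . '_' . $suffix;
}

/** Markup for the trap field: a normal text input moved off-screen for people. */
function honeypot_render(string $siteSecret, string $formId): string
{
    $name = htmlspecialchars(honeypot_field_name($siteSecret, $formId), ENT_QUOTES);
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label for="' . $name . '">Leave this field empty</label>'
         . '<input type="text" id="' . $name . '" name="' . $name . '"'
         . ' value="" tabindex="-1" autocomplete="off">'
         . '</div>';
}

/** True when the submission looks automated: trap field missing, not a string, or filled in. */
function honeypot_tripped(array $post, string $siteSecret, string $formId): bool
{
    $name = honeypot_field_name($siteSecret, $formId);
    if (!array_key_exists($name, $post) || !is_string($post[$name])) {
        return true; // a browser submits the empty text field along with the rest
    }
    return trim($post[$name]) !== '';
}

// Constructed sample data. In WordPress the secret could come from wp_salt().
$secret = 'constructed-site-secret';
$field  = honeypot_field_name($secret, 'register');
$human  = ['user_login' => 'alice', $field => ''];
$bot    = ['user_login' => 'promo', $field => 'http://example.invalid'];

echo honeypot_render($secret, 'register'), "\n";
var_dump(honeypot_tripped($human, $secret, 'register'));
var_dump(honeypot_tripped($bot, $secret, 'register'));
```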
If you’re not a current WP-Members Security plugin license holder, I’ll be transparent and let you know two important details. First, the features above are extensive and there will inevitably be a price increase. Second, existing licensees, while getting free updates for 1 year, also keep their pricing when renewing – so they will not be subject to the future price increase. In other words, if you’ve been on the fence thinking about the WP-Members Security plugin, now would be a good time to get it. Or, get it with the Pro Bundle, which represents a tremendous value over purchasing the plugin extensions alone.
Other upcoming plugins
I’ve already released a free plugin this month for use with WooCommerce – Simplify Free Checkout. This plugin allows you to simplify the registration form in WooCommerce checkout if the user’s cart value is $0.00. If you want to see it in action, get the plugin. The checkout on this site uses the plugin (that’s where and why I built it in the first place ;-)). If you use it, be sure to let me know.
There are a couple of other plugins coming for WooCommerce – a Checkout Blacklist and a Simple VAT Invoice. You can read about those here.
And of course, as I briefly mentioned above, there will be a free anti-spam plugin for WP-Members making use of the stopforumspam.com API (those of you with WP-Members Security will already have this feature and more).