The WP-Members Security plugin has been updated to version 1.4.0. There are some important bug fixes in this release as noted below.
While there was a general code review and cleanup, there were two major bugs that were fixed in this release. They may or may not affect you, depending upon (1) the version of WP-Members being used and (2) what settings were enabled in WP-Members Security. But as always, you should update to the most recent version anyway. Here are the two major bugs that were fixed:
The biggest bug fix in this release is a bug in the password reset/change process when the plugin is set to confirm the existing password upon changing a password. With the new WP-Members password reset link, this setting caused the confirm field to be checked when resetting a forgotten password. Obviously, that’s logically impossible, since resetting a forgotten password means that you don’t have the current password to confirm. If you’re using WP-Members 3.4.x (and you should be!) and you use the password confirmation setting in WP-Members Security, you need to update to this version.
Another annoying bug that was fixed in this release is that when failed login tracking was enabled, login lockout was also enabled – regardless of whether it was enabled in the settings. This led to users being locked out upon sequential failed logins triggering a lockout and wondering why that was occurring. Not only was this directly addressed in the 1.4.0 release, the plugin now only loads the object classes for options that are enabled.
As usual, there were some feature updates. The most noticeable will be the option to change the password strength level requirement. Previously, the plugin allowed you to require a strong password and included the WP password strength meter for this.
Based on some user feedback and requests, I have added the ability to “dial this down”. Now the option is to included the password strength meter (same as before), but with the option to set the strength required to submit the password change. The meter will tell you the strength, but will let through weak or medium passwords if you have set the required strength as such. Also, the text used in the meter can now be filtered if you need to customize it.
Along with this, I included a “generate password” button as an option. For now, this will require some basic CSS to be applied if you want to make it suit your form. The HTML markup required is based on WP’s native process for the generate password button in the admin and that cannot be changed or the process will break. But you can apply CSS rules to the tags, IDs, and classes used. If you need to customize the look, I recommend using the WordPress Customizer to do it.
Another new setting is the option to remove the plugin’s custom database tables upon uninstall (the “delete” option in the WP plugin panel). The plugin creates two database tables; one for failed login tracking, and the other for login lockouts. Depending upon your preferences, you may want to save these or remove them. But now, with the added option, this can be done along with all the other settings the plugin cleans up when removed.