Skip to content

v0.54.0

Choose a tag to compare

@mosamlife mosamlife released this 20 Jun 11:45
cc832b1

What's in 0.54.0

Security suite phase 3: two-factor authentication + password policy for site users. Previously only WPMgr operators had 2FA; now you can require it for the WordPress users of a managed site, enforced at the login screen.

  • Two-factor for site users: authenticator app (TOTP), email codes, and single-use backup codes. Enforce per user role, with configurable grace logins for enrollment and a remember-this-device window. Recommended setup is administrators with an authenticator app plus backup codes.
  • Password policy: minimum strength, block known-compromised passwords (checked against a free public breach corpus by a privacy-preserving prefix query, so the password never leaves the site), block reuse, and optional expiry with a forced-change screen.
  • Hide the login page behind a secret address.

Per-site, opt-in, off by default. Strong lockout-proofing: the control plane can always reach a site it manages, backup codes always work, and wp-config recovery constants disable enforcement from the filesystem if ever needed. Enabling 2FA applies to new logins; existing sessions remain valid until they expire.

Container images

  • ghcr.io/mosamlife/wpmgr-api:v0.54.0
  • ghcr.io/mosamlife/wpmgr-web:v0.54.0
  • ghcr.io/mosamlife/wpmgr-media-encoder:v0.54.0