v0.54.0
What's in 0.54.0
Security suite phase 3: two-factor authentication + password policy for site users. Previously only WPMgr operators had 2FA; now you can require it for the WordPress users of a managed site, enforced at the login screen.
- Two-factor for site users: authenticator app (TOTP), email codes, and single-use backup codes. Enforce per user role, with configurable grace logins for enrollment and a remember-this-device window. Recommended setup is administrators with an authenticator app plus backup codes.
- Password policy: minimum strength, block known-compromised passwords (checked against a free public breach corpus by a privacy-preserving prefix query, so the password never leaves the site), block reuse, and optional expiry with a forced-change screen.
- Hide the login page behind a secret address.
Per-site, opt-in, off by default. Strong lockout-proofing: the control plane can always reach a site it manages, backup codes always work, and wp-config recovery constants disable enforcement from the filesystem if ever needed. Enabling 2FA applies to new logins; existing sessions remain valid until they expire.
Container images
ghcr.io/mosamlife/wpmgr-api:v0.54.0ghcr.io/mosamlife/wpmgr-web:v0.54.0ghcr.io/mosamlife/wpmgr-media-encoder:v0.54.0