WordPress.org

Friulian

  • Temis
  • Plugin
  • Gnovis
  • A rivuart di
  • Contat
  • Get WordPress
Get WordPress
WordPress.org

Plugin Directory

Melapress Login Security

  • Submit a plugin
  • My favorites
  • Log in
  • Submit a plugin
  • My favorites
  • Log in

Melapress Login Security

By Melapress
Download
  • Details
  • Reviews
  • Development
Support

Description

COMPREHENSIVE WORDPRESS LOGIN SECURITY PLUGIN

Melapress Login Security enables you to effortlessly set login security policies that put you firmly in the driver’s seat of your WordPress sites. Policies are highly customizable and granular and can be implemented by user role or site-wide for complete control over the security of your WordPress login processes.

Use the free edition of Melapress Login Security to implement WordPress password requirements such as minimum length and complexity rules. The plugin also allows you to set password expiration policies, prevent password reuse, limit failed login attempts, and automatically disable inactive user accounts, among other things. This helps you:

  • Prevent unauthorized login attempts
  • Protect against brute force attacks
  • Comply with GDPR with a login consent notice

Features list

A secure WordPress login starts right here. Explore all of the features included with the free edition of Melapress Login Security:

Set password policies

Strong passwords are your first line of defense against bad actors looking to gain access to your site. Set password requirement policies to make sure users set strong passwords. Set policies by user role or site-wide and define policy priority for users with multiple roles.

  • Set minimum password length
  • Mandate use of upper case and lower case characters, numeric digits, and special characters
  • Set an automatic password expiration policy and advise users when their password is about to expire
  • Disallow users from recycling passwords
  • Provide users with helpful instructions during the password configuration stage
  • Disable password reset links
  • Mandate WordPress password reset on the first login

Limit login attempts

Limit failed login attempts and put an end to brute force attacks. Protect your login form by automatically disabling user accounts after a number of failed login attempts. Choose between manual unlocking by an admin or automatic unlock after a cooldown period.

Temporary login without password

Provide temporary and secure login access to third-parties, like developers, editors, employees or others, without a password. It works by providing the user with a temporary login link that expires after a certain amount of time, or after a number of uses. This prevents you from having to create new user accounts manually, while simultaneously reducing the security risks associated with old, unused user accounts.

Change WordPress login URL

Easily deploy security-by-obscurity tactics and change your WordPress login page URL using a plugin! Hiding the default login page from hackers makes it more difficult to find, potentially reducing brute force attacks and other unauthorized access attempts. After you change the default wp-admin URL, you can set a 404 for the old login page or redirect it to any page of your choosing.

Limit login page access by IP address(es)

Limit access to the WordPress login page by IP address(es) for additional security.

GDPR login page consent notice

Easily meet GDPR requirements by adding a GDPR consent notice to the login page. This is required for GDPR and PCI DSS compliance, thus ensuring your WordPress site login page is in compliance.

Emergency password reset

Discovered suspicious behavior? Reset all users’ passwords with just one click and regain instant control.

Upgrade to Melapress Login Security Premium and get even more benefits.

The premium edition of Melapress Login Security comes bundled with even more features, which enable you to take your WordPress website login security to the next level. Disable inactive WordPress user accounts and force passwords to be reset once accounts have been unlocked. Inactive accounts can be managed within a single dashboard for increased efficiency and faster response times. Moreover, you can set accounts to be locked out after a number of failed login attempts and customize the duration and method of unlocking them.

Premium features list

  • Everything in the free version
  • Add an additional security layer with security questions users must answer when performing actions such as password reset and account unlock
  • Automatically send users an email whenever there’s a login with their username from an unrecognized device with an option to terminate the session remotely
  • Extend or shorten session durations for better balance between security and user convinience
  • One-click integration with third-party plugins such as WooCommerce, LearnDash, Memberpress, and many others
  • Automatically disable inactive WordPress users after a set time
  • Add Geo-blocking rules to restrict login page traffic to specific countries, or block traffic from specific countries
  • Restrict users’ login to a specific IP address, or a configurable number of IP addresses
  • Restrict WordPress users’ login time by day and/or hours
  • Restrict login credentials to email, username, or both
  • Add a GDPR consent notice to the login page
  • See reports of when users were last active, what’s their password age, and whose password is expired
  • Receive detailed weekly summary reports over email of password resets and changes, user account lockouts, and more!

| UPGRADE TO PREMIUM |

Why you should use Melapress Login Security

Melapress Login Security is a WordPress plugin built from the ground up to help you address security concerns and secure your WordPress login. Supercharge login credentials for maximum effectiveness and put a stop to unlimited login attempts, weak passwords, and inactive users. Set up policies to reduce your attack surface area such as login times restrictions, change the WordPress login URL, and much more.

Free and premium support

Support for the free edition of Melapress Login Security is free on the WordPress support forums. Premium world-class support via one-to-one email is available to the Premium users – upgrade to premium to benefit from priority support.

For any other queries, feedback, or if you simply want to get in touch with us, please use our contact form.

MAINTAINED & SUPPORTED BY MELAPRESS

Melapress builds high-quality WordPress security & admin plugins such as WP 2FA, Melapress Role Editor,and WP Activity Log, the #1 user-rated activity log plugin for WordPress.

Visit our website to see how our plugins can help you better manage and improve the security and administration of your WordPress websites and users.

Install the plugin from within WordPress

Keeping a secure WordPress login page is easy with Melapress Login Security. Simply:

  1. From your WordPress dashboard, navigate to Plugins > Add New
  2. Search for “Melapress Login Security”
  3. Install & activate Melapress Login Security from your Plugins page

Install the plugin manually (via file upload)

  1. Download the plugin from the WordPress plugins repository
  2. Unzip the zip file and upload the folder to the /wp-content/plugins/ directory
  3. Activate the Melapress Login Security plugin through the Plugins page in WordPress

Screenshots

  • The configurable login security policies in the plugin.
  • The plugin is highly configurable, allowing you to fine tune the plugin’s functionality to fit your requirements.
  • You can configure different login security policies for every user role, or exclude the role from the policies, or simply inherit the site-wide policies for every role.
  • Change the login page URL as a security hardening technique, restrict access via IP address(es), and also add a GDPR consent message, which is required by PCI DSS and GDPR compliance regulations.
  • Easily create temporary secure logins without passwords that automatically expire after a specific period or a number of use.

  • In the Premium edition you can also limit the traffic to the login page by country or a number of countries.

  • Users are notified when their password expires.
  • It is very easy for a user to know what their password should include or not because the policies which are not met when setting a new password are highlighted in red.
  • In the Premium edition you can also restrict the number of IP addresses a user can log in from, allowing you to easily control account sharing and boost user security.
  • In the Premium edition the Reports allow you to see the last time users were active, the last time they reset their password, and those users with an expired password.

FAQ

Where can I go for further reading and documentation?

You can find more detailed information about WordPress website security, password security and user management, security best practices, and much more in the recommended reads linked below:

  • WordPress Password Policy: Enforcing strong passwords
  • WordPress security & hardening – the definitive guide
  • The definitive guide to WordPress security plugins

Is Melapress Login Security free?

Melapress Login Security comes in both free and premium editions. The free edition comes packed with several security measure features to protect your WordPress login, including:

  • Password policies for all your users
  • Limit login attempts
  • Change login URL
  • GDPR login page notification

The premium edition adds features such as:

  • Login times restrictions
  • Inactive users policies
  • IP restrictions
  • Geo-blocking
  • One-click integration with WooCommerce, Memberpress, LearnDash, and others
  • and much more!

What is the difference between free and premium?

The free edition includes all basic features without any restrictions to help you improve your WordPress login security. The premium edition adds several features over and above what is available in the free edition, enabling you to improve your WordPress login security even further.

Can I get support if I get stuck?

Support for the Free edition of the plugin is provided only via the WordPress.org support forums. You can also refer to our support pages for all the technical and product documentation.

If you are using the Premium edition, you get direct access to our support team via one-to-one email support.

How does Melapress Login Security secure my website?

Melapress Login Security secures different aspects of the WordPress login process to increase the overall security of your site. Depending on which edition you get and which policies you activate, the plugin is flexible enough to enable you to be as restrictive as you like.

While the plugin is extensive, it is not a silver bullet, and you should still take other security measures, such as enabling two factor authentication.

How does limiting login attempts improve security?

Brute force attacks rely on unlimited login attempts to try as many username and password combinations as possible until they hit the right combination. By limiting login attempts, you effectively stop brute force attacks by removing the one thing they rely on to breach your login page.

How effective is changing the default WordPress login URL?

Changing the login page URL is a security technique known as security-by-obscurity. Its entire premise is to make resources harder to find – but not impossible. This means that changing the wp-admin page URL can be an effective strategy when combined with other techniques such as using strong passwords and two factor authentication.

Does the plugin receive updates?

Melapress Login Security is actively supported and receives regular updates. Refer to the plugin changelog for more information about past updates.

How do I uninstall Melapress Login Security?

You can uninstall Melapress Login Security just as easily as you would with any other plugin. Simply login to your WP admin dashboard, navigate to Plugins > Installed Plugins, locate Melapress Login Security, and then click on Deactivate and then Uninstall.

To remove all settings, navigate to Login Security > Settings and enable the Delete database data upon uninstall setting before deactivating and uninstalling the plugin.

What data does Melapress Login Security send?

The free edition does not send any data whatsoever. The premium edition, on the other hand, only sends licensing data to our server. All WordPress login security settings remain in your WordPress database. Furthermore, the plugin does not collect any user data.

How can I report security bugs?

You can report security bugs through the Patchstack Vulnerability Disclosure Program. Please use this form. For more details please refer to our Melapress plugins security program.

Reviews

Excellent Plug-In with Excellent Support

totallyminimad 25 di Jugn dal 2025 1 reply
This is a great plug-in to enhance security and also works alongside Melapress 2FA plug-in where others do not. Great response from support too. Thank you!

Très bon plugin et excellent support

delemo 21 di Mai dal 2025 1 reply
Login Security brings together, in a clear and easy-to-use way, all the options for setting up a robust password policy.Support is readily available.

Awesome plugin

kacper3355 25 di Avrîl dal 2025 1 reply
Great plugin to enhance your WP security. Works as intended, keep up the good work! Thanks.

Works well

billhodgson 22 di Avrîl dal 2025 1 reply
Good plugin, lots of options.

Very good support

holecutterstore 3 di Avrîl dal 2025 1 reply
My staging site had Melapress security, which I hadn’t been using, but now starting to use. It was at a back level – 1.3.1. I upgraded to 2.1.0. When I followed the link for the migration from 1.3.1 to 2.1.0, the migration failed. The reason is I had originally installed Melapress 1.3.1 and selected to ‘NOT DELETE’ database entrees when ‘deactivating and deleting’ the plugin. This caused the migration to 2.1.0 to FAIL, as there were residual entries with MLS prefix from WP_OPTIONS. Melapress support quickly identified MY MISTAKE – and I successfully upgraded to 2.1.0. THANK YOU!

Very Good support and plugin

Dziubek 7 di Març dal 2025
Very Good support and plugin.
Read all 14 reviews

Contributors & Developers

“Melapress Login Security” is open source software. The following people have contributed to this plugin.

Contributors
  • Melapress

“Melapress Login Security” has been translated into 3 locales. Thank you to the translators for their contributions.

Translate “Melapress Login Security” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

2.2.0 (2025-07-15)

  • Security fix

    • Fixed a security vulnerability reported by Kr0d.
  • Plugin improvements

    • Adjusted all emails sent by the plugin to include the new Melapress logo.
    • Added more UI/UX elements to better assist the site admin during plugin configuration (e.g. Policies per role tabs).
    • Added Various code sanitization checks and adjustments throughout the plugin for improved overall security.
  • Bug fixes

    • Fixed a few logic errors that could cause “Reset all users” passwords to malfunction when certain password policies were enabled.
    • Fixed a bug that caused custom role policies to not be enforced correctly and instead use the “site-wide” policies.
    • Fixed the “Delete” button which was not working in the list of temporary login users.
    • Fixed an issue with bulk-sending password resets from the Users page, which could have bypassed plugin policies that disallow initiating password resets.
    • Fixed a user-reported 503 HTTP that could occur when password resets were initiated.
    • Fixed a user-reported PHP error that could occur when editing pages on specific site/server setups.
    • Fixed a bug that prevented WordPress native error messages from being hidden when the login URL had been changed.
    • Fixed a user-reported bug in which users were unable to reset their password even when the disallow password resets option was disabled on a multisite network.
    • Fixed an issue where the password recycling feature was not enforced on the WooCommerce password update form unless site-wide policies were active.
    • Fixed a scenario that caused users excluded from all password policies to be unable to initiate a password reset.
    • Fixed the aesthetics of the password policies list inside the LearnDash registration form.
    • Fixed a bug that could cause the “Reset password on next login” option to not be enforced correctly for some users.
    • “Restrict login based on email address or username only” now works as expected when enforced for certain roles – previously was only working as expected when used as a site-wide policy.
    • Fixed support for Easy Digital Downloads forms—now fully compatible with the latest version of Easy Digital Downloads.
    • Revisited all third party supported plugins and made small visual tweaks (alignment fixes, display errors etc).
  • Known issue

    • Some settings might not be imported correctly via the Export/Import Feature of the plugin, and which will be addressed in the next update.

2.1.1 (2025-04-07)

  • Bug fixes

    • Fixed a vulnerability reported by Wordfence: Missing Authorization leading to Unauthenticated Arbitrary User Deletion.
    • Resolved a UI issue in the calendar view for the Temporary Logins custom expiry date filter.
    • Fixed a bug that prevented the “Hide WordPress native errors on login form” feature from working correctly when the login URL was changed or when running on a multisite network.
    • Multisite: Addressed PHP errors that occurred when certain plugin cron jobs were executed.
    • Multisite: Addressed a bug which was causing the “User notification templates” page to be hidden on certain site setups
    • Fixed a bug preventing “Disallow old passwords” feature to work on 3rd party forms, unless “Password policies” are globally active in plugin settings.
    • Fixed an internal plugin conflict between “Disallow old passwords” feature and Temporary logins, which in some edge cases could prevent new Temporary logins to be made
  • Plugin improvements

    • Users excluded from password policies are now also exempt from Security Questions enforcement.
    • Users with an expired password can now log in if the policy is disabled in the plugin settings.
    • Improved Temporary Logins UI with a more compact layout.
    • Strengthened security by adding additional nonce and capability checks across the plugin.

2.0.1 (2024-12-10)

Version 2.0.1 (2024-12-10) Maintenance update

  • New features

    • Timed Logins: Users login token can now expire as close of business (optional)

      • Plugin improvements
    • Various UI improvements to policies / reset all passwords area
    • WP 2FA + Unrecognised Device policies now operate in harmony, enforcing only after 2FA has been passed

      • Bug fixes
    • Fixed bug which caused expired user logins to count as a failure.
    • Fixed potential error caused on specific custom password-less registration methods.
    • Fixed bug which stopped multiple users from being unlocked at once
    • Fixed formatting of email templates
    • Summary email: fixed ‘random’ readout of year
    • Fixed some small PHP deprecation warnings.

2.0.0 (2024-11-05)

  • New features

    • Security questions: require users to configure security questions that can be used to verify users when resetting passwords and unlocking user accounts, thus the website administrator does not need to be involved.
    • Unrecognized devices policy: users will be alerted via email each time there is a login with their username from a device that was not used before, and are also given the option to remotely log out that session.
    • IP address restriction setting for the login page: restrict access to the login page by IP address(es).
    • Session cookies settings: configure the expiration time of the WordPress session cookies, including those used when the user checks the “Remember me” option in the login page.
    • Added the shortcode mls_user_password_expiry_notice so admins can add the password expiry notice on custom user portals etc.
    • Added the hook mls_user_set_as_inactive that can be used when a user’s account is disabled by the Inactive users policy.
    • Setting to restrict logins by either username or email address only. By default you can login to WordPress by using any.
    • New option in the “Reset all passwords” feature that requires all users to change their password on their next login, instead of resetting the passwords of all users and sending them an email. This is mostly used for users who do not / cannot receive emails to reset their passwords.
    • Setting to disable the built-in WordPress password auto suggestion when resetting or changing the password.
    • Setting in the “Password expiration policy” to configure when the user should be notified of the password expiration date after dismissing the notification.
    • Added out-of-the-box support for Easy Digital Downloads and ProfilePress; enforce the login and password policies on these plugins’ forms with just one-click.
    • Added a “Last login time” column in the users’ page, giving the admin an easy overview of users’ login activity.
  • Plugin improvements

    • Generic / overall code updates and enhancements – ensuring code adheres to the WordPress coding standards, added comments where needed, improved nonce checks and much more.
    • Applied several coding updates that result in noticeable overall better plugin performance and resources usage.
    • Every password policy can now be enabled / disabled individually, rather than all together.
    • Reorganized the order of the policies in the settings, and grouped the password, user account and login policies.
    • Updated all the prefixes in the plugin’s code and also in the settings to MLS_. Included a manual updating process to handle the update.
    • Improved overall support for Paid Membership Pro.
    • Standardized the spacing, help text placement and settings’ layout for a more uniform and easy to use UI.
    • All emails the plugin uses are now available as templates that can be edited.
    • Moved all wp_mail functions to a single emailer class.
    • Added a default value to the “password expiry” notification setting.
    • Updated several strings / help text in the plugin for better explanation and guidance for users.
    • Added a default notification for when the sending of password reset links is disabled.
    • Updated the email and notifications templates section; separated the notifications from the email templates, making it much easier for the user to edit them.
    • Updated the default email and notification templates.
    • Bumped up the minimum version of PHP to 7.3.
  • Bug fixes

    • Fixed the check for password expiry emails – in some cases plugin was sending multiple emails to users.
    • Fixed: Excluded user with admin role still locked due to inactive users policy.
    • Fixed: Conflict with WP Engine MU plugin – WP Engine’s plugin does not account for an error if passed to it even if the hook returns both WP_User and WP_Error.
    • Fixed: plugin was not considering the full stop character, and other characters as a special character in passwords (had a specific hardcoded list).
    • Fixed: Locked users page was not showing up when using a Professional plan license.
    • Fixed: Upgrade admin notice not showing up in a multisite environment.
    • Fixed: Login page consent / GDPR notification shows in the login page after migration even when the setting is disabled.
    • Fixed: weekly summary email reports new users as having reset their passwords.
    • Fixed an edge case in which a just unlocked user cannot log in to the multisite network due to too many redirects error.
    • Fixed: multiple password policies settings changes not saved when one of the changes is to set the password minimum length policy to 5.
    • Fixed: failed login attempts was adding up the failed logins of multiple users when they are logging in from the same IP address, resulting in locked accounts that should have not been locked.
    • Fixed: several issues with enforcing password policies on WooCommerce pages, and also improved the logic of when specific notifications should be shown on WooCommerce pages.
    • Fixed: Password history feature was allowing some of the old passwords to be reused in some edge cases.
    • Fixed a PHP fatal error in class-optionshelper.php which was caused when upgrading from a much older version of the plugin to the most recent one.

Refer to the complete plugin changelog for more detailed information about what was new, improved and fixed in previous version updates of Melapress Login Security.

Meta

  • Version 2.2.0
  • Last updated 5 dîs ago
  • Active installations 2.000+
  • WordPress version 5.5 or higher
  • Tested up to 6.8.2
  • PHP version 7.3 or higher
  • Languages

    Dutch, Dutch (Belgium), English (US), and Polish.

    Translate into your language

  • Tags
    Brute Forcelimit login attemptslimit loginsloginlogin security
  • Advanced View

Ratings

5 out of 5 stars.
  • 14 5-star reviews 5 stars 14
  • 0 4-star reviews 4 stars 0
  • 0 3-star reviews 3 stars 0
  • 0 2-star reviews 2 stars 0
  • 0 1-star reviews 1 star 0

Add my review

See all reviews

Contributors

  • Melapress

Support

Got something to say? Need help?

View support forum

  • A rivuart di
  • Gnovis
  • Hosting
  • Privacy
  • Showcase
  • Temis
  • Plugins
  • Patterns
  • Impare
  • Supuart
  • Developers
  • WordPress.tv ↗
  • Get Involved
  • Events
  • Donate ↗
  • Five for the Future
  • WordPress.com ↗
  • Matt ↗
  • bbPress ↗
  • BuddyPress ↗
WordPress.org
WordPress.org

Friulian

  • Visit our X (formerly Twitter) account
  • Visit our Bluesky account
  • Visit our Mastodon account
  • Visit our Threads account
  • Visit our Facebook page
  • Visit our Instagram account
  • Visit our LinkedIn account
  • Visit our TikTok account
  • Visit our YouTube channel
  • Visit our Tumblr account
Il codiç al é puisie.