A new version of Magic Login and Magic Login Pro has been released today. This release brings a few security fixes and enhancements. Here are brief details about this release:
- Keep token data hashed: In prior versions, the login token was stored in plain text as usermeta. To reduce the risk from plain-text storage, the token data is now hashed before saving. With this update, existing tokens will not be updated; please keep this in mind.
- Retrieving the client IP without respecting HTTP_X_FORWARDED_FOR: Magic Login Pro limits login attempts per IP address to mitigate DoS attacks. Since HTTP_X_FORWARDED_FOR can be easily spoofed, we have removed support for the HTTP_X_FORWARDED_FOR header. If your WordPress setup is behind a proxy, you can use the magic_login_client_ip filter to trust allowed proxies and correct the IP address of the client.
- Username-only mode: You can use define( 'MAGIC_LOGIN_USERNAME_ONLY', true ); to accept login requests by username only.
- Better HTML detection before adding line breaks: If you are adding a custom template for the email, automatic line breaks will not mess up your template.
- Email Subject: Pro users can set up the email subject on the settings page.
- Small tweaks & fixes
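
One way to use the magic_login_client_ip filter behind a reverse proxy, as an added example that is not the plugin's own code. It assumes the filter passes the detected IP as its only argument; the my_* names and the proxy addresses are hypothetical. X-Forwarded-For is honored only when the connection itself comes from a trusted proxy.

```php
<?php
// Added example, not the plugin's code. Assumption: the filter passes the
// detected client IP as its only argument. All my_* names are hypothetical.

// Constructed sample values: replace with your own proxies' addresses or CIDRs.
const MY_TRUSTED_PROXIES = array( '10.0.0.0/8', '192.0.2.10' );

// True when $ip lies inside $cidr (IPv4 or IPv6); a bare address must match exactly.
function my_ip_in_cidr( $ip, $cidr ) {
	list( $net, $prefix ) = array_pad( explode( '/', $cidr, 2 ), 2, null );
	$ip_bin  = filter_var( $ip, FILTER_VALIDATE_IP ) ? inet_pton( $ip ) : '';
	$net_bin = filter_var( $net, FILTER_VALIDATE_IP ) ? inet_pton( $net ) : '';
	$max     = strlen( $net_bin ) * 8;
	$bits    = null === $prefix ? $max : ( ctype_digit( $prefix ) ? (int) $prefix : -1 );
	if ( '' === $ip_bin || strlen( $ip_bin ) !== strlen( $net_bin ) || $bits < 0 || $bits > $max ) {
		return false; // invalid input, address family mismatch or bad prefix length
	}
	$bytes = intdiv( $bits, 8 );
	$mask  = ( 0xFF << ( 8 - $bits % 8 ) ) & 0xFF; // mask for a partial last byte
	return substr( $ip_bin, 0, $bytes ) === substr( $net_bin, 0, $bytes )
		&& ( 0 === $bits % 8 || ( ord( $ip_bin[ $bytes ] ) & $mask ) === ( ord( $net_bin[ $bytes ] ) & $mask ) );
}

function my_is_trusted_proxy( $ip ) {
	return (bool) array_filter( MY_TRUSTED_PROXIES, fn( $cidr ) => my_ip_in_cidr( $ip, $cidr ) );
}

// Walk X-Forwarded-For from right to left. A hop is accepted only when the
// address that reported it is a trusted proxy, so client-supplied entries are ignored.
function my_resolve_client_ip( $remote_addr, $xff ) {
	$client = $remote_addr;
	$hops   = array_reverse( array_map( 'trim', explode( ',', $xff ) ) );
	foreach ( $hops as $hop ) {
		if ( ! my_is_trusted_proxy( $client ) || ! filter_var( $hop, FILTER_VALIDATE_IP ) ) {
			break; // reporter is not a trusted proxy, or the entry is malformed
		}
		$client = $hop;
	}
	return $client;
}

// Register only inside WordPress, so the file also loads stand-alone.
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'magic_login_client_ip', function ( $ip ) {
		$xff = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
		return my_resolve_client_ip( $_SERVER['REMOTE_ADDR'] ?? $ip, $xff );
	} );
}
```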
Thanks to @snicco for reporting security issues. We highly advise updating the plugin ASAP due to security fixes.