Sky Login Redirect

更新日志

4.2.4 – 2026-06-12

• New – Generic login error messages (Starter): optionally replace WordPress’s username-revealing login, lost-password and email-login errors with a single neutral message, so attackers can’t tell whether a username or email address exists on your site (account enumeration). Enable it under Login Redirect → Tweaks → Admin tweaks. Harmless notices like “empty password” are left intact; the message is customizable via the slr_generic_login_error_message filter.
• New – Cloudflare Turnstile anti-spam protection (Platinum). Adds a free, privacy-friendly, no-puzzle CAPTCHA to the WordPress login, registration and lost-password forms to stop spam bots and brute-force attempts. Enable it and paste your site/secret keys under Login Redirect → Tweaks → Spam protection. Programmatic logins (XML-RPC, REST, application passwords) are never affected.

4.2.3 – 2026-06-02

• Fix – Fatal error (TypeError) on login when another plugin’s login_redirect/logout_redirect filter callback returned a non-string value (e.g. true). The redirect arguments are now normalised to a string or null before being passed to the strictly-typed RedirectManager, so the plugin no longer crashes wp-login.php.
• Hardening – The WooCommerce and EDD redirect handlers and the custom login URL filter now defensively normalise any non-string value passed by third-party plugins (including arrays/objects), preventing the same class of error across all redirect filters.

4.2.2 – 2026-06-02

• Fix – Users not covered by any redirect rule (including administrators) were forced to the homepage on login/logout. The plugin now preserves the default WordPress destination (e.g. the dashboard) when no rule matches the user, so a rule scoped to specific roles only affects those roles.
• Fix – Role-based content restriction restricted every page the role viewed instead of only the pages selected in the rule. It now respects the chosen “Content to restrict” list, consistent with user- and logged-out-based rules.
• Improvement – Both redirect rules and content restriction rules now match against all of a user’s roles instead of only the primary role, so multi-role users are handled correctly.

4.2.1 – 2026-05-31

• Security – Modal login brute-force protection now uses a transient instead of the non-persistent object cache, so the rate limiter works on sites without Redis/Memcached.
• Security – Client IP detection now trusts only REMOTE_ADDR by default; spoofable proxy headers (X-Forwarded-For, CF-Connecting-IP) are opt-in via the slr_rate_limit_ip filter, closing a rate-limit bypass.
• Fix – Fatal error on the modal login form caused by a missing get_current_url() import.
• Fix – WooCommerce registration redirect no longer discards the default destination when the custom redirect is disabled.
• Fix – Possible TypeError when building a nav-menu login/logout link with no saved link type.
• Internal – Removed redundant wp_set_current_user()/wp_set_auth_cookie() after wp_signon() in AJAX login.
• Internal – PERF-005 migration: removed a duplicate option read and guarded upgrader array keys.

4.2.0 – 2026-05-29

• New – IPs are now correctly detected, when behind a proxy.
• New – Migrate 5 fields to CF association with lazy-loaded paginated search.
• Fix – Two separate CookieManager instances were created.
• Fix – Restrict rule header template now displays the selected content-to-restrict title at a glance
• Fix – Rule header template: defensive typeof check for slr_xrole[0] against future association field format changes
• New – carbonade_pipe(): reconstructs CF complex (repeater) fields from flat pipe-delimited wp_option rows without Carbon Fields being booted — safe on wp-login.php and any frontend context
• Internal – slr_options_cache() shared cache loader: carbonade() and carbonade_pipe() share a single get_cached_options() call per request

Older versions changes can be found in the changelog