Login Lockdown

Version 1.0.5

June 9, 2026

Bumped minimum Craft CMS to ^5.9.18 (was ^5.8.0) so consumers no longer install Craft versions affected by GHSA-gj2p-p9m4-c8gw, GHSA-qrgm-p9w5-rrfw, and GHSA-33m5-hqp9-97pw, all patched in Craft 5.9.18
Stopped committing composer.lock — distributed plugins shouldn't ship lock files, since consumers resolve dependencies against their own. This also clears noise from Dependabot scans of transitive dependencies that don't actually affect consumers
Added a .github/dependabot.yml restricting Composer scans to direct dependencies and only opening PRs when a new version falls outside the existing constraint, so future Dependabot activity reflects real security updates rather than lockfile churn

March 24, 2026

Non-admin users with plugin access can now view the blocked IPs page without getting a 403 error
CP nav item now hidden for users without plugin access permission

February 4, 2026

February 2, 2026

Corrected GitHub repository URLs in composer.json documentation and support links

February 2, 2026

February 2, 2026

Brute force protection for Craft CMS control panel login
Brute force protection for front-end login forms
Configurable failed attempt threshold and time window
Configurable lockout duration
IP whitelist to exclude trusted addresses from blocking
Email notifications when IPs are blocked
Pushover notifications when IPs are blocked
Control panel interface for viewing and managing blocked IPs
CLI commands for managing blocked IPs (login-lockdown/block/list, add, remove, check)
CLI command for cleaning up old records (login-lockdown/cleanup)
Proxy-aware IP detection (Cloudflare, X-Forwarded-For, X-Real-IP)
Environment variable support for all settings using $ENV_VAR syntax