Release v3.1.0: Login Security & 2FA Management

🔐 New Features

Login Security Commands

Two new WP-CLI commands for managing Wordfence Login Security module:

• wp wfls-config - Generic Login Security configuration

  • Get/set individual Login Security settings
  • List all settings with search and filtering
  • Export/import with --managed-only blueprint support

• wp wfls-2fa - Role-based Two-Factor Authentication management

  • Configure 2FA requirements per role (required/optional/disabled)
  • Set grace periods for 2FA enforcement
  • Enable remember device feature
  • Quick command: wp wfls-2fa require-admin

📋 Usage Examples

Require 2FA for Administrators

wp wfls-2fa configure --administrator=required

Configure 2FA with Grace Period

wp wfls-2fa configure \
  --administrator=required \
  --editor=required \
  --enable-grace-period \
  --grace-period=7

List Current 2FA Status

wp wfls-2fa list

Export Login Security Settings

wp wfls-config export /tmp/login-security.json --managed-only

⚙️ Technical Details

• 20 Manageable Settings: Role-based 2FA, grace periods, CAPTCHA, XML-RPC, WooCommerce integration
• Conditional Loading: Commands only load when Login Security module is active
• Native API: Uses WordfenceLS\Controller_Settings API
• Separate Table: Supports wp_wfls_settings table
• Full Features: Dry-run mode, validation, export/import, force flags

📦 Installation

Download wf-settings-cli-3.1.0.zip and install via WordPress admin or WP-CLI:

wp plugin install wf-settings-cli-3.1.0.zip --activate

🔄 Upgrade from v3.0.0

No breaking changes. Simply upgrade and the new Login Security commands will be available if the Login Security module is active.

📝 Full Changelog

See CHANGELOG for complete version history.

What's Changed in v3.1.0:

• New: wp wfls-config command for managing Wordfence Login Security settings
• New: wp wfls-2fa command for role-based 2FA management
• Feature: Configure 2FA requirements per role (administrator, editor, author, contributor, subscriber)
• Feature: Set 2FA grace periods and remember device options
• Feature: Export/import Login Security settings with --managed-only support
• Enhancement: 20 additional manageable settings for Login Security module
• Enhancement: Conditional loading - Login Security commands only load when module is active

📚 Documentation

Full documentation available in README.md

Requirements

• Wordfence Security plugin (with Login Security module for wfls-* commands)
• WP-CLI
• WordPress 5.0+
• PHP 7.2+

---

Full Changelog: v3.0.0...v3.1.0

Release v3.0.0: Comprehensive managed settings coverage

🎉 MAJOR RELEASE

This is a major release that dramatically expands the plugin's capability to manage Wordfence settings. We've increased coverage from 42 to 115 manageable settings - a 173% increase - providing comprehensive control over all free Wordfence features.

---

🚀 What's New

Expanded Settings Coverage

Before (v2.x): 42 basic settings
Now (v3.0): 115 comprehensive settings

Blueprint exports (--managed-only) now include:

Category	Settings	What's New
🔐 Brute Force	20	+10 (Password policies, 2FA, breach detection)
🛡️ Firewall & WAF	13	+10 (WAF alerts, whitelist, custom messages)
🔍 Scanner	32	+20 (Advanced scans, exclusions, GeoIP)
📧 Alerts	15	+6 (Severity, throttling, non-admin logins)
⏱️ Rate Limiting	10	NEW (Throttling for crawlers, humans, 404s)
📊 Live Traffic	10	NEW (Monitoring, filtering, ajax watchers)
⚙️ General Security	15	NEW (Misc security options)

---

✨ New Features by Category

🔐 Brute Force Protection (20 settings)

New in v3.0:

• loginSec_breachPasswds - Breach password checking policy
• loginSec_breachPasswds_enabled - Enable breach checking
• loginSec_disableApplicationPasswords - Block app passwords
• loginSec_disableOEmbedAuthor - Disable oEmbed author discovery
• loginSec_enableSeparateTwoFactor - Separate 2FA for users
• loginSec_requireAdminTwoFactor - Require 2FA for admins
• loginSec_strongPasswds - Strong password enforcement
• loginSec_strongPasswds_enabled - Enable password strength
• alertOn_firstAdminLoginOnly - Alert only on first admin login
• alertOn_firstNonAdminLoginOnly - Alert only on first user login

🛡️ Firewall & WAF (13 settings)

New in v3.0:

• bannedURLs - Patterns to ban
• blockCustomText - Custom block page message
• blockedTime - Block duration (seconds)
• whitelisted - Whitelisted IP addresses
• wafAlertInterval - WAF alert throttling interval
• wafAlertOnAttacks - Alert on WAF attacks
• wafAlertThreshold - Attack count threshold
• wafAlertWhitelist - WAF alert whitelist
• displayAutomaticBlocks - Show auto-blocks in UI
• allowed404s - Allowed 404 URL patterns

🔍 Scanner (32 settings)

New in v3.0:

• scansEnabled_checkGSB - Google Safe Browsing check
• scansEnabled_checkHowGetIPs - IP resolution check
• scansEnabled_checkReadableConfig - Readable config check
• scansEnabled_coreUnknown - Unknown core files
• scansEnabled_diskSpace - Disk space monitoring
• scansEnabled_fileContentsGSB - GSB file contents
• scansEnabled_geoipSupport - GeoIP database check
• scansEnabled_oldVersions - Old version detection
• scansEnabled_options - Options table scan
• scansEnabled_passwds - Password scan
• scansEnabled_suspectedFiles - Suspected file patterns
• scansEnabled_suspiciousAdminUsers - Admin username check
• scansEnabled_suspiciousOptions - Suspicious options
• scansEnabled_wafStatus - WAF status check
• scansEnabled_wpscan_directoryListingEnabled - Directory listing
• scansEnabled_wpscan_fullPathDisclosure - Path disclosure
• scan_exclude - Exclusion patterns
• scan_include_extra - Additional scan paths
• scan_force_ipv4_start - Force IPv4 for scans
• scan_max_resume_attempts - Max resume attempts
• lowResourceScansEnabled - Low resource mode

📧 Alerts (15 settings)

New in v3.0:

• alertOn_nonAdminLogin - Alert on non-admin logins
• alertOn_lostPasswdForm - Alert on password reset
• alertOn_wafDeactivated - Alert when WAF deactivated
• alertOn_throttle - Alert on rate limit hits
• alertOn_severityLevel - Minimum severity for alerts
• email_summary_dashboard_widget_enabled - Dashboard widget

⏱️ Rate Limiting (10 settings) - NEW CATEGORY

• max404Crawlers - Max 404s for crawlers
• max404Crawlers_action - Action (throttle/block)
• max404Humans - Max 404s for humans
• max404Humans_action - Action for humans
• maxGlobalRequests - Global request limit
• maxGlobalRequests_action - Global action
• maxRequestsCrawlers - Crawler request limit
• maxRequestsCrawlers_action - Crawler action
• maxRequestsHumans - Human request limit
• maxRequestsHumans_action - Human action

📊 Live Traffic (10 settings) - NEW CATEGORY

• liveTrafficEnabled - Enable live traffic
• liveTraf_displayExpandedRecords - Expanded display
• liveTraf_ignoreIPs - IPs to ignore
• liveTraf_ignorePublishers - Ignore publishers
• liveTraf_ignoreUA - User agents to ignore
• liveTraf_ignoreUsers - Users to ignore
• liveTraf_maxAge - Max age (days)
• liveTraf_maxRows - Max rows to store
• ajaxWatcherDisabled_admin - Disable admin ajax monitoring
• ajaxWatcherDisabled_front - Disable frontend ajax monitoring

⚙️ General Security (15 settings) - NEW CATEGORY

• other_blockBadPOST - Block malformed POST
• other_hideWPVersion - Hide WordPress version
• other_WFNet - Wordfence network participation
• other_scanComments - Scan comments for threats
• other_pwStrengthOnUpdate - Password strength on update
• deleteTablesOnDeact - Delete data on deactivation
• disableCodeExecutionUploads - Prevent code in uploads
• disableWAFIPBlocking - Disable WAF IP blocking
• allowLegacy2FA - Allow legacy 2FA
• checkSpamIP - Check IPs against spam lists
• ssl_verify - Verify SSL certificates
• spamvertizeCheck - Spamvertize checking
• liveActivityPauseEnabled - Pause live activity
• showAdminBarMenu - Show in admin bar
• advancedCommentScanning - Enhanced comment scanning

---

📊 Settings Breakdown

Total Wordfence Settings: 282
├─ Manageable (Free features): 115 ✅
├─ Premium-only: ~20 ❌
└─ Read-only/Internal: ~147 ❌

Blueprint Coverage: 40.8% of all settings (100% of manageable)

---

🎯 Use Cases

1. Complete Security Baseline

# Export comprehensive security configuration
wp wf-config export /tmp/complete-baseline.json --managed-only

# Now includes 115 settings vs. 42 in v2.x

2. Password Policy Enforcement

# Deploy password policies across all sites
wp wf-config set loginSec_strongPasswds 'all'
wp wf-config set loginSec_strongPasswds_enabled 1
wp wf-config set loginSec_breachPasswds_enabled 1

3. Rate Limiting Configuration

# Configure 404 detection
wp wf-config set max404Humans 10
wp wf-config set max404Humans_action 'throttle'
wp wf-config set max404Crawlers 20
wp wf-config set max404Crawlers_action 'block'

4. Traffic Monitoring Setup

# Enable and configure live traffic
wp wf-config set liveTrafficEnabled 1
wp wf-config set liveTraf_maxRows 5000
wp wf-config set liveTraf_ignorePublishers 1

---

🔄 Migration Guide

From v2.x to v3.0

Good News: No breaking changes! Your existing workflows continue to work.

Recommended Actions:

1. Re-export blueprints to capture 73 new settings:

   wp wf-config export /tmp/blueprint-v3.json --managed-only

2. Compare old vs new blueprints:

   # v2.x blueprint: 42 settings
   # v3.0 blueprint: 115 settings

3. Review new settings and update your baseline as needed

4. No code changes required - all CLI commands remain the same

---

⚠️ What's NOT Included

To maintain compliance and avoid premium feature conflicts, the following are excluded from managed settings:

Premium Features:

• Country blocking (cbl_* settings)
• Premium-only scan features
• License/subscription management

Read-Only/Internal:

• API keys, encryption keys, hashes
• Timestamps, migration flags, versions
• Scan results, statistics, counters
• Cache data, internal state
• UI preferences, tour states

---

📦 Installation & Upgrade

Upgrading from v2.x

# Backup current plugin
cp -r wp-content/plugins/wf-settings-cli wp-content/plugins/wf-settings-cli.backup

# Update via WP-CLI
wp plugin update wf-settings-cli-3.0.0.zip

# Or via git
cd wp-content/plugins/wf-settings-cli
git pull origin main

New Installation

# Via WP-CLI
wp plugin install wf-settings-cli-3.0.0.zip --activate

# Via git
cd wp-content/plugins
git clone https://github.com/pimschaaf/wf-settings-cli.git
wp plugin activate wf-settings-cli

---

🐛 Bug Fixes

None - this is a pure feature expansion release. All v2.0.4 bug fixes are included.

---

🔗 Resources

• Documentation: README.md
• GitHub: pimschaaf/wf-settings-cli
• Issues: Report bugs
• Changelog: Full changelog

---

💬 Feedback

We'd love to hear how you're using v3.0! Share your feedback:

• GitHub Issues
• GitHub Discussions
• WordPress Support Forums

---

Full Changelog: v2.0.4...v3.0.0

v2.0.4 - Configuration Blueprints & Enhanced Export

v2.0.4 - Configuration Blueprints & Enhanced Export

🎯 What's New

Configuration Blueprints

Export only the settings this plugin can manage - perfect for creating reusable security configuration templates!

# Create a security baseline blueprint (~42 managed settings)
wp wf-config export /tmp/security-blueprint.json --managed-only

# vs. full export (all 280+ Wordfence settings including internal state)
wp wf-config export /tmp/full-audit.json

Why Use Blueprints?

Full Export (wp wf-config export):

• All 280+ Wordfence settings
• Includes internal state, counters, timestamps
• Best for: Complete audits, full backups, troubleshooting

Blueprint Export (wp wf-config export --managed-only):

• Only ~42 manageable settings (security policies)
• Clean, focused configuration
• Best for: Site migrations, standardization, version control

✨ Features

New --managed-only Flag

• Export only settings that can be managed by this plugin's commands
• Includes: brute force protection, firewall, scanner, and alert settings
• Excludes: internal state, API keys, transient data

Enhanced Export Functionality

• ✅ Better error handling with JSON encoding validation
• ✅ Binary blob (LONGBLOB) data support
• ✅ Shows bytes written confirmation
• ✅ Handles invalid UTF-8 characters gracefully
• ✅ Detailed error messages for troubleshooting

🚀 Use Cases

1. Site Migrations

# Export from production
wp wf-config export /tmp/prod-security.json --managed-only

# Apply to staging
wp wf-config import /tmp/prod-security.json --url=staging.com --backup

2. Standardized Deployments

# Create your security baseline once
wp wf-config export /tmp/baseline.json --managed-only

# Deploy to multiple sites
for site in site1.com site2.com site3.com; do
  wp wf-config import /tmp/baseline.json --url=$site --force
done

3. Version Control

# Store your security policies in git
wp wf-config export config/wordfence-baseline.json --managed-only
git add config/wordfence-baseline.json
git commit -m "Update security baseline: increase lockout duration"

4. Audits & Compliance

# Smaller, focused export makes auditing easier
wp wf-config export /tmp/audit-$(date +%Y%m%d).json --managed-only

# Review only the settings that matter for compliance
cat /tmp/audit-20251030.json | jq '.settings'

🔧 Settings Included in Blueprints

Blueprints include 42 manageable settings:

• Brute Force (10): Login security, max failures, lockout duration
• Firewall (3): Firewall enabled, auto-block settings
• Scanner (12): Scan types, sensitivity, limits
• Alerts (9): Email addresses, alert triggers

Full list available in the documentation.

📚 Documentation Updates

• Added "Configuration Blueprints & Site Migrations" section
• Updated all command examples
• Added comparison table: Full vs Blueprint exports
• Comprehensive use case examples

Full Changelog: v2.0.3...v2.0.4

v2.0.3 - Table Case Sensitivity Fix

What's Changed

Bug Fix: Fixed table name case sensitivity issue that caused "Table 'wp_wfConfig' doesn't exist" errors on systems using lowercase table names.

Changes

• 🐛 Fixed table name case sensitivity for Wordfence configuration table
• ✨ Now uses wfDB::networkTable() method to respect Wordfence's table naming convention
• 📈 Improved compatibility with different MySQL/MariaDB case sensitivity configurations

Technical Details

The plugin was hardcoding the table name as $wpdb->prefix . 'wfConfig' (CamelCase), but Wordfence supports both CamelCase and lowercase table names depending on the database configuration. The fix replaces this with wfDB::networkTable('wfConfig'), which automatically detects and uses the correct case.

Files Changed

• includes/class-wf-config-cli.php (2 locations)
• includes/class-wf-brute-force-cli.php (1 location)

Full Changelog: v2.0.2...v2.0.3

Version 2.0.2 - Fix plugin loading order

Version 2.0.2 - Fix plugin loading order

• Fixed: Plugin loading order issue where WP-CLI commands weren't registered
• Fixed: Wrapped command registration in 'plugins_loaded' hook to ensure Wordfence loads first
• Improved: Commands now properly available when both plugins are active

This fixes the issue where wf-settings-cli was loading before wordfence, causing the wfConfig class check to fail even though Wordfence was active.

Full Changelog: v2.0.1...v2.0.2

Version 2.0.1 - WordPress.org Compliance

Version 2.0.1 - WordPress.org Compliance Fixes

Fixed

• Replaced date() with gmdate() to avoid timezone issues per WordPress standards
• Added proper phpcs:ignore annotations for database queries with valid explanations
• Updated "Tested up to" field to WordPress 6.8
• Removed .gitignore from distribution (hidden files not allowed in WordPress.org)

Compliance

• All changes ensure compatibility with WordPress.org plugin directory requirements
• Ready for WordPress.org submission

Files Changed

• wf-settings-cli.php - Version bump and coding standards
• readme.txt - Updated WordPress compatibility and changelog
• includes/class-wf-brute-force-cli.php - Date function and PHPCS fixes
• includes/class-wf-config-cli.php - Date function and PHPCS fixes

Full Changelog: v1.0.0...v2.0.1

WF Settings CLI v1.0.0 - Initial Release

WF Settings CLI v1.0.0

First stable release of WF Settings CLI - an independent WP-CLI tool for managing WF Security plugin settings.

Features

• ✅ Generic wp wf-config command for any setting
• ✅ Brute force protection configuration
• ✅ Firewall settings management
• ✅ Scanner configuration
• ✅ Alert management
• ✅ Automatic backups & restore
• ✅ Export/import as JSON
• ✅ Dry-run mode

Legal Compliance

• GPLv3 licensed
• Public API only (wfConfig class)
• No premium feature access
• Trademark compliant
• Independent tool (not affiliated with Wordfence)

Installation

cd wp-content/plugins
git clone https://github.com/pimschaaf/wf-settings-cli.git
wp plugin activate wf-settings-cli

### Requirements
- WordPress 5.0+
- PHP 7.2+
- WP-CLI
- Wordfence Security (free version)

See README.md for complete documentation.