{"id":6491,"date":"2026-04-23T20:12:42","date_gmt":"2026-04-23T18:12:42","guid":{"rendered":"https:\/\/wpmastertoolkit.com\/?p=6491"},"modified":"2026-04-23T20:12:46","modified_gmt":"2026-04-23T18:12:46","slug":"wpmastertoolkit-2-20-0-une-mise-a-jour-majeure-pour-la-securite-les-redirections-et-ladministration-wordpress","status":"publish","type":"post","link":"https:\/\/wpmastertoolkit.com\/en\/wpmastertoolkit-2-20-0-a-major-update-for-wordpress-security-redirects-and-administration\/","title":{"rendered":"WPMasterToolKit 2.20.0: a major update for security, redirects and WordPress administration"},"content":{"rendered":"

With the 2.20.0<\/strong>, WPMasterToolKit<\/strong> takes a real step forward. This update doesn't just add a few options or correct isolated details. It thoroughly strengthens the plugin's security, improves the robustness of several sensitive modules, and introduces some very useful new tools for the day-to-day administration of a WordPress site.<\/p>\n\n\n\n

The main theme of this release is clear: reduce attack surfaces, better control critical actions, secure sensitive data flows and enhance the arsenal of WordPress administrators<\/strong>. The result is a more coherent, more robust version, better suited to sites that want both greater management convenience and a higher level of protection.<\/p>\n\n\n\n

Major new features in WPMasterToolKit 2.20.0<\/h2>\n\n\n\n

Version 2.20.0 brings four new modules<\/strong> that meet concrete needs in terms of security, maintenance and SEO management.<\/p>\n\n\n\n

Block 404 PHP File Scanning<\/h3>\n\n\n\n

The module Block 404 PHP File Scanning<\/strong> blocks requests for non-existent PHP files when WordPress resolves them to a 404 error. Instead of letting this type of traffic through, the module returns a 403 Forbidden<\/strong> and adds a dedicated entry in the logs with the marker PHP404<\/strong>.<\/p>\n\n\n\n

It's a simple but highly effective protection against automated scans that look for vulnerable scripts, forgotten files or exploitable entry points on a WordPress site. In practice, this reduces the noise in queries and makes it easier to spot certain malicious recognition attempts.<\/p>\n\n\n\n

Custom COOKIEHASH<\/h3>\n\n\n\n

The new module Custom COOKIEHASH<\/strong> automatically adds a constant COOKIEHASH<\/code> randomly in the wp-config.php<\/code> when activated. Its purpose is to improve the isolation of the site's cookies by relying on a specific, robustly generated value.<\/p>\n\n\n\n

The module also removes this constant cleanly when deactivated. This new feature is part of a hardening logic that's simple to activate, but relevant for reinforcing WordPress cookie management in certain contexts.<\/p>\n\n\n\n

Redirect Manager<\/h3>\n\n\n\n

The module Redirect Manager<\/strong> is one of the most visible additions to this version. It provides a complete interface for create, modify, delete, import and export redirections<\/strong>.<\/p>\n\n\n\n

Designed to meet the real needs of site administrators and SEOs, it enables clean management of URL changes, deleted pages, migrations, redesigns and the recovery of old structures. The Pro version also adds a hits logging<\/strong>This allows you to track activity on configured redirects.<\/p>\n\n\n\n

Another important point: the module supports several execution modes depending on the environment, with redirections managed on the WordPress<\/strong>, Apache<\/strong> or Nginx<\/strong>. This makes it a true SEO and maintenance tool, capable of adapting to different hosting contexts.<\/p>\n\n\n\n

Password Expiration<\/h3>\n\n\n\n

The Pro module Password Expiration<\/strong> introduces a password expiry policy by user role. When a password exceeds the authorized duration, the user is logged out, his active sessions are invalidated and he is redirected to the reset process.<\/p>\n\n\n\n

This new feature will be of particular interest to multi-user sites, sensitive back-offices and all environments where access hygiene needs to be better controlled. It's a very useful addition for reinforcing good security practices on WordPress without relying on a separate plugin.<\/p>\n\n\n\n

A global hardening update<\/h2>\n\n\n\n

One of the most important points of WPMasterToolKit 2.20.0<\/strong> is that it is not a series of scattered patches. This version applies a logic of transversal hardening<\/strong> on the entire plugin.<\/p>\n\n\n\n

Enhanced capacity checks<\/h3>\n\n\n\n

Many administration, AJAX and form submission workflows have been tightened up with stricter capability controls. In practice, this means that sensitive actions now explicitly require the right permissions depending on context.<\/p>\n\n\n\n

This standardization reduces the risk of a critical action being performed by an account that should not have access to it.<\/p>\n\n\n\n

Enhanced CSRF protection<\/h3>\n\n\n\n

Nonces management has been strengthened in several configuration forms, entry points admin_init<\/code>AJAX handlers and backup flows. The aim is clear: to better protect administration actions against forged requests.<\/p>\n\n\n\n

This is not an isolated improvement on a single module, but a more general upgrade of the entire plugin.<\/p>\n\n\n\n

Stricter validation of entries<\/h3>\n\n\n\n

Version 2.20.0 also tightens the validation of inputs manipulated by several modules. These include dynamic identifiers, file names, paths, SQL tables, certain columns and regex patterns.<\/p>\n\n\n\n

This in-depth work is particularly visible on functions that affect sensitive areas such as the database, files and exports.<\/p>\n\n\n\n

More secure file and database operations<\/h3>\n\n\n\n

Operations involving paths, multiple selections, copies, deletions, archives or dynamic tables now benefit from additional safeguards. This reduces the risk of directory traversal, unexpected processing or abuse linked to manipulated entries.<\/p>\n\n\n\n

The modules most affected on the security side<\/h2>\n\n\n\n

Although the general philosophy of this release is based on an overall reinforcement, certain modules deserve particular attention.<\/p>\n\n\n\n

Password Protection<\/h3>\n\n\n\n

The module Password Protection<\/strong> abandons a hard-coded cookie secret in favor of a value derived from the password defined by the administrator, in a spirit close to WordPress' native behavior for certain protected content.<\/p>\n\n\n\n

In concrete terms, cookies become linked to the password set. If this password changes, old cookies become invalid. This version also improves flag management secure<\/code> cookies to better respect HTTPS and validate the redirect URL to avoid open redirects.<\/p>\n\n\n\n

Temporary Login<\/h3>\n\n\n\n

The module Temporary Login<\/strong> removes the plain-text password from the administration URL and replaces it with a saner mechanism based on a short-lived server token, accompanied by a one-shot display of the password.<\/p>\n\n\n\n

In addition, a system for limiting connection failures by user and IP has been added to limit abuse of magic links. The throttle is cleaned after successful authentication.<\/p>\n\n\n\n

Two-Factor Authentication<\/h3>\n\n\n\n

The module Two-Factor Authentication<\/strong> receives several important enhancements. Public endpoints wp_ajax_nopriv<\/code> are better protected against abuse, responses are more uniform to limit enumeration and the limitation counter is reset after successful code validation.<\/p>\n\n\n\n

The popup interface has also been improved to better inform the user in the event of a rate limit. Finally, a concrete bug has been fixed for e-mail address-based connections, where retrieving the user in certain AJAX handlers could block retrieval of the 2FA method and code generation.<\/p>\n\n\n\n

Force SSL<\/h3>\n\n\n\n

The module Force SSL<\/strong> reinforces its HTTPS redirection logic by relying on the canonical host of home_url<\/code> rather than on a HTTP_HOST<\/code> potentially manipulable. It's an unobtrusive change, but an important one for making the construction of secure redirections more reliable.<\/p>\n\n\n\n

Maintenance Mode<\/h3>\n\n\n\n

The module Maintenance Mode<\/strong> improves the entropy of its bypass token by replacing a generation that is too low with random_bytes<\/code>. This reduces the risk of token prediction to bypass maintenance mode.<\/p>\n\n\n\n

Administer<\/h3>\n\n\n\n

The module Administer<\/strong> benefits from a substantial security upgrade. Identifiers are no longer exposed in HTML or URLs, authentication is based on a cleaner session mechanism, auto-login remains compatible with expected uses, and the file can self-delete on expiry.<\/p>\n\n\n\n

The set has also been realigned with Adminer v5+<\/strong>This improves both the security and consistency of the module.<\/p>\n\n\n\n

Add Essentials Shortcodes Pro<\/h3>\n\n\n\n

On the Pro side, the Add Essentials Shortcodes<\/strong> secures access to the WordPress options reading shortcode with a logic of whitelist<\/strong>. Options are blocked by default and must be explicitly authorized by an administrator. Outputs are also escaped to reduce XSS risks.<\/p>\n\n\n\n

Redirect Manager: a new feature with a strong SEO impact<\/h2>\n\n\n\n

Among the new features of this version, Redirect Manager<\/strong> is undoubtedly the one that will have the most immediate impact for many users.<\/p>\n\n\n\n

This module provides centralized redirection management with :<\/p>\n\n\n\n

    \n
  • a dedicated administration interface ;<\/li>\n\n\n\n
  • base storage ;<\/li>\n\n\n\n
  • support for exact redirects and regexes ;<\/li>\n\n\n\n
  • query parameter management ;<\/li>\n\n\n\n
  • several execution modes depending on the infrastructure.<\/li>\n<\/ul>\n\n\n\n

    In WordPress mode, the module intercepts the request via template_redirect<\/code>It first searches for an exact match, then tests regexes if necessary. It can compare parameters in any order, ignore them or pass them on to the target, depending on the setting chosen.<\/p>\n\n\n\n

    This makes it a very useful tool for :<\/p>\n\n\n\n

      \n
    • site migrations ;<\/li>\n\n\n\n
    • URL structure redesigns ;<\/li>\n\n\n\n
    • correction of broken backlinks ;<\/li>\n\n\n\n
    • reuse of old content ;<\/li>\n\n\n\n
    • management of deleted pages ;<\/li>\n\n\n\n
    • improving user experience and technical SEO.<\/li>\n<\/ul>\n\n\n\n

      In the environment Apache<\/strong> or Nginx<\/strong>The module also opens the door to redirections closer to the server layer, which can be interesting depending on performance or architectural constraints.<\/p>\n\n\n\n

      Even greater security for sensitive modules<\/h2>\n\n\n\n

      File Manager<\/h3>\n\n\n\n

      The module File Manager<\/strong> has been tightened up on upload validation, file names, Windows separators, directory limits, certain low-level operations and recursive copies involving symlinks.<\/p>\n\n\n\n

      The aim is to more firmly prevent unauthorized access to the file system.<\/p>\n\n\n\n

      Search Replace in Database<\/h3>\n\n\n\n

      The module Search Replace in Database<\/strong> adds defense-in-depth with a real-time table whitelist, strict table match checks, cleaner validation of SQL identifiers and safeguards on regexes used for replacements.<\/p>\n\n\n\n

      SMTP Mailer<\/h3>\n\n\n\n

      The module SMTP Mailer<\/strong> sees several entry points better protected, including send tests, previews of captured content and certain OAuth callbacks linked to supplier authentication.<\/p>\n\n\n\n

      Mail Catcher<\/h3>\n\n\n\n

      The module Mail Catcher<\/strong> also reinforces access controls on the viewing and previewing of captured messages, to prevent the exposure of sensitive content to unauthorized accounts.<\/p>\n\n\n\n

      Other notable enhancements in WPMasterToolKit 2.20.0<\/h2>\n\n\n\n

      In addition to the large security block and new modules, this release brings a number of useful enhancements.<\/p>\n\n\n\n

      Disallow Access WP Sensible Files<\/h3>\n\n\n\n

      The module Disallow Access WP Sensible Files<\/strong> extends protection to more files, such as readme<\/code> and changelog<\/code> in txt, md and html formats, in addition to license.txt<\/code>. It also blocks certain sensitive direct accesses to wp-admin<\/code> and wp-includes<\/code>.<\/p>\n\n\n\n

      Disallow Bad Requests<\/h3>\n\n\n\n

      The module Disallow Bad Requests<\/strong> corrects a false positive on search URLs containing Cyrillic or other non-Latin characters, which could produce long UTF encoded URLs.<\/p>\n\n\n\n

      Blacklisted Usernames<\/h3>\n\n\n\n

      The module Blacklisted Usernames<\/strong> adds 24 new forbidden usernames based on recent security trends and reports, improving protection against certain trivial login attempts.<\/p>\n\n\n\n

      Auto Regenerate Salt Keys<\/h3>\n\n\n\n

      The module Auto Regenerate Salt Keys<\/strong> changes its default frequency to Never<\/strong>. This choice is intended to avoid certain side-effects with plugins that rely on salt keys to encrypt or protect sensitive data.<\/p>\n\n\n\n

      Automatic regeneration therefore becomes an explicit choice, while manual regeneration remains available.<\/p>\n\n\n\n

      Why this version is important<\/h2>\n\n\n\n

      WPMasterToolKit 2.20.0<\/strong> is an important update because it doesn't just seek to accumulate new features. It consolidates what already exists, standardizes security practices, adds genuinely useful modules and improves the plugin's operational control in a wide variety of contexts.<\/p>\n\n\n\n

      For WordPress administrators, this means:<\/p>\n\n\n\n

        \n
      • more control ;<\/li>\n\n\n\n
      • less unnecessary exposure;<\/li>\n\n\n\n
      • better control of access ;<\/li>\n\n\n\n
      • more comprehensive tools for managing redirects ;<\/li>\n\n\n\n
      • greater resistance to scans, abuse and sensitive flows.<\/li>\n<\/ul>\n\n\n\n

        For production sites, this version is clearly a step in the right direction in terms of stability<\/strong>of safety<\/strong>of readability of logs<\/strong> and risk reduction<\/strong>.<\/p>\n\n\n\n

        Conclusion<\/h2>\n\n\n\n

        With this release, WPMasterToolKit 2.20.0<\/strong> confirms its philosophy: to offer an all-in-one WordPress plugin capable of replacing several specialized extensions, while retaining a modular logic and optimized loading.<\/p>\n\n\n\n

        This version is distinguished by a highly successful balance between new features<\/strong>, SEO improvements<\/strong> and safety hardening<\/strong>. Visit Redirect Manager<\/strong>, Password Expiration<\/strong>, Custom COOKIEHASH<\/strong> and Block 404 PHP File Scanning<\/strong>The additions are tangible. And with the overall reinforcement of many existing modules, this update also brings an immediate gain in robustness.<\/p>\n\n\n\n

        For WPMasterToolKit users, 2.20.0 isn't just a maintenance release. It's a structuring release, designed to make WordPress more secure, cleaner to administer and better equipped for real-world needs.<\/p>","protected":false},"excerpt":{"rendered":"

        With version 2.20.0, WPMasterToolKit takes a real step forward. This update doesn't just add a few options or correct isolated details. It thoroughly reinforces the plugin's security, improves the robustness of several sensitive modules and introduces some very useful new tools for the day-to-day administration of a WordPress site. The [...]<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_surecart_dashboard_logo_width":"180px","_surecart_dashboard_show_logo":true,"_surecart_dashboard_navigation_orders":true,"_surecart_dashboard_navigation_invoices":true,"_surecart_dashboard_navigation_subscriptions":true,"_surecart_dashboard_navigation_downloads":true,"_surecart_dashboard_navigation_billing":true,"_surecart_dashboard_navigation_account":true,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6491","post","type-post","status-publish","format-standard","hentry","category-non-classe"],"acf":[],"_links":{"self":[{"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/posts\/6491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/comments?post=6491"}],"version-history":[{"count":1,"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/posts\/6491\/revisions"}],"predecessor-version":[{"id":6492,"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/posts\/6491\/revisions\/6492"}],"wp:attachment":[{"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/media?parent=6491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/categories?post=6491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/tags?post=6491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}