Changelog - OPShield v1.0.1

• All notable changes to the OPShield plugin in this version are documented below.

• [1.0.1] - 2026-03-07 🔴 Critical Security Fixes

Inverted Logic Fix: Resolved a critical bug where

restrict_admin_commands: true would block OPs instead of protecting them.

Existing OPs are now correctly exempted from command restrictions.

SHA-256 Password Hashing: Upgraded password storage and comparison from plain-text to SHA-256 hashing. Passwords are now securely hashed in memory to prevent exposure.

Secure Default Password: Added an automatic check for the default password (secure123). The plugin now generates a strong 16-character random password if the default is detected.

• 🛡️ New Security Features

Console Password Requirement: Added require_password_from_console (Default: false). When enabled, the console must provide the secret password to use /op or /deop.

/deop Protection: Extended password authentication to the /deop command, preventing unauthorized removal of admin rights.

Wildcard/Prefix Blocking: Introduced blocked_command_prefixes. Admins can now block entire namespaces (e.g., essentials:, minecraft:) to prevent bypasses via aliases.

Audit Logging: Implemented a dedicated audit log system. All authentication attempts and blocked command actions are now logged with timestamps in plugins/OPShield/audit.log.

• ⚙️ Configuration Changes Added require_password_from_console setting.

Added blocked_command_prefixes list.

Updated

config.yml

comments for better clarity on security features.

Added localization keys for de-op operations.

• 🛠️ Internal Improvements

Registered /op and /deop as internal overrides in plugin.yml for more reliable interception.

Normalized command processing to be more robust against casing and prefix bypasses.