New Feature: Added support for iThemes Sync to run the Security Check feature
from inside the Sync service.
New Feature: Added support for the ITSEC_DISABLE_MODULES define.
Bug Fix: Removed warning: "Non-static method ITSEC_Setup::uninstall() should
not be called statically".
Bug Fix: Fixed the ability to manually enter a page number to navigate to on
the Security > Logs page.
Bug Fix: Fixed source of warning that could appear when creating a backup
while running a PHP version less than 5.4.
Bug Fix: Fixed source of notice that could appear when resetting a user's
password when the Strong Passwords Enforcement feature is enabled.
Bug Fix: Fixed bugs that prevented reporting of specific error messages
related to updating the wp-config.php file.
Bug Fix: Fixed an infinite loop that could occur when expiring a cookie and
Hide Backend is enabled.
Bug Fix: Fixed compatibility issue with the Jetpack plugin when Hide Backend
is enabled which could prevent Jetpack from redirecting users to the wordpress.com
login page.
Bug Fix: Fixed an issue affecting access to wp-admin/admin-post.php when Hide
Backend is enabled.
Bug Fix: Fixed issue that could prevent "Register" and "Lost your password?"
links from working properly on the login page when Hide Backend is enabled.
Bug Fix: Fix fatal error when updating a profile.
Bug Fix: Fix strong passwords not being recognized as strong on the profile
page.
Bug Fix: Fix fatal error when registering a new user without specifying a
role (iThemes Exchange).
Bug Fix: Compatibility with Jetpack SSO and Password Requirements.
Bug Fix: Ensure viewport meta is defined when loading the password
requirements update password form.
Bug Fix: Hide Backend is now compatible with Jetpack Single Sign On.
Bug Fix: Hide Backend now hides registration pages on multisite sites.
Bug Fix: Fixed password-protected posts not properly handling the password
when Hide Backend is enabled.
Enhancement: Removed AhrefsBot from the HackRepair blacklist as it is a
legitimate bot.
Enhancement: Improved efficiency of Hide Backend code, increasing site
performance when the feature is enabled.
Enhancement: Enforce strong passwords during log-in. Can be disabled via the
ITSEC_DISABLE_PASSWORD_REQUIREMENTS constant.
Enhancement: Use canonical roles library to determine if a new user or an
updated role requires a strong password.
Enhancement: Introduce password requirements module to centralize handling of
password updates.
Enhancement: The Hide Backend hidden login URL is no longer leaked by
password-protected content.
Enhancement: Allow for searching through modules and settings.
Enhancement: Link to other module settings pages without forcing the page to
refresh.
Enhancement: Fire an action, "itsec_change_admin_user_id", when the admin
user id changes.
Enhancement: Changed default Hide Backend Register Slug from wp-register.php
to wp-signup.php since WordPress switched from using wp-register.php to
wp-signup.php for registrations. This will not affect existing sites.
Enhancement: Hide Backend functions purely in PHP code now rather than
relying half on PHP code and half on .htaccess and nginx.conf modifications. This
allows Hide Backend to function on web servers and server configurations that it
was previously not compatible with.
Misc: Updated or added phpDoc to many functions.
Misc: Updated Disable File Locking description.
6.4.0 - 2017-07-24 - Chris Jean & Timothy Jacobs
Enhancement: Replaced file locking with database locking. This method of
locking is compatible with all systems as it does not require the ability to write
files. It also allows for locking to work on sites that have multiple front-end
servers with a shared database. Since file locking is no longer used, the Global
Settings > Disable File Locking setting was removed.
Enhancement: Add "Copy to Clipboard" functionality for server and wp-config
rules.
Bug Fix: Prevent 404s when following links in email notifications on a site
with Hide Backend enabled.
Bug Fix: Ensure uninstall process is not run when another version of iThemes
Security is still active.
Bug Fix: Fixed a method that could be used to work around Hide Backend.
Bug Fix: Warnings are no longer generated when saving a user profile with a
role of "No role for this site" selected.
6.5.0 - 2017-08-23 - Chris Jean & Timothy Jacobs
Enhancement: Simplified the SSL module to offer a simple Enable/Disable
setting and simplified explanations. The legacy settings are available by selecting
Advanced.
Enhancement: Added the itsec-get-ip filter to allow code to supply the remote
IP directly.
Enhancement: Enabling SSL support will only log you out if you are not
already on an https connection.
Enhancement: Improve password requirements compatibility with plugins and
systems that integrate with WordPress Users.
Removed Old Feature: Removed the "Replace jQuery With a Safe Version" feature
as its use (protecting against a specific jQuery bug:
https://bugs.jquery.com/ticket/9521) is many years old and is no longer a concern.
Bug Fix: Bumped version number of some scripts to ensure that they refresh
properly.
Bug Fix: Fixed a way to work around Hide Backend on some hosts.
6.5.1 - 2017-08-23 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed logical error that prevented backups from executing.
Bug Fix: Fixed issue that could cause database locks to flood the database.
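The 6.4.0 entry above replaces file locking with database locking so that a lock works across multiple front-end servers sharing one database, and the 6.5.1 entry fixes database locks flooding the table. The following is an added example, not the plugin's own implementation, of the shape such a lock usually takes: one row per lock name guarded by a unique key, so concurrent workers cannot both win and repeated attempts do not accumulate rows, plus an expiry so a crashed worker cannot hold the lock forever. The table name, column names and the `$wpdb` usage are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): a database-backed, expiring lock
// for sites with several front-end servers and a shared database.
//
// Assumed schema (constructed for this example):
//   CREATE TABLE wp_example_locks (
//       name    VARCHAR(191) NOT NULL PRIMARY KEY,
//       expires BIGINT UNSIGNED NOT NULL
//   );
// The PRIMARY KEY on `name` is what makes acquisition atomic: two
// simultaneous INSERTs for the same name cannot both succeed.

function example_lock_table( $wpdb ) {
    return $wpdb->prefix . 'example_locks';
}

// Returns true only if this process now owns the lock.
function example_acquire_lock( $wpdb, $name, $ttl_seconds = 300 ) {
    $table = example_lock_table( $wpdb );
    $now   = time();

    // Reap a stale holder of this lock first. A worker that died mid-run
    // leaves its row behind; without the expiry the lock would never clear.
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE name = %s AND expires < %d",
        $name, $now
    ) );

    // INSERT IGNORE: on a duplicate key MySQL affects zero rows instead of
    // raising an error, so exactly one competing caller sees 1 here.
    // Because the row is keyed by name, failed attempts add nothing to the
    // table, which is what prevents the "flood" the changelog describes.
    $rows = $wpdb->query( $wpdb->prepare(
        "INSERT IGNORE INTO {$table} (name, expires) VALUES (%s, %d)",
        $name, $now + $ttl_seconds
    ) );

    return 1 === $rows;
}

function example_release_lock( $wpdb, $name ) {
    $table = example_lock_table( $wpdb );
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE name = %s",
        $name
    ) );
}

// Usage inside WordPress (constructed): run a backup only if no other
// front-end server is already doing so.
if ( isset( $wpdb ) && example_acquire_lock( $wpdb, 'example-backup', 600 ) ) {
    try {
        // ... do the exclusive work here ...
    } finally {
        example_release_lock( $wpdb, 'example-backup' );
    }
}
```

The delete-then-insert pair is not itself atomic, but that does not matter: if two workers both delete an expired row, only one of their inserts can succeed, and the loser simply gets `false`. Choose the TTL longer than the longest expected run of the protected job, otherwise a slow but healthy worker can be overtaken.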
6.6.0 - 2017-09-06 - Chris Jean & Timothy Jacobs
New Feature: Added a new setting in WordPress Tweaks: "Login with Email
Address or Username".
Enhancement: Host email images from the plugin instead of relying on iThemes
servers, to help prevent email clients from marking messages as spam or blocking
images.
Bug Fix: Fixed an error when searching for modules that prevented modules from
appearing.
Bug Fix: Use the wp_options table when acquiring locks in Multisite.
Bug Fix: Prevent duplicate daily digest emails on sites with high load.
Misc: Added Magic Links, a new Pro-only feature, to be activated by Security
Check.
Misc: Rearranged modules to be listed alphabetically.
6.6.1 - 2017-09-21 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed SQL query bug that resulted in the "Minutes to Remember Bad
Login (check period)" setting being ignored.
Bug Fix: Fixed bug that prevented wp-admin/install.php blocking from working
properly on nginx servers.
Bug Fix: Don't attempt to do an SSL redirect when WP CLI is running.
6.7.0 - 2017-11-07 - Chris Jean & Timothy Jacobs
New Feature: Introduces the Notification Center, a centralized place to
manage and customize email notifications sent by iThemes Security.
Enhancement: Updated queries and prepare statements to account for changes to
the esc_sql() function in WordPress 4.8.3.
Bug Fix: Corrected some JavaScript and CSS links not generating correctly on
Windows servers.
6.8.0 - 2018-01-10 - Chris Jean & Timothy Jacobs
New Feature: Introduces a scheduling framework for handling events. Cron is
now used by default, and will switch to using an alternate scheduling system if it
detects an error. To disable this detection set ITSEC_DISABLE_CRON_TEST in your
wp-config.php file.
Important: The ITSEC_FILE_CHECK_CRON and ITSEC_BACKUP_CRON constants have
been deprecated. Use ITSEC_USE_CRON instead.
Enhancement: Preserve notification settings when the responsible module is
deactivated.
Bug Fix: Process 404 lockouts on the 'wp' hook to prevent a "headers already
sent" warning message.
Bug Fix: Ensure Hide Backend emails are properly sent when activating Hide
Backend before saving the Notification Center for the first time.
Bug Fix: Prevent warning from being issued on new installs by allowing
previous settings to be preserved if they exist.
Bug Fix: Better handle WP_Error objects in mail errors that occurred before
updating to first patch release.
Bug Fix: A non-static method was being called statically.
Bug Fix: Fix occasional duplicate backups and file scans.
Bug Fix: Fixed issue where scheduled events could repeat on sites that do not
properly support WordPress's cron system.
Bug Fix: Reactivating Away Mode now replaces the active file if you had
previously removed it.
Bug Fix: Ensure lockouts take effect immediately, even on systems where
changes to server configuration files do not take effect immediately.
6.8.1 - 2017-01-29 - Chris Jean & Timothy Jacobs
Enhancement: Display user lockouts in Lockout Sidebar.
Bug Fix: Load translations on the plugins_loaded hook.
Bug Fix: Fixed method that could be used to discover hidden login slug on
some sites.
Bug Fix: Fixed issue that could prevent Sync from loading Malware Scan
results if a scan previously failed.
Bug Fix: Update to the REST API "Restricted Access" feature to protect
against methods to work around the restricted access.
Bug Fix: Prevent login page being hidden when following the "Confirm Email
Address" notification URL.
Bug Fix: Fixed Hide Backend notifications not being sent properly when first
enabled.
6.9.0 - 2018-02-12 - Chris Jean & Timothy Jacobs
Enhancement: Updated logging system to keep track of more information and
have more options to filter and sort log entries.
Enhancement: Improved efficiency of File Change Detection scanning.
Bug Fix: Fixed issue that could register loading the logging page as a failed
login attempt on some sites.
6.9.1 - 2018-03-01 - Chris Jean & Timothy Jacobs
Security Fix: Fixed display of unescaped data on logs page.
Enhancement: The logging system now differentiates between WP-CLI commands,
WP-Cron scheduled events, and normal page requests.
Bug Fix: Fixed the File Change scanner, which previously could fail to exclude
selected directories on some systems.
6.9.2 - 2018-03-08 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed situation that could cause lockout notifications to be sent
for whitelisted IPs.
Bug Fix: Fixed issue where saving Global Settings would be blocked by an
unwritable "Path to Log Files" path when the "Log Type" is set to "Database Only".
Bug Fix: Fixed issue that prevented log database entries from purging and log
file entries from rotating on a schedule.
7.0.0 - 2018-05-24 - Chris Jean & Timothy Jacobs
New Feature: Added support for the new WordPress privacy features.
Enhancement: Added minimal API for adding additional entries to the Security
admin menu.
Enhancement: File Change Scan uses a new batching mechanism to prevent
crashing on hosts while still generating only one report per day.
Enhancement: Introduce Distributed Storage framework for reducing the amount
of data stored in the WordPress options table. This should improve performance for
large sites using File Change.
Enhancement: Introduced Login Interstitial framework to consolidate code
between Password Requirements & Two Factor.
Bug Fix: Added ability to show object data for classes that are not loaded to
the Logs page.
Bug Fix: Changed the rules generated by the Filter Suspicious Query Strings
feature in order to avoid blocking privacy export/erasure request confirmations.
Bug Fix: Ensure all users with the `manage_options` capability are available
when selecting contacts in the Notification Center.
Bug Fix: Fix clearing of previous file scan results.
Bug Fix: Fix warnings on debug file change log items.
Bug Fix: Fixed logging system references to "fatal-error" that should be
"fatal".
Bug Fix: Improve File Change recovery system on high-traffic websites.
Bug Fix: Improve clearing of previous File Change file hashes.
Bug Fix: Improved detection of REST API requests on sites without a home dir.
Bug Fix: Fixed internal links to a filtered logs page.
Bug Fix: Prevent PHP warning about converting an array to a string when
adding notification data.
Bug Fix: Prevent PHP warning when completing database backups that are not
emailed to any recipients.
Bug Fix: Properly enforce strong passwords when on the WP Login Reset
Password page.
Bug Fix: Resolve warnings when upgrading file change settings.
Minor: File Scan "chunk" option is removed.
Minor: Make the file scan recovery log smaller.
Minor: Page Load Scheduler: Unschedule single events before running them.
This mirrors the behavior of the WP Cron scheduler.
Minor: Security Digest now includes all lockouts that have occurred since the
last email.
Minor: Shrink storage size of file scans.
Minor: Specifying a manual file scan list has been removed.
Minor: Track raw memory used by the file change scanner as well.
Minor: Updated list of File Change excluded file types to include more media
extensions.
Misc: Added comment to prevent Tide from marking the plugin as not compatible
with PHP 5.3.
Tweak: Add description for File Change recovery related logs.
Tweak: Don't report removed files if the removal is caused by a new file
extension being excluded.
Tweak: File Change: Move "latest_changes" entry to a separate storage bucket
to improve performance on large sites.
Tweak: File Change: Only scan a maximum of 10 plugins in a single chunk.
7.0.1 - 2018-05-25 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed an "Uncaught Error: Call to undefined function esc_like()"
error that could occur when exporting or erasing personal data.
Bug Fix: Skip recovery if File Change storage is empty.
7.0.2 - 2018-06-14 - Chris Jean & Timothy Jacobs
Enhancement: Add UI to cancel in progress File Scan.
Enhancement: Add basic admin debug page to help diagnose and resolve issues,
particularly with events.
Enhancement: Add debug settings JSON editor.
Enhancement: Continually evaluate password strength for users instead of only
during registration.
Enhancement: Introduce Password Requirements module for managing and
enforcing password requirements.
Bug Fix: Accessing password requirement settings would not resolve properly
in some instances.
Bug Fix: Away Mode would not lock out users who were already logged-in during
the "away" period.
Bug Fix: Enforce the Strong Passwords requirement during Security Check.
Bug Fix: Ensure scheduling lock is cleared by the Cron Scheduler when not
proceeding with running events.
Bug Fix: If a password requirement has been disabled or is no longer
available, don't consider the password as needing a change.
Bug Fix: Only hide "Acknowledge Weak Password" checkbox if the user was not
allowed to use a weak password.
Bug Fix: Password strength would not be evaluated if password was set using
custom PHP or CLI commands.
Bug Fix: Prevent File Change from getting stuck in an infinite rescheduling
loop on the first step.
Bug Fix: Remove distributed storage table on uninstall.
Tweak: Don't write to the tracked files setting if the file hash has not
changed.
Tweak: If no last password change date is recorded for the user, treat their
registration date as the last change date.
7.0.3 - 2018-06-18 - Chris Jean & Timothy Jacobs
Security Fix: Fixed SQL injection vulnerability in the logs page. Note: Admin
privileges are required to exploit this vulnerability. Thanks to Çlirim Emini,
Penetration Tester at sentry.co.com, for reporting this vulnerability.
Bug Fix: Provide default values for enabled requirements.
7.0.4 - 2018-06-27 - Chris Jean & Timothy Jacobs
Enhancement: Add mitigation for the WordPress Attachment File Traversal and
Deletion vulnerability.
Tweak: Fire a WordPress action whenever settings are updated.
Bug Fix: Improved input sanitization on the logs page to prevent triggering
warnings.
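The 7.0.3 entry above fixes a SQL injection in the logs page and the 7.0.4 entry tightens input sanitization there; the earlier 6.6.1 entry fixed a SQL query bug in the same area. The changelog gives no code, so the following is an added example, not the plugin's own, of the two pitfalls a filtered, paginated logs query has to handle: values must go through `$wpdb->prepare()` placeholders, and identifiers such as the ORDER BY column, which placeholders cannot express, must come from an allow-list. Table name, column names and request keys are constructed.

```php
<?php
// Added example (not the plugin's code): a filtered, paginated logs query,
// first in the form that admits injection, then hardened.
// Table `{prefix}example_log` with columns id, module, type, timestamp is
// an assumption for this example.

// Vulnerable form: request values and the sort column are interpolated
// straight into the SQL string. Even an admin-only page needs to be safe
// here; an authenticated attacker, or CSRF against an admin, is still a
// path to the database.
function example_logs_sql_unsafe( $wpdb, $req ) {
    $offset = ( $req['paged'] - 1 ) * $req['per_page'];
    return "SELECT * FROM {$wpdb->prefix}example_log"
         . " WHERE module = '{$req['module']}'"
         . " ORDER BY {$req['orderby']} {$req['order']}"
         . " LIMIT {$offset}, {$req['per_page']}";
}

// Hardened form.
function example_logs_sql_safe( $wpdb, $req ) {
    // Identifiers cannot be bound with placeholders, so allow-list them.
    $columns = array( 'id', 'module', 'type', 'timestamp' );
    $orderby = in_array( $req['orderby'], $columns, true ) ? $req['orderby'] : 'id';
    $order   = ( isset( $req['order'] ) && 'ASC' === strtoupper( $req['order'] ) ) ? 'ASC' : 'DESC';

    // Integers are coerced and bounded before any arithmetic: this is also
    // what stops a bad "page number" from producing a negative offset and a
    // PHP warning, the symptom the 7.0.4 entry describes.
    $per_page = min( 100, max( 1, (int) $req['per_page'] ) );
    $paged    = max( 1, (int) $req['paged'] );
    $offset   = ( $paged - 1 ) * $per_page;

    // Every value goes through a placeholder; prepare() quotes %s and
    // casts %d, so the module string can contain anything.
    $module = isset( $req['module'] ) ? (string) $req['module'] : '';

    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_log"
        . " WHERE module = %s"
        . " ORDER BY {$orderby} {$order}"
        . " LIMIT %d, %d",
        $module, $offset, $per_page
    );
}

// Constructed request, the kind a malicious admin (or CSRF) could send:
$request = array(
    'module'   => "brute_force' OR '1'='1",
    'orderby'  => 'id; DROP TABLE wp_users',
    'order'    => 'desc',
    'paged'    => '-5',
    'per_page' => '1000000',
);
// The hardened query binds the module string, falls back to ORDER BY id,
// clamps the page to 1 and the page size to 100.
```

The allow-list is the part most often missed: `prepare()` only protects values, so any column or table name that depends on input must be compared against a fixed set rather than escaped.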
7.1.0 - 2018-08-15 - Chris Jean & Timothy Jacobs
New Feature: Allow for globally setting recipients for admin-targeted
notifications. All new notifications will default to the recipients in this list.
Notifications can be set to use the default list or switch to a custom list.
Enhancement: Added a setting to enable/disable the Grade Report feature of
Pro.
Tweak: Check if an IP is blacklisted on page load for compatibility with
servers that cannot process server configuration level bans immediately.
Tweak: Display a time diff until the next event on the Debug page.
Tweak: Use Logging API for tracking Notification Center errors.
Tweak: Register Scheduler Events whenever the plugin build changes.
Tweak: Allow for filtering logs by any module recorded.
Tweak: Account for 3rd-party Backup Plugin in Security Check.
Bug Fix: Fixed 404 detection for plugins that mark is_404 later in the hook
sequence.
Bug Fix: REST API Protection blocked the Taxonomies route for all users.
Bug Fix: Account for any CLI PHP SAPI instead of just WP-CLI in the SSL
Module.
Bug Fix: Fixed how the Grade Report enable/disable status is stored to fix
admin page loading issues on some sites.
Bug Fix: Fix serialization of closure error when a plugin registering a hook
with a closure is in the boot-up stack and the notification center is triggered too
early in the cycle.
7.2.0 - 2018-10-10 - Chris Jean & Timothy Jacobs
Enhancement: Allow for selecting the particular Proxy header a server is
configured to use. Improve the language to indicate the importance of configuring
this setting. H/t Filippo Cavallarin CEO at wearesegment.com
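The 6.5.0 entry above adds the `itsec-get-ip` filter so code can supply the remote IP, and the entry above lets the administrator pick which proxy header the server is configured to use. The security point behind both is that a forwarding header is only meaningful when the request actually came from a proxy you operate; otherwise anyone can set it and dodge IP-based lockouts. The following is an added example, not the plugin's own code, of supplying the IP through that filter with a trusted-proxy check. It assumes the filter passes a single value and expects either an IP string or that value unchanged (to fall back to the plugin's own detection); the proxy ranges and header name are constructed.

```php
<?php
// Added example (not the plugin's code): resolve the client IP from a
// forwarding header only when REMOTE_ADDR is one of our own proxies.

// Constructed values: the reverse proxies that sit in front of this site
// (IPv4 only in this example) and the header they populate.
function example_trusted_proxies() {
    return array( '10.0.0.0/8', '203.0.113.10/32' );
}
function example_proxy_header() {
    return 'HTTP_X_FORWARDED_FOR'; // $_SERVER key for X-Forwarded-For
}

function example_ip_in_cidr( $ip, $cidr ) {
    list( $subnet, $bits ) = explode( '/', $cidr );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long ) {
        return false;
    }
    // Build the netmask and mask both sides down to 32 unsigned bits.
    $mask = ( -1 << ( 32 - (int) $bits ) ) & 0xFFFFFFFF;
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function example_is_trusted_proxy( $ip ) {
    foreach ( example_trusted_proxies() as $cidr ) {
        if ( example_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// Filter callback. $default is whatever the plugin passed in; returning it
// unchanged means "use your own detection".
function example_resolve_client_ip( $default ) {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $header = example_proxy_header();

    // Direct connection, or a connection from a box we do not recognise:
    // the header is attacker-controlled, so ignore it entirely.
    if ( ! example_is_trusted_proxy( $remote ) || empty( $_SERVER[ $header ] ) ) {
        return $default;
    }

    // X-Forwarded-For is "client, proxy1, proxy2, ...". Walk from the right
    // and take the first hop that is not one of our proxies: that is the
    // address our trusted proxy actually saw. Left-most entries can be
    // forged by the client before the request reaches us.
    $hops = array_map( 'trim', explode( ',', $_SERVER[ $header ] ) );
    for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
        if ( ! example_is_trusted_proxy( $hops[ $i ] )
             && filter_var( $hops[ $i ], FILTER_VALIDATE_IP ) ) {
            return $hops[ $i ];
        }
    }
    return $default;
}

if ( function_exists( 'add_filter' ) ) {
    add_filter( 'itsec-get-ip', 'example_resolve_client_ip' );
}
```

With `REMOTE_ADDR` set to `10.1.2.3` and `X-Forwarded-For: 198.51.100.7, 10.1.2.3`, the callback returns `198.51.100.7`; with `REMOTE_ADDR` set to `198.51.100.7` and the same header sent directly by a client, it returns the default, so the forged entry is never trusted. If the plugin's own proxy-header setting already does this check for your deployment, the filter is unnecessary; the example is for hosts where the trusted set is known only to your own code.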
Enhancement: Block access to git and svn repositories when System Tweaks ->
Protect System Files is enabled.
Tweak: Update jQuery Validation library to 1.17.0
Bug Fix: Improve detection to prevent a File Change Scan from being scheduled
when one is already running.
Bug Fix: Prevent infinite recursion error when trying to access directories
outside of the allowed file tree.
7.3.0 - 2019-02-14 - Chris Jean & Timothy Jacobs
Enhancement: Add Per-Content SSL toggle to the upcoming Block Editor
interface.
Enhancement: Add filter to the recipients list for email notifications:
"itsec_notification_{$notification}_email_recipients" and
"itsec_notification_email_recipients".
Enhancement: Add define "ITSEC_DISABLE_TEMP_WHITELIST" to disable the
Temporary IP Whitelisting for logged-in administrators.
Enhancement: Improve redirecting after processing a login interstitial from a
front-end login form.
Enhancement: Add loopback IP detection to Security Check.
Enhancement: Detect Server IPs in Security Check.
Tweak: Add additional safety checks when writing to system config files. This
will log a "Critical Issue" when the writing of an empty or partial config file is
detected and prevented.
Tweak: Improve File Change locking to help prevent failing scans on sites
with inconsistent cron scheduling.
Tweak: Improve "System Tweaks – Suspicious Query Strings – SQLI" to reduce
false positives.
Tweak: Improve "System Tweaks – Disable PHP" to block PHP files in apache
configurations that serve files with a trailing dot.
Tweak: Remove "Seznam Bot" from HackRepair List as it isn't present in the
latest version.
Bug Fix: Include Hide Backend token when emailing a password reset URL.
Bug Fix: Notification Center - Only send notifications to users with an exact
role match of selected roles instead of a fuzzy match based on selected
capabilities.
Bug Fix: Error when trying to edit reusable blocks with per-post SSL enabled.
Bug Fix: Resolve warnings on PHP 5.2.
7.3.1 - 2019-02-21 - Chris Jean & Timothy Jacobs
Enhancement: When ITSEC_DISABLE_MODULES is set, prevent hide backend from
running.
Bug Fix: Tabnapping: Apply noopener to links instead of using blankshield
script when available to prevent new pop-up blocker behavior from killing the
links.
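The tabnabbing entry above changes the plugin from a script-based defence to the `noopener` link relation. The attack that `noopener` defends against is a page opened via `target="_blank"` using `window.opener` to navigate the original tab; `rel="noopener"` severs that reference at the browser level, so no script is needed and pop-up blockers are not involved. The following is an added example, not the plugin's own code, of applying that relation server-side to outbound links in rendered HTML. WordPress core has offered `wp_targeted_link_rel()` for the same purpose since 5.1; this standalone version is shown for sites or output paths where that helper is not applied.

```php
<?php
// Added example (not the plugin's code): add rel="noopener noreferrer" to
// every <a ... target="_blank"> in a fragment of HTML, preserving any rel
// values the anchor already carries.

function example_add_noopener( $html ) {
    return preg_replace_callback(
        // Match an opening <a> tag that carries target="_blank" (any quoting).
        '/<a\b[^>]*\btarget\s*=\s*["\']?_blank["\']?[^>]*>/i',
        function ( $m ) {
            $tag = $m[0];

            // Anchor already has a rel attribute: merge into it.
            if ( preg_match( '/\brel\s*=\s*["\']([^"\']*)["\']/i', $tag, $rel ) ) {
                $values = preg_split( '/\s+/', trim( $rel[1] ) );
                foreach ( array( 'noopener', 'noreferrer' ) as $needed ) {
                    if ( ! in_array( $needed, $values, true ) ) {
                        $values[] = $needed;
                    }
                }
                $values = array_filter( $values ); // drop an empty entry from rel=""
                return str_replace( $rel[0], 'rel="' . implode( ' ', $values ) . '"', $tag );
            }

            // No rel attribute: insert one before the closing '>'.
            return substr( $tag, 0, -1 ) . ' rel="noopener noreferrer">';
        },
        $html
    );
}

// Constructed sample output, as a theme or plugin might render it:
$sample = '<p>See <a href="https://example.com/docs" target="_blank">the docs</a> '
        . 'and <a href="https://example.net" target=_blank rel="nofollow">this</a>.</p>';

$fixed = example_add_noopener( $sample );
// First anchor gains rel="noopener noreferrer"; second becomes
// rel="nofollow noopener noreferrer". Anchors without target="_blank"
// are left untouched.
```

`noreferrer` is included alongside `noopener` because older browsers that predate `noopener` still honour it and it implies the same opener isolation; the cost is that the destination does not see a Referer header.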
7.3.2 - 2019-03-19 - Chris Jean & Timothy Jacobs
Tweak: Allow the log description column to word break for URLs or other
strings with no spaces.
Bug Fix: Fixed a Hide Backend bypass on certain Apache configurations.
Bug Fix: Properly return error that occurs during a backup.
Bug Fix: Fixed a regex warning on PHP 7.3 in the File Change module.
Bug Fix: Resolve warning when a user is set to "No Role".
7.3.3 - 2019-03-25 - Chris Jean & Timothy Jacobs
Bug Fix: Fixed a Hide Backend bypass.
7.4.0 - 2019-06-10 - Chris Jean & Timothy Jacobs
New: iThemes Security Admin Notices are now conveniently located in the new
Security Messages Menu. Check your notices in the Security menu on the WordPress
Admin Bar.
Enhancement: Add Security Message when a Notification Center email fails to
send.
Enhancement: Replace Trace IP with IP Tracker Online.
Tweak: Remove 'DELETE' method from "System Tweaks -> Filter Request Methods".
7.4.1 - 2019-08-15 - Chris Jean & Timothy Jacobs
Enhancement: New iThemes Sync Verb support for File Change.
Tweak: Add additional information about the login attempt when calling the
Network Brute Force API.
Bug Fix: Fixed a Hide Backend bypass.
Bug Fix: Fixed a Strict Standards error during Sync request.
Bug Fix: wp_die() if a login interstitial session fails to be created instead
of throwing a fatal error.
7.5.0 - 2019-11-13 - Timothy Jacobs
Breaking Change: iThemes Security requires PHP 5.4 or later.
Enhancement: New Lockout Template screen.
Enhancement: Add confirmation button to Login Interstitial Async Actions when
on a different device.
Enhancement: Add filter to "Lookup IP" link.
Developer Note: There were significant changes to the internals of the
iThemes Security Lockout API in this release. If you are using the ITSEC_Lockout
class directly, all the API functions will continue to work, but will emit
deprecation notices when legacy behavior is being used. Please update any
integrations.
Bug Fix: Brute Force module reporting invalid logins using an email address
incorrectly.
Bug Fix: Improve lockout compatibility with caching plugins.
Bug Fix: Fix admin notice not being dismissed due to a REST API route that
was more narrowly defined than necessary.
Bug Fix: Admin Notices list did not refresh after dismissing a notice.
Bug Fix: Strong Passwords zxcvbn Library was not evaluating penalty strings
correctly.
Bug Fix: Fix PHP warning if there are multiple detected proxy headers.
7.6.0 - 2019-12-09 - Timothy Jacobs
Breaking Change: iThemes Security requires PHP 5.5 or later.
New Feature: iThemes Security now includes Security Check Pro to
automatically and correctly determine your visitors' IP addresses. Enable this scan
by running Security Check and opting in to Security Check Pro, or activate the
Security Check Pro module in Advanced Modules. H/t Jeremy Voisin
Enhancement: Run Security Check Pro IP Detection automatically once a day.
Enhancement: Manually re-run Security Check Pro IP Detection from the Global
Settings page.
7.6.1 - 2019-12-10 - Timothy Jacobs
Bug Fix: Properly notate that iThemes Security requires PHP 5.5 or greater.