History

4.0.
0 - 2014-03-25 - Chris Wiegman

Initial Release
4.0.1 - 2014-03-25 - Packaging Bot (modules/free)
Initial Release
4.0.2 - 2014-03-25 - Packaging Bot (core)
Initial Release
4.0.3 - 2014-03-26 - Packaging Bot (lib/icon-fonts)
Fixed issue with admin menu icons not functioning properly on sites that have
an ABSPATH or WP_CONTENT_DIR of "/".
Initial Release
Initial Release
Fixed history.txt (for iThemes customers)
Moved upgrade to separate function for more seamless update
Upgrade system rewritten for better functionality
Make sure 404 doesn't fail if there is not a 404.php in the theme
Make sure WordPress root URLs render correctly
Filewrite now only builds rules on demand.
Fixed dismiss button on intro modal for small screens
General cleanup and typo fixing
Updated modules/free to version 1.0.3
only save post meta for ssl when the value is true
fixed missing admin user settings if only one part had been changed
SSL Redirection working properly on front end. No more redirect errors
hide backend will warn of the new url when saving
hide backend will now email the notification email(s) when the login area has
been moved
Added BackupBuddy coupon
Added ability to manually purge log table
Added "Show intro" button next to screen options to bring the intro modal
back
Added ability to use HTML in error messages
Minor copy and other tweaks
Private posts will now work with hide backend
Added an option for custom login action that can bypass hide login
Allow admin-ajax.php to bypass hide backend
Added filters for external backup plugins to register with the dashboard
Enable theme compatibility mode by default
Miscellaneous copy and function doc fixes
Execute permanent ban on the correct lockout count, not the next one
Updated quick ban rules to match standard ban rules (will work with proxy)
Fixed an NGINX rule that didn't actually block XMLRPC.php
Updated rule order on ban users
Fixed a bug that could prevent away from from turning off in certain time
configurations (this resulted in the return to homepage on login)
Updated some function doc
Update plugin build
Fixed bug preventing file change scanning from advancing when chunked
Don't autoload file list on non-multisite installations
Make sure away mode settings transfer from 3.x or disable away mode
Make sure unset admin user field remains if the other setting has been fixed
Removed admin user from settings table of contents
Make sure array input is trimmed in file change module
Correct input type on file change settings sanitization
Use full URL on file change warning redirect to prevent invalid target
Reduce erroneous hide backend change warnings
When accessing htaccess or wpconfig make sure opening settings changes are
664 instead of 644 to reduce issues
Update hackrepair.com's Agents blacklist
Make sure global settings save button matches others
Fixed link in locout email
Email address settings retain end of line
Sanitize email addresses on save and not just use
Make sure whitelist is actually an array before trying to process
Make sure rewrite rules show on dashboard when file writing isnt allowed
Added extra information to dashboard server information to help
troubleshooting
Clean up away mode to prevent lockouts on update or other points
Updated core to version 1.0.9
Make sure logs directory is present before trying to use it
Log a message when witelisted host triggers a lockout
Don't create log files if they're not going to be used
Miscellaneous typos and orther bugfixes
Add pro tab if pro modules need it
Upgrade module loader to only load what is needed
Make sure backup directory is present before trying to use it
Make sure backup file method is respected on all backup operations
Added ability to limit number of backups saved to disk
Minor typo and other fixes
Only load front-end classes as needed
Add link to free support at .org forums
Remove select(?ed) from suspicious query strings for 3.9 compatibility
Fixed domain mapping issue (requires http://wordpress.org/plugins/wordpress-
mu-domain-mapping/ domain mapping plugin)
Remove array type errors on 404 pages
Remove remaining create function calls
Make sure uploads directory is only working in blog 1 in multisite
Better checks for run method in module loader
XMLRPC soft block should now work with WordPress mobile app
Make sure "remove write permissions" works
Better descriptions on white list
Add pro table of contents if needed
Make sure security admin bar item works
Make sure lockout message only happens when needed
Suppress errors on readlink calls
Make sure class is present for permanent ban
Make sure white list is an array
Fix white listed IPs not working
Log when Away-mode is triggered
Make sure away mode file isn't accidently deleted
Make sure away mode doesn't even allow access to the login form (as it didn't
in 3.x)
Enhance warnings on "Change content directory" settings
Better descriptions on white lists
Fixed XMLRPC label
Better XMLRPC Dashboard status
Don't allow logout action on wp-login.php with hide backend
Better check for variable in SSL admin
Miscelaneous typos and other fixes
Remove extra file lock on saving .htaccess, nginx.conf and wp-config.php.
Only flock will be used in these operations
Fixed a function not found error in the brute force module
Improved content filtering in SSL so that more images and other content will
link with appropriate protocol.
Fixed hide backend in cases where a lockout has expired
Miscelaneous typos and other fixes.
Added on-demand malware scanning for the homepage
Fixed Error in 404 scanning if path field was empty
Updated hackrepair.com's default blacklist
Modified support reminder to ask users to upgrade rather than donate
Use get_home_path() in place of ABSPATH to account for WordPress core in a
different directory than wp-content
Use PHP comments in index.php file to account for the possibility of a scan
including the file in which case the html comment could result in an error
Fixed various typos throughout the plugin dashboard
Added ability to prevent file change scanning from running on a given page
load by defining ITSEC_FILE_CHECK_CRON to true
Cleaned up file change logging reports to me more clear when no files have
been changed
Added feature to immediately ban user "admin" when no user "admin" exists on
the site and a host tries to log in with it anyway
Added blank line to end of all textarea input to make it easier to input data
Added brute force checks to XMLRPC calls to prevent brute force attacks
against XMLRPC
Added malware and malware scheduling modules
Added better URL validation to ITSEC_LIB
Added exception for 127.0.0.1 to prevent a local server from being locked out
of a site during wp-cron or other calls
Added button to quickly add current IP address to permanent whitelist
Added appropriate message for logs page when logs are not available due to
"file only" logging being selected
Fixed an inadvertant disabling of file change scans intrudced in 4.3
Make sure pro core module loads to remove upsell when pro has already been
purchased.
Clean up notifications for file change detection and malware scanning
Clean up notifications for file change detection and malware scanning
Ensure that individual module updates fire when updating the plugin
Added function to retrieve current URL from the front-end
Remove error message if WP_Error is returned with wp_remote_post in malware
scan
Fixed bug where away-mode was still enabled after one-time period has passed
which could result in away mode activating when it should not
Fixed error in brute force protection that counts valid logins with XML-RPC
as bad logins towards a brute force lockout.
Low Severity Security Fix - Lack of access control patched - Sucuri (reported
19Aug2014)
Fixed an error in XMLRPC blocking when $username variable cannot be found
New Feature: Add IPCheck Brute Force API integration
New Feature: Add ability to receive a daily digest email instead of
individual emails per event.
Enhancement: Added "Go Pro" menu item to admin menus.
Enhancement: Added button to release IP address from temporary whitelist.
Fixed: introduction screen should now display completely on computers with
low-resolution screens.
Fixed: multisite bug that still showed BackupBuddy (if present) even though
BackupBuddy is not multisite compatible.
Fixed: Scrolling table of contents should not cover side-bar items on pro.
Fixed: When changing admin user login form will no show the correct path when
WordPress is not installed in the same directory as the website address.
Fixed: File locking will try to create the iThemes Directory if it isn't
already present rather than just saying a lock could not be attained.
New Feature: Add IPCheck Brute Force API integration
Enhancement: Reordered sidebar items to make it easier for the user to get to
the information they need from iThemes
Fixed: The plugins_loaded hook which fires on logout will now fire later to
improve compatibility with iThemes Exchange
Fixed: multisite bug that still showed BackupBuddy (if present) even though
BackupBuddy is not multisite compatible.
Fixed: Added an extra flag in an attempt to reduce duplicate file-change
detection executions.
Fixed: Added missing index.php files to directories that were missing them to
ensure no information could be attained if directory is turned on.
Fixed: Make sure hide backend rewrite rules are consistent with the correct
location of the WordPress login page when WordPress is not installed in the main
website folder.
Fixed: Fixed an error whereas an empty filter could display an error when
building the log tables.
Fixed: Fixed an error that could occur on multisite due to a missing "core"
object
Fixed: Force stylesheet reload for new nags and other items by pushing plugin
build number to stylesheet registrations
Fixed: Fixed typos in digest email.
Fixed: Fixed typos in default network lockout message.
Fixed: Force stylesheet reload for new nags and other items by pushing plugin
build number to stylesheet registrations
Fixed: fixed possible undefined api_error variable on line 316 if WordPress
believes the email address is invalid.
Fixed: failed calls to various apis will no longer throw a php error on
failure.
4.4.7 - 2014-09-11 - Packaging Bot (lib/icon-fonts)
Add support for ContactBuddy
Enhancement: Added a link to the actual timezone settings in the general
settings page (instead of the top of the page)
Fixed: Fixed missing "no changes" text in file change emails.
Fixed: Formatting of individual file change emails will now work.
Fixed: Fixed a bug in ban users user agents that would cause a crash on
Apache if the user agent contained a space
Fixed: When an invalid backup directory is detected it will not fail but will
instead reset it to the original.
New Feature: Automatically generate strong passwords
New Feature: Password expiration
Fixed: When an invalid log directory is detected it will not fail but will
instead reset it to the original.
Fixed: No more duplicate digest emails
Fixed: No more "Array" message appearing in digest emails from user lockouts
Fixed: HTML in traditional file log emails will display correctly.
Fixed: From address in notification emails will now display correctly.
Fixed: MySQL errors will no longer appear for missing iThemes Security
tables. Instead it will attempt to recreate them.
Enhancement: Updated copy on Virustotal API key to indicate that a private
key is not needed.
Fixed: More complete check for user id when resettings password will prevent
undefined index login on line 62 error.
Fixed: Fixed a bug that prevented the api key from saving after resetting the
key.
Fixed: Removed errors that could occur due to the use of custom capabilities
and roles.
Fixed: fixed duplicate ID issue from user_id_exists calls.
Fixed: Fixed an error in the lockout module that results in an error for
users of multisite
Fixed: Notification emails will no longer send if not turned on
Fixed: Duplicate messages will not be allowed in digest emails
Fixed: Duplicate digest emails will have a far lesser chance of sending
Fixed: User lockout count in email notifications will now be correct
Fixed: Error on line 1312 when iThemes API is actived with version 4.4.15
New Pro Feature: Dashboard widget. Get important information and handle user
blocking right from the WordPress Dashboard.
Fixed: When using wp-cron for file checking cron check will run daily instead
of hourly.
New Pro Feature: Dashboard widget. Get important information and handle user
blocking right from the WordPress Dashboard.
New Pro Feature: File change scanning will now compare WordPress core files
to the WordPress.org repository.
Fixed: Make sure php_gid is always defined to prevent error message if the
function is not usable.
Fixed: Link to BackupBuddy in admin bar will now work correctly.
New Pro Feature: File change scanning will now compare WordPress core files
to the WordPress.org repository.
Enhancement: More time/date information is now shown in the logs for file
change scanning
Fixed: Filechange will no longer show false positives with every change in
DST (although this will cause run round of such notifications on update).
Fixed: Link to malware scanning logs will work.
New Pro Feature: Temporary privilege escalation
Security Fix: Fixed possible XSS vulnerability in ITSEC_Lib. - Low priority -
Thanks to http://planetzuda.com
New Feature: Perform file scan via iThemes Sync
New Feature: Perform malware scan via iThemes Sync
Fixed: Make sure to esc urls on SSL redirects (unreported minor security fix)
Fixed: Added filters to SSL to try to catch more assets
Fixed: Suspicious query strings feature should no longer conflict with many
plugins
Fixed: File change detection should no longer throw an error if opendir
failed
New Pro Feature: wp-cli integration
New Feature: Temporarily whitelist your IP address via iThemes Sync
New Feature: Override proxy IP detection
New feature: Hide admin bar (if desired)
Enhancement: Added filter to allow for custom log pages
Enhancement: Added debug constant to help troubleshoot multiple emails
Enhancement: Added constant to force digest emails via wp-cron instead of
custom timing
Fixed: Various missing variable fixes were added
Fixed: MySQL errors on MySQL 5.6 during activation were fixed.
Fixed: HTML emails now contain HTML tag
Fixed: Lockout count in emails should now be more accurate
New Feature: Perform file scan via iThemes Sync
New Feature: Perform malware scan via iThemes Sync
Fixed: Make sure to esc urls on SSL redirects (unreported minor security fix)
Fixed: Added filters to SSL to try to catch more assets
Fixed: Suspicious query strings feature should no longer conflict with many
plugins
Fixed: File change detection should no longer throw an error if opendir
failed
New Pro Feature: wp-cli integration
New Feature: Temporarily whitelist your IP address via iThemes Sync
New Feature: Override proxy IP detection
New feature: Hide admin bar (if desired)
Enhancement: Added filter to allow for custom log pages
Enhancement: Added debug constant to help troubleshoot multiple emails
Enhancement: Added constant to force digest emails via wp-cron instead of
custom timing
Fixed: Various missing variable fixes were added
Fixed: MySQL errors on MySQL 5.6 during activation were fixed.
Fixed: HTML emails now contain HTML tag
Fixed: Lockout count in emails should now be more accurate
Fixed: Removed unneeded fields in malware
New Pro Feature: Google reCAPTCHA
Fix/Enhancement: Code refactoring of numerous modules
Fix: Hiding available updates in multi-site will no longer block wp-cli from
detecting updates.
Fix: Removed leftover JavaScript debugging statements.
New Feature: Add file/folder permissions check to Dashboard
Fix/Enhancement: Minor refactoring of various core components
Fix: Fixed duplicate module listsing on log page dropdown
Fix: Fixed missing lockouts on iThemes Sync dashboard
New Feature: Change WordPress Salts
Enhancement: Refactored ITSEC_Lib and ITSEC_Files for better usability and
new functions to make changing salts possible
Bug Fix: Generating wp-config.php file updates no longer produces warnings.
Bug Fix: Fixed .htaccess file modifications failing.
Fix: Quick banning IPs will now work correctly if existing htaccess rules are
in place
Fix: minor bug fixes and typo corrections.
Enhancement: Limit the number of lockouts that can be displayed at any given
time in the dashboard.
Fix: Make sure header error messages are suppressed when performing a
lockout.
Fix: Fix error message from missing login information when displaying
lockouts.
Bug Fix: When a file scan is run from iThemes Sync, a warning will no longer
be added to the site's error log.
Bug Fix: Fixed regression that prevented adding wildcard IP's in the form of
'XXX.XXX.XXX.*' to Ban Hosts.
Enhancement: Translation files can now be stored in
WP_LANG_DIR/plugins/ithemes-security-pro for
iThemes Security Pro and WP_LANG_DIR/plugins/better-wp-security for
iThemes Security free version.
Bug Fix: The file permissions check will no longer list a warning if the
plugins directory has permissions of 755.
Bug Fix: Fixed incorrect text describing the "Backups to Retain" database
backup setting.
Bug Fix: Security fix for XSS vulnerability. Thanks to Ole Aass (@oleaass)
for finding and disclosing this vulnerability to the iThemes Security team.
4.7.0 - 2015-06-17 - Chris Jean
Enhancement: Updated to use new file modification API.
Enhancement: Added HackRepair.com blacklist for Nginx.
Enhancement: Improved Nginx support for System Tweak features.
Enhancement: Updates to wp-config.php, .htaccess, and nginx.conf files now
support more systems.
Enhancement: Combined the "Force SSL for Dashboard" and "Force SSL for Login"
settings to a unified "Force SSL for Dashboard" setting. This is due to how the
FORCE_SSL_LOGIN define was deprecated in WP 4.0.0.
Enhancement: Added comments to wp-config.php, .htaccess, and nginx.conf
updates that indicate which settings affect the specific entries.
Enhancement: Added translation support for previously static strings,
including strings used for comments in wp-config.php, .htaccess, and nginx.conf
files.
Enhancement: Improved generation of valid referers for use by the Reduce
Comment Spam feature.
Enhancement: Broadened the server support in the import settings code.
Enhancement: Added new library classes for managing files, directories, and
config files.
Enhancement: Improved error messages for when file writes fail.
Enhancement: Improved error messages for when export file creation fails.
Enhancement: Improved error messages for situations when the .htaccess,
nginx.conf, or wp-config.php files may need to be manually updated.
Bug Fix: Added support for Apache 2.4 without the access_compat module.
Bug Fix: Fixed condition where forcing SSL on front-end pages could cause
infinite redirection loops with specific setups of nginx to Apache reverse proxy
servers.
Bug Fix: Fixed scenarios where the site would be forced to load via https but
scripts, stylesheets, and images would load via http.
Bug Fix: Fixed invalid nginx.conf rule generation for the Reduce Comment Spam
feature.
Bug Fix: Corrected invalid parsing of some IP formats in Ban Hosts list.
Bug Fix: Improved error handling when reading or updating config files.
Bug Fix: Fixed various warnings that would display when changing settings.
Bug Fix: Fixed a situation where creation of a zipped export file would fail,
but an email would still be sent as if the zip was created successfully.
4.8.0 - 2015-07-06 - Chris Jean
Feature Removal: Removed the malware scanning features as VirusTotal no
longer supports scanning from WordPress sites. A replacement is in the works.
Bug Fix: The close button on the "Thank you for activating iThemes Security"
message now appears in the correct location.
Bug Fix: Removed the site's URL being displayed in the "Replace jQuery With a
Safe Version" setting details.
Bug Fix: Updated .htaccess rules to be compatible with Apache 2.4 without the
auth compat module.
Bug Fix: Enabling and disabling the "Remove File Writing Permissions" setting
now updates the file permissions properly.
Bug Fix: Web servers that cannot be recognized now default to Apache.
Enhancement: Updated the hackrepair lists.
4.9.0 - 2015-08-03 - Chris Jean
Feature Removal: Removed the "Remove WordPress Generator Meta Tag" feature as
it is not recommended due to limited security benefit and creating compatibility
issues.
Enhancement: Added the ability to undo the Content Directory change.
Bug Fix: No longer tries to load a non-existent JavaScript file for the salts
module.
Bug Fix: Fixed an issue with one-time database backups on multi-site
installs.
Bug Fix: Fixed issues related to locating .htaccess or nginx.conf files on
sites with WordPress installed in a separate directory.
Bug Fix: Fixed issues with PHP blocking in uploads directory not working with
certain non-standard setups.
Bug Fix: Minor change to fix a warning that can appear after changing the
Content Directory.
Bug Fix: Fixed a PHP fatal error that could occur on some servers when adding
a ban to the site's .htaccess or nginx.conf file.
5.0.0 - 2015-09-14 - Chris Jean
Compatibility Fix: Changed translation domain from it-l10n-better-wp-security
to better-wp-security. This change was necessary in order to be included in the
translate.wordpress.org project.
New Feature: Added malware scanning provided by Sucuri SiteCheck.
5.0.1 - 2015-09-15 - Chris Jean
Compatibility Fix: Added support for
ITSEC_TEST_MALWARE_SCAN_DISABLE_SSLVERIFY. Setting it to true can bypass "SSL peer
certificate or SSH remote key was not OK" errors on servers with bad SSL
configurations.
5.1.0 - 2015-10-15 - Chris Jean
New Feature: Added "Multiple Authentication Attempts per XML-RPC Request"
setting to the WordPress Tweaks section. When this setting is set to "Block",
iThemes Security will block brute force login attacks against XML-RPC as described
by Sucuri in this blog post: https://blog.sucuri.net/2015/10/brute-force-
amplification-attacks-against-wordpress-xmlrpc.html
Enhancement: Updated text describing the XML-RPC setting in the WordPress
Tweaks section to better explain what the setting is for and which setting is
recommended.
Enhancement: Improved IP detection when proxy detection is active by
processing the header set by CloudFlare.
Enhancement: Added a filter named itsec_filter_remote_addr_headers which can
be used to change which headers are searched for the client IP. This allows for
tailoring the IP detection for specific reverse proxies and load balancers.
Bug Fix: Updated the Banned Users settings to no longer add a newline to the
Ban Hosts input each time the settings page is saved.
Compatibility Fix: Updated code triggered by the
ITSEC_TEST_MALWARE_SCAN_DISABLE_SSLVERIFY define. This avoids plugin compatibility
issues that prevent disabling the SSL peer verification.
5.1.1 - 2015-11-10 - Chris Jean
Enhancement: Removed Yandex and Sogou from the HackRepair blacklist as they
are legitimate search engine bots.
Enhancement: Added detailed information about Sucuri malware scan errors to
Malware Scan log details.
Bug Fix: No longer enables display of database errors when an event is
logged.
5.2.0 - 2016-01-18 - Chris Jean & Aaron D. Campbell
Security Fix: Fixed PHP code that could allow AJAX requests to list
directories and files outside the directory structure of the WordPress
installation. Note that these AJAX requests required a logged in user with admin-
level privileges. This vulnerability was unable to be exploited by non-privileged
or anonymous requests.
Bug Fix: Updated the SSL feature to use 301 redirects rather than 302
redirects.
Bug Fix: Fixed situations where security nonces would incorrectly trigger
"security check" errors when enabling specific combinations of features on the
settings page.
Bug Fix: Enabling scheduled database backups and setting a backup interval of
0 days no longer results in a backup being created on every page load.
Bug Fix: Module-specific data is properly initialized/removed on plugin
activation, deactivation, and uninstallation.
Feature Removal: Removed the "Security Status" portion of the Security >
Dashboard page. This is in preparation for a new tool that provides suggestions
tailored to the site and server that Security is running on.
Enhancement: Updated the way the feature modules function in order to allow
them to be redesigned in a more efficient and flexible way for future releases.
Enhancement: Updated the File Change Detection feature to attempt a max
memory limit of 256M rather than 128M as some users experience out of memory issues
which could be fixed with the higher memory limit.
Enhancement: Updated the Database Backup feature to attempt a max memory
limit of 256M rather than 128M as some users experience out of memory issues which
could be fixed with the higher memory limit.
Enhancement: Added localization support for some non-localized strings.
Enhancement: Improved detection of multiple active versions of iThemes
Security.
Bug Fix: Comparisons of IPv4 addresses and ranges now include the IP's at the
edge of the ranges.
Bug Fix: IPv4 tests now work as expected when deciding if a blacklisted IP or
range overlaps a whitelisted IP's and ranges.
Bug Fix: Fixed styling issue that affected the display of the horizontal tabs
on settings pages in WordPress 4.5.
Bug Fix: Replaced old module sorting order in settings screens.
Bug Fix: Fixed PHP 7 compatibility issue that triggers the following error:
"Uncaught Error: Call to undefined function mysql_get_client_info()".
Bug Fix: Fixed warnings and errors that could occur when deleting the plugin.
Bug Fix: Fixed warning that could occur on a failed login when Local Brute
Force Detection is disabled.
Bug Fix: All data added to the options table by iThemes Security is removed
on uninstall.
Bug Fix: Fixed the cause of the following warning: call_user_func_array()
expects parameter 1 to be a valid callback, class 'ITSEC_SSL_Setup' does not have a
method 'execute_deactivate'
Enhancement: When a lockout is being executed, wp_logout() will only be
called if the current page request comes from a logged in user. This prevents
plugins that log logout events from logging log outs from unknown users.
Enhancement: Improved the descriptions used for some of the data displayed in
the "System Information" section of Security > Dashboard.
Enhancement: Added "Use MySQLi" entry to the "System Information" section of
Security > Dashboard to show whether the MySQLi driver is enabled.
Enhancement: Updated the "SQL Mode" entry in the "System Information" section
of Security > Dashboard to show the full details if that value is set.
Enhancement: Improved code that ensures that tables and options table entries
created by iThemes Security are removed on uninstall only when no other iThemes
Security plugin is active.
New Feature: Added support for IPv6 addresses. This includes support for IPv6
in lockouts, ban hosts, and white lists.
Bug Fix: Fixed issue that could cause username-based lockouts to fail for
long usernames.
Bug Fix: Fixed issue that prevented wildcard IP ranges from being blacklisted
or whitelisted.
Bug Fix: Removed warnings generated when the Away Mode module is disabled and
iThemes Sync contacts the site.
Enhancement: Updated descriptions of valid IP and IP range formats for the
Lockout White List and the Ban Hosts settings.
Enhancement: Updated host entries in log details to link to traceip.net
rather than ip-adress.com. This is because ip-adress.com does not support IPv6
addresses.
Enhancement: Updated some translatable strings relating to blacklisting and
whitelisting to allow for better translations.
Enhancement: Added details about how wildcard IP ranges are converted to CIDR
format (this improves performance).
Security Fix: Hardened the created backups and logs directories. Thanks to
Nicolas Chatelain (SYSDREAM IT Security Services) for notifying us of this issue.
Security Fix: More secure backup and log file names. Thanks to Nicolas
Chatelain (SYSDREAM IT Security Services) for notifying us of this issue.
Bug Fix: The "NGINX Conf File" setting is now properly respected, causing the
generated NGINX configuration file to be stored in that location.
Enhancement: Generated database backup file names now contain a human-
readable timestamp in the format of YYYYMMDD-HHMMSS.
Enhancement: Zipped database backup files no longer contain a deeply nested
directory structure. Instead, they only contain the sql file.
Enhancement: When the "Force Unique Nickname" feature is enabled, the
generated display name now uses an improved randomization function.
Enhancement: Improved tabbing of rules in generated nginx.conf files.
Enhancement: Removed the "See what's new button" as it has fulfilled its
purpose.
Bug Fix: Updated code that generates the backups and logs directories to
ensure that it attempts to create the parent directory if it does not exist yet.
Bug Fix: Removed warnings that could be generated if the logs directory could
not be created.
Bug Fix: Database backup files sent via email no longer have a name without
an extension if zipping up the file fails.
Bug Fix: Fixed temporary whitelisting by preventing a temporarily whitelisted
IP from being locked out.
Bug Fix: Fixed issue that could cause a fatal error after changing the
content directory.
Bug Fix: Updated the link to sign up for security guide download to point to
a https address. This is better security and prevents warnings when submitting from
a http site in some browsers.
Bug Fix: If a cryptographically secure log file name can't be generated,
queue up log file writes until we can.
Security Fix: No longer using document.location to build 'Show Intro' link in
admin - Thanks to David Lodge (Pen Test Partners) for notifying us of this issue.
Bug Fix: Fixed some notices when certain multisite options are used on
BuddyPress
Enhancement: New itsec_white_ips filter to allow plugins that work with
external services to whitelist service IPs
Security Fix: Better caps checks for dismissal of changed file dialog -
Thanks to Julio Potier for notifying us of this issue.
Bug Fix: Make file change warning dialog text properly translatable
Enhancement: Adding 'itsec_log_event' action for logged events
Bug Fix: Throw a real 403 instead of a faked 404 for hide backend - Fixes
compatability with certain plugins including WordPress SEO. Hat tip to Joost de
Valk (@jdevalk) and the @Yoast team for bringing this issue to our attention.
Enhancement: New user interface with both grid and list views for managing
settings.
Enhancement: New automatic temp whitelisting of IPs for users that manage
iThemes Security settings.
Enhancement: Better feedback on errors when modifying wp-config.php or server
config files.
Enhancement: Improved code efficiency of the Away Mode feature so that it
takes less processing time when active.
Enhancement: Rather than disabling features that have invalid user input, the
user now can fix the issue before saving.
Enhancement: Improved the efficiency of the plugin's loading code, reducing
the amount of time taken to run the plugin.
New Feature: Global settings now has a "Show Error Codes" setting that can
provide an error message's specific error code when it is enabled.
Bug Fix: More than one IP can now be temp whitelisted.
Bug Fix: Fixed a bug where some modules would be enabled or disabled when
they shouldn't be after upgrading to the latest version.
Bug Fix: Will not send notification emails about the new login address when
Hide Backend is enabled and doing an upgrade.
Compatibility Fix: Updated handling of wp_remote_get() responses in
preparation for changes coming in WordPress 4.6.
Bug Fix: Fixed error that would prevent nginx servers from being able to make
use of the "Reduce Comment Spam" feature of the WordPress Tweaks module.
Bug Fix: Restored missing log filter for 404 Detection log entries.
Bug Fix: Fixed links to Settings, Logs, and creating a backup on Multisite.
Enhancement: The "Write to Files" setting is now enabled by default.
Bug Fix: Don't rely on externally loaded MailChimp JavaScript.
Bug Fix: Fixed bug that could cause some sites to lose settings when
upgrading.
Bug Fix: Fixed SQL query for Database Backups when "Backup Full Database" is
enabled.
New Feature: Added a new File Permissions section on the settings page to
bring back the directory and file permissions listing feature found on the Security
> Dashboard page of older plugin versions.
Bug Fix: Fixed a situation where adding a very large list of IP's in the Ban
Hosts list would generate an invalid .htaccess file on some servers.
Enhancement: The Database Backups, Local Brute Force Protection, Network
Brute Force Protection, Strong Password Enforcement, and WordPress Tweaks features
are now active by default on new installations.
Enhancement: The WordPress Tweaks feature now uses the "Disable File Editor"
setting by default on new installations.
Enhancement: The WordPress Tweaks feature now sets the "Multiple
Authentication Attempts per XML-RPC Request" setting to "Block" by default on new
installations.
Enhancement: Improved the styling of notices.
New Feature: Added a new Security Check section on the settings page. This
new feature adds a tool to quickly ensure that the recommended features are enabled
and the recommended settings are used.
Bug Fix: Fixed the ability to remove the itsec_away.confg file in order to
disable Away Mode.
Enhancement: The "Ban Lists" setting of Banned Users is now enabled by
default.
Bug Fix: Fixed a potential logging issue that could prevent some lockout
notices from being properly logged on non-English sites.
Bug Fix: Prevented some notices from displaying to users who do not need to
see them.
Bug Fix: Limited notices to only display on specific pages on the dashboard.
Compatibility Fix: Changed name of the $HTTP_RAW_POST_DATA variable to avoid
erroneously tripping PHP 7 compatibility checks.
Code Cleanup: Removed legacy code that is no longer needed.
Enhancement: Started tracking when a user was last seen as logged in and
active for future use.
Misc: Added a placeholder for the Pro feature "User Security Check".
5.6.2 - 2016-09-27 - Chris Jean
Security Fix: Fixed issue where a locked out but not yet blacklisted IP/user
could receive different HTTP headers when testing a valid username/password
combination. Thanks Leon Atkinson of 18INT for contacting us about this issue.
Security Fix: Updated log output to prevent specific kinds of logged requests
from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us
about this issue.
Bug Fix: The Security > Security Check link now works as expected in
multisite.
Bug Fix: Fixed bug that could prevent the "Filter Long URL Strings" feature
from working properly.
Bug Fix: Removed restrictions in the "Filter Long URL Strings" feature that
were unrelated to request length.
Bug Fix: Corrected a settings description typo in Global Settings.
Bug Fix: Fixed bug that could result in issues authenticating over XML-RPC
when the WordPress Tweaks > Multiple Authentication Attempts per XML-RPC Request
setting is set to "Block".
Misc: Added placeholder for the Version Management module of iThemes Security
Pro.
Misc: Updated build number to trigger some updates.
5.6.3 - 2016-10-11 - Chris Jean
Bug Fix: Removed the "Wget" user agent from the Hack Repair blacklist as it
can block wp-cron jobs on some hosts.
Bug Fix: Fixed error "PHP message: PHP Fatal error: 'continue' not in the
'loop' or 'switch' context".
Enhancement: Added new Daily Digest email design.
5.6.4 - 2016-10-14 - Chris Jean
Bug Fix: Fixed issue that reported invalid counts for host and user lockouts
in the daily digest email.
Bug Fix: Fixed issue that caused the daily digest email to be sent every day,
even if no lockouts occurred and no file changes were found.
Bug Fix: Fixed issue that could prevent saving of File Change settings,
resulting in an error messages of "A validation function for file-change received
data that did not have the required entry for latest_changes."
Bug Fix: Fixed iThemes Security Pro logo appearing in daily digest emails.
5.7.0 - 2016-10-31 - Chris Jean
Bug Fix: Fixed data save issue that could cause multiple notification emails
to be sent in a short period of time.
Bug Fix: Fixed issue that could cause the malware scanner to fail on sites
that change the arg_separator.output php.ini value from its default value.
Bug Fix: Removed redundant entries in the HackRepair blacklist.
Bug Fix: Enabling Protect System Files in System Tweaks will now only block
install.php for the current site. This fixes the issue where the setting can block
installation of a site in a subdirectory.
Bug Fix: Fixed problem that could cause requests for iThemes Security data
from iThemes Sync to fail due to large amounts of log entries.
Bug Fix: Scheduled backups now run if the ITSEC_BACKUP_CRON define is set
with a non-boolean value.
Bug Fix: Replaced static references to wp-includes with the WPINC define.
Bug Fix: Moved blocking of query strings containing %0[0-9A-F] characters
from the Non-English Characters setting to the Suspicious Query Strings setting as
those characters are control code characters and are not associated with a
language.
Bug Fix: Added escaping to some translation strings.
Bug Fix: Removed unused files from the WordPress Tweaks module directory.
Bug Fix: Fixed the Daily Digest email reversing the user and host lockout
counts.
Bug Fix: The database backup email no longer sends from the email address
configured in Settings > General. It now defaults to the same from address that the
wp_mail() function uses. This will fix the mail being blocked by some mail servers
due to a spoofed from address.
Enhancement: Updated the server config rules generated by the System Tweaks
settings. They are now more consistent between Apache, LiteSpeed, and nginx. They
are also more efficient and have been improved to limit accidentally blocking non-
targeted requests.
Enhancement: Updated the database backup email to a new design.
Enhancement: Added a note that the Filter Request Methods setting in System
Tweaks should not be enabled if the WordPress REST API is used. This is becasue the
DELETE HTTP method is blocked when the setting is enabled.
New Feature: Added setting to block requests for PHP files in the plugins
directory in System Tweaks.
New Feature: Added setting to block requests for PHP files in the themes
directory in System Tweaks.
5.7.1 - 2016-11-16 - Chris Jean
Bug Fix: Remote IP is now correctly identified if the server is behind a
reverse proxy that sends requests with more than one IP listed in a single header.
Bug Fix: Fixed the link for a user in the logs page so that it properly works
on sites that are inside a subdirectory.
Bug Fix: Improved how Strong Password Enforcement works on password resets to
improve compatibility with various plugins.
Bug Fix: Improved the logic for determining whether a user should have Strong
Password Enforcement applied. This covers situations where the user may have a
custom role, a customized default role, or added capabilities beyond their role.
Enhancement: Improved the logic for determing the requesting IP address to
better handle situations where the site is behind a reverse proxy.
Enhancement: Strong Password Enforcement now uses a PHP port of zxcvbn to
ensure that a strong password was selected.
Enhancement: All links in Security that have target="_blank" now have added
rel attributes to protect against tabnapping.
Misc: Updated remaining ip-lookup.net links to instead link to traceip.net in
keeping with other links that were previously updated to traceip.net.
5.8.0 - 2016-11-29 - Chris Jean
Enhancement: Updated the lockouts notification email to a new design. This
new design also cleaned up the translation strings to allow better translations.
New Feature: Added a "Protect Against Tabnapping" feature in the WordPress
Tweaks section. Details of what this feature protects against can be found here:
https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-
vulnerability-ever/
Misc: Updated the description for the Lockout Period setting to indicate that
the default value of 15 minutes is recommended.
5.8.1 - 2016-12-06 - Chris Jean
Bug Fix: Fixed issue that could cause database backup emails to be sent
without the backup zip attached.
5.9.0 - 2016-12-08 - Chris Jean
New Feature: Added a "REST API" feature in the WordPress Tweaks section. This
new feature allows you to block or restrict access to the REST API.
6.0.0 - 2016-12-28 - Chris Jean
Bug Fix: Removed "comodo" from the list of user agents blocked by the
HackRepair.com blacklist. This ensures that Comodo's AutoSSL feature of cPanel/WHM
is able to function.
Updated Feature: Updated the "REST API" feature in the WordPress Tweaks
section. The feature now has proper support for protecting privacy on your site
without preventing the REST API from functioning.
Enhancement: Updated Security Check to enforce setting the "REST API" setting
to "Restricted Access".
6.1.0 - 2017-02-07 - Chris Jean
Enhancement: Added logging for failed two-factor, OAuth, and REST API
authentications.
Enhancement: Added logging details about the source of login failures and the
type of authentication that failed.
Enhancement: Due to improvements in tracking authentication failures, brute
force attempts using alternate authentication methods are more reliably found and
blocked.
Enhancement: The server's IP is treated as whitelisted and will not be
considered for lockouts or bans.
Enhancement: Reduced memory usage when creating a backup.
Enhancement: Changed log entry description of "IP Flagged as bad by iThemes
IPCheck" to "IP Flagged by Network Brute Force Protection". This should help
clarify the meaning of the log entry.
Enhancement: Improved efficiency of the Network Brute Force Protection
feature.
Bug Fix: Fixed bug that prevented Network Brute Force Protection from working
properly on some sites.
6.1.1 - 2017-02-09 - Chris Jean
Bug Fix: Fixed bug that prevented Away Mode from activating on some sites.
6.2.0 - 2017-03-14 - Chris Jean
Enhancement: Improved plugin performance by reducing the number of queries
made on each page.
Enhancement: Reduced memory and CPU usage due to various code improvements.
Bug Fix: A database backup will no longer be created when first activating
the plugin.
Bug Fix: Added compatibility for MySQL strict mode in database creation
syntax.
Bug Fix: Removed warning about a "non well formed numeric value encountered"
in PHP 7.1.
Bug Fix: Modifications to wp-config.php, .htaccess, and nginx.conf files are
now properly re-added upon reactivation.
Bug Fix: Fixed full settings for Hide Backend being displayed after disabling
the feature and saving the settings.
Bug Fix: Enabling or disabling the Hide Backend feature will update the "Log
Out" link so that it works as expected without having to load a new page.
Bug Fix: Enabling or disabling the Hide Backend feature now properly updates
the .htaccess/nginx.conf file on enable and disable rather than at some future
point.
Bug Fix: Fixed issue that could cause improper database table creation on
multisite sites.
Bug Fix: Fixed a bug that could prevent settings from saving properly if the
site was migrated to a new server or a new home path on the server.
6.2.1 - 2017-03-23 - Chris Jean
Bug Fix: When a requesting IP address cannot be found, default to 127.0.0.1.
This fixes issues with some alternate cron setups.
Bug Fix: Having more than one iThemes Security modification in a .htaccess,
nginx.conf, or wp-config.php file will no longer result in having all the file
content between each section removed when updating the file.
Bug Fix: Modifications to the wp-config.php file added by W3 Total Cache now
have their Windows-style newlines preserved when iThemes Security updates the file.
6.3.0 - 2017-07-06 - Chris Jean & Timothy Jacobs
Important: The way that Hide Backend functions changes in this release.
Previously, if your Hide Backend Login Slug was wplogin, going to
example.com/wplogin would result in the URL remaining example.com/wplogin. The new
implementation of this feature results in a redirect to a URL that looks as
follows: example.com/wp-login.php?itsec-hb-token=wplogin. While this may not be
desireable for some users, this change was necessary to fix longstanding
compatibility issues with other plugins. Once you access the login page using the
Login Slug page, a cookie is set with an expiration time of one hour. As long as
the cookie remains, you can access example.com/wp-login.php without having to
access the Hide Backend Login Slug first. If you wish to confirm that Hide Backend
is working properly on your site, opening up a private browsing window is a quick
way to test without having to log out and clear cookies.
New Feature: Added support for iThemes Sync to run the Security Check feature
from inside the Sync service.
New Feature: Added support for the ITSEC_DISABLE_MODULES define.
Bug Fix: Removed warning: "Non-static method ITSEC_Setup::uninstall() should
not be called statically".
Bug Fix: Fixed the ability to manually enter a page number to navigate to on
the Security > Logs page.
Bug Fix: Fixed source of warning that could appear when creating a backup
while running a PHP version less than 5.4.
Bug Fix: Fixed source of notice that could appear when reseting a user's
password when the Strong Passwords Enforcement feature is enabled.
Bug Fix: Fixed bugs that prevented reporting of specific error messages
related to updating the wp-config.php file.
Bug Fix: Fixed an infinite loop that could occur when expiring a cookie and
Hide Backend is enabled.
Bug Fix: Fixed compatibility issue with the Jetpack plugin when Hide Backend
is enabled which could prevent Jetpack from redirecting users to the wordpress.com
login page.
Bug Fix: Fixed issue where access to wp-admin/admin-post.php when Hide
Backend is enabled.
Bug Fix: Fixed issue that could prevent "Register" and "Lost your password?"
links from working properly on the login page when Hide Backend is enabled.
Bug Fix: Fix fatal error when updating a profile.
Bug Fix: Fix strong passwords not being recognized as strong on the profile
page.
Bug Fix: Fix fatal error when registering a new user without specifying a
role ( iThemes Exchange ).
Bug Fix: Compatability with JetPack SSO and Password Requirements.
Bug Fix: Ensure viewport meta is defined when loading the password
requirements update password form.
Bug Fix: Hide Backend is now compatible with Jetpack Single Sign On.
Bug Fix: Hide Backend now hides registration pages on multisite sites.
Bug Fix: Fixed password-protected posts not properly handling the password
when Hide Backend is enabled.
Enhancement: Removed AhrefsBot from the HackRepair blacklist as they are
legitimate bot.
Enhancement: Improved efficiency of Hide Backend code, increasing site
performance when the feature is enabled.
Enhancement: Enforce strong passwords during log-in. Can be disabled via the
ITSEC_DISABLE_PASSWORD_REQUIREMENTS constant.
Enhancement: Use canonical roles library to determine if a new user or an
updated role requires a strong password.
Enhancement: Introduce password requirements module to centralize handling of
password updates.
Enhancement: The Hide Backend hidden login URL is no longer leaked by
password-protected content.
Enhancement: Allow for searching through modules and settings.
Enhancement: Link to other module settings pages without forcing the page to
refresh.
Enhancement: Fire an action, "itsec_change_admin_user_id", when the admin
user id changes.
Enhancement: Changed default Hide Backend Register Slug from wp-register.php
to wp-signup.php since WordPress switched from using wp-register.php to wp-
signup.php for registrations. This will not affect existing sites.
Enhancement: Hide Backend functions purely in PHP code now rather than
relying half on PHP code and half on .htaccess and nginx.conf modifications. This
allows Hide Backend to function on web servers and server configurations that it
was previously not compatible with.
Misc: Updated or added phpDoc to many functions.
Misc: Updated Disable File Locking description.
Enhancement: Replaced file locking with database locking. This method of
locking is compatible with all systems as it does not require the ability to write
files. It also allows for locking to work on sites that have multiple front-end
servers with a shared database. Since file locking is no longer used, the Global
Settings > Disable File Locking setting was removed.
Enhancement: Add "Copy to Clipboard" functionality for server and wp-config
rules.
Bug Fix: Prevent 404s when following links in email notifications on a site
with Hide Backend enabled.
Bug Fix: Ensure uninstall process is not run when another version of iThemes
Security is still active.
Bug Fix: Fixed method of working around Hide Backend.
Bug Fix: Warnings are no longer generated when saving a user profile with a
role of "No role for this site" selected.
Enhancement: Simplified the SSL module to offer a simple Enable/Disable
setting and simplified explanations. The legacy settings are available by selecting
Advanced.
Enhancement: Added the itsec-get-ip filter to allow code to supply the remote
IP directly.
Enhancement: Enabling SSL support will only log you out if you are not
already on an https connection.
Enhancement: Improve password requirements compatibility with plugins and
systems that integrate with WordPress Users.
Removed Old Feature: Removed the "Replace jQuery With a Safe Version" feature
as its use (protecting against a specific jQuery bug:
https://bugs.jquery.com/ticket/9521) is many years old and is no longer a concern.
Bug Fix: Bumped version number of some scripts to ensure that they refresh
properly.
Bug Fix: Fixed way to work around Hide Backend on some hosts.
Bug Fix: Fixed logical error that prevented backups from executing.
Bug Fix: Fixed issue that could cause database locks to flood the database.
New Feature: Added a new setting in WordPress Tweaks: "Login with Email
Address or Username".
Enhancement: Host email images from the plugin instead of relying on iThemes
servers to help email clients marking messages as spam or blocking images.
Bug Fix: Error when searching for modules preventing modules from appearing.
Bug Fix: Use the wp_options table when acquiring locks in Multisite.
Bug Fix: Prevent duplicate daily digest emails on sites with high load.
Misc: Added Magic Links, a new Pro-only feature, to be activated by Security
Check.
Misc: Rearranged modules to be listed alphabetically.
Bug Fix: Fixed SQL query bug that resulted in the "Minutes to Remember Bad
Login (check period)" setting being ignored.
Bug Fix: Fixed bug that prevents wp-admin/install.php blocking from working
properly on nginx servers.
Bug Fix: Don't attempt to do an SSL redirect when WP CLI is running.
New Feature: Introduces the Notification Center, a centralized place to
manage and customize email notifications sent by iThemes Security.
Enhancement: Updated queries and prepare statements to account for changes to
the esc_sql() function in WordPress 4.8.3.
Bug Fix: Corrected some Javascript and CSS links not generating correctly on
Windows servers.
New Feature: Introduces a scheduling framework for handling events. Cron is
now used by default, and will switch to using an alternate scheduling system if it
detects an error. To disable this detection set ITSEC_DISABLE_CRON_TEST in your wp-
config.php file.
Important: The ITSEC_FILE_CHECK_CRON and ITSEC_BACKUP_CRON constants have
been deprecated. Use ITSEC_USE_CRON instead.
Enhancement: Preserve notification settings when the responsible module is
deactivated.
Bug Fix: Process 404 lockouts on the 'wp' hook to prevent a headers have
already been sent warning message.
Bug Fix: Ensure Hide Backend emails are properly sent when activating Hide
Backend before saving the Notification Center for the first time.
Bug Fix: Prevent warning from being issued on new installs by allowing
previous settings to be preserved if they exist.
Bug Fix: Better handle WP_Error objects in mail errors that occurred before
updating to first patch release.
Bug Fix: A non static method was being called statically.
Bug Fix: Fix occasional duplicate backups and file scans.
Bug Fix: Fixed issue where scheduled events could repeat on sites that do not
properly support WordPress's cron system.
Bug Fix: Reactivating Away Mode now replaces the active file if you had
previously removed it.
Bug Fix: Ensure lockouts take effect immediately, even on systems where
changes to server configuration files do not take effect immediately.
Enhancement: Display user lockouts in Lockout Sidebar.
Bug Fix: Load translations on the plugins_loaded hook.
Bug Fix: Fixed method that could be used to discover hidden login slug on
some sites.
Bug Fix: Fixed issue that could prevent Sync from loading Malware Scan
results if a scan previously failed.
Bug Fix: Update to the REST API "Restricted Access" feature to protect
against methods to work around the restricted access.
Bug Fix: Prevent login page being hidden when following the "Confirm Email
Address" notification URL.
Bug Fix: Hide Backend notifications not being properly sent when first
enabled.
Enhancement: Updated logging system to keep track of more information and
have more options to filter and sort log entries.
Enhancement: Improved efficiency of File Change Detection scanning.
Bug Fix: Fixed issue that could register loading the logging page as a failed
login attempt on some sites.
Security Fix: Fixed display of unescaped data on logs page.
Enhancement: The logging system now differentiates between WP-CLI commands,
WP-Cron scheduled events, and normal page requests.
Bug Fix: Fixed the File Change scanner in that it previously could fail to
exclude selected directories on some systems.
Bug Fix: Fixed situation that could cause lockout notifications being sent
for whitelisted IPs.
Bug Fix: Fixed issue where saving Global Settings would be blocked by an
unwritable "Path to Log Files" path when the "Log Type" is set to "Database Only".
Bug Fix: Fixed issue that prevented log database entries from purging and log
file entries from rotating on a schedule.
New Feature: Added support for the new WordPress privacy features.
Enhancement: Added minimal API for adding additional entries to the Security
admin menu.
Enhancement: File Change Scan uses a new batching mechanism to prevent
crashing on hosts but still generating only one report per-day.
Enhancement: Introduce Distributed Storage framework for reducing the amount
of data stored in the WordPress options table. This should improve performance for
large sites using File Change.
Enhancement: Introduced Login Interstitial framework to consolidate code
between Password Requirements & Two Factor.
Bug Fix: Added ability to show object data for classes that are not loaded to
the Logs page.
Bug Fix: Changed the rules generated by the Filter Suspicious Query Strings
feature in order to avoid blocking privacy export/erasure request confirmations.
Bug Fix: Ensure all users with the `manage_options` capability are available
when selecting contacts in the Notification Center.
Bug Fix: Fix clearing or previous file scans results.
Bug Fix: Fix warnings on debug file change log items.
Bug Fix: Fixed logging system references to "fatal-error" that should be
"fatal".
Bug Fix: Improve File Change recovery system on high-traffic websites.
Bug Fix: Improve clearing of previous File Change file hashes.
Bug Fix: Improved detection of REST API requests on sites without a home dir.
Bug Fix: Internal links to a filtered logs page.
Bug Fix: Prevent PHP warning about converting an array to a string when
adding notification data.
Bug Fix: Prevent PHP warning when completing database backups that are not
emailed to any recipients.
Bug Fix: Properly enforce strong passwords when on the WP Login Reset
Password page.
Bug Fix: Resolve warnings when upgrading file change settings.
Minor: File Scan "chunk" option is removed.
Minor: Make recovering file scan log smaller.
Minor: Page Load Scheduler: Unschedule single events before running them.
This mirrors the behavior of the WP Cron scheduler.
Minor: Security Digest now includes all lockouts that have occurred since the
last email.
Minor: Shrink storage size of file scans.
Minor: Specifying a manual file scan list has been removed.
Minor: Track raw memory used by the file change scanner as well.
Minor: Updated list of File Change excluded file types to include more media
extensions.
Misc: Added comment to prevent Tide from marking the plugin as not compatible
with PHP 5.3.
Tweak: Add description for File Change recovery related logs.
Tweak: Don't report removed files if the removal is caused by a new file
extension being excluded.
Tweak: File Change: Move "latest_changes" entry to a separate storage bucket
to improve performance on large sites.
Tweak: File Change: Only scan a maximum of 10 plugins in a single chunk.
Bug Fix: Fixed an "Uncaught Error: Call to undefined function esc_like()"
error that could occur when exporting or erasing personal data.
Bug Fix: Skip recovery if File Change storage is empty.
Enhancement: Add UI to cancel in progress File Scan.
Enhancement: Add basic admin debug page to help diagnosing and resolving
issues. Particularly with the events.
Enhancement: Add debug settings JSON editor.
Enhancement: Continually evaluate password strength for users instead of only
during registration.
Enhancement: Introduce Password Requirements module for managing and
enforcing password requirements.
Bug Fix: Accessing password requirement settings would not resolve properly
in some instances.
Bug Fix: Away Mode would not lock out users who were already logged-in during
the "away" period.
Bug Fix: Enforce the Strong Passwords requirement during Security Check.
Bug Fix: Ensure scheduling lock is cleared by the Cron Scheduler when not
proceeding with running events.
Bug Fix: If a password requirement has been disabled or is no longer
available, don't consider the password as needing a change.
Bug Fix: Only hide "Acknowledge Weak Password" checkbox if the user was not
allowed to use a weak password.
Bug Fix: Password strength would not be evaluated if password was set using
custom PHP or CLI commands.
Bug Fix: Prevent File Change from getting stuck in an infinite rescheduling
loop on the first step.
Bug Fix: Remove distributed storage table on uninstall.
Tweak: Don't write to the tracked files setting if the file hash has not
changed.
Tweak: If no last password change date is recorded for the user, treat their
registration date as the last change date.
Security Fix: Fixed SQL injection vulnerability in the logs page. Note: Admin
privileges are required to exploit this vulnerability. Thanks to Çlirim Emini,
Penetration Tester at sentry.co.com, for reporting this vulnerability.
Bug Fix: Provide default values for enabled requirements.
Enhancement: Add mitigation for the WordPress Attachment File Traversal and
Deletion vulnerability.
Tweak: Fire a WordPress action whenever settings are updated.
Bug Fix: Improved input sanitization on the logs page to prevent triggering
warnings.
New Feature: Allow for globally setting recipients for admin-targeted
notifications. All new notifications will default to the recipients in this list.
Notifications can be set to use the default list or switch to a custom list.
Enhancement: Added a setting to enable/disable the Grade Report feature of
Pro.
Tweak: Check if an IP is blacklisted on page load for compatibility with
servers that cannot process server configuration level bans immediately.
Tweak: Display a time diff until the next event on the Debug page.
Tweak: Use Logging API for tracking Notification Center errors.
Tweak: Register Scheduler Events whenever the plugin build changes.
Tweak: Allow for filtering logs by any module recorded.
Tweak: Account for 3rd-party Backup Plugin in Security Check.
Bug Fix: 404 detection for plugins that mark is_404 later in the hook
sequence.
Bug Fix: REST API Protection blocked the Taxonomies route for all users.
Bug Fix: Account for any CLI PHP SAPI instead of just WP-CLI in the SSL
Module.
Bug Fix: Fixed how the Grade Report enable/disable status is stored to fix
admin page loading issues on some sites.
Bug Fix: Fix serialization of closure error when a plugin registering a hook
with a closure is in the boot-up stack and the notification center is triggered too
early in the cycle.
Enhancement: Allow for selecting the particular Proxy header a server is
configured to use. Improve the language to indicate the importance of configuring
this setting. H/t Filippo Cavallarin CEO at wearesegment.com
Enhancement: Block access to git and svn repositories when System Tweaks ->
Protect System Files is enabled.
Tweak: Update jQuery Validation library to 1.17.0
Bug Fix: Improve detection of blocking the File Change Scan from being
scheduled if one is already being run.
Bug Fix: Prevent infinite recursion error when trying to access directories
outside of the allowed file tree.
Enhancement: Add Per-Content SSL toggle to the upcoming Block Editor
interface.
Enhancement: Add filter to the recipients list for email notifications:
"itsec_notification_{$notification}_email_recipients" and
"itsec_notification_email_recipients".
Enhancement: Add define "ITSEC_DISABLE_TEMP_WHITELIST" to disable the
Temporary IP Whitelisting for logged-in administrators.
Enhancement: Improve redirecting after processing a login interstitial from a
front-end login form.
Enhancement: Add loopback IP detection to Security Check.
Enhancement: Detect Server IPs in Security Check.
Tweak: Add additional safety checks when writing to system config files. This
will log a "Critical Issue" when the writing of an empty or partial config file is
detected and prevented.
Tweak: Improve File Change locking to help prevent failing scans on sites
with inconsistent cron scheduling.
Tweak: Improve "System Tweaks – Suspicious Query Strings – SQLI" to reduce
false positives.
Tweak: Improve "System Tweaks – Disable PHP" to block PHP files in apache
configurations that serve files with a trailing dot.
Tweak: Remove "Seznam Bot" from HackRepair List as it isn't present in the
latest version.
Bug Fix: Include Hide Backend token when emailing a password reset URL.
Bug Fix: Notification Center - Only send notifications to users with an exact
role match of selected roles instead of a fuzzy match based on selected
capabilities.
Bug Fix: Error when trying to edit reusable blocks with per-post SSL enabled.
Bug Fix: Resolve warnings on PHP 5.2.
Enhancement: When ITSEC_DISABLE_MODULES is set, prevent hide backend from
running.
Bug Fix: Tabnapping: Apply noopener to links instead of using blankshield
script when available to prevent new pop-up blocker behavior from killing the
links.
Tweak: Allow the log description column to word break for URLs or other
strings with no spaces.
Bug Fix: Hide Backend bypass on certain Apache configurations.
Bug Fix: Properly return error that occurs during a backup.
Bug Fix: Regex warning on PHP 7.3 in the File Change module.
Bug Fix: Resolve warning when a user is set to "No Role".
Bug Fix: Hide backend bypass.
New: iThemes Security Admin Notices are now conveniently located in the new
Security Messages Menu. Check your notices in the Security menu on the WordPress
Admin Bar.
Enhancement: Add Security Message when a Notification Center email fails to
send.
Enhancement: Replace Trace IP with IP Tracker Online.
Tweak: Remove 'DELETE' method from "System Tweaks -> Filter Request Methods"
Enhancement: New iThemes Sync Verb support for File Change.
Tweak: Add additional information about the login attempt when calling the
Network Brute Force API.
Bug Fix: Hide Backend Bypass.
Bug Fix: Strict Standards error during Sync request.
Bug Fix: wp_die() if a login interstitial session fails to be created instead
of throwing a fatal error.
7.5.0 - 2019-11-13 - Timothy Jacobs
Breaking Change: iThemes Security requires PHP 5.4 or later.
Enhancement: New Lockout Template screen.
Enhancement: Add confirmation button to Login Interstitial Async Actions when
on a different device.
Enhancement: Add filter to "Lookup IP" link.
Developer Note: There were significant changes to the internals of the
iThemes Security Lockout API in this release. If you are using the ITSEC_Lockout
class directly, all the API functions will continue to work, but will emit
deprecation notices when legacy behavior is being used. Please update any
integrations.
Bug Fix: Brute Force module reporting invalid logins using an email address
incorrectly.
Bug Fix: Improve lockout compatibility with caching plugins.
Bug Fix: Fix admin notice not being dismissed due to a REST API route that
was more narrowly defined than necessary.
Bug Fix: Admin Notices list did not refresh after dismissing a notice.
Bug Fix: Strong Passwords zxcvbn Library was not evaluating penalty strings
correctly.
Bug Fix: Fix PHP warning if there are multiple detected proxy headers.
7.6.0 - 2019-12-09 - Timothy Jacobs
Breaking Change: iThemes Security requires PHP 5.5 or later.
New Feature: iThemes Security now includes Security Check Pro to
automatically and correctly determine your visitors IP addresses. Enable this scan
by running Security Check and opting in to Security Check Pro or activate the
Security Check Pro module in Advanced Modules. H/t Jeremy Voisin
Enhancement: Run Security Check Pro IP Detection automatically once a day.
Enhancement: Manually re-run Security Check Pro IP Detection from the Global
Settings page.
7.6.1 - 2019-12-10 - Timothy Jacobs
Bug Fix: Properly notate that iThemes Security requires PHP 5.5 or greater.

History

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

History

Caricato da

Copyright:

Formati disponibili

4.0.

0 - 2014-03-25 - Chris Wiegman

Potrebbero piacerti anche