
=== iThemes Security (formerly Better WP Security) ===

Contributors: ithemes, chrisjean, mattdanner, timothyblynjacobs


Tags: security, security plugin, malware, hack, secure, block, SSL, admin,
htaccess, lockdown, login, protect, protection, anti virus, attack, injection,
login security, maintenance, permissions, prevention, authentication,
administration, password, brute force, ban, permissions, bots, user agents, xml
rpc, security log
Requires at least: 4.7
Tested up to: 5.3
Stable tag: 7.6.1
Requires PHP: 5.5
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

== License ==
Released under the terms of the GNU General Public License.

== Description ==

= iThemes Security is the #1 WordPress Security Plugin =

iThemes Security (formerly Better WP Security) gives you more than 30 ways to
secure and protect your WordPress site. On average, 30,000 new websites are hacked
each day. WordPress sites can be an easy target for attacks because of plugin
vulnerabilities, weak passwords and obsolete software.

Most WordPress admins don't know they're vulnerable, but iThemes Security works to
lock down WordPress, fix common holes, stop automated attacks and strengthen user
credentials. With advanced features for experienced users, our WordPress security
plugin can help harden WordPress.

= Maintained and Supported by iThemes =

iThemes has been building and supporting WordPress tools since 2008, such as
BackupBuddy, our <a href="http://ithemes.com/purchase/backupbuddy">WordPress backup
plugin</a>. With our full range of WordPress <a
href="http://ithemes.com/find/plugins/">plugins</a>, <a
href="http://ithemes.com/find/themes/">themes</a> and <a
href="http://ithemes.com/training">training</a>, WordPress security is the next
step in providing you with everything you need to build the WordPress web.

= Get Plugin Support and Pro Features =

Get added peace of mind with professional support from our expert team and pro
features to take your site's security to the next level with <a
href="http://ithemes.com/security">iThemes Security Pro</a>.

Pro Features:

* Two-Factor Authentication - Use a mobile app such as Google Authenticator or
Authy to generate a code or have a generated code emailed to you.
* WordPress Salts & Security Keys - The iThemes Security plugin makes updating your
WordPress keys and salts easy.
* Malware Scan Scheduling - Have your site scanned for malware automatically each
day. If an issue is found, an email is sent with the details.
* Password Security - Generate strong passwords right from your profile screen.
* Password Expiration - Set a maximum password age and force users to choose a new
password. You can also force all users to choose a new password immediately (if
needed).
* Google reCAPTCHA - Protect your site against spammers.
* User Action Logging - Track when users edit content, login or logout.
* Import/Export Settings - Saves time setting up multiple WordPress sites.
* Dashboard Widget - Manage important tasks such as user banning and system scans
right from the WordPress dashboard.
* Online File Comparison - When a file change is detected it will scan the origin
of the files to determine if the change was malicious or not. Currently works only
in WordPress core but plugins and themes are coming.
* Temporary Privilege Escalation - give a contractor or someone else temporary
admin or editor access to your site that will automatically reset itself.
* wp-cli Integration - Manage your site's security from the command line.

= iThemes Sync Integration =

Manage more than one WordPress site? Manage Away Mode, release lockouts and keep
your themes, plugins and WordPress core up to date from one dashboard with iThemes
Sync. <a href="http://ithemes.com/sync/">Start managing 10 WordPress sites for free
with iThemes Sync</a>.

= iThemes Brute Force Attack Protection Network =

iThemes Security takes brute force attack protection to the next level by banning
users who have tried to break into other sites from breaking into yours. The
iThemes Brute Force Attack Protection Network will automatically report IP
addresses of failed login attempts and will block them for a length of time
necessary to protect your site based on the number of sites that have seen a
similar attack.

= Protect =

iThemes Security works to protect your site by blocking bad users and increasing
the security of passwords and other vital information.

* Prevents brute force attacks by banning hosts and users with too many invalid
login attempts
* Scans your site to instantly report where vulnerabilities exist and fixes them in
seconds
* Bans troublesome user agents, bots and other hosts
* Strengthens server security
* Enforces strong passwords for all accounts of a configurable minimum role
* Forces SSL for admin pages (on supporting servers)
* Forces SSL for any page or post (on supporting servers)
* Turns off file editing from within WordPress admin area
* Detects and blocks numerous attacks to your filesystem and database

= Detect =

iThemes Security monitors your site and reports changes to the filesystem and
database that might indicate a compromise. iThemes Security also works to detect
bots and other attempts to search vulnerabilities.

* Detects bots and other attempts to search for vulnerabilities.
* Monitors the filesystem for unauthorized changes.
* Runs a scan for malware and blacklists on the homepage of your site.
* Sends email notifications when someone gets locked out after too many failed
login attempts or when a file on your site has been changed.

= Obscure =
iThemes Security hides common WordPress security vulnerabilities, preventing
attackers from learning too much about your site and keeping them away from
sensitive areas such as your site's login and admin pages.

* Changes the URLs for WordPress dashboard areas including login, admin and more
* Completely turns off the ability to login for a given time period (away mode)
* Removes theme, plugin, and core update notifications from users who do not have
permission to update them
* Removes Windows Live Write header information
* Removes RSD header information
* Renames "admin" account
* Changes the ID on the user with ID 1
* Changes the WordPress database table prefix
* Changes wp-content path
* Removes login error messages

= Recover =

iThemes Security makes regular backups of your WordPress database, allowing you to
get back online quickly in the event of an attack. Use iThemes Security to create
and email database backups on a customizable schedule.

For complete site backups and the ability to restore or move WordPress to a new
host or domain, check out <a
href="http://ithemes.com/purchase/backupbuddy">BackupBuddy</a>.

= Other WordPress Security Benefits =

* Makes it easier for users not accustomed to WordPress to remember login and admin
URLs by customizing default admin URLs
* Detects hidden 404 errors on your site that can affect your SEO such as bad links
and missing images

= WordPress Security Tutorials =

Learn how to use our WordPress security plugin with our series of <a
href="http://ithemes.com/tutorial/category/ithemes-security/">in-depth tutorial
videos</a>:

* <a href="http://ithemes.com/tutorials/getting-started-ithemes-security-part-1/">Getting Started</a>
* <a href="http://ithemes.com/tutorials/getting-started-ithemes-security-part-2-global-settings/">Global Settings</a>
* <a href="http://ithemes.com/tutorials/getting-started-ithemes-security-part-3-404-detection/">404 Detection</a>
* <a href="http://ithemes.com/tutorials/getting-started-ithemes-security-part-4-away-mode/">Away Mode</a>
* <a href="http://ithemes.com/tutorials/getting-started-ithemes-security-part-5-banned-users/">Banned Users</a>
* <a href="http://ithemes.com/tutorials/getting-started-ithemes-security-part-6-brute-force-protection/">Brute Force Protection</a>

= Compatibility =

* Works on multi-site (network) and single site installations
* Works with Apache, LiteSpeed or NGINX (Note: NGINX will require you to manually
edit your virtual host configuration)
* Features like database backups and file checks can be problematic on servers
without a minimum of 64MB of RAM. All testing servers allocate 128MB to WordPress
and usually don't have any other plugins installed.

= Translations =

* Spanish by <a href="http://www.webhostinghub.com/">Andrew Kurtis</a>

Please <a href="http://ithemes.com/contact" target="_blank">let us know</a> if you
would like to contribute a translation.

= Warning =

Please read the installation instructions and FAQ before installing this WordPress
security plugin. iThemes Security makes significant changes to your database and
other site files which can be problematic, so a backup is strongly recommended
before making any changes to your site with this plugin. While problems are rare,
most support requests involve the failure to make a proper backup before
installation.

== Installation ==

NOTE: iThemes Security makes significant changes to your database and other site
files which can be problematic, so a backup is strongly recommended before making
any changes to your site with this plugin. While problems are rare, most support
requests involve the failure to make a proper backup before installation.

1. BEFORE YOU BEGIN: Back up your WordPress database, config file, and .htaccess
file. We recommend using <a
href="http://ithemes.com/purchase/backupbuddy">BackupBuddy</a>, our WordPress
backup plugin for a complete site backup.
2. Upload the zip file to the `/wp-content/plugins/` directory
3. Unzip
4. Activate the plugin through the 'Plugins' menu in WordPress
5. Visit the Security menu for checklist and options

DISCLAIMER: Under no circumstances do we release this plugin with any warranty,
implied or otherwise. We cannot be held responsible for any damage that might arise
from the use of this plugin.

== Frequently Asked Questions ==

= Why does iThemes Security require the latest WordPress version? Can't I use a slightly older version? =

* One of the best security practices for a WordPress site owner is keeping software
up to date. Because of this, we only test this plugin on the latest stable version
of WordPress and will only guarantee it works in the latest version.

= Will this plugin completely stop all attacks on my site? =

* No. iThemes Security is designed to help improve the security of your WordPress
installation from many common attack methods, but it cannot prevent every possible
attack. Nothing replaces diligence and good practice. This plugin makes it a little
easier for you to apply both.

= Is this plugin only for new WordPress installs or can I use it on existing sites, too? =

* Many of the changes made by this plugin are complex and can break existing sites.
While iThemes Security can be installed on either a new or existing site, we
strongly recommend making a <a href="http://ithemes.com/purchase/backupbuddy"
target="_blank">complete backup</a> of your existing site before applying any
features included in this plugin.

= Will this plugin work on all servers and hosts? =

* iThemes Security requires either Apache or LiteSpeed with mod_rewrite, or NGINX,
to work.
* While this plugin should work on all hosts running Apache or LiteSpeed with
mod_rewrite, or NGINX, it has been known to experience problems in shared hosting
environments where it runs out of resources such as available CPU or RAM. For this
reason, it is extremely important that you make a backup of your site before
installing on any existing site. If you run out of resources during an operation
such as renaming your database tables, you may need your backup to be able to
restore access to your site.
* Finally, please make sure you have adequate RAM if you plan to use the file
change detector or make large backups.

= Does this work with network or multisite installations? =

* Yes. We're in the process of developing more documentation, so we'll update this
as soon as it's ready.

= Can I help? =
* Of course! We are in constant need of testers. In addition, we can always use
help with translations for internationalization. <a
href="http://ithemes.com/contributing-to-ithemes-security/">For more information on
contributing to iThemes Security, visit this page</a>.

= What changes does this plugin make that can break my site? =
* iThemes Security makes significant changes to your database and other site files
which can be problematic for existing WordPress sites. Again, we strongly
recommended making a complete backup of your site before using this plugin. While
problems are rare, most support requests involve the failure to make a proper
backup before installation. DISCLAIMER: Under no circumstances do we release this
plugin with any warranty, implied or otherwise. We cannot be held responsible for
any damage that might arise from the use of this plugin.
* Note that renaming the wp-content directory will not update the path in existing
content. Use this feature only on new sites or in a situation where you can easily
update all existing links.
* <a href="http://ithemes.com/fixing-ithemes-security-lockouts/">Fixing iThemes
Security Lockouts</a>
* <a href="http://ithemes.com/what-is-changed-by-ithemes-security/">What is Changed
By iThemes Security</a>

= I've enabled the Enforce SSL option, and it broke my site. How do I get back in? =

* Open your wp-config.php file in a text editor and remove the following 2 lines:
* `define('FORCE_SSL_LOGIN', true);`
* `define('FORCE_SSL_ADMIN', true);`

= Where can I get help if something goes wrong? =

* Official support for this plugin is available for <a
href="http://ithemes.com/security/" target="_blank">iThemes Security Pro</a>
customers. Our team of experts is ready to help.

Free support may be available with the help of the community in the <a
href="http://wordpress.org/support/plugin/ithemes-security"
target="_blank">WordPress.org support forums</a> (Note: this is community-provided
support. iThemes does not monitor the WordPress.org support forums).

== Screenshots ==
1. WordPress security settings are organized into an easy-to-use dashboard.
2. Settings can also be managed in a list view.
3. Settings are easily configured and explained with descriptions.
4. Advanced WordPress security settings let you make more complex modifications to
your site.
5. Free malware scan powered by Sucuri SiteCheck.

== Changelog ==

= 7.6.1 =
* Bug Fix: Properly notate that iThemes Security requires PHP 5.5 or greater.

= 7.6.0 =
* Breaking Change: iThemes Security requires PHP 5.5 or later.
* New Feature: iThemes Security now includes Security Check Pro to automatically
and correctly determine your visitors' IP addresses. Enable this scan by running
Security Check and opting in to Security Check Pro, or activate the Security Check
Pro module in Advanced Modules. H/t Jeremy Voisin
* Enhancement: Run Security Check Pro IP Detection automatically once a day.
* Enhancement: Manually re-run Security Check Pro IP Detection from the Global
Settings page.

= 7.5.0 =
* Breaking Change: iThemes Security requires PHP 5.4 or later.
* Enhancement: New Lockout Template screen.
* Enhancement: Add confirmation button to Login Interstitial Async Actions when on
a different device.
* Enhancement: Add filter to "Lookup IP" link.
* Developer Note: There were significant changes to the internals of the iThemes
Security Lockout API in this release. If you are using the ITSEC_Lockout class
directly, all the API functions will continue to work, but will emit deprecation
notices when legacy behavior is being used. Please update any integrations.
* Bug Fix: Brute Force module reporting invalid logins using an email address
incorrectly.
* Bug Fix: Improve lockout compatibility with caching plugins.
* Bug Fix: Fix admin notice not being dismissed due to a REST API route that was
more narrowly defined than necessary.
* Bug Fix: Admin Notices list did not refresh after dismissing a notice.
* Bug Fix: Strong Passwords zxcvbn Library was not evaluating penalty strings
correctly.
* Bug Fix: Fix PHP warning if there are multiple detected proxy headers.

= 7.4.1 =
* Enhancement: New iThemes Sync Verb support for File Change.
* Tweak: Add additional information about the login attempt when calling the
Network Brute Force API.
* Bug Fix: Hide Backend Bypass.
* Bug Fix: Strict Standards error during Sync request.
* Bug Fix: wp_die() if a login interstitial session fails to be created instead of
throwing a fatal error.

= 7.4.0 =
* New: iThemes Security Admin Notices are now conveniently located in the new
Security Messages Menu. Check your notices in the Security menu on the WordPress
Admin Bar.
* Enhancement: Add Security Message when a Notification Center email fails to send.
* Enhancement: Replace Trace IP with IP Tracker Online.
* Tweak: Remove 'DELETE' method from "System Tweaks -> Filter Request Methods"

= 7.3.3 =
* Bug Fix: Hide backend bypass.

= 7.3.2 =
* Tweak: Allow the log description column to word break for URLs or other strings
with no spaces.
* Bug Fix: Hide Backend bypass on certain Apache configurations.
* Bug Fix: Properly return error that occurs during a backup.
* Bug Fix: Regex warning on PHP 7.3 in the File Change module.
* Bug Fix: Resolve warning when a user is set to "No Role".

= 7.3.1 =
* Enhancement: When ITSEC_DISABLE_MODULES is set, prevent hide backend from
running.
* Bug Fix: Tabnapping: Apply noopener to links instead of using blankshield script
when available to prevent new pop-up blocker behavior from killing the links.

= 7.3.0 =
* Enhancement: Add Per-Content SSL toggle to the upcoming Block Editor interface.
* Enhancement: Add filter to the recipients list for email notifications:
"itsec_notification_{$notification}_email_recipients" and
"itsec_notification_email_recipients".
* Enhancement: Add define "ITSEC_DISABLE_TEMP_WHITELIST" to disable the Temporary
IP Whitelisting for logged-in administrators.
* Enhancement: Improve redirecting after processing a login interstitial from a
front-end login form.
* Enhancement: Add loopback IP detection to Security Check.
* Enhancement: Detect Server IPs in Security Check.
* Tweak: Add additional safety checks when writing to system config files. This
will log a "Critical Issue" when the writing of an empty or partial config file is
detected and prevented.
* Tweak: Improve File Change locking to help prevent failing scans on sites with
inconsistent cron scheduling.
* Tweak: Improve "System Tweaks – Suspicious Query Strings – SQLI" to reduce false
positives.
* Tweak: Improve "System Tweaks – Disable PHP" to block PHP files in apache
configurations that serve files with a trailing dot.
* Tweak: Remove "Seznam Bot" from HackRepair List as it isn't present in the latest
version.
* Bug Fix: Include Hide Backend token when emailing a password reset URL.
* Bug Fix: Notification Center - Only send notifications to users with an exact
role match of selected roles instead of a fuzzy match based on selected
capabilities.
* Bug Fix: Error when trying to edit reusable blocks with per-post SSL enabled.
* Bug Fix: Resolve warnings on PHP 5.2.
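As an added example (not code from the iThemes Security plugin), the following must-use plugin shows how the recipient filters named in the 7.3.0 notes above can be used to guarantee that a dedicated security mailbox always receives admin-targeted notifications, while discarding malformed addresses. It assumes, unconfirmed by this readme, that the filters pass an array of e-mail address strings as their first argument and expect the same shape back; the mailbox address and the per-notification slug placeholder are hypothetical.

```php
<?php
/**
 * Added example, not part of the iThemes Security plugin.
 * Drop this file into wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Assumptions (not confirmed by the readme): both filters receive an array of
 * e-mail address strings and use the array returned by the callback.
 */

// Hypothetical dedicated mailbox; replace with your own.
const EXAMPLE_SECURITY_MAILBOX = 'security-alerts@example.com';

/**
 * Merge the dedicated mailbox into the recipient list, normalise case and
 * whitespace, de-duplicate, and drop anything that is not a syntactically
 * valid address so a mistyped setting cannot silently swallow an alert.
 *
 * @param mixed $recipients Whatever the filter passes (expected: array of strings).
 * @return string[] Cleaned recipient list.
 */
function example_itsec_add_security_mailbox( $recipients ) {
    if ( ! is_array( $recipients ) ) {
        $recipients = array();
    }
    $recipients[] = EXAMPLE_SECURITY_MAILBOX;

    $clean = array();
    foreach ( $recipients as $address ) {
        $address = strtolower( trim( (string) $address ) );
        if ( is_email( $address ) ) {        // WordPress core validator
            $clean[ $address ] = $address;   // keyed by address to de-duplicate
        }
    }
    return array_values( $clean );
}

// Applies to every admin-targeted notification.
add_filter( 'itsec_notification_email_recipients', 'example_itsec_add_security_mailbox' );

// Per-notification variant, using the dynamic hook name
// "itsec_notification_{$notification}_email_recipients". Replace NOTIFICATION_SLUG
// with the slug of the one notification you want to route; the slug is not
// given in this readme, so it is left as an obvious placeholder here.
// add_filter( 'itsec_notification_NOTIFICATION_SLUG_email_recipients', 'example_itsec_add_security_mailbox' );
```

Keeping the callback idempotent (the mailbox is added, then the whole list is de-duplicated) matters because both the global and the per-notification filter may run for the same message; hooking the same function on both will not produce duplicate addresses.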

= 7.2.0 =
* Enhancement: Allow for selecting the particular Proxy header a server is
configured to use. Improve the language to indicate the importance of configuring
this setting. H/t Filippo Cavallarin CEO at wearesegment.com
* Enhancement: Block access to git and svn repositories when System Tweaks ->
Protect System Files is enabled.
* Tweak: Update jQuery Validation library to 1.17.0
* Bug Fix: Improve detection of blocking the File Change Scan from being scheduled
if one is already being run.
* Bug Fix: Prevent infinite recursion error when trying to access directories
outside of the allowed file tree.

= 7.1.0 =
* New Feature: Allow for globally setting recipients for admin-targeted
notifications. All new notifications will default to the recipients in this list.
Notifications can be set to use the default list or switch to a custom list.
* Enhancement: Added a setting to enable/disable the Grade Report feature of Pro.
* Tweak: Check if an IP is blacklisted on page load for compatibility with servers
that cannot process server configuration level bans immediately.
* Tweak: Display a time diff until the next event on the Debug page.
* Tweak: Use Logging API for tracking Notification Center errors.
* Tweak: Register Scheduler Events whenever the plugin build changes.
* Tweak: Allow for filtering logs by any module recorded.
* Tweak: Account for 3rd-party Backup Plugin in Security Check.
* Bug Fix: 404 detection for plugins that mark is_404 later in the hook sequence.
* Bug Fix: REST API Protection blocked the Taxonomies route for all users.
* Bug Fix: Account for any CLI PHP SAPI instead of just WP-CLI in the SSL Module.
* Bug Fix: Fixed how the Grade Report enable/disable status is stored to fix admin
page loading issues on some sites.
* Bug Fix: Fix serialization of closure error when a plugin registering a hook with
a closure is in the boot-up stack and the notification center is triggered too
early in the cycle.

= 7.0.4 =
* Enhancement: Add mitigation for the WordPress Attachment File Traversal and
Deletion vulnerability.
* Tweak: Fire a WordPress action whenever settings are updated.
* Bug Fix: Improved input sanitization on the logs page to prevent triggering
warnings.

= 7.0.3 =
* Security Fix: Fixed SQL injection vulnerability in the logs page. Note: Admin
privileges are required to exploit this vulnerability. Thanks to Çlirim Emini,
Penetration Tester at sentry.co.com, for reporting this vulnerability.
* Bug Fix: Provide default values for enabled requirements.

= 7.0.2 =
* Enhancement: Add UI to cancel in progress File Scan.
* Enhancement: Add basic admin debug page to help diagnosing and resolving issues.
Particularly with the events.
* Enhancement: Add debug settings JSON editor.
* Enhancement: Continually evaluate password strength for users instead of only
during registration.
* Enhancement: Introduce Password Requirements module for managing and enforcing
password requirements.
* Bug Fix: Accessing password requirement settings would not resolve properly in
some instances.
* Bug Fix: Away Mode would not lock out users who were already logged-in during the
"away" period.
* Bug Fix: Enforce the Strong Passwords requirement during Security Check.
* Bug Fix: Ensure scheduling lock is cleared by the Cron Scheduler when not
proceeding with running events.
* Bug Fix: If a password requirement has been disabled or is no longer available,
don't consider the password as needing a change.
* Bug Fix: Only hide "Acknowledge Weak Password" checkbox if the user was not
allowed to use a weak password.
* Bug Fix: Password strength would not be evaluated if password was set using
custom PHP or CLI commands.
* Bug Fix: Prevent File Change from getting stuck in an infinite rescheduling loop
on the first step.
* Bug Fix: Remove distributed storage table on uninstall.
* Tweak: Don't write to the tracked files setting if the file hash has not changed.
* Tweak: If no last password change date is recorded for the user, treat their
registration date as the last change date.

= 7.0.1 =
* Bug Fix: Fixed an "Uncaught Error: Call to undefined function esc_like()" error
that could occur when exporting or erasing personal data.
* Bug Fix: Skip recovery if File Change storage is empty.

= 7.0.0 =
* New Feature: Added support for the new WordPress privacy features.
* Enhancement: Added minimal API for adding additional entries to the Security
admin menu.
* Enhancement: File Change Scan uses a new batching mechanism to prevent crashing
on hosts while still generating only one report per day.
* Enhancement: Introduce Distributed Storage framework for reducing the amount of
data stored in the WordPress options table. This should improve performance for
large sites using File Change.
* Enhancement: Introduced Login Interstitial framework to consolidate code between
Password Requirements & Two Factor.
* Bug Fix: Added ability to show object data for classes that are not loaded to the
Logs page.
* Bug Fix: Changed the rules generated by the Filter Suspicious Query Strings
feature in order to avoid blocking privacy export/erasure request confirmations.
* Bug Fix: Ensure all users with the `manage_options` capability are available when
selecting contacts in the Notification Center.
* Bug Fix: Fix clearing of previous file scan results.
* Bug Fix: Fix warnings on debug file change log items.
* Bug Fix: Fixed logging system references to "fatal-error" that should be "fatal".
* Bug Fix: Improve File Change recovery system on high-traffic websites.
* Bug Fix: Improve clearing of previous File Change file hashes.
* Bug Fix: Improved detection of REST API requests on sites without a home dir.
* Bug Fix: Internal links to a filtered logs page.
* Bug Fix: Prevent PHP warning about converting an array to a string when adding
notification data.
* Bug Fix: Prevent PHP warning when completing database backups that are not
emailed to any recipients.
* Bug Fix: Properly enforce strong passwords when on the WP Login Reset Password
page.
* Bug Fix: Resolve warnings when upgrading file change settings.
* Minor: File Scan "chunk" option is removed.
* Minor: Make recovering file scan log smaller.
* Minor: Page Load Scheduler: Unschedule single events before running them. This
mirrors the behavior of the WP Cron scheduler.
* Minor: Security Digest now includes all lockouts that have occurred since the
last email.
* Minor: Shrink storage size of file scans.
* Minor: Specifying a manual file scan list has been removed.
* Minor: Track raw memory used by the file change scanner as well.
* Minor: Updated list of File Change excluded file types to include more media
extensions.
* Misc: Added comment to prevent Tide from marking the plugin as not compatible
with PHP 5.3.
* Tweak: Add description for File Change recovery related logs.
* Tweak: Don't report removed files if the removal is caused by a new file
extension being excluded.
* Tweak: File Change: Move "latest_changes" entry to a separate storage bucket to
improve performance on large sites.
* Tweak: File Change: Only scan a maximum of 10 plugins in a single chunk.

= 6.9.2 =
* Bug Fix: Fixed situation that could cause lockout notifications being sent for
whitelisted IPs.
* Bug Fix: Fixed issue where saving Global Settings would be blocked by an
unwritable "Path to Log Files" path when the "Log Type" is set to "Database Only".
* Bug Fix: Fixed issue that prevented log database entries from purging and log
file entries from rotating on a schedule.

= 6.9.1 =
* Security Fix: Fixed display of unescaped data on logs page.
* Enhancement: The logging system now differentiates between WP-CLI commands,
WP-Cron scheduled events, and normal page requests.
* Bug Fix: Fixed the File Change scanner in that it previously could fail to
exclude selected directories on some systems.

= 6.9.0 =
* Enhancement: Updated logging system to keep track of more information and have
more options to filter and sort log entries.
* Enhancement: Improved efficiency of File Change Detection scanning.
* Bug Fix: Fixed issue that could register loading the logging page as a failed
login attempt on some sites.

= 6.8.1 =
* Enhancement: Display user lockouts in Lockout Sidebar.
* Bug Fix: Load translations on the plugins_loaded hook.
* Bug Fix: Fixed method that could be used to discover hidden login slug on some
sites.
* Bug Fix: Fixed issue that could prevent Sync from loading Malware Scan results if
a scan previously failed.
* Bug Fix: Update to the REST API "Restricted Access" feature to protect against
methods to work around the restricted access.
* Bug Fix: Prevent login page being hidden when following the "Confirm Email
Address" notification URL.
* Bug Fix: Hide Backend notifications not being properly sent when first enabled.

= 6.8.0 =
* New Feature: Introduces a scheduling framework for handling events. Cron is now
used by default, and will switch to using an alternate scheduling system if it
detects an error. To disable this detection set ITSEC_DISABLE_CRON_TEST in your
wp-config.php file.
* Important: The ITSEC_FILE_CHECK_CRON and ITSEC_BACKUP_CRON constants have been
deprecated. Use ITSEC_USE_CRON instead.
* Enhancement: Preserve notification settings when the responsible module is
deactivated.
* Bug Fix: Process 404 lockouts on the 'wp' hook to prevent a "headers already
sent" warning message.
* Bug Fix: Ensure Hide Backend emails are properly sent when activating Hide
Backend before saving the Notification Center for the first time.
* Bug Fix: Prevent warning from being issued on new installs by allowing previous
settings to be preserved if they exist.
* Bug Fix: Better handle WP_Error objects in mail errors that occurred before
updating to first patch release.
* Bug Fix: A non static method was being called statically.
* Bug Fix: Fix occasional duplicate backups and file scans.
* Bug Fix: Fixed issue where scheduled events could repeat on sites that do not
properly support WordPress's cron system.
* Bug Fix: Reactivating Away Mode now replaces the active file if you had
previously removed it.
* Bug Fix: Ensure lockouts take effect immediately, even on systems where changes
to server configuration files do not take effect immediately.

= 6.7.0 =
* New Feature: Introduces the Notification Center, a centralized place to manage
and customize email notifications sent by iThemes Security.
* Enhancement: Updated queries and prepared statements to account for changes to
the esc_sql() function in WordPress 4.8.3.
* Bug Fix: Corrected some Javascript and CSS links not generating correctly on
Windows servers.

= 6.6.1 =
* Bug Fix: Fixed SQL query bug that resulted in the "Minutes to Remember Bad Login
(check period)" setting being ignored.
* Bug Fix: Fixed bug that prevents wp-admin/install.php blocking from working
properly on nginx servers.
* Bug Fix: Don't attempt to do an SSL redirect when WP CLI is running.

= 6.6.0 =
* New Feature: Added a new setting in WordPress Tweaks: "Login with Email Address
or Username".
* Enhancement: Host email images from the plugin instead of relying on iThemes
servers, to help prevent email clients from marking messages as spam or blocking
images.
* Bug Fix: Error when searching for modules preventing modules from appearing.
* Bug Fix: Use the wp_options table when acquiring locks in Multisite.
* Bug Fix: Prevent duplicate daily digest emails on sites with high load.
* Misc: Added Magic Links, a new Pro-only feature, to be activated by Security
Check.
* Misc: Rearranged modules to be listed alphabetically.

= 6.5.1 =
* Bug Fix: Fixed logical error that prevented backups from executing.
* Bug Fix: Fixed issue that could cause database locks to flood the database.

= 6.5.0 =
* Enhancement: Simplified the SSL module to offer a simple Enable/Disable setting
and simplified explanations. The legacy settings are available by selecting
Advanced.
* Enhancement: Added the itsec-get-ip filter to allow code to supply the remote IP
directly.
* Enhancement: Enabling SSL support will only log you out if you are not already
on an https connection.
* Enhancement: Improve password requirements compatibility with plugins and
systems that integrate with WordPress Users.
* Removed Old Feature: Removed the "Replace jQuery With a Safe Version" feature as
its use (protecting against a specific jQuery bug:
https://bugs.jquery.com/ticket/9521) is many years old and is no longer a concern.
* Bug Fix: Bumped version number of some scripts to ensure that they refresh
properly.
* Bug Fix: Fixed a method that could be used to work around Hide Backend on some hosts.
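The 6.5.0 `itsec-get-ip` filter above, together with the 7.2.0 note on selecting the proxy header your server is configured to use, is the place where IP-based features (lockouts, bans, whitelists) get their notion of "who is the visitor". If a forwarding header is trusted unconditionally, any direct client can claim an arbitrary address. The following added example (not code from the iThemes Security plugin) supplies the IP through that filter only when the TCP peer is one of your own reverse proxies. It assumes, unconfirmed by this readme, that the filter passes the plugin's own detection result as its first argument and uses the string the callback returns; the proxy address list is hypothetical and must match your deployment.

```php
<?php
/**
 * Added example, not part of the iThemes Security plugin.
 *
 * Assumptions (not confirmed by the readme): the 'itsec-get-ip' filter passes the
 * IP the plugin detected on its own as the first argument and uses the returned
 * string. The proxy addresses below are hypothetical.
 */

/**
 * Hypothetical addresses of the reverse proxies that sit in front of PHP.
 * Only these peers are allowed to set X-Forwarded-For; anyone else connecting
 * directly has their header ignored.
 *
 * @return string[]
 */
function example_trusted_proxies() {
    return array( '10.0.0.5', '10.0.0.6' );
}

/**
 * Decide which address to treat as the client.
 *
 * X-Forwarded-For grows left to right: the original client first, then every
 * proxy appends the address that connected to it. Walking from the right and
 * skipping our own proxies yields the first address a trusted hop actually
 * saw, which is the only value a direct client cannot forge.
 *
 * @param string   $detected_ip     What the plugin detected; returned unchanged on any doubt.
 * @param array    $server          Usually $_SERVER, injectable for testing.
 * @param string[] $trusted_proxies Addresses allowed to set the header.
 * @return string A validated IP, or $detected_ip as a fallback.
 */
function example_client_ip_from_request( $detected_ip, array $server, array $trusted_proxies ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';

    // 1. The TCP peer must be one of our proxies; otherwise the header is
    //    attacker-controlled and must not be consulted at all.
    if ( ! in_array( $remote, $trusted_proxies, true ) ) {
        return $detected_ip;
    }

    // 2. Walk the chain from the right, skipping hops appended by our own proxies.
    $header = isset( $server['HTTP_X_FORWARDED_FOR'] ) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    $hops   = array_reverse( array_map( 'trim', explode( ',', $header ) ) );
    foreach ( $hops as $hop ) {
        if ( in_array( $hop, $trusted_proxies, true ) ) {
            continue; // added by one of ours, keep walking left
        }
        // 3. The first untrusted hop must parse as an IP (v4 or v6); anything
        //    else is garbage and we fall back rather than guess.
        if ( filter_var( $hop, FILTER_VALIDATE_IP ) !== false ) {
            return $hop;
        }
        break;
    }
    return $detected_ip;
}

add_filter( 'itsec-get-ip', function ( $detected_ip ) {
    return example_client_ip_from_request( $detected_ip, $_SERVER, example_trusted_proxies() );
} );
```

Because the function takes `$server` as a parameter, it can be exercised outside WordPress with a constructed array: with `REMOTE_ADDR` set to `10.0.0.5` and `HTTP_X_FORWARDED_FOR` set to `203.0.113.9, 10.0.0.6`, it returns `203.0.113.9`; with `REMOTE_ADDR` set to `198.51.100.7` (not a trusted proxy) the same header is ignored and the plugin's own detection result is returned. If your proxy already strips and rewrites the header, the plugin's own "Proxy header" setting is enough and this filter is unnecessary.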

= 6.4.0 =
* Enhancement: Replaced file locking with database locking. This method of locking
is compatible with all systems as it does not require the ability to write files.
It also allows for locking to work on sites that have multiple front-end servers
with a shared database. Since file locking is no longer used, the Global Settings >
Disable File Locking setting was removed.
* Enhancement: Add "Copy to Clipboard" functionality for server and wp-config
rules.
* Bug Fix: Prevent 404s when following links in email notifications on a site with
Hide Backend enabled.
* Bug Fix: Ensure uninstall process is not run when another version of iThemes
Security is still active.
* Bug Fix: Fixed method of working around Hide Backend.
* Bug Fix: Warnings are no longer generated when saving a user profile with a role
of "No role for this site" selected.

= 6.3.0 =
* Important: The way that Hide Backend functions changes in this release.
Previously, if your Hide Backend Login Slug was wplogin, going to
example.com/wplogin would result in the URL remaining example.com/wplogin. The new
implementation of this feature results in a redirect to a URL that looks as
follows: example.com/wp-login.php?itsec-hb-token=wplogin. While this may not be
desirable for some users, this change was necessary to fix longstanding
compatibility issues with other plugins. Once you access the login page using the
Login Slug, a cookie is set with an expiration time of one hour. As long as the
cookie remains, you can access example.com/wp-login.php without having to access
the Hide Backend Login Slug first. If you wish to confirm that Hide Backend is
working properly on your site, opening a private browsing window (which carries no
cookies) is a quick way to test without having to log out and clear cookies.
* New Feature: Added support for iThemes Sync to run the Security Check feature
from inside the Sync service.
* New Feature: Added support for the ITSEC_DISABLE_MODULES define.
* Bug Fix: Removed warning: "Non-static method ITSEC_Setup::uninstall() should not
be called statically".
* Bug Fix: Fixed the ability to manually enter a page number to navigate to on the
Security > Logs page.
* Bug Fix: Fixed source of warning that could appear when creating a backup while
running a PHP version less than 5.4.
* Bug Fix: Fixed source of notice that could appear when resetting a user's
password when the Strong Passwords Enforcement feature is enabled.
* Bug Fix: Fixed bugs that prevented reporting of specific error messages related
to updating the wp-config.php file.
* Bug Fix: Fixed an infinite loop that could occur when expiring a cookie and Hide
Backend is enabled.
* Bug Fix: Fixed compatibility issue with the Jetpack plugin when Hide Backend is
enabled which could prevent Jetpack from redirecting users to the wordpress.com
login page.
* Bug Fix: Fixed issue with access to wp-admin/admin-post.php when Hide Backend is
enabled.
* Bug Fix: Fixed issue that could prevent "Register" and "Lost your password?"
links from working properly on the login page when Hide Backend is enabled.
* Bug Fix: Fix fatal error when updating a profile.
* Bug Fix: Fix strong passwords not being recognized as strong on the profile
page.
* Bug Fix: Fix fatal error when registering a new user without specifying a role
(iThemes Exchange).
* Bug Fix: Compatibility with Jetpack SSO and Password Requirements.
* Bug Fix: Ensure viewport meta is defined when loading the password requirements
update password form.
* Bug Fix: Hide Backend is now compatible with Jetpack Single Sign On.
* Bug Fix: Hide Backend now hides registration pages on multisite sites.
* Bug Fix: Fixed password-protected posts not properly handling the password when
Hide Backend is enabled.
* Enhancement: Removed AhrefsBot from the HackRepair blacklist as it is a
legitimate bot.
* Enhancement: Improved efficiency of Hide Backend code, increasing site
performance when the feature is enabled.
* Enhancement: Enforce strong passwords during log-in. Can be disabled via the
ITSEC_DISABLE_PASSWORD_REQUIREMENTS constant.
* Enhancement: Use canonical roles library to determine if a new user or an
updated role requires a strong password.
* Enhancement: Introduce password requirements module to centralize handling of
password updates.
* Enhancement: The Hide Backend hidden login URL is no longer leaked by password-
protected content.
* Enhancement: Allow for searching through modules and settings.
* Enhancement: Link to other module settings pages without forcing the page to
refresh.
* Enhancement: Fire an action, "itsec_change_admin_user_id", when the admin user
id changes.
* Enhancement: Changed default Hide Backend Register Slug from wp-register.php to
wp-signup.php since WordPress switched from using wp-register.php to wp-signup.php
for registrations. This will not affect existing sites.
* Enhancement: Hide Backend functions purely in PHP code now rather than relying
half on PHP code and half on .htaccess and nginx.conf modifications. This allows
Hide Backend to function on web servers and server configurations that it was
previously not compatible with.
* Misc: Updated or added phpDoc to many functions.
* Misc: Updated Disable File Locking description.
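
The Hide Backend flow described under 6.3.0 (slug redirects to
wp-login.php?itsec-hb-token=<slug>, a one-hour cookie then grants access to
wp-login.php directly, and a cookie-less session such as a private browsing window
sees nothing) can be modelled to check one's understanding of it. The following is
an added example in Python, not the plugin's own PHP; the cookie name, the random
cookie value stored server-side and the 404 used for hidden paths are assumptions
made for this model.

```python
"""Model of the Hide Backend request flow described for 6.3.0.

Added example in Python, not the plugin's PHP. The cookie name, the random
cookie value and the 404 used for hidden paths are assumptions for this model.
"""
import secrets
import time
from urllib.parse import parse_qs, urlsplit

LOGIN_SLUG = "wplogin"           # the configured Hide Backend Login Slug
TOKEN_PARAM = "itsec-hb-token"   # query parameter named in the changelog
COOKIE_NAME = "hb-access"        # assumed cookie name for this model
COOKIE_TTL = 3600                # one hour, as described


class HideBackend:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._issued = {}        # cookie value -> expiry timestamp

    def _issue_cookie(self):
        value = secrets.token_urlsafe(16)
        self._issued[value] = self._now() + COOKIE_TTL
        return value

    def _cookie_valid(self, cookies):
        value = cookies.get(COOKIE_NAME)
        expiry = self._issued.get(value)
        if expiry is None:
            return False
        if expiry <= self._now():
            del self._issued[value]   # expired: drop it so it cannot be replayed
            return False
        return True

    def handle(self, url, cookies=None):
        """Return (status, location, set_cookie) for one request.

        200: the real page is served; 302: redirect from the slug to the
        tokenised login URL; 404: the backend is hidden from this client.
        """
        cookies = cookies or {}
        parts = urlsplit(url)
        path = parts.path.rstrip("/")
        query = parse_qs(parts.query)

        if path == f"/{LOGIN_SLUG}":
            # The slug itself is never served; it redirects carrying the token.
            return 302, f"/wp-login.php?{TOKEN_PARAM}={LOGIN_SLUG}", None

        if path == "/wp-login.php":
            if query.get(TOKEN_PARAM) == [LOGIN_SLUG]:
                # Correct token: serve the login page and grant an hour of access.
                return 200, None, self._issue_cookie()
            if self._cookie_valid(cookies):
                return 200, None, None
            return 404, None, None   # no token and no valid cookie

        return 200, None, None       # ordinary front-end request
```

Driving the model with an empty cookie jar reproduces the private-window test from
the changelog: wp-login.php answers 404 until the slug has been visited, and again
once the hour has passed.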

= 6.2.1 =
* Bug Fix: When a requesting IP address cannot be found, default to 127.0.0.1.
This fixes issues with some alternate cron setups.
* Bug Fix: Having more than one iThemes Security modification in a .htaccess,
nginx.conf, or wp-config.php file will no longer result in having all the file
content between each section removed when updating the file.
* Bug Fix: Modifications to the wp-config.php file added by W3 Total Cache now
have their Windows-style newlines preserved when iThemes Security updates the file.

= 6.2.0 =
* Enhancement: Improved plugin performance by reducing the number of queries made
on each page.
* Enhancement: Reduced memory and CPU usage due to various code improvements.
* Bug Fix: A database backup will no longer be created when first activating the
plugin.
* Bug Fix: Added compatibility for MySQL strict mode in database creation syntax.
* Bug Fix: Removed warning about a "non well formed numeric value encountered" in
PHP 7.1.
* Bug Fix: Modifications to wp-config.php, .htaccess, and nginx.conf files are now
properly re-added upon reactivation.
* Bug Fix: Fixed full settings for Hide Backend being displayed after disabling
the feature and saving the settings.
* Bug Fix: Enabling or disabling the Hide Backend feature will update the "Log
Out" link so that it works as expected without having to load a new page.
* Bug Fix: Enabling or disabling the Hide Backend feature now properly updates the
.htaccess/nginx.conf file on enable and disable rather than at some future point.
* Bug Fix: Fixed issue that could cause improper database table creation on
multisite sites.
* Bug Fix: Fixed a bug that could prevent settings from saving properly if the
site was migrated to a new server or a new home path on the server.

= 6.1.1 =
* Bug Fix: Fixed bug that prevented Away Mode from activating on some sites.

= 6.1.0 =
* Enhancement: Added logging for failed two-factor, OAuth, and REST API
authentications.
* Enhancement: Added logging details about the source of login failures and the
type of authentication that failed.
* Enhancement: Due to improvements in tracking authentication failures, brute
force attempts using alternate authentication methods are more reliably found and
blocked.
* Enhancement: The server's IP is treated as whitelisted and will not be
considered for lockouts or bans.
* Enhancement: Reduced memory usage when creating a backup.
* Enhancement: Changed log entry description of "IP Flagged as bad by iThemes
IPCheck" to "IP Flagged by Network Brute Force Protection". This should help
clarify the meaning of the log entry.
* Enhancement: Improved efficiency of the Network Brute Force Protection feature.
* Bug Fix: Fixed bug that prevented Network Brute Force Protection from working
properly on some sites.

= 6.0.0 =
* Bug Fix: Removed "comodo" from the list of user agents blocked by the
HackRepair.com blacklist. This ensures that Comodo's AutoSSL feature of cPanel/WHM
is able to function.
* Updated Feature: Updated the "REST API" feature in the WordPress Tweaks section.
The feature now has proper support for protecting privacy on your site without
preventing the REST API from functioning.
* Enhancement: Updated Security Check to enforce setting the "REST API" setting to
"Restricted Access".

= 5.9.0 =
* New Feature: Added a "REST API" feature in the WordPress Tweaks section. This
new feature allows you to block or restrict access to the REST API.

= 5.8.1 =
* Bug Fix: Fixed issue that could cause database backup emails to be sent without
the backup zip attached.

= 5.8.0 =
* Enhancement: Updated the lockouts notification email to a new design. This new
design also cleaned up the translation strings to allow better translations.
* New Feature: Added a "Protect Against Tabnapping" feature in the WordPress
Tweaks section. Details of what this feature protects against can be found here:
https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-
vulnerability-ever/
* Misc: Updated the description for the Lockout Period setting to indicate that
the default value of 15 minutes is recommended.

= 5.7.1 =
* Bug Fix: Remote IP is now correctly identified if the server is behind a reverse
proxy that sends requests with more than one IP listed in a single header.
* Bug Fix: Fixed the link for a user in the logs page so that it properly works on
sites that are inside a subdirectory.
* Bug Fix: Improved how Strong Password Enforcement works on password resets to
improve compatibility with various plugins.
* Bug Fix: Improved the logic for determining whether a user should have Strong
Password Enforcement applied. This covers situations where the user may have a
custom role, a customized default role, or added capabilities beyond their role.
* Enhancement: Improved the logic for determining the requesting IP address to
better handle situations where the site is behind a reverse proxy.
* Enhancement: Strong Password Enforcement now uses a PHP port of zxcvbn to ensure
that a strong password was selected.
* Enhancement: All links in Security that have target="_blank" now have added rel
attributes to protect against tabnapping.
* Misc: Updated remaining ip-lookup.net links to instead link to traceip.net in
keeping with other links that were previously updated to traceip.net.
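
Several entries above (the itsec-get-ip filter in 6.5.0, the 127.0.0.1 fallback in
6.2.1, the whitelisted server IP in 6.1.0 and the multi-IP proxy header fix in
5.7.1) concern the same problem: which address a lockout or ban should be charged
to. The security-relevant rule is that forwarding headers are only meaningful when
the direct peer is a proxy you control, and that the client address is found by
walking X-Forwarded-For from the right, skipping trusted hops; reading it from the
left lets any client pick its own "IP" and dodge every lockout. The following is an
added example in Python, not the plugin's PHP; the TRUSTED_PROXIES list and the
header order are assumptions for this example.

```python
"""Resolve the requesting client IP behind one or more reverse proxies.

Added example, not code from the iThemes Security plugin. TRUSTED_PROXIES is a
constructed operator setting and FORWARDING_HEADERS an assumed lookup order.
"""
import ipaddress

# Proxies allowed to set forwarding headers. Constructed value for this example.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]

# Consulted in order, and only when REMOTE_ADDR is itself a trusted proxy.
FORWARDING_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP")


def _is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse_ip(value):
    """Return a normalised IP string, or None if value is not an address."""
    value = value.strip()
    # Some proxies append a port: "[2001:db8::1]:443" or "198.51.100.7:4321".
    if value.startswith("[") and "]" in value:
        value = value[1:value.index("]")]
    elif value.count(":") == 1:
        value = value.split(":")[0]
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def resolve_client_ip(server):
    """Return the client IP for a CGI-style environment dict ($_SERVER layout).

    Falls back to 127.0.0.1 when no usable address exists at all, which is the
    situation some alternate cron setups produce.
    """
    remote = _parse_ip(server.get("REMOTE_ADDR", ""))
    if remote is None:
        return "127.0.0.1"
    if not _is_trusted(remote):
        return remote  # direct connection: any forwarding header is client-controlled

    for header in FORWARDING_HEADERS:
        raw = server.get(header)
        if not raw:
            continue
        hops = [_parse_ip(part) for part in raw.split(",")]
        # Walk from the hop nearest us outward; the first untrusted hop is the client.
        for hop in reversed(hops):
            if hop is None:
                break  # malformed entry: nothing to its left can be believed
            if not _is_trusted(hop):
                return hop
    # Every hop was a trusted proxy (or no header was sent): the request is our own.
    return remote
```

The last return also covers the 6.1.0 behaviour: a request that resolves to the
server's own address should never be counted towards a lockout.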

= 5.7.0 =
* Bug Fix: Fixed data save issue that could cause multiple notification emails to
be sent in a short period of time.
* Bug Fix: Fixed issue that could cause the malware scanner to fail on sites that
change the arg_separator.output php.ini value from its default value.
* Bug Fix: Removed redundant entries in the HackRepair blacklist.
* Bug Fix: Enabling Protect System Files in System Tweaks will now only block
install.php for the current site. This fixes the issue where the setting can block
installation of a site in a subdirectory.
* Bug Fix: Fixed problem that could cause requests for iThemes Security data from
iThemes Sync to fail due to large amounts of log entries.
* Bug Fix: Scheduled backups now run if the ITSEC_BACKUP_CRON define is set with a
non-boolean value.
* Bug Fix: Replaced static references to wp-includes with the WPINC define.
* Bug Fix: Moved blocking of query strings containing %0[0-9A-F] characters from
the Non-English Characters setting to the Suspicious Query Strings setting as those
characters are control code characters and are not associated with a language.
* Bug Fix: Added escaping to some translation strings.
* Bug Fix: Removed unused files from the WordPress Tweaks module directory.
* Bug Fix: Fixed the Daily Digest email reversing the user and host lockout
counts.
* Bug Fix: The database backup email no longer sends from the email address
configured in Settings > General. It now defaults to the same from address that the
wp_mail() function uses. This will fix the mail being blocked by some mail servers
due to a spoofed from address.
* Enhancement: Updated the server config rules generated by the System Tweaks
settings. They are now more consistent between Apache, LiteSpeed, and nginx. They
are also more efficient and have been improved to limit accidentally blocking non-
targeted requests.
* Enhancement: Updated the database backup email to a new design.
* Enhancement: Added a note that the Filter Request Methods setting in System
Tweaks should not be enabled if the WordPress REST API is used. This is because the
DELETE HTTP method is blocked when the setting is enabled.
* New Feature: Added setting to block requests for PHP files in the plugins
directory in System Tweaks.
* New Feature: Added setting to block requests for PHP files in the themes
directory in System Tweaks.
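
The System Tweaks changes in this release (control codes moved to Suspicious Query
Strings, Filter Request Methods versus the REST API, and the new PHP-in-plugins and
PHP-in-themes blocks) are easiest to evaluate against real traffic before they are
enforced. The following is an added example in Python that runs those checks over
constructed access-log lines; it is not the plugin's generated .htaccess/nginx rules.
Assumptions: the 255-character limit for Filter Long URL Strings, the
TRACE/TRACK/DELETE set for Filter Request Methods (the changelog names only
DELETE), and the %1X and %7F codes, which extend the changelog's %0[0-9A-F] to the
rest of the C0 control range plus DEL.

```python
"""Request-level checks modelling several System Tweaks settings.

Added example in Python, not the plugin's generated .htaccess/nginx rules.
Assumed: MAX_URL_LENGTH, FILTERED_METHODS beyond DELETE, and the %1X/%7F codes.
"""
import re
from urllib.parse import urlsplit

MAX_URL_LENGTH = 255

# Percent-encoded C0 control characters (0x00-0x1F) and DEL (0x7F). They are
# not letters in any language, which is why they belong under Suspicious
# Query Strings rather than Non-English Characters.
CONTROL_CODE = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")

# Direct requests for PHP files under plugins/ or themes/. Only the path is
# tested, so a query string that merely mentions ".php" is not affected.
PHP_IN_CONTENT_DIR = re.compile(r"^/wp-content/(?:plugins|themes)/.*\.php$", re.IGNORECASE)

# Filter Request Methods blocks these; DELETE is what the REST API uses to
# delete resources, so leave the filter off on sites that use the REST API.
FILTERED_METHODS = {"TRACE", "TRACK", "DELETE"}

# Constructed access-log lines for the demonstration; not real traffic.
SAMPLE_LOG = [
    '203.0.113.9 - - "GET /?s=wordpress HTTP/1.1" 200',
    '203.0.113.9 - - "GET /?p=1&x=%00%0A HTTP/1.1" 200',
    '198.51.100.4 - - "GET /wp-content/plugins/example/upload.php HTTP/1.1" 200',
    '198.51.100.4 - - "GET /wp-content/themes/example/style.css?v=2.php HTTP/1.1" 200',
    '198.51.100.4 - - "DELETE /wp-json/wp/v2/posts/7 HTTP/1.1" 200',
    '198.51.100.4 - - "GET /' + "a" * 300 + ' HTTP/1.1" 404',
]
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def inspect_request(method, target, filter_methods=False):
    """Return the names of the rules a request violates (empty list = allow).

    `target` is the raw, still percent-encoded request target from the log;
    decoding it first would hide the encoded control codes this looks for.
    """
    violations = []
    parts = urlsplit(target)

    # Filter Long URL Strings: judged on length alone, nothing else.
    if len(target) > MAX_URL_LENGTH:
        violations.append("long_url")

    # Suspicious Query Strings: encoded control characters in the query part.
    if CONTROL_CODE.search(parts.query):
        violations.append("control_code")

    # Block PHP in plugins/themes: some plugins need their PHP files reachable
    # directly, so review log hits for this rule before enforcing it.
    if PHP_IN_CONTENT_DIR.match(parts.path):
        violations.append("php_in_content_dir")

    if filter_methods and method in FILTERED_METHODS:
        violations.append("filtered_method")

    return violations


def scan_log(lines, filter_methods=False):
    """Run inspect_request over access-log lines; returns [(target, violations)]."""
    results = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if match:
            verdict = inspect_request(match["method"], match["target"], filter_methods)
            results.append((match["target"], verdict))
    return results
```

Running scan_log twice, once with filter_methods=True, shows the REST API caveat
directly: the only line whose verdict changes is the legitimate DELETE against
/wp-json.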

= 5.6.4 =
* Bug Fix: Fixed issue that reported invalid counts for host and user lockouts in
the daily digest email.
* Bug Fix: Fixed issue that caused the daily digest email to be sent every day,
even if no lockouts occurred and no file changes were found.
* Bug Fix: Fixed issue that could prevent saving of File Change settings,
resulting in an error message of "A validation function for file-change received
data that did not have the required entry for latest_changes."
* Bug Fix: Fixed iThemes Security Pro logo appearing in daily digest emails.

= 5.6.3 =
* Bug Fix: Removed the "Wget" user agent from the Hack Repair blacklist as it can
block wp-cron jobs on some hosts.
* Bug Fix: Fixed error "PHP message: PHP Fatal error: 'continue' not in the
'loop' or 'switch' context".
* Enhancement: Added new Daily Digest email design.

= 5.6.2 =
* Security Fix: Fixed issue where a locked out but not yet blacklisted IP/user
could receive different HTTP headers when testing a valid username/password
combination. Thanks Leon Atkinson of 18INT for contacting us about this issue.
* Security Fix: Updated log output to prevent specific kinds of logged requests
from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us
about this issue.
* Bug Fix: The Security > Security Check link now works as expected in multisite.
* Bug Fix: Fixed bug that could prevent the "Filter Long URL Strings" feature from
working properly.
* Bug Fix: Removed restrictions in the "Filter Long URL Strings" feature that were
unrelated to request length.
* Bug Fix: Corrected a settings description typo in Global Settings.
* Bug Fix: Fixed bug that could result in issues authenticating over XML-RPC when
the WordPress Tweaks > Multiple Authentication Attempts per XML-RPC Request setting
is set to "Block".
* Misc: Added placeholder for the Version Management module of iThemes Security
Pro.
* Misc: Updated build number to trigger some updates.
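
The "Multiple Authentication Attempts per XML-RPC Request" setting mentioned above
exists because system.multicall lets one HTTP request carry hundreds of login
attempts, so a lockout that counts requests rather than attempts is trivially
bypassed; the 5.6.2 fix is about ordinary single-call XML-RPC logins still working
once that setting is on "Block". The following is an added example in Python, not
the plugin's PHP, that unwraps a request body, counts the attempts it contains and
applies the block decision. The set of authenticated methods and the index of the
username in each parameter list are assumptions covering a few well-known
WordPress methods only.

```python
"""Counting login attempts hidden inside one XML-RPC request.

Added example in Python, not the plugin's PHP. AUTH_METHODS is an assumed subset
of WordPress's authenticated XML-RPC methods.
"""
import xmlrpc.client

# WordPress XML-RPC methods that carry a username/password, with the index of
# the username in their parameter list. wp.getUsersBlogs takes
# (username, password); the wp.* content methods take (blog_id, username, password, ...).
AUTH_METHODS = {
    "wp.getUsersBlogs": 0,
    "wp.getProfile": 1,
    "wp.getPosts": 1,
    "wp.newPost": 1,
    "metaWeblog.getUsersBlogs": 1,
}


def single_call_body(method, *params):
    """Build an XML-RPC request body for one method call."""
    return xmlrpc.client.dumps(params, methodname=method)


def multicall_body(username, passwords):
    """Constructed sample of the amplification attack: one HTTP request holding
    many wp.getUsersBlogs calls, each trying a different password."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def count_auth_attempts(body):
    """Return (attempts, usernames) for a request body.

    system.multicall wraps many calls in one HTTP request, so counting one
    failed login per request would let an attacker try a whole wordlist per
    lockout increment; every inner call has to be counted.
    """
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        calls = params[0]
    else:
        calls = [{"methodName": method, "params": list(params)}]

    attempts, usernames = 0, []
    for call in calls:
        name = call.get("methodName")
        call_params = call.get("params") or []
        if name in AUTH_METHODS:
            attempts += 1
            index = AUTH_METHODS[name]
            usernames.append(call_params[index] if len(call_params) > index else None)
    return attempts, usernames


def decide(body, block_multiple=True):
    """Apply the Multiple Authentication Attempts per XML-RPC Request tweak.

    With block_multiple (the "Block" setting) any request carrying more than
    one authentication attempt is rejected outright. Otherwise it is allowed
    and the returned count is what the brute-force counter should charge on
    failure. A single-call login is allowed in both modes.
    """
    attempts, _ = count_auth_attempts(body)
    if block_multiple and attempts > 1:
        return "reject", attempts
    return "allow", attempts
```

Malformed XML makes xmlrpc.client.loads raise; a request that cannot be parsed
should be treated as rejected rather than as zero attempts.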

= 5.6.1 =
* Bug Fix: Fixed a potential logging issue that could prevent some lockout notices
from being properly logged on non-English sites.
* Bug Fix: Prevented some notices from displaying to users who do not need to see
them.
* Bug Fix: Limited notices to only display on specific pages on the dashboard.
* Compatibility Fix: Changed name of the $HTTP_RAW_POST_DATA variable to avoid
erroneously tripping PHP 7 compatibility checks.
* Code Cleanup: Removed legacy code that is no longer needed.
* Enhancement: Started tracking when a user was last seen as logged in and active
for future use.
* Misc: Added a placeholder for the Pro feature "User Security Check".

= 5.6.0 =
* New Feature: Added a new Security Check section on the settings page. This new
feature adds a tool to quickly ensure that the recommended features are enabled and
the recommended settings are used.
* Bug Fix: Fixed the ability to remove the itsec_away.confg file in order to
disable Away Mode.
* Enhancement: The "Ban Lists" setting of Banned Users is now enabled by default.

== Upgrade Notice ==

= 7.6.1 =
Version 7.6.1 contains new features and bug fixes. It is recommended for all users.
