Description
THE HIGHEST RATED WORDPRESS SECURITY AND FIREWALL PLUGIN
All-in-One Security (AIOS) is a security plugin designed especially for WordPress, now brought to you from the team at UpdraftPlus.
Customers love All-In-One Security because it’s easy to use, and it does a whole lot for free.
All-In-One Security gives you Login Security Tools, to keep bots at bay and protect your website from brute force attacks.
Our Web Application Firewall gives you automatic protection from security threats.
Content Protection Features protect what you’ve worked so hard to build; All-In-One Security eliminates comment spam and prevents other websites from stealing your content with features like iFrame prevention and copy protection.
Still not sure?
- We are currently the only WordPress security plugin with a 5-star user rating at more than 1 million installations.
- Our security team maintains a list of known exploits, actively building protections against them and releasing these as new firewall rules to free and paying customers at the same time.
- We are already the world’s number one for backups, so you know you can trust us with your site’s security too.
LOGIN SECURITY FEATURE SUITE
Protect against brute-force attacks and keep bots at bay. All-In-One Security takes WordPress’ default login security features to a whole new level.
- Supports best practice: All-In-One Security detects whether an account uses the default ‘admin’ username, or whether a user’s login name and display name are identical, and prompts the user to change this in support of better security practice.
- Hide the login page from bots: configure a custom URL for the WordPress ‘admin’ login page, making it harder for bots to find.
- Change the default wp_ database table prefix: hackers use automated code to attack sites like yours. Make it harder for them and protect your site with this simple but effective AIOS security feature.
- Login lockout: external users who make repeated login attempts can be locked out for a configurable period. You can also lock out users who try non-existent usernames. View a list of all locked-out users and unlock them with one click.
- Reporting: All-In-One Security offers a wealth of information about site users. View activity by username, IP address, and login and logout dates and times. See a list of users currently logged in and a list of all failed login attempts.
- Force logout: make sure users do not stay logged in indefinitely. With All-In-One Security you can log users out after a configurable time.
- Robot verification: for extra security and to prevent spam registrations, implement Cloudflare Turnstile, Google reCAPTCHA, a simple maths CAPTCHA or a honeypot on registration pages, or enable manual approval of user accounts.
- Stops user enumeration: prevent external users and bots from retrieving user information via author permalinks.
- Two-factor authentication: All-In-One Security TFA supports Google Authenticator, Microsoft Authenticator, Authy and other TOTP-compatible apps.
- Password strength tool: estimates how long it would take to crack your password by brute force.
- General visitor lockout: put your site into “maintenance mode” and lock down the front end to all visitors. This is useful while doing back-end tasks such as performing site upgrades or investigating security threats.
- WordPress salts security feature extended: WordPress salts are mixed into the keyed hashes that protect authentication cookies and nonces. All-In-One Security adds 64 extra characters to them and rotates them weekly, so keys leaked from wp-config.php or a backup quickly stop being useful for forging cookies. Note that a rotation invalidates existing sessions, so logged-in users are signed out when the salts change.
FIREWALL & FILE PROTECTION SECURITY SUITE
A Web Application Firewall (WAF) is your website’s first line of defence, protecting your site by monitoring traffic and blocking malicious requests.
- Progressively activate firewall settings: these range from basic through intermediate to advanced, so you can enable rules step by step and confirm that your site still works after each step.
- Automatic protection from the latest threats: Our team maintains a list of known exploits, actively building protections against them which are then released as new firewall rules to free and paying customers.
- 6G blacklist: All-In-One Security incorporates ‘6G Blacklist’ firewall rules, protecting your site against a known list of malicious URL requests, bots, spam referrers and other attacks (courtesy of Perishable Press).
- Protect against fake Googlebots: bots presenting themselves as Google crawlers can steal your content and litter your pages with comment spam. The All-In-One Security Web Application Firewall checks whether a visitor claiming to be Googlebot really belongs to Google and blocks impostors.
- Blacklist functionality: Ban users by IP address, IP address range or by specifying user agents.
- Prevent DDoS attacks: stop malicious users from abusing the WordPress XML-RPC pingback functionality, a known DDoS vector (the pingback.ping method lets an attacker make your server send requests to a target of their choosing).
- Prevent image hotlinking: Protect server bandwidth and your website’s content by preventing other sites from using your imagery via hotlinking.
- Cross-site scripting (XSS) protection: All-In-One Security blocks requests that try to inject script through a specially crafted cookie. This is a request filter and does not replace proper output escaping in your themes and plugins.
- File change detection: Security scanners alert you to file changes in your WordPress system, so you can see if a change is legitimate or suspicious, and investigate as appropriate.
- Disable PHP file editing: Protect your PHP code by disabling the ability to edit files in the WordPress administration area.
- Permission setting alerts: Identify files or folders where the permission settings are not secure and correct with one-click.
- Ability to create custom rules: Advanced users can add custom rules to block access to various resources on your site.
- Access prevention: Prevent external users from accessing the readme.html, license.txt and wp-config-sample.php files of your WordPress site.
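The fake-Googlebot check above rests on a reverse-then-forward DNS confirmation, with the IP-range fallback the changelog describes for hosts where gethostbyaddr fails. What follows is an added stand-alone Python model of that logic, not the plugin’s own PHP code. The resolver tables, the IP addresses and the single fallback range are constructed for the example; a real deployment would call gethostbyaddr/gethostbyname and load Google’s published crawler IP list instead of the one range shown.

```python
import ipaddress
from typing import Callable, Iterable

# Hostnames a genuine Googlebot reverse-resolves to (Google documents these suffixes).
GOOGLEBOT_SUFFIXES = (".googlebot.com", ".google.com")

# Used only when reverse DNS is unavailable. One illustrative range standing in for
# Google's published crawler IP list; a deployment should load that list instead.
FALLBACK_RANGES = [ipaddress.ip_network("66.249.64.0/19")]


def verify_crawler(ip: str, user_agent: str,
                   reverse_lookup: Callable[[str], str],
                   forward_lookup: Callable[[str], Iterable[str]],
                   fallback_ranges=FALLBACK_RANGES) -> str:
    """Classify one request that may claim to be Googlebot.

    'not_claimed'        UA does not claim to be Googlebot; nothing to verify
    'verified'           PTR is under a Google domain AND forward-confirms to the IP
    'verified_by_range'  reverse DNS failed, but the IP sits in a known Googlebot range
    'fake'               the claim could not be confirmed; treat as an impostor
    """
    if "Googlebot" not in user_agent:
        return "not_claimed"
    try:
        host = reverse_lookup(ip)
    except OSError:                       # gethostbyaddr failed or is disabled
        host = None
    if not host:
        addr = ipaddress.ip_address(ip)
        return "verified_by_range" if any(addr in net for net in fallback_ranges) else "fake"
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLEBOT_SUFFIXES):
        return "fake"                     # PTR points at a domain Google does not own
    # Forward-confirm: whoever runs the reverse zone for an IP can set its PTR to
    # crawl-x.googlebot.com, but only Google can make that name resolve back to it.
    try:
        forward_ips = set(forward_lookup(host))
    except OSError:
        forward_ips = set()
    return "verified" if ip in forward_ips else "fake"


# Constructed DNS data for an offline run (not real lookups).
_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.7": "scanner.example.net",
    "203.0.113.8": "crawl-66-249-66-1.googlebot.com",   # attacker-controlled PTR, spoofed
}
_A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "scanner.example.net": ["203.0.113.7"],
}


def fake_reverse(ip: str) -> str:
    if ip not in _PTR:
        raise OSError("no PTR record")    # mimics a failing gethostbyaddr()
    return _PTR[ip]


def fake_forward(host: str) -> list:
    return _A.get(host, [])


UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def demo() -> dict:
    def check(ip, ua=UA):
        return verify_crawler(ip, ua, fake_reverse, fake_forward)

    return {
        "genuine":             check("66.249.66.1"),    # PTR and forward agree
        "wrong_domain":        check("203.0.113.7"),    # PTR under a non-Google domain
        "spoofed_ptr":         check("203.0.113.8"),    # googlebot.com PTR, forward mismatch
        "no_ptr_in_range":     check("66.249.70.5"),    # reverse DNS fails, IP in range
        "no_ptr_out_of_range": check("198.51.100.9"),   # reverse DNS fails, IP not in range
        "not_googlebot":       check("198.51.100.9", "curl/8.0"),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20} {verdict}")
```

The spoofed-PTR case is the reason the forward confirmation exists: a reverse lookup alone would accept any IP whose owner sets its PTR record to a googlebot.com name.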
CONTENT PROTECTION SECURITY SUITE
Eliminate spam, protect your WordPress content and your search engine rankings with these important security features from All-In-One Security.
- Comment SPAM prevention: web pages littered with spam comments damage your brand, affect the user experience and hurt SEO. All-In-One Security stops spam at the source by rejecting comments that do not originate from your own domain. AIOS automatically and permanently blocks spammers’ IP addresses. Site owners can use Cloudflare Turnstile or Google reCAPTCHA to reduce comment spam and block malicious users with just one click.
- iFrame protection: preventing other websites from reproducing your content inside an ‘iFrame’ is a useful security feature that protects your intellectual property and your website visitors.
- Copy protection: deter users from stealing your content by disabling right-click, text selection and copy. This is a client-side deterrent only: anyone can still read the page source or disable JavaScript, so do not rely on it to protect sensitive content.
- Disable RSS and Atom Feeds: RSS and Atom Feeds can be used by bots to ‘scrape’ your website content and present it as their own. This feature prevents that by disabling RSS and Atom Feeds on your website.
LATEST AND GENERAL SECURITY FEATURES
- Audit Log: The All-In-One Security audit log gives Admins a view of events taking place on their WordPress website. They can see if anything strange is happening and detect security risks. For example, you can see if a plugin or theme has been added, removed, updated, activated or deactivated without your knowledge or consent.
INTERESTED IN AIOS PREMIUM?
For even greater protections, consider All-In-One Security (AIOS) Premium. It’s one of the most cost-effective and comprehensive WordPress Security plugins on the market and extends the powers of ‘Free’ with:
MALWARE SCANNING (Premium only)
Finding out by accident that your website’s security has been compromised due to malware is too late.
Malware can have a dramatic effect on search rankings. It can slow your site down, access customer data, send unsolicited emails, change your content or prevent users from accessing it.
- Alerts you to blacklisting: Search engines can very quickly blacklist a site hacked with malicious code. All-In-One Security Premium monitors your site’s status daily and alerts you if you’ve been blacklisted.
- Notification if something is amiss: We’ll notify you of any malware issues within 24 hours so you can take action, before it’s too late.
- Response time monitoring: You’ll know immediately if website response time is negatively affected.
- Up-time monitoring: All-In-One Security checks website uptime every 5 minutes. We’ll notify you if your site/server goes down.
- Flexible assignment: Register and remove WordPress sites from security scanning at any time.
- Security Reports: Security Reports are available via the ‘My Account’ page and directly via email.
FLEXIBLE TWO-FACTOR AUTHENTICATION (PREMIUM ONLY)
TFA is available in our free packages. All-In-One Security Premium affords whole new levels of control over how TFA is implemented.
- Role specific configuration: Make TFA compulsory for certain roles, e.g. for admin and editor roles.
- Require TFA after set time period: For example, you could require all admins to have TFA once their accounts are a week old.
- Trusted Devices: Ask for TFA after a chosen number of days for trusted devices instead of on every login.
- Anti-bot Protection: Option to hide the existence of forms on WooCommerce login pages unless JavaScript is active.
- Customise design layout: Customise the design of TFA so that it aligns with your existing web design.
- Emergency Codes: Generate a one-time use emergency code to allow access if your device is lost.
- Multisite Compatible: Compatible with WordPress multisite networks and sub-sites.
- Support for login forms: support for WooCommerce, Affiliates-WP, Elementor Pro, bbPress and all third-party login forms without any further coding needed. Also compatible with ‘Theme my Login’.
SMART 404 BLOCKING (PREMIUM ONLY)
404 errors occur when someone legitimately mistypes a URL, but they’re also generated by hackers searching for security weaknesses in your site.
- Block bots producing 404s: All-In-One Security Premium automatically and permanently blocks IP addresses of bots and hackers based on how many 404 errors they generate.
- Reporting: handy charts keep you informed of how many 404s have occurred and which IP address or country is producing them.
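The login lockout described in the login security suite and the smart 404 blocking described here share one mechanism: count events per IP inside a sliding time window and block the IP once a threshold is reached, temporarily for failed logins and permanently for 404 bursts. The following is an added Python model of that mechanism written for this page; it is not the plugin’s code. The thresholds, window sizes, lock duration and the login and request events are constructed for illustration, and the real plugin’s defaults may differ.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ThresholdBlocker:
    """Sliding-window counter plus a lock list. A key (an IP here) is blocked once it
    produces `max_events` events inside `window` seconds; the block lasts `block_for`
    seconds, or forever when block_for is None (the permanent 404 block)."""
    max_events: int
    window: int
    block_for: Optional[int]
    _events: dict = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: dict = field(default_factory=dict)  # key -> expiry, None = permanent

    def is_blocked(self, key: str, now: int) -> bool:
        if key not in self._blocked_until:
            return False
        expiry = self._blocked_until[key]
        if expiry is None:
            return True
        if now >= expiry:                 # lock expired: forget it
            del self._blocked_until[key]
            return False
        return True

    def block(self, key: str, now: int) -> None:
        self._blocked_until[key] = None if self.block_for is None else now + self.block_for
        self._events[key].clear()

    def record(self, key: str, now: int) -> bool:
        """Count one event; return True if the key is blocked after it."""
        if self.is_blocked(key, now):
            return True
        q = self._events[key]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.max_events:
            self.block(key, now)
            return True
        return False


def login_lockout(attempts, valid_users, max_failures=3, window=300, lock_for=3600):
    """attempts: (ts, ip, username, password_ok). Returns (ts, ip, decision) per attempt."""
    blocker = ThresholdBlocker(max_failures, window, lock_for)
    decisions = []
    for ts, ip, user, ok in sorted(attempts):
        if blocker.is_blocked(ip, ts):
            decisions.append((ts, ip, "rejected_locked"))   # refused even with the right password
        elif ok:
            decisions.append((ts, ip, "allowed"))
        elif user not in valid_users:
            blocker.block(ip, ts)                            # the 'lock invalid usernames' option
            decisions.append((ts, ip, "locked_invalid_user"))
        elif blocker.record(ip, ts):
            decisions.append((ts, ip, "locked"))
        else:
            decisions.append((ts, ip, "failed"))
    return decisions


def smart_404(requests, max_404=5, window=60):
    """requests: (ts, ip, path, status). A burst of 404s earns a permanent block."""
    blocker = ThresholdBlocker(max_404, window, block_for=None)
    decisions = []
    for ts, ip, _path, status in sorted(requests):
        if blocker.is_blocked(ip, ts) or (status == 404 and blocker.record(ip, ts)):
            decisions.append((ts, ip, "blocked"))
        else:
            decisions.append((ts, ip, "ok"))
    return decisions


# Constructed sample events (not real logs); timestamps are seconds from an arbitrary epoch.
LOGIN_ATTEMPTS = [
    (0,    "203.0.113.5",  "editor", False),
    (60,   "203.0.113.5",  "editor", False),
    (120,  "203.0.113.5",  "editor", False),  # third failure inside 300 s -> locked for 3600 s
    (180,  "203.0.113.5",  "editor", True),   # right password, still inside the lock
    (3800, "203.0.113.5",  "editor", True),   # lock expired at 3720 -> allowed
    (10,   "198.51.100.2", "admin",  False),  # username does not exist -> immediate lock
    (20,   "198.51.100.2", "editor", False),
    (0,    "192.0.2.9",    "editor", False),  # slow guesser: one failure per ~17 min,
    (1000, "192.0.2.9",    "editor", False),  #   never three inside one 300 s window
    (2000, "192.0.2.9",    "editor", False),
]
REQUESTS = [
    (0, "203.0.113.50", "/wp-config.php.bak", 404),
    (1, "203.0.113.50", "/.env", 404),
    (2, "203.0.113.50", "/backup.zip", 404),
    (3, "203.0.113.50", "/wp-content/debug.log", 404),
    (4, "203.0.113.50", "/xmlrpc.php.old", 404),  # fifth 404 in 60 s -> permanent block
    (5, "203.0.113.50", "/", 200),                 # an ordinary page, still blocked
    (99999, "203.0.113.50", "/", 200),             # permanent means permanent
    (0, "198.51.100.3", "/old-post", 404),         # one mistyped URL is fine
    (1, "198.51.100.3", "/", 200),
]


def demo():
    return login_lockout(LOGIN_ATTEMPTS, valid_users={"editor"}), smart_404(REQUESTS)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Two behaviours the model makes visible: a correct password submitted during a lock is still refused, and a slow guesser who stays under the window threshold is never locked, which is why the invalid-username lock and the CAPTCHA options exist alongside the counter.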
COUNTRY BLOCKING (PREMIUM ONLY)
Most attacks come from a handful of countries, so blocking those countries removes much of the noise. Attackers can still route through proxies or VPNs in allowed countries, so treat country blocking as a filter rather than a hard control.
- Block traffic based on country of origin: All-In-One Security Premium uses an IP database that promises 99.5% accuracy.
- Block traffic to specific pages: block access to your whole WordPress site or on a page-by-page basis.
- Whitelist some users from blocked countries: whitelist IP addresses or IP ranges even if they are part of a blocked country.
PREMIUM SUPPORT
- Unlimited support: Personalised, email support as and when you need it.
- Fastest response times: we offer a response time of three days; 99% of All-In-One Security Premium customers receive a response to their enquiry within 24 hours.
Plugin support
- If you have a question or problem with the All-In-One Security plugin, post it on the support forum and we will help you. Premium customers can log queries directly with the team via https://teamupdraft.com/all-in-one-security/
Developers
- If you are a developer and need extra hooks or filters for this plugin, let us know.
Translations
- The All-In-One Security plugin can be translated into any language.
Currently available translations:
- English
- German
- Spanish
- French
- Hungarian
- Italian
- Swedish
- Russian
- Chinese
- Portuguese (Brazil)
- Persian
Privacy policy
This plugin may collect IP addresses for security reasons, such as reducing brute force login threats and malicious activity. The collected information is stored on your server. No information is sent to third parties or external server locations.
Usage
Go to the Settings menu after activating the plugin and follow the instructions.
Blocks
This plugin provides 1 block.
- Twofactor User Settings
Installation
To start making your WordPress site more secure:
- Upload the file ‘all-in-one-wp-security.zip’ from the Plugins->Add New page in the WordPress admin panel.
- Activate the plugin via the ‘Plugins’ menu in WordPress.
- Go to the Settings menu under ‘WP Security’ and enable the plugin’s security features.
FAQ

How is All-In-One Security (AIOS) supported?
Customers of the free AIOS can get support from this page: select ‘Support’ from the tabs above and post a topic. We aim to answer all support requests within 24 hours during the working week.

Is All-In-One Security compatible with other plugins?
Yes. AIOS works smoothly with most popular WordPress plugins.

Is All-In-One Security updated regularly?
Yes. WordPress security is something that evolves over time. We update AIOS regularly with new security features (and fixes where needed), so you can be sure your site keeps benefiting from new protection techniques for as long as you need them.

Will All-In-One Security slow down my site?
No.

The decision is yours. Free AIOS includes a web application firewall, extensive login security tools including two-factor authentication, and all the latest recommended WordPress security practices and techniques. But if your WordPress site is a business site, if it shows what you do or who you are, we generally recommend AIOS Premium. Prices start from just $70 per year.

AIOS Premium scans your WordPress site for malware and at the same time monitors your site’s response time and uptime, notifying you within 24 hours of any problems. AIOS Premium customers also benefit from hands-on support by e-mail (rather than via the WP support forums). Additional security tools include country blocking, smart 404 blocking and advanced two-factor authentication. More information is available on our All-In-One Security site.

You buy your preferred subscription in the web shop. After completing the purchase you receive an e-mail with a link to download the plugin; you can also find the link on your “My Account” page. After downloading the zip file, install and activate the plugin via WP Admin->Plugins->Add New->Upload Plugin. The Premium version extends the free version, so you must keep the free version installed and active. You will also be asked to enter your AIOS username and password to connect your site to your licence; this allows the plugin to receive updates.

Yes, you need to have the free version of the plugin installed and activated before installing Premium. The Premium plugin is an add-on that requires the free version to be present.

Does All-In-One Security work with multisite network installations?
Yes, AIOS Premium is compatible with WordPress multisite. On multisite networks the protection applies to the network as a whole, and the dashboard and options are available on the main site of the WordPress multisite.

Can a WordPress security plugin stop all attacks on my site?
There is no 100% guarantee that any security plugin will be able to protect against all attacks, since there is always the possibility of unknown WordPress vulnerabilities or other unexpected factors, and attackers are always looking for new ways to bypass protections. However, All-In-One Security offers good protection against known attack methods and is continuously developed to monitor and improve those protections.

Does All-In-One Security work on all servers and hosts?
AIOS should be compatible with most hosts, unless the host has specifically restricted the use of security plugins. Likewise, certain features may not work on some servers, especially Windows/IIS platforms. Features that use the ‘.htaccess’ file do not apply to a Windows IIS server or an NGINX server (but development is under way to port those protections to all servers).

Development and test sites need their own licence if updates to the plugin are required. However, these sites can be disconnected from the licence once they have served their purpose. You can disconnect the licence via the site’s WP Admin->Plugins page, and it will then be available to be reassigned to another site.

Is the All In One Security & Firewall Plugin GDPR and other privacy law compliant?
Please read more about GDPR compliance here: https://teamupdraft.com/privacy/ .
Contributors & developers
“All-In-One Security (AIOS) – Security and Firewall” is open source software. It has been translated into 16 locales; thanks to the translators for their contributions.
Changelog
5.4.1 – 21/May/2025
- FIX: Call to undefined function AIOWPS\Firewall\sanitize_text_field() fatal error solved.
- FIX: Resolved an issue where some information in the debugging report email was inconsistent with the information shown at Dashboard > Debugging
- FIX: Fixed a “call to undefined function wp_strip_tags” error in wp-security-user-login.php
- FIX: Resolved an issue where raw HTML was displaying in the info box under User Security > User Accounts > User Display Name
- FIX: Renamed the login page when it was exposed via auth_redirect by other plugins (e.g., Gravity Forms preview)
- FIX: Fixed an issue where the password reset functionality did not work with the renamed login page feature
- FIX: Resolved missing translations on the login page after enabling the “Rename login page” feature
- FIX: Updated the custom login page layout to match the new default WordPress login page design
- FIX: Fixed the redirection issue occurring after plugin reactivation when the cookie brute force options are saved in the database
- FIX: Fixed the undefined variable $error in wp-security-user-security-commands.php
- FIX: Fixed the login lockout request issue
- FIX: Bulk “Delete selected” action in the Audit Log list was not working
- FIX: Corrected AIOWSPEC prefixes to AIOWPSEC
- FIX: The 5G Firewall switch was behaving inversely: enabling it removed .htaccess rules, while disabling it added them.
- FIX: Fixed the HTML code shown incorrectly on the .htaccess tab
- TWEAK: Updated links to point to our new website
5.4.0 – 27/Mar/2025
- FIX: Replaced firewall URI parsers with non-WordPress methods
- FIX: Resolved PHP 5.6 compatibility issue caused by the ?? operator in 5.3.10
5.3.10 – 26/Mar/2025
- FEATURE: Added commenting capability to IP whitelists
- FEATURE: Added diagnostics reporting
- FEATURE: Added a whitelist and user role-based access limit to the REST API firewall
- FIX: “Undefined index: path” error when front-end HTTP Authentication is enabled.
- FIX: Resolved dashboard translation issue where text lacked whitespace and was not properly translated
- TWEAK: Remove uses of unserialize without restriction of allowed_classes
- TWEAK: Refactored IP commands class to use response helper
- TWEAK: Removed WP REST API tab
- TWEAK: Switched “Critical Feature Status” toggle buttons on the dashboard to a status light system
- TWEAK: Updated the security strength meter on the dashboard
- TWEAK: Improved the dashboard widget to display a chart showing the number of logins over the last 7 days
- TWEAK: Enhanced the maintenance mode switch on the dashboard for consistency with the rest of the plugin
- TWEAK: Converted Brute Force menu actions to use AJAX
- TWEAK: Updated seasonal notices
5.3.8 – 16/Dec/2024
- FIX: Updated the plugin notices to fix translation related fatal errors.
5.3.7 – 5/Dec/2024
- TWEAK: Change response code for blocked unauthorized REST requests to 403.
- TWEAK: Temporarily removed firewall logging
5.3.6 – 3/Dec/2024
- FIX: Resolved an issue with the AIOS_Firewall_Resource class
5.3.5 – 24/Nov/2024
- FIX: Custom .htaccess rules are now properly escaped, with backslashes removed.
- FIX: Import settings failed when visitor lockout messages had text alignment or other formatting applied
- FIX: The audit log filter for event type now works correctly, even when the event type is translated into languages other than English
- FIX: Resolved text overflow in the blue box on the Settings > WP Version Info page
- FIX: Some user meta keys were not being removed after uninstalling the plugin
- FIX: Subsites no longer incorrectly detect the Database Prefix feature as active
- FIX: Prevented fatal errors from missing firewall resources, replacing them with debug log entries
- FIX: WordPress database error: BLOB, TEXT, GEOMETRY, or JSON columns cannot have a default value set
- FIX: The load_plugin_textdomain function is called during the init action, and translations are applied afterward
- FIX: Renamed login page is now using the WordPress translations
- TWEAK: Added a filter for PHP firewall rules templates
- TWEAK: Updated the country code field for audit logs to be based on the IP address (Premium)
- TWEAK: Improved the text in the 404 detection tab
- TWEAK: Moved the allowlist into the blacklist tab, and renamed it to “Block & Allow Lists”
- TWEAK: Moved the WP REST API feature to the PHP rules tab
- TWEAK: Refactored multiple command classes to use the new AJAX response helper method: Tools, File scan, Files, Settings, and Log commands classes
- TWEAK: Updated the UI for the .htaccess rules, Captcha settings and file protection tabs
- TWEAK: Added a note in Settings > Delete plugin settings tab
- TWEAK: Early calls to get_plugin_data() no longer require translations
- TWEAK: Refactored the firewall command class to use the response helper method
- TWEAK: Added a constant AIOS_DISABLE_HTTP_AUTHENTICATION. Define this in your wp-config.php to disable HTTP authentication
5.3.4 – 21/Oct/2024
- FEATURE: Added a HTTP authentication feature that allows protecting the site with a username/password login.
- FIX: Added a new method to reset the firewall rules under general settings
- FIX: Resolved the issue with post cache which caused an issue with comment spam prevention
- TWEAK: Added a helper class for API requests
- TWEAK: Removed whitespaces at end of sentences
5.3.3 – 16/Sep/2024
- FEATURE: Added captcha option for WooCommerce classic guest checkout page.
- FIX: Fixed responsive layout issues with dashboard notice logo on mobile devices.
- FIX: Turnstile captcha widget showing multiple times
- FIX: Solved memory issue for reading larger host system log file
- FIX: Removed .htaccess options from the Settings menu on Nginx, IIS and unsupported web servers
- FIX: Resolved UX popup issue and firewall allowlist sanitization
- FIX: Resolved an issue where bulk table actions were still executed even if the confirmation dialog was canceled.
- FIX: Added a null check to prevent PHP warnings in firewall rules
- TWEAK: Ajaxified the actions in the settings, filesystem security, spam prevention and user security menu
- TWEAK: Added Ajax support to list tables and the audit log
- TWEAK: Added CAPTCHA field to MemberPress forgot password and registration forms
- TWEAK: Excluded .htaccess tabs from settings if the server is not supported
- TWEAK: Updated the firewall rules UI and malware scanner description
- TWEAK: Tweaked the htaccess backup method to generate the random filename
- TWEAK: Removed ‘prevent access to default WP files’ from .htaccess and added ‘license.txt’ to deletion list.
5.3.2 – 06/Aug/2024
- FIX: Bug that allowed subsite admins to delete audit logs of other subsites
- FIX: Disabled blacklisting on subsites because the PHP-based firewall currently applies to the entire multisite
- FIX: An issue with getting the Googlebot IP ranges
- TWEAK: Added extra protections in place before modifying the .htaccess file
- TWEAK: Actions in the tools, firewall and scanner menu are now processed via AJAX
- TWEAK: Trimmed leading and trailing whitespace from inputs in the WHOIS lookup tab
- TWEAK: Added a confirmation pop-up when users clear records in the Debug Logs table
- TWEAK: Added captcha support for the MemberPress plugin
- TWEAK: Improved the UX of the WP REST API options
- TWEAK: Internal code improvements to improve maintainability
- TWEAK: Updated the feature manager to improve performance
- TWEAK: Fixed the issue of blank tables on mobile view
5.3.1 – 26/Jun/2024
- FEATURE: Added CAPTCHA to password protected pages/posts
- FIX: Captcha not showing on the BuddyPress registration page
- FIX: WooCommerce logout issue when the renamed login page and login whitelist features are both enabled
- FIX: Missing CAPTCHAs when multiple WooCommerce login and register forms are on the same page
- FIX: Fixed an issue with the 404 detection actions
- FIX: A UI issue with the 2FA QR code image
- TWEAK: Added the attribute data-cfasync=”false” to the default captcha url to allow loading on Cloudflare Rocket Loader
- TWEAK: Purge login lockdown table records after 90 days to restrict size. The AIOS_PURGE_LOGIN_LOCKOUT_RECORDS_AFTER_DAYS constant has been added to change the default.
- TWEAK: Updated the malware scanner frequency text from daily to weekly
- TWEAK: Updated the password strength meter UI for the password tool
- TWEAK: Add a ‘Lock IP’ and ‘Blacklist IP’ link to the IP column of the audit log.
- TWEAK: Enhance fake Googlebot detection. In the case where gethostbyaddr fails, the firewall will fallback to checking against known Googlebot IP ranges
- TWEAK: Updated the column header for the “Permanent Blocked IP Addresses” table to be consistent with other tables
- TWEAK: Prevent warning when DISALLOW_FILE_EDIT has already been defined
- TWEAK: Fix instances of one translation function being used for multiple sentences
- TWEAK: Improved the UX during AJAX calls
- TWEAK: Removed Trash spam comments duplicated description
5.3.0 – 01/May/2024
- FEATURE: Added bulk force logout features for logged in users
- FIX: An issue with the WooCommerce my account page logout function when the cookie based brute force feature is turned on
- FIX: Warning undefined array key SCRIPT_FILENAME
- FIX: Custom redirection after login not working if url contains the redirect_to parameter
- FIX: List of administrator accounts not showing on the user security page
- FIX: Issue with cookie-based brute force prevention solved when the salt postfix feature is on.
- FIX: Fixed country field not showing in the 404 event logs (Premium)
- FIX: Fixed country field not showing in the smart 404 blocked IP log (Premium)
- TWEAK: Fixed translation issue not showing as per admin user set language instead of site settings
- TWEAK: Firewall upgrade changes are applied without access to the admin interface
- TWEAK: Change the labels for the switches to a more appropriate wording
- TWEAK: In the file scanner results show the file sizes in a human readable format
- TWEAK: Updated the default message for attempts to access wp-admin
- TWEAK: Internal refactor of the update code to improve code clarity.
- TWEAK: Port the ‘Block fake Googlebots’ feature to the PHP-based firewall
- TWEAK: Remove requirement for at least one IP for ‘Blacklist’, ‘Login whitelist’ and ‘Login lockout IP whitelist’ to be enabled.
- TWEAK: Added error message when a user tries to block their own IP on registration approval
- TWEAK: Added method to update badge on AJAX call
- TWEAK: internal refactor of the AIOWPSecurity_Utility_File class to improve code clarity
- TWEAK: Seasonal notice content update for 2024
5.2.9 – 06/Mar/2024
- FIX: Remove call to update_event_table_column_to_timestamp in update routine
- FIX: Remove call to wp_timezone() which is only available in WP 5.3+
5.2.8 – 05/Mar/2024
- FIX: The user check that affects the Duo authentication plugin
- FIX: Database update routine is now run without needing to visit the admin interface or each individual site in a multisite
- FIX: Some settings in the firewall menu not resetting after deactivating and reactivating the plugin.
- TWEAK: Audit log and 404 events CSV export file date time column is now in a human readable format not unix timestamp
- TWEAK: Debug log table existing datetime field converted to timestamp to be timezone independent
- TWEAK: Global meta table existing datetime field converted to timestamp to be timezone independent
- TWEAK: Permanent block table existing datetime field converted to timestamp to be timezone independent
- TWEAK: Refactor list item actions to further improve code clarity
- TWEAK: Removed blacklist admin menu as previously announced
- TWEAK: Removed miscellaneous admin menu as previously announced
- TWEAK: Removed various admin menu tabs as previously announced
- TWEAK: Store IP lookup result for other types of entries in the login lockdown table
- TWEAK: Update the footer review prompt
- TWEAK: Max file upload size limit to 250 MB by aiowps_max_allowed_upload_config filter removed
- TWEAK: Improve comment spam detection to not interfere with other forms
5.2.7 – 06/Feb/2024
- SECURITY: Added nonce checks to various list table actions to prevent a CSRF vulnerability. Thanks to dhakal_ananda for disclosing this defect. This would allow an attacker who persuaded a logged-in administrator to visit a specially crafted link to perform actions on the 404 event records.
5.2.6 – 06/Feb/2024
- SECURITY: Removed unnecessary use of the “tab” query parameter on various admin menu pages to prevent a non-persistent XSS vulnerability. Thanks to Matthew Rollings for disclosing this defect. (This would allow an attacker who deliberately targets you whilst logged in as an administrator and persuades you to visit a link he controls to inject unwanted scripts on a single visit to your AIOS admin page).
- FEATURE: Added logout event to the audit logs
- FEATURE: Add ability to delete the default readme.html file and wp-config-sample.php file
- FIX: Correct some translation calls that were using the wrong text domain
- FIX: PHP notice caused by the file scanner being unable to read its data file
- FIX: Unlock request button was not showing and redirected to 127.0.0.1
- FIX: Database errors for the aiowps_login_lockdown table during plugin installation
- TWEAK: Refactor the 6G UI
- TWEAK: Added an option to set the Cloudflare Turnstile CAPTCHA theme
- TWEAK: Added CSS styling for audit log details column
- TWEAK: Dashboard critical feature status links fixed and only show features that can be enabled in a multisite subsite
- TWEAK: Deactivating the plugin now removes stored login info so on the next activation users are not force logged out
- TWEAK: Display json string instead of null if json_decode does not work for audit log details
- TWEAK: Event table existing datetime field converted to timestamp to be timezone independent
- TWEAK: Various tweaks to get codebase up to coding standards
- TWEAK: Various tweaks to ensure multiple sentences are not passed to a single translation function
- TWEAK: Fix the broken UI for RSS and Atom firewall settings and added a more info box
- TWEAK: Fix the issue of unique ID in DOM
- TWEAK: Merge Username and Display Name tabs in User Security Settings
- TWEAK: Moved the ‘404 detection’ tab to the ‘Brute force’ admin menu
- TWEAK: Moved the ‘PHP file editing’ tab into ‘File Protection’ tab
- TWEAK: Moved the ‘User enumeration’ tab into the ‘User accounts’ tab in the User Security Menu
- TWEAK: Moved the ‘WP Rest API’ tab into the Firewall Menu
- TWEAK: Moved the ‘Copy protection’ and ‘Frames’ tab into the Filesystem security menu
- TWEAK: Moved the ‘Salt’ tab into the User security menu
- TWEAK: Moved ‘Blacklist Manager’ tab into the Firewall menu.
- TWEAK: Password resets, removed and deleted users are now recorded in the audit log
- TWEAK: Stop 404 IP from being locked if there’s a current lock on that IP
- TWEAK: Unify date and time conversion with user's timezone support
- TWEAK: Changed how empty data in ip lookup result is stored in the database
- TWEAK: Rework Firewall Menu page to have two tabs for PHP and .htaccess rules
- TWEAK: Add captcha support for Contact Form 7
- TWEAK: Added an AJAX save settings function and a get feature details badge function as part of ongoing work to add AJAX support to the plugin settings
- TWEAK: Enhance reset password email by adding IP info
- TWEAK: Remove defunct imagetoolbar meta tag
- TWEAK: Login lockout tables existing datetime field converted to timestamp to be timezone independent
- TWEAK: Code improvements – utilising WP_Error objects instead of arrays
5.2.5 – 25/Oct/2023
- SECURITY: On a multisite install, if using the AIOS feature for renaming and hiding the login page, a route existed for an attacker to discover the hidden login page, thus negating the usefulness of the feature. Thanks to Naveen Muthusamy for disclosing this defect.
- FEATURE: Block POST requests that have a blank user-agent and referer
- FEATURE: Added reverse IP Lookup data to the login lockdown notification email
- FIX: Prevent a fatal error when setting up the firewall if the host has disabled the parse_ini_file function
- FIX: Prevent the firewall message store from filling up with unused entries
- FIX: Prevent legitimate Googlebot traffic being blocked on sites where the gethostbyaddr function fails or is disabled
- FIX: An issue that prevented MainWP updates from being performed correctly
- FIX: Prevent user enumeration via the REST API and oEmbed protocol
- FIX: User agent blacklist not matching all strings correctly
- FIX: Logged in user table not showing the correct information
- TWEAK: Improve comment spam detection by using hidden fields and cookies
- TWEAK: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist
- TWEAK: The menu actions in the dashboard admin menu are now processed via AJAX
- TWEAK: Converted checkboxes in the admin menu pages to switches
- TWEAK: Add network_id and site_id column to debug logs table for differentiating logs between sites on multisite
- TWEAK: Combined various user admin menus into a new ‘User Security’ admin menu
- TWEAK: Export configuration filename now reflects the local timezone.
- TWEAK: Improve the UI/UX of the file scanner making way for future improvements
- TWEAK: Redesign the feature manager badges
- TWEAK: Removed various admin menu tabs as previously announced
- TWEAK: Add features that depend on other plugins to the feature manager conditionally
- TWEAK: Added a null check to function that removes wp meta info from scripts and styles src to prevent a PHP deprecation warning
- TWEAK: Audit log date and time are now displayed in the site's timezone
- TWEAK: Fixed PHP warning "undefined array key REQUEST_METHOD" in rule-proxy-comment-posting.php
- TWEAK: When TranslatePress is active, logging out via WooCommerce should not show a 404 page if the “rename login page” setting is on.
5.2.4 – 16/Aug/2023
- FIX: Stop ported firewall settings from being disabled on upgrade
5.2.3 – 09/Aug/2023
- FIX: Fatal error “set_value() on null” when the firewall config is missing
- FIX: PHP notices when running under cron
- FIX: Revert change that caused the Brute force login whitelist to show the server IPs and not the users
- TWEAK: Add communication mechanism so that firewall can send data to WordPress
- TWEAK: Remove incorrect mentions of the .htaccess file on PHP Firewall rules
5.2.2 – 04/Aug/2023
- FEATURE: An allow list of IP addresses which bypass the firewall rules
- FIX: Fix get_class() on null fatal error when updating via ManageWP
- FIX: No such file or directory notice generated by the firewall’s config file
- FIX: Only send the upgrade email if one or more of the ported rules had been enabled
- FIX: Fake Google bots are now blocked if bot server IP address does not resolve to a hostname
- FIX: Google reCaptcha now appears correctly on the WooCommerce checkout page
- FIX: Prevent Woocommerce auto login if manual registration approval is turned on
- FIX: Premium upgrade tab UI overlapping issue.
- FIX: Allow maintenance mode to be controlled via WP-CLI (Premium)
- FIX: Use the correct site id for login success events added to audit log table on Multisite
- FIX: Added missing features to the feature manager list
- FIX: A warning when using the update all command via WP-CLI
- TWEAK: AIOS settings based IP address is now used instead of the REMOTE_ADDR server variable for multiple wrong 2FA code notification
- TWEAK: Added ‘aios_audit_log_record_event’ filter to allow events to not be recorded
- TWEAK: Improve the feature item manager code structure making way for future improvements
- TWEAK: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist.
- TWEAK: Move the ‘Custom rules’ tab from the ‘Firewall’ section to its own tab in the ‘Tools’ section
- TWEAK: Move the ‘Prevent hotlinking’ tab to the ‘File protection’ tab in the ‘Filesystem Security’ menu
- TWEAK: Moved all CAPTCHA settings to the ‘CAPTCHA settings’ tab in the ‘Brute Force’ menu
- TWEAK: Moved the ‘Password tool’ tab to the ‘Tools’ admin menu
- TWEAK: Moved the ‘Visitor lockout’ tab to the ‘Tools’ admin menu
- TWEAK: Moved the ‘User registration honeypot’ tab to the ‘Brute force’ admin menu
- TWEAK: Remove ‘Account activity table’ as these entries are also recorded in the audit log
- TWEAK: Removed the ‘Failed login records’ tab as previously announced, these are now recorded in the audit log
- TWEAK: Improve list table code performance
- TWEAK: Removed use of $_GET, $_POST, $_REQUEST from all template files making way for future improvements
5.2.1 – 12/Jul/2023
- FIX: Include helper class file from loader
- TWEAK: Conditionally load TFA block JavaScript
5.2.0 – 10/Jul/2023
- SECURITY: Remove authentication data from the stacktrace before saving to the database. This defect meant that a site administrator had the potential, between releases 5.1.9 to 5.2.0 (which purges the existing data), to know what site users’ passwords are. This information has limited value (an admin can already reset anyone’s password) except insofar as the passwords may be re-used by users on other sites. In that “hostile admin” scenario, your site has other problems (since the hostile admin has a whole raft of equivalent ways of causing mischief to users, especially if not on multisite where a site admin is potentially not a super admin and may not be able to install or configure plugins). This changelog has been expanded in response to incorrect reports which suggested a wider problem (for example, they did not mention that the attacker needs to already be logged in as an admin to read the log, or that upgrading to 5.2.0 deletes the affected data).
- SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.
- FIX: After editing a file reset permissions back to the original permissions
- FIX: Corrected some broken links in the plugin
- FIX: Fatal error: cannot declare class
- FIX: Normalise all arguments in the stacktrace
- FIX: Wrong login entries added to login activity table on multisite when user logs into subsite they don’t belong to.
- FIX: Too many redirects error for forced logout users solved
- TWEAK: For cron jobs, WP-CLI and when the AIOS_DISABLE_EXTERNAL_IP_ADDR constant is defined, do not use external services for user IP addresses. Silenced the api.ipify.org "request failed" warning.
- TWEAK: Reset password page: added missing translation and a generate password button for the renamed login page
- TWEAK: Added ‘aios_audit_log_event_user_ip’ filter to allow filtering of IP addresses in the audit log
- TWEAK: Added action hook “aios_reset_all_settings” for reset all settings.
- TWEAK: Renamed login page now has a language change dropdown and other tweaks in line with WordPress 6.2
5.1.9 – 09/May/2023
- FEATURE: IP addresses – Blacklist manager functionality is now based on PHP instead of .htaccess rules. Added the AIOS_DISABLE_BLACKLIST_IP_MANAGER constant; define it in your wp-config.php to disable the IP blacklist manager.
- FEATURE: Detect spambots posting comments and either discard their comments completely or mark them as spam.
- FEATURE: Encrypt TFA secret keys that are stored in the database (extra protection in case of your database being hacked)
- FEATURE: Added a “Delete all” and “Delete filtered” bulk action to the audit log table
- FIX: Prevent Cloudflare Turnstile being added to login forms when no credentials were set
- FIX: Change where the audit log event handler is loaded to prevent an error on plugin deletion
- FIX: Fix context class checks to support cli
- TWEAK: Multisite super admin can access the subsite dashboard without logging in again if salt postfix is enabled
- TWEAK: CAPTCHA JavaScript file was unnecessarily loaded on some site pages if comment CAPTCHA or custom login CAPTCHA was enabled
- TWEAK: Change some nonce checks to use our internal function to check user capability and nonces
- TWEAK: User registrations and successful logins are now recorded in the audit log
- TWEAK: Added a commands class and refactored AJAX handlers
- TWEAK: CAPTCHA verification adjusted to prevent conflicts with some plugins that re-call the WordPress authentication code
- TWEAK: Improve database table prefix feature UI.
- TWEAK: WordPress core updates are now recorded in the audit log
- TWEAK: Translation updates are now recorded in the audit log
- TWEAK: Add an entity changed event to the audit log when upgrader information is not available
- TWEAK: Fixed automated emails sent by AIOS that failed to send because of the from address
5.1.8 – 11/April/2023
- FIX: 404 detection – Individual record blacklisting, delete, temp block actions stopped working in 5.1.7
- FIX: Uncaught fatal error on null ‘set_value’
- FIX: Remove audit log event handler actions on plugin deletion to prevent an error
- FIX: Remove some audit log event handlers on plugin deletion to prevent an error
- FIX: Get correct wp-config path when installed in a subdirectory
- TWEAK: AIOS_Helper::request_remote timed out exception ignored.
- TWEAK: Requests_IPv6 class name deprecated in WordPress 6.2.
- TWEAK: Failed login attempts are now recorded in the audit log
5.1.7 – 24/March/2023
- FIX: Prevent fatal error when calling get_server_detected_user_ip_address() when the firewall is not setup
- TWEAK: Clarify dashboard notice title and change image.
5.1.6 – 21/March/2023
- FEATURE: Added an audit log
- FEATURE: Add salt postfix option to improve your site’s security
- FEATURE: Shared library that can be used from the firewall.
- FIX: Renamed login slug of the form wp-login-RANDOM_SUFFIX showing a 404 page; issue solved and code cleaned up for multisite activation.
- FIX: Divi child theme conflict – "Call to undefined function et_builder_get_fonts()" in functions.php on line 208 solved.
- FIX: Captcha settings tab in multisite installation for subsites not showing
- FIX: Cron reschedule event error for hook aios_15_minutes_cron_event if plugin deactivated or uninstalled
- TWEAK: Stop user enumeration now shows 403 forbidden error code instead of 500 server error
- TWEAK: PHP 8.1 warning "rawurldecode(): passing null to parameter of type string is deprecated" for the 6G block request string rule
- TWEAK: Code clean-up for the disable cookie-based brute force constant, as the rule has moved to the firewall
- TWEAK: Comment spam IP monitoring page UI
- TWEAK: Updated seasonal notices
- TWEAK: Improve internal code structure making way for future improvements
- TWEAK: Remove mention of the 6g firewall rules being .htaccess based as they are now php based
- TWEAK: Added new internal function to check user capability and nonces
- TWEAK: Improve config code with inline saving.
- TWEAK: Allow audit log to be filtered and exported to CSV
5.1.5 – 13/February/2023
- FEATURE: Added Cloudflare Turnstile CAPTCHA support
- FIX: Notices about undefined array key HTTP_USER_AGENT solved.
- FIX: New v5 features not saved in export file and not properly reset after uninstallation.
- FIX: File permission change being applied to the last record not selected one. Also, no longer change permissions when they are already tighter than the suggested.
- FIX: Fatal error ‘Call to a member function contains_contents() on null’
- TWEAK: Removed wrong information about login whitelist being implemented via htaccess.
- TWEAK: Refactoring settings tasks for WP CLI AIOS premium commands.
- TWEAK: Improved a page load performance issue caused by the incompatible TFA premium plugin active check.
- TWEAK: Make sure translation domain is registered before attempting to use it
- TWEAK: Replaced click with press in text because users could be on mobile etc and not using a mouse.
- TWEAK: Registration, comment, BuddyPress and bbPress admin pages now show a notice to enable the CAPTCHA settings.
- TWEAK: Improve the UI/UX for the 404 detection tab
- TWEAK: Improve internal code structure making way for future improvements
- TWEAK: PHP 8.2 deprecation warning for dynamic properties
- TWEAK: Remove the unintended ability for directory traversal and lack of escaping when outputting files with the “view system log” feature. This facility is only available to an administrator (who can of course already do anything on the site, so this has no security implications) and allow them to view (the last 50 lines) from any file or list any directory on the system where the web server has read access.
- TWEAK: Firewall gets constants from a single source.
5.1.4 – 14/December/2022
- FEATURE: Add option to disable RSS and ATOM feeds.
- FIX: The IP address blacklist manager wasn’t working.
5.1.3 – 09/December/2022
- SECURITY: No longer save settings import files in a publicly accessible folder where they can be potentially indexed by search engines if the administrator does not actually import the settings (which deletes the import file)
- FEATURE: Implement firewall events system
- FIX: Protect subsites when firewall is loaded via plugins_hook
- TWEAK: Improve the UX for uploading import files
- TWEAK: Add a default CAPTCHA option making way for new CAPTCHAs in the future
5.1.2 – 07/December/2022
- FEATURE: User Agent – Blacklist manager functionality is now based on PHP instead of .htaccess rules.
- FIX: Sorting by ‘status’ on the comment spam table
- FIX: Copy protection feature not working on iPhone
- FIX: Cookie-based brute force prevention locked users out if the plugin was deactivated and activated again.
- FIX: The notice to reapply .htaccess rules after reactivating the plugin is displayed on subsites.
- FIX: Various WordPress command line notices about undefined $_SERVER indexes
- FIX: Firewall settings file sync issue after deactivating and reactivating the plugin solved.
- TWEAK: 2FA setting page to show premium options for AIOS premium.
- TWEAK: Remove characters that should not have been on the scanner page
- TWEAK: Organise firewall rules into subdirectories
- TWEAK: Added a GDPR question and answer to the AIOS WP.org plugin's FAQ section.
- TWEAK: Allow AIOS management permission to be filtered via the aios_management_permission filter
- TWEAK: Make use of the is_main_site() function.
- TWEAK: Copy IP to clipboard when clicking on it at WP Security -> Brute Force -> Login whitelist.
- TWEAK: Better context detection for the firewall
5.1.1 – 16/November/2022
- SECURITY: Fixed a failure to check bulk action nonces, leading …