iThemes Security

Changelog

8.1.8

• News: iThemes Security is becoming Solid Security soon. Learn More: https://go.solidwp.com/security-free-notice-ithemes-becoming-solidwp

8.1.7

• Important: Enforce encryption for Two-Factor secrets.
• Tweak: Add Stellar and Solid banners.
• Bug Fix: Don’t require “Write to Files” to be enabled to use the “Rotate Encryption Key” tool.

8.1.6

• Bug Fix: Fallback to the homepage when Enforce SSL encounters a non-safelisted redirect destination.
• Bug Fix: IP Detection on sites behind Load Balancers that appended their IP address to X-Forwarded-For and did not provide a Real IP header.

8.1.5

• Security Hardening: Prevent open redirects attacks against the Enforce SSL module. This attack requires spoofing the Host header which requires additional conditions to exploit. Thanks to nlpro for reporting the issue. Read More: https://ithemes.com/?p=84309
• Bug Fix: Update Password Strength library to the latest version. This fixes discrepancies between the realtime password strength estimation and the enforced password strength.

8.1.4

• Tweak: Add “All” tab to the Features page.
• Tweak: Don’t show “Ban” buttons in Security Dashboard if the user won’t be able to create a ban.
• Bug Fix: Prevent Headers Already Sent warning when a lockout occurs during a WP Cron request on some server setups.
• Bug Fix: Manually load Sodium Polyfill for servers that have an older version of libsodium installed.
• Bug Fix: Error when saving the File Change settings when the “notify_admin” setting was set.
• Bug Fix: Prevent a redirect loop when logging in on sites that take more than 5 seconds to load the Dashboard.

8.1.3

• Important: iThemes Security now requires PHP 7.3 and WordPress 5.9 or later.
• Security: Add support for encrypting Two-Factor Mobile App secrets. Enable via Tools -> Set Encryption Key.
• Security: Deprecate Automatic Proxy Detection. Instead, manually configure Proxy Detection or use Security Check. Fix IP spoofing attacks.
• Enhancement: Add “Ban Lockout” button to the Active Lockouts card.
• Bug Fix: File Logs not rotating.
• Bug Fix: PHP warning when loading Icon Fonts in certain configurations.
• Bug Fix: Don’t attempt to Hide Backend when a Cron request is being processed.
• Bug Fix: Prevent entering invalid date values when selecting a custom date range in the Security Dashboard.
• Bug Fix: Preliminary PHP 8.1 compatibility.
• Bug Fix: File Change “notify_admin” settings validation error.
• Thanks to Calvin Alkan for reporting the security issues fixed in this release.

8.1.2

• Tweak: Require a Title when creating a new Dashboard.
• Bug Fix: Don’t attempt to send a Site Scan notification for Clean scans preventing a fatal error after scheduled site scans.

8.1.1

• Bug Fix: Error when visiting the Notifications page after activating a module with notifications for the first time.
• Bug Fix: Update deprecated withState usages to useState.

8.1.0

• Important: iThemes Security now requires WordPress 5.8 or later.
• New Feature: Include the full iThemes Security Site Scanner in iThemes Security Free. Scheduled scans are disabled by default.
• Tweak: Add new “Go Pro” page that includes an overview of features in iThemes Security Pro.
• Bug Fix: Scroll to top of window when navigating.
• Bug Fix: Allow searching for Password Requirements.
• Bug Fix: Don’t load WordPress and System Tweaks modules when the ITSEC_DISABLE_MODULES constant is enabled.
• Bug Fix: Prevent incidentally loading the Two-Factor module when it is unregistered.
• Bug Fix: Conditionally display the NGINX File Path setting.
• Bug Fix: Allow saving Notifications when “default recipients must contain at least 1 item” error is present.
• Bug Fix: Help styling on WordPress 5.9.
• Bug Fix: Compatibility with plugins that expected a logged-in user during lockouts.

8.0.2

• Enhancement: Reintroduce Feature Flags management UI.
• Tweak: Reposition “Advanced” and “Tools” menu items to be more readable on lengthy screens.
• Bug Fix: When the Change Admin User tool is run, update any User Groups referencing the old user id.
• Bug Fix: WordPress footer would appear in the middle of the logs page.
• Bug Fix: Add missing translation strings file.

8.0.1

• Bug Fix: Sites that did not support HTTPS, but had the SSL module active, but not configured, on upgrade would get redirected to the HTTPS version of the site.
• Bug Fix: Unregister the iThemes Security Two-Factor module when the Two-Factor Feature Plugin is enabled.
• Bug Fix: Allow activation on WordPress 5.7.0.
• Bug Fix: Add missing textdomains.

8.0.0

• Important: iThemes Security now requires WordPress 5.7 and PHP 7.0 or later.
• New: iThemes Security gets a redesigned interface focused on making it easier to configure and find what you’re looking for. Read More: https://ithemes.com/?p=65086.
• New: Instantly search over everything in iThemes Security with a new instant search feature.
• New: Security Tools have been grouped into their own page. “Identify Server IPs” and “Security Check Pro” can be run manually without using Debug Mode.
• New: Relevant content from the Help Center, iThemes Blog, and iThemes YouTube channel is surfaced in a new Help area based on the current page. Click the “Help” button in the toolbar or the “Info” icon next to the page title to access it.
• New: The settings UI is now fully responsive and works great across mobile, tablet, and desktop devices.
• New: Two-Factor is now part of the core iThemes Security plugin.
• Enhancement: Improved keyboard and screen reader support.
• Enhancement: The Banned Users Card can add multiple bans at once.
• Tweak: Add a new Global setting to control “Automatically Temporarily Authorize Hosts”.
• Tweak: When the Global setting “Hide Security Menu in Admin Bar” is enabled, notices will no longer be printed on non-iThemes Security pages. Instead, you can access the Message Center from the Settings or Dashbaord toolbars.
• Tweak: The Database Backups module is no longer available if you have BackupBuddy installed. If this behavior isn’t desired, enable the “ITSEC_ENABLE_BACKUPS” constant.
• Tweak: The Geolocation API configuration used by Trusted Devices has been moved into it’s own dedicated “Geolocation” module.
• Tweak: Move “Have I Been Pwned” integration to the Core plugin.
• Tweak: Reduce filename length and complexity for built CSS and JS files.
• Removed: The following modules have been removed: 404 Detection, Away Mode, Change Content Directory, and Multisite Tweaks.
• Removed: The following WordPress and System Tweaks have been removed: Remove Windows Live Writer Header, EditURI Header, Comment Spam, Mitigate Attachment File Traversal Attack, Protect Against Tabnapping, Filter Long URL Strings, Filter Non-English Characters, Filter Request Methods, Remove File Writing Permissions.
• Removed: The “Backup Full Database” setting has been removed from the Backups module.
• Removed: The “Require SSL”, “Front End SSL Mode”, and “SSL for Dashboard” settings have been removed from the SSL module.
• Bug Fix: Fix fatal errors when using PHP 8.
• Bug Fix: Fix infinite loop when restricting who can use App Passwords on multisite installs.
• Bug Fix: Ensure the ITSEC_Setup class does not exist before trying to load it. Display schema errors on multisite in the Network Admin.
• Bug Fix: Labels for Disable PHP Execution in Plugins and Themes were reversed.
• Bug Fix: Add missing constants to the debug page.
• Bug Fix: Remove deleted recipients when saving notifications.
• Bug Fix: Correct Site Scan statuses for scans with no issues.
• Dev Note: Modules are now based on a module.json configuration file. If you are registering custom iThemes Security module, you should update it to include a module.json file that adheres to the core/module-schema.json JSON Schema.
• Dev Note: The Network Brute Force module had it’s folder updated to “network-brute-force” from “ipcheck”.
• Dev Note: New Object Oriented API for creating Password Requirements.
• Dev Note: New Settings and Modules REST API endpoints.
• Dev Note: New RPC REST API namespace. There is no backward compatibility promise for these API endpoints.

7.9.1

• Security: Fix Hide Backend Bypass, thanks to Julio Potier for reporting the issue.
• Tweak: Add filters to short-circuit lock APIs.
• Tweak: Remove non-SSL fallbacks for Security Check Pro and Version Management.
• Bug Fix: Tweak checkbox styles.
• Bug Fix: Improved compatibility with WP Engine.
• Bug Fix: Pass the WP_Error object to the wp_login_failed hook.
• Bug Fix: Prevent wp_no_robots deprecation warning on WordPress 5.7.

7.9.0

• Important: iThemes Security requires WordPress 5.4 or later.
• Enhancement: Add a setting for configuring the number of bans added to the server config files (.htaccess/nginx.conf).
• Enhancement: Store the time a ban was added, and the lockout module responsible for the ban.
• Enhancement: Overwrite Restrict Content Pro’s detected IP address with the IP detected by iThemes Security.
• Tweak: Disable SSL verification when performing the Security Check Loopback test. Some hosts can’t properly verify loopback requests. This verification is unnecessary in this circumstance, and disabling SSL verification aligns iThemes Security with default WordPress loopback behavior.
• Bug Fix: PHP warnings when invalid entries are stored in the WordPress Cron storage.
• Bug Fix: Update the list of tables added to wpdb.
• Bug Fix: Remove default value for text columns. This caused an issue on MySQL 8 and is unnecessary.
• Bug Fix: Missing borders in the sidebar widgets on WordPress 5.5.
• Bug Fix: Notice actions didn’t trigger when “Hide Admin Bar” is enabled.
• Bug Fix: Some users would be force to choose a strong password twice in a row.
• Bug Fix: Warning when saving the Ban Users module outside of the Settings Page without passing the legacy host_list setting.
• Bug Fix: Passwords Requirements compatibility with Restrict Content Pro.
• Bug Fix: PHP warnings that may occur when initializing default user groups on a new installation.

7.8.0

• New Feature: The new, improved WordPress Security Site Scan powered by iThemes checks if Google has detected malware and added your site to their threat list.
• Enhancement: Remove quick bans. Persist banned hosts to .htaccess or nginx.conf on an hourly schedule.
• Tweak: Cap banned hosts persisted to .htaccess or nginx.conf to the most recent 100. This number can be adjusted with the “itsec_ban_users_max_hosts_for_server_config” filter. Older banned hosts will be locked out after WordPress loads.
• Tweak: Ensure randomly generated passwords are considered strong by the Strong Passwords library.
• Tweak: Suggest a 32 character password when forcing a password change.
• Tweak: Change insensitive language to be more inclusive.
• Bug Fix: PHP warning when a user’s email address is updated outside of the user edit admin page.
• Bug Fix: Fix login interstitials on WP Engine when using a front-end login form.
• Bug Fix: PHP warning when checking opaque tokens.
• Bug Fix: PHP warning after successfully connecting a site to iThemes Sync via the login connection flow.
• Bug Fix: File Change Security Message would not appear for new installs.

7.7.1

• Bug Fix: PHP warning when evaluating password requirements.

7.7.0

• Important: iThemes Security requires PHP 5.6 or greater and WordPress 5.2 or greater.
• New Feature: Save Time Securing WordPress With User Groups!
• New Feature: Simplified connection flow when setting up iThemes Sync.
• Enhancement: Add a warning if a WordPress Salt is set to an invalid value.
• Enhancement: Include child log items in the logs list table. These are helpful for debugging issues.
• Enhancement: Improve performance of the logs page on sites with large number of log items.
• Enhancement: Check tables exist after completing a DB upgrade.
• Tweak: When logging $_SERVER, only log a snapshot of available properties.
• Bug Fix: The “Mulisite Tweaks -> Hide Updates” setting prevented auto-updates from running with WP Cron.
• Bug Fix: Backup event was not added when the WP Cron Scheduler was reset manually.
• Bug Fix: Admin Notices Popover was not being hidden when clicking outside the Popover on WP 5.3.
• Bug Fix: New Password Requirements for already created accounts were not enforced until the second login.
• Bug Fix: Update admin notices styling to be compatible with WordPress 5.4.
• Bug Fix: Periodically clear expired opaque tokens.
• Bug Fix: Don’t block registration page when “wp-signup.php” is the Hide Backend register slug.
• Bug Fix: Users with weak passwords would not be forced to change their password if the strong password requirement had been enabled after their password strength was checked.
• Bug Fix: Remove “get_magic_quotes()” call that existed for backwards compatibility with PHP versions 5.3 and earlier. This function call was causing a warning on PHP 7.4.
• Bug Fix: Warning when loading the settings page on PHP 7.4.
• Bug Fix: Warning when loading the debug page on PHP 7.4.

7.6.1

• Bug Fix: Properly notate that iThemes Security requires PHP 5.5 or greater.

7.6.0

• Breaking Change: iThemes Security requires PHP 5.5 or later.
• New Feature: iThemes Security now includes Security Check Pro to automatically and correctly determine your visitors IP addresses. Enable this scan by running Security Check and opting in to Security Check Pro or activate the Security Check Pro module in Advanced Modules. H/t Jeremy Voisin
• Enhancement: Run Security Check Pro IP Detection automatically once a day.
• Enhancement: Manually re-run Security Check Pro IP Detection from the Global Settings page.

7.5.0

• Breaking Change: iThemes Security requires PHP 5.4 or later.
• Enhancement: New Lockout Template screen.
• Enhancement: Add confirmation button to Login Interstitial Async Actions when on a different device.
• Enhancement: Add filter to “Lookup IP” link.
• Developer Note: There were significant changes to the internals of the iThemes Security Lockout API in this release. If you are using the ITSEC_Lockout class directly, all the API functions will continue to work, but will emit deprecation notices when legacy behavior is being used. Please update any integrations.
• Bug Fix: Brute Force module reporting invalid logins using an email address incorrectly.
• Bug Fix: Improve lockout compatibility with caching plugins.
• Bug Fix: Fix admin notice not being dismissed due to a REST API route that was more narrowly defined than necessary.
• Bug Fix: Admin Notices list did not refresh after dismissing a notice.
• Bug Fix: Strong Passwords zxcvbn Library was not evaluating penalty strings correctly.
• Bug Fix: Fix PHP warning if there are multiple detected proxy headers.

7.4.1

• Enhancement: New iThemes Sync Verb support for File Change.
• Tweak: Add additional information about the login attempt when calling the Network Brute Force API.
• Bug Fix: Hide Backend Bypass.
• Bug Fix: Strict Standards error during Sync request.
• Bug Fix: wp_die() if a login interstitial session fails to be created instead of throwing a fatal error.

7.4.0

• New: iThemes Security Admin Notices are now conveniently located in the new Security Messages Menu. Check your notices in the Security menu on the WordPress Admin Bar.
• Enhancement: Add Security Message when a Notification Center email fails to send.
• Enhancement: Replace Trace IP with IP Tracker Online.
• Tweak: Remove ‘DELETE’ method from “System Tweaks -> Filter Request Methods”

7.3.3

• Bug Fix: Hide backend bypass.

7.3.2

• Tweak: laat de log- beschrijvingskolom toe om te breken voor URL’s of andere tekenreeksen zonder spaties.
• Bug Fix: Hide Backend bypass on certain Apache configurations.
• Bug Fix: Properly return error that occurs during a backup.
• Bug Fix: Regex warning on PHP 7.3 in the File Change module.
• Bug Fix: Resolve warning when a user is set to “No Role”.

7.3.1

• Verbetering: als ITSEC_DISABLE_MODULES is ingesteld, voorkomt u dat de backend van de hide wordt uitgevoerd.
• Bug Fix: Tabnapping: Apply noopener to links instead of using blankshield script when available to prevent new pop-up blocker behavior from killing the links.

7.3.0

• Enhancement: Add Per-Content SSL toggle to the upcoming Block Editor interface.
• Enhancement: Add filter to the recipients list for email notifications: “itsec_notification_{$notification}_email_recipients” and “itsec_notification_email_recipients”.
• Verbetering: Voeg definitie toe “ITSEC_DISABLE_TEMP_WHITELIST” om de tijdelijke IP Whitelisting voor ingelogde beheerders uit te schakelen.
• Verbetering: verbeter het omleiden na het verwerken van een aanmeldingsinterstitial van een front-end inlogformulier.
• Verbetering: voeg loopback-IP-detectie toe aan beveiligingscontrole.
• Verbetering: detecteer server-IP’s in beveiligingscontrole.
• Tweak: voeg extra veiligheidscontroles toe wanneer je naar systeem configuratiebestanden schrijft. Dit zal een “kritieke kwestie” registreren wanneer het schrijven van een leeg of gedeeltelijk configuratiebestand wordt gedetecteerd en voorkomen.
• Tweak: Verbetering van vergrendeling verbeteren om niet-werkende scans op sites met inconsistente cron-planning te voorkomen.
• Tweak: Verbeter “System Tweaks – Suspicious Query Strings – SQLI” om valse positieven te verminderen.
• Tweak: Verbeter “System Tweaks – Deactiveer PHP” om PHP-bestanden te blokkeren in apache-configuraties die bestanden met een slepende stip serveren.
• Tweak: Verwijder “Seznam Bot” van HackRepair List omdat deze niet aanwezig is in de laatste versie.
• Bug Fix: Include Hide Backend token when emailing a password reset URL.
• Bugfix: Berichtencentrum – Stuur alleen meldingen naar gebruikers met een exacte rol match van geselecteerde rollen in plaats van een fuzzy match op basis van geselecteerde mogelijkheden.
• Bug Fix: Error when trying to edit reusable blocks with per-post SSL enabled.
• Bugfix: waarschuwingen op PHP oplossen 5.2.

7.2.0

• Verbetering: toestaan dat de specifieke proxy- header wordt geselecteerd waarop een server is geconfigureerd. Verbeter de taal om aan te geven hoe belangrijk het is om deze instelling te configureren. H / t Filippo Cavallarin CEO bij wearesegment.com
• Verbetering: blokkeer toegang tot git- en svn-bibliotheken wanneer Systeemaanpassingen -> Bescherm systeembestanden is ingeschakeld.
• Tweak: update de jQuery-validatiebibliotheek naar 1.17.0
• Bug Fix: Improve detection of blocking the File Change Scan from being scheduled if one is already being run.
• Bug Fix: Prevent infinite recursion error when trying to access directories outside of the allowed file tree.

7.1.0

• Nieuwe functie: toestaan voor het globaal instellen van ontvangers voor beheerde meldingen. Alle nieuwe meldingen zijn standaard voor de ontvangers in deze lijst. Meldingen kunnen worden ingesteld om de standaardlijst te gebruiken of om naar een aangepaste lijst te schakelen.
• Enhancement: Added a setting to enable/disable the Grade Report feature of Pro.
• Tweak: Check if an IP is blacklisted on page load for compatibility with servers that cannot process server configuration level bans immediately.
• Tweak: Display a time diff until the next event on the Debug page.
• Tweak: Use Logging API for tracking Notification Center errors.
• Tweak: Register Scheduler Events whenever the plugin build changes.
• Tweak: Allow for filtering logs by any module recorded.
• Tweak: account voor externe back- upplug- in bij beveiligingscontrole.
• Bug Fix: 404 detection for plugins that mark is_404 later in the hook sequence.
• Bugfix: REST API-beveiliging blokkeerde de Taxonomies-route voor alle gebruikers.
• Bugfix: account voor elke CLI PHP SAPI in plaats van alleen WP-CLI in de SSL-module.
• Bug Fix: Fixed how the Grade Report enable/disable status is stored to fix admin page loading issues on some sites.
• Bug Fix: Fix serialization of closure error when a plugin registering a hook with a closure is in the boot-up stack and the notification center is triggered too early in the cycle.

7.0.4

• Verbetering: mitigatie toevoegen voor de kwetsbaarheid van WordPress- bijlage Bestandsverplaatsing en -verwijdering.
• Tweak: activeer een WordPress-actie wanneer instellingen worden bijgewerkt.
• Bug Fix: Improved input sanitization on the logs page to prevent triggering warnings.

7.0.3

• Veiligheid oplossing: Vaste SQL injection kwetsbaarheid in de loggings pagina . Opmerking: beheerdersrechten zijn vereist om dit beveiligingslek te misbruiken. Met dank aan Çlirim Emini, Penetration Tester op sentry.co.com, voor het melden van dit beveiligingslek.
• Bugfix: geef standaardwaarden voor ingeschakelde vereisten.

7.0.2

• Verbetering: gebruikersinterface toevoegen om te annuleren in voortgang Bestandscontrole.
• Enhancement: Voeg basic admin debug pagina om te helpen diagnosticeren en oplossen van problemen. Vooral met de gebeurtenissen.
• Verbetering: voeg JSON- editor voor foutopsporinginstellingen toe .
• Verbetering: continu de wachtwoordsterkte voor gebruikers evalueren in plaats van alleen tijdens registratie.
• Verbetering: Introduceer wachtwoordvereistenmodule voor het beheren en afdwingen van wachtwoordvereisten .
• Bugfix: instellingen voor wachtwoordvereisten zouden in sommige gevallen niet goed worden opgelost.
• Bug Fix: Away Mode blokkeerde gebruikers die al waren ingelogd niet tijdens de “afwezigheidsperiode”.
• Bugfix: forceer de vereiste sterke wachtwoorden tijdens de beveiligingscontrole.
• Bugfix: Zorg ervoor dat de planningsvergrendeling wordt gewist door de Cron Scheduler als er geen lopende gebeurtenissen plaatsvinden.
• Bug Fix: If a password requirement has been disabled or is no longer available, don’t consider the password as needing a change.
• Bug Fix: Only hide “Acknowledge Weak Password” checkbox if the user was not allowed to use a weak password.
• Bugfix: wachtwoordsterkte zou niet worden geëvalueerd als het wachtwoord was ingesteld met aangepaste PHP- of CLI-opdrachten.
• Bugfix: voorkom dat bestandswijziging in de eerste stap vastloopt in een oneindige herplanningslus.
• Bugfix: verwijder de gedistribueerde opslagtabel bij het ongedaan maken van de installatie.
• Tweak: schrijf niet naar de instelling van de bijgehouden bestanden als de bestandshash niet is gewijzigd.
• Tweak: als er geen laatste wijzigingsdatum voor het wachtwoord is vastgelegd voor de gebruiker, behandel dan de registratiedatum als laatste wijzigingsdatum.

7.0.1

• Bug Fix: Fixed an “Uncaught Error: Call to undefined function esc_like()” error that could occur when exporting or erasing personal data.
• Bug Fix: Skip recovery if File Change storage is empty.

7.0.0

• New Feature: Added support for the new WordPress privacy features.
• Enhancement: Added minimal API for adding additional entries to the Security admin menu.
• Enhancement: File Change Scan uses a new batching mechanism to prevent crashing on hosts but still generating only one report per-day.
• Enhancement: Introduce Distributed Storage framework for reducing the amount of data stored in the WordPress options table. This should improve performance for large sites using File Change.
• Enhancement: Introduced Login Interstitial framework to consolidate code between Password Requirements & Two Factor.
• Bug Fix: Added ability to show object data for classes that are not loaded to the Logs page.
• Bug Fix: Changed the rules generated by the Filter Suspicious Query Strings feature in order to avoid blocking privacy export/erasure request confirmations.
• Bug Fix: Ensure all users with the manage_options capability are available when selecting contacts in the Notification Center.
• Bug Fix: Fix clearing or previous file scans results.
• Bug Fix: Fix warnings on debug file change log items.
• Bug Fix: Fixed logging system references to “fatal-error” that should be “fatal”.
• Bug Fix: Improve File Change recovery system on high-traffic websites.
• Bug Fix: Improve clearing of previous File Change file hashes.
• Bug Fix: Improved detection of REST API requests on sites without a home dir.
• Bug Fix: Internal links to a filtered logs page.
• Bug Fix: Prevent PHP warning about converting an array to a string when adding notification data.
• Bug Fix: Prevent PHP warning when completing database backups that are not emailed to any recipients.
• Bug Fix: Properly enforce strong passwords when on the WP Login Reset Password page.
• Bug Fix: Resolve warnings when upgrading file change settings.
• Minor: File Scan “chunk” option is removed.
• Minor: Make recovering file scan log smaller.
• Minor: Page Load Scheduler: Unschedule single events before running them. This mirrors the behavior of the WP Cron scheduler.
• Minor: Security Digest now includes all lockouts that have occurred since the last email.
• Minor: Shrink storage size of file scans.
• Minor: Specifying a manual file scan list has been removed.
• Minor: Track raw memory used by the file change scanner as well.
• Minor: Updated list of File Change excluded file types to include more media extensions.
• Misc: Added comment to prevent Tide from marking the plugin as not compatible with PHP 5.3.
• Tweak: Add description for File Change recovery related logs.
• Tweak: Don’t report removed files if the removal is caused by a new file extension being excluded.
• Tweak: File Change: Move “latest_changes” entry to a separate storage bucket to improve performance on large sites.
• Tweak: File Change: Only scan a maximum of 10 plugins in a single chunk.

6.9.2

• Bug Fix: Fixed situation that could cause lockout notifications being sent for whitelisted IPs.
• Bug Fix: Fixed issue where saving Global Settings would be blocked by an unwritable “Path to Log Files” path when the “Log Type” is set to “Database Only”.
• Bug Fix: Fixed issue that prevented log database entries from purging and log file entries from rotating on a schedule.

6.9.1

• Security Fix: Fixed display of unescaped data on logs page.
• Enhancement: The logging system now differentiates between WP-CLI commands, WP-Cron scheduled events, and normal page requests.
• Bug Fix: Fixed the File Change scanner in that it previously could fail to exclude selected directories on some systems.

6.9.0

• Enhancement: Updated logging system to keep track of more information and have more options to filter and sort log entries.
• Enhancement: Improved efficiency of File Change Detection scanning.
• Bug Fix: Fixed issue that could register loading the logging page as a failed login attempt on some sites.

6.8.1

• Enhancement: Display user lockouts in Lockout Sidebar.
• Bug Fix: Load translations on the plugins_loaded hook.
• Bug Fix: Fixed method that could be used to discover hidden login slug on some sites.
• Bug Fix: Fixed issue that could prevent Sync from loading Malware Scan results if a scan previously failed.
• Bug Fix: Update to the REST API “Restricted Access” feature to protect against methods to work around the restricted access.
• Bug Fix: Prevent login page being hidden when following the “Confirm Email Address” notification URL.
• Bug Fix: Hide Backend notifications not being properly sent when first enabled.

6.8.0

• New Feature: Introduces a scheduling framework for handling events. Cron is now used by default, and will switch to using an alternate scheduling system if it detects an error. To disable this detection set ITSEC_DISABLE_CRON_TEST in your wp-config.php file.
• Important: The ITSEC_FILE_CHECK_CRON and ITSEC_BACKUP_CRON constants have been deprecated. Use ITSEC_USE_CRON instead.
• Enhancement: Preserve notification settings when the responsible module is deactivated.
• Bug Fix: Process 404 lockouts on the ‘wp’ hook to prevent a headers have already been sent warning message.
• Bug Fix: Ensure Hide Backend emails are properly sent when activating Hide Backend before saving the Notification Center for the first time.
• Bug Fix: Prevent warning from being issued on new installs by allowing previous settings to be preserved if they exist.
• Bug Fix: Better handle WP_Error objects in mail errors that occurred before updating to first patch release.
• Bug Fix: A non static method was being called statically.
• Bug Fix: Fix occasional duplicate backups and file scans.
• Bug Fix: Fixed issue where scheduled events could repeat on sites that do not properly support WordPress’s cron system.
• Bug Fix: Reactivating Away Mode now replaces the active file if you had previously removed it.
• Bug Fix: Ensure lockouts take effect immediately, even on systems where changes to server configuration files do not take effect immediately.

6.7.0

• Nieuwe functie: introduceert het kenniscentrum, een centrale plaats voor het beheren en aanpassen van e- mailmeldingen verzonden door iThemes Security.
• Verbetering: geüpdatet query’s en instructies voorbereiden om rekening te houden met wijzigingen in de functie esc_sql() in WordPress 4.8.3.
• Bug Fix: Corrected some Javascript and CSS links not generating correctly on Windows servers.

6.6.1

• Bug Fix: Fixed SQL query bug that resulted in the “Minutes to Remember Bad Login (check period)” setting being ignored.
• Bugfix: bug opgelost die verhindert dat wp-admin / install.php blokkering correct werkt op nginx-servers.
• Bugfix: probeer geen SSL-omleiding te doen wanneer WP CLI wordt uitgevoerd.

6.6.0

• New Feature: Added a new setting in WordPress Tweaks: “Login with Email Address or Username”.
• Enhancement: Host email images from the plugin instead of relying on iThemes servers to help email clients marking messages as spam or blocking images.
• Bug Fix: Error when searching for modules preventing modules from appearing.
• Bugfix: gebruik de tabel wp_options bij het verkrijgen van vergrendelingen in Multisite.
• Bug Fix: Prevent duplicate daily digest emails on sites with high load.
• Misc: Added Magic Links, a new Pro-only feature, to be activated by Security Check.
• Misc: Rearranged modules to be listed alphabetically.

6.5.1

• Bug Fix: Fixed logical error that prevented backups from executing.
• Bug Fix: Fixed issue that could cause database locks to flood the database.

6.5.0

• Enhancement: Simplified the SSL module to offer a simple Enable/Disable setting and simplified explanations. The legacy settings are available by selecting Advanced.
• Enhancement: Added the itsec-get-ip filter to allow code to supply the remote IP directly.
• Enhancement: Enabling SSL support will only log you out if you are not already on an https connection.
• Enhancement: Improve password requirements compatibility with plugins and systems that integrate with WordPress Users.
• Removed Old Feature: Removed the “Replace jQuery With a Safe Version” feature as its use (protecting against a specific jQuery bug: https://bugs.jquery.com/ticket/9521) is many years old and is no longer a concern.
• Bug Fix: Bumped version number of some scripts to ensure that they refresh properly.
• Bug Fix: Fixed way to work around Hide Backend on some hosts.

6.4.0

• Enhancement: Replaced file locking with database locking. This method of locking is compatible with all systems as it does not require the ability to write files. It also allows for locking to work on sites that have multiple front-end servers with a shared database. Since file locking is no longer used, the Global Settings > Disable File Locking setting was removed.
• Enhancement: Add “Copy to Clipboard” functionality for server and wp-config rules.
• Bug Fix: Prevent 404s when following links in email notifications on a site with Hide Backend enabled.
• Bug Fix: Ensure uninstall process is not run when another version of iThemes Security is still active.
• Bug Fix: Fixed method of working around Hide Backend.
• Bug Fix: Warnings are no longer generated when saving a user profile with a role of “No role for this site” selected.

6.3.0

• Important: The way that Hide Backend functions changes in this release. Previously, if your Hide Backend Login Slug was wplogin, going to example.com/wplogin would result in the URL remaining example.com/wplogin. The new implementation of this feature results in a redirect to a URL that looks as follows: example.com/wp-login.php?itsec-hb-token=wplogin. While this may not be desireable for some users, this change was necessary to fix longstanding compatibility issues with other plugins. Once you access the login page using the Login Slug page, a cookie is set with an expiration time of one hour. As long as the cookie remains, you can access example.com/wp-login.php without having to access the Hide Backend Login Slug first. If you wish to confirm that Hide Backend is working properly on your site, opening up a private browsing window is a quick way to test without having to log out and clear cookies.
• New Feature: Added support for iThemes Sync to run the Security Check feature from inside the Sync service.
• New Feature: Added support for the ITSEC_DISABLE_MODULES define.
• Bug Fix: Removed warning: “Non-static method ITSEC_Setup::uninstall() should not be called statically”.
• Bug Fix: Fixed the ability to manually enter a page number to navigate to on the Security > Logs page.
• Bug Fix: Fixed source of warning that could appear when creating a backup while running a PHP version less than 5.4.
• Bug Fix: Fixed source of notice that could appear when reseting a user’s password when the Strong Passwords Enforcement feature is enabled.
• Bug Fix: Fixed bugs that prevented reporting of specific error messages related to updating the wp-config.php file.
• Bug Fix: Fixed an infinite loop that could occur when expiring a cookie and Hide Backend is enabled.
• Bug Fix: Fixed compatibility issue with the Jetpack plugin when Hide Backend is enabled which could prevent Jetpack from redirecting users to the wordpress.com login page.
• Bug Fix: Fixed issue where access to wp-admin/admin-post.php when Hide Backend is enabled.
• Bug Fix: Fixed issue that could prevent “Register” and “Lost your password?” links from working properly on the login page when Hide Backend is enabled.
• Bug Fix: Fix fatal error when updating a profile.
• Bug Fix: Fix strong passwords not being recognized as strong on the profile page.
• Bug Fix: Fix fatal error when registering a new user without specifying a role ( iThemes Exchange ).
• Bug Fix: Compatability with JetPack SSO and Password Requirements.
• Bug Fix: Ensure viewport meta is defined when loading the password requirements update password form.
• Bug Fix: Hide Backend is now compatible with Jetpack Single Sign On.
• Bug Fix: Hide Backend now hides registration pages on multisite sites.
• Bug Fix: Fixed password-protected posts not properly handling the password when Hide Backend is enabled.
• Enhancement: Removed AhrefsBot from the HackRepair blacklist as they are legitimate bot.
• Enhancement: Improved efficiency of Hide Backend code, increasing site performance when the feature is enabled.
• Enhancement: Enforce strong passwords during log-in. Can be disabled via the ITSEC_DISABLE_PASSWORD_REQUIREMENTS constant.
• Enhancement: Use canonical roles library to determine if a new user or an updated role requires a strong password.
• Enhancement: Introduce password requirements module to centralize handling of password updates.
• Enhancement: The Hide Backend hidden login URL is no longer leaked by password-protected content.
• Enhancement: Allow for searching through modules and settings.
• Enhancement: Link to other module settings pages without forcing the page to refresh.
• Enhancement: Fire an action, “itsec_change_admin_user_id”, when the admin user id changes.
• Enhancement: Changed default Hide Backend Register Slug from wp-register.php to wp-signup.php since WordPress switched from using wp-register.php to wp-signup.php for registrations. This will not affect existing sites.
• Enhancement: Hide Backend functions purely in PHP code now rather than relying half on PHP code and half on .htaccess and nginx.conf modifications. This allows Hide Backend to function on web servers and server configurations that it was previously not compatible with.
• Misc: Updated or added phpDoc to many functions.
• Misc: Updated Disable File Locking description.

6.2.1

• Bug Fix: When a requesting IP address cannot be found, default to 127.0.0.1. This fixes issues with some alternate cron setups.
• Bug Fix: Having more than one iThemes Security modification in a .htaccess, nginx.conf, or wp-config.php file will no longer result in having all the file content between each section removed when updating the file.
• Bug Fix: Modifications to the wp-config.php file added by W3 Total Cache now have their Windows-style newlines preserved when iThemes Security updates the file.

6.2.0

• Enhancement: Improved plugin performance by reducing the number of queries made on each page.
• Enhancement: Reduced memory and CPU usage due to various code improvements.
• Bug Fix: A database backup will no longer be created when first activating the plugin.
• Bug Fix: Added compatibility for MySQL strict mode in database creation syntax.
• Bug Fix: Removed warning about a “non well formed numeric value encountered” in PHP 7.1.
• Bug Fix: Modifications to wp-config.php, .htaccess, and nginx.conf files are now properly re-added upon reactivation.
• Bug Fix: Fixed full settings for Hide Backend being displayed after disabling the feature and saving the settings.
• Bug Fix: Enabling or disabling the Hide Backend feature will update the “Log Out” link so that it works as expected without having to load a new page.
• Bug Fix: Enabling or disabling the Hide Backend feature now properly updates the .htaccess/nginx.conf file on enable and disable rather than at some future point.
• Bug Fix: Fixed issue that could cause improper database table creation on multisite sites.
• Bug Fix: Fixed a bug that could prevent settings from saving properly if the site was migrated to a new server or a new home path on the server.

6.1.1

• Bug Fix: Fixed bug that prevented Away Mode from activating on some sites.

6.1.0

• Enhancement: Added logging for failed two-factor, OAuth, and REST API authentications.
• Enhancement: Added logging details about the source of login failures and the type of authentication that failed.
• Enhancement: Due to improvements in tracking authentication failures, brute force attempts using alternate authentication methods are more reliably found and blocked.
• Enhancement: The server’s IP is treated as whitelisted and will not be considered for lockouts or bans.
• Enhancement: Reduced memory usage when creating a backup.
• Enhancement: Changed log entry description of “IP Flagged as bad by iThemes IPCheck” to “IP Flagged by Network Brute Force Protection”. This should help clarify the meaning of the log entry.
• Enhancement: Improved efficiency of the Network Brute Force Protection feature.
• Bug Fix: Fixed bug that prevented Network Brute Force Protection from working properly on some sites.

6.0.0

• Bug Fix: Removed “comodo” from the list of user agents blocked by the HackRepair.com blacklist. This ensures that Comodo’s AutoSSL feature of cPanel/WHM is able to function.
• Updated Feature: Updated the “REST API” feature in the WordPress Tweaks section. The feature now has proper support for protecting privacy on your site without preventing the REST API from functioning.
• Enhancement: Updated Security Check to enforce setting the “REST API” setting to “Restricted Access”.

5.9.0

• New Feature: Added a “REST API” feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.

5.8.1

• Bug Fix: Fixed issue that could cause database backup emails to be sent without the backup zip attached.

5.8.0

• Enhancement: Updated the lockouts notification email to a new design. This new design also cleaned up the translation strings to allow better translations.
• New Feature: Added a “Protect Against Tabnapping” feature in the WordPress Tweaks section. Details of what this feature protects against can be found here: https://www.jitbit.com/alexblog/256-targetblank—the-most-underestimated-vulnerability-ever/
• Misc: Updated the description for the Lockout Period setting to indicate that the default value of 15 minutes is recommended.

5.7.1

• Bug Fix: Remote IP is now correctly identified if the server is behind a reverse proxy that sends requests with more than one IP listed in a single header.
• Bug Fix: Fixed the link for a user in the logs page so that it properly works on sites that are inside a subdirectory.
• Bug Fix: Improved how Strong Password Enforcement works on password resets to improve compatibility with various plugins.
• Bug Fix: Improved the logic for determining whether a user should have Strong Password Enforcement applied. This covers situations where the user may have a custom role, a customized default role, or added capabilities beyond their role.
• Enhancement: Improved the logic for determing the requesting IP address to better handle situations where the site is behind a reverse proxy.
• Enhancement: Strong Password Enforcement now uses a PHP port of zxcvbn to ensure that a strong password was selected.
• Enhancement: All links in Security that have target=”_blank” now have added rel attributes to protect against tabnapping.
• Misc: Updated remaining ip-lookup.net links to instead link to traceip.net in keeping with other links that were previously updated to traceip.net.

5.7.0

• Bug Fix: Fixed data save issue that could cause multiple notification emails to be sent in a short period of time.
• Bug Fix: Fixed issue that could cause the malware scanner to fail on sites that change the arg_separator.output php.ini value from its default value.
• Bug Fix: Removed redundant entries in the HackRepair blacklist.
• Bug Fix: Enabling Protect System Files in System Tweaks will now only block install.php for the current site. This fixes the issue where the setting can block installation of a site in a subdirectory.
• Bug Fix: Fixed problem that could cause requests for iThemes Security data from iThemes Sync to fail due to large amounts of log entries.
• Bug Fix: Scheduled backups now run if the ITSEC_BACKUP_CRON define is set with a non-boolean value.
• Bug Fix: Replaced static references to wp-includes with the WPINC define.
• Bug Fix: Moved blocking of query strings containing %0[0-9A-F] characters from the Non-English Characters setting to the Suspicious Query Strings setting as those characters are control code characters and are not associated with a language.
• Bug Fix: Added escaping to some translation strings.
• Bug Fix: Removed unused files from the WordPress Tweaks module directory.
• Bug Fix: Fixed the Daily Digest email reversing the user and host lockout counts.
• Bug Fix: The database backup email no longer sends from the email address configured in Settings > General. It now defaults to the same from address that the wp_mail() function uses. This will fix the mail being blocked by some mail servers due to a spoofed from address.
• Enhancement: Updated the server config rules generated by the System Tweaks settings. They are now more consistent between Apache, LiteSpeed, and nginx. They are also more efficient and have been improved to limit accidentally blocking non-targeted requests.
• Enhancement: Updated the database backup email to a new design.
• Enhancement: Added a note that the Filter Request Methods setting in System Tweaks should not be enabled if the WordPress REST API is used. This is becasue the DELETE HTTP method is blocked when the setting is enabled.
• New Feature: Added setting to block requests for PHP files in the plugins directory in System Tweaks.
• New Feature: Added setting to block requests for PHP files in the themes directory in System Tweaks.

5.6.4

• Bug Fix: Fixed issue that reported invalid counts for host and user lockouts in the daily digest email.
• Bug Fix: Fixed issue that caused the daily digest email to be sent every day, even if no lockouts occurred and no file changes were found.
• Bug Fix: Fixed issue that could prevent saving of File Change settings, resulting in an error messages of “A validation function for file-change received data that did not have the required entry for latest_changes.”
• Bug Fix: Fixed iThemes Security Pro logo appearing in daily digest emails.

5.6.3

• Bug Fix: Removed the “Wget” user agent from the Hack Repair blacklist as it can block wp-cron jobs on some hosts.
• Bug Fix: Fixed error “PHP message: PHP Fatal error: ‘continue’ not in the ‘loop’ or ‘switch’ context”.
• Enhancement: Added new Daily Digest email design.

5.6.2

• Security Fix: Fixed issue where a locked out but not yet blacklisted IP/user could receive different HTTP headers when testing a valid username/password combination. Thanks Leon Atkinson of 18INT for contacting us about this issue.
• Security Fix: Updated log output to prevent specific kinds of logged requests from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us about this issue.
• Bug Fix: The Security > Security Check link now works as expected in multisite.
• Bug Fix: Fixed bug that could prevent the “Filter Long URL Strings” feature from working properly.
• Bug Fix: Removed restrictions in the “Filter Long URL Strings” feature that were unrelated to request length.
• Bug Fix: Corrected a settings description typo in Global Settings.
• Bug Fix: Fixed bug that could result in issues authenticating over XML-RPC when the WordPress Tweaks > Multiple Authentication Attempts per XML-RPC Request setting is set to “Block”.
• Misc: Added placeholder for the Version Management module of iThemes Security Pro.
• Misc: Updated build number to trigger some updates.

5.6.1

• Bug Fix: Fixed a potential logging issue that could prevent some lockout notices from being properly logged on non-English sites.
• Bug Fix: Prevented some notices from displaying to users who do not need to see them.
• Bug Fix: Limited notices to only display on specific pages on the dashboard.
• Compatibility Fix: Changed name of the $HTTP_RAW_POST_DATA variable to avoid erroneously tripping PHP 7 compatibility checks.
• Code Cleanup: Removed legacy code that is no longer needed.
• Enhancement: Started tracking when a user was last seen as logged in and active for future use.
• Misc: Added a placeholder for the Pro feature “User Security Check”.

5.6.0

• New Feature: Added a new Security Check section on the settings page. This new feature adds a tool to quickly ensure that the recommended features are enabled and the recommended settings are used.
• Bug Fix: Fixed the ability to remove the itsec_away.confg file in order to disable Away Mode.
• Enhancement: The “Ban Lists” setting of Banned Users is now enabled by default.