1.0.0 - 2014-03-25 - Chris Wiegman Initial Release 1.0.1 - 2014-03-25 - Packaging Bot (modules/free) Initial Release 1.0.2 - 2014-03-25 - Chris Wiegman update iThemes packager slugs so licensing will function 1.0.3 - 2014-03-25 - Packaging Bot (core) Initial Release 1.0.4 - 2014-03-26 - Packaging Bot (lib/icon-fonts) Fixed issue with admin menu icons not functioning properly on sites that have an ABSPATH or WP_CONTENT_DIR of "/". 1.0.5 - 2014-03-27 - Packaging Bot (core) Initial Release 1.0.6 - 2014-03-27 - Packaging Bot (modules/free) Initial Release 1.0.7 - 2014-04-01 - Packaging Bot (core) Fixed history.txt (for iThemes customers) Moved upgrade to separate function for more seamless update Upgrade system rewritten for better functionality Make sure 404 doesn't fail if there is not a 404.php in the theme Make sure WordPress root URLs render correctly Filewrite now only builds rules on demand. Fixed dismiss button on intro modal for small screens General cleanup and typo fixing 1.0.8 - 2014-04-01 - Packaging Bot (modules/free) Updated modules/free to version 1.0.3 1.0.9 - 2014-04-01 - Packaging Bot (modules/pro) Existing pro modules use new upgrade system when upgrading between versions 1.0.10 - 2014-04-01 - Packaging Bot (modules/free) Updated modules/free to version 1.0.4 1.0.11 - 2014-04-02 - Packaging Bot (modules/free) only save post meta for ssl when the value is true fixed missing admin user settings if only one part had been changed SSL Redirection working properly on front end. 
No more redirect errors hide backend will warn of the new url when saving hide backend will now email the notification email(s) when the login area has been moved Added BackupBuddy coupon 1.0.12 - 2014-04-02 - Packaging Bot (core) Added ability to manually purge log table 1.0.13 - 2014-04-03 - Packaging Bot (core) Added "Show intro" button next to screen options to bring the intro modal back Added ability to use HTML in error messages Minor copy and other tweaks 1.0.14 - 2014-04-03 - Packaging Bot (modules/free) Private posts will now work with hide backend Added an option for custom login action that can bypass hide login Allow admin-ajax.php to bypass hide backend Added filters for external backup plugins to register with the dashboard Enable theme compatibility mode by default Miscellaneous copy and function doc fixes 1.0.15 - 2014-04-05 - Packaging Bot (core) Execute permanent ban on the correct lockout count, not the next one Updated quick ban rules to match standard ban rules (will work with proxy) 1.0.16 - 2014-04-05 - Packaging Bot (modules/free) Fixed an NGINX rule that didn't actually block XMLRPC.php Updated rule order on ban users Fixed a bug that could prevent away from from turning off in certain time configurations (this resulted in the return to homepage on login) Updated some function doc 1.0.17 - 2014-04-05 - Packaging Bot (core) Update plugin build 1.0.18 - 2014-04-05 - Packaging Bot (modules/free) Fixed bug preventing file change scanning from advancing when chunked Don't autoload file list on non-multisite installations Make sure away mode settings transfer from 3.x or disable away mode 1.0.19 - 2014-04-08 - Packaging Bot (modules/free) Make sure unset admin user field remains if the other setting has been fixed Removed admin user from settings table of contents Make sure array input is trimmed in file change module Correct input type on file change settings sanitization Use full URL on file change warning redirect to prevent invalid target 
Reduce erroneous hide backend change warnings When accessing htaccess or wpconfig make sure opening settings changes are 664 instead of 644 to reduce issues Update hackrepair.com's Agents blacklist 1.0.20 - 2014-04-08 - Packaging Bot (core) Make sure global settings save button matches others Fixed link in locout email Email address settings retain end of line Sanitize email addresses on save and not just use Make sure whitelist is actually an array before trying to process Make sure rewrite rules show on dashboard when file writing isnt allowed Added extra information to dashboard server information to help troubleshooting 1.0.21 - 2014-04-08 - Packaging Bot (modules/free) Clean up away mode to prevent lockouts on update or other points 1.0.22 - 2014-04-10 - Packaging Bot (core) Updated core to version 1.0.9 1.0.23 - 2014-04-10 - Packaging Bot (modules/free) Updated modules/free to version 1.0.11 1.0.24 - 2014-04-14 - Packaging Bot (core) Updated core to version 1.0.10 1.0.25 - 2014-04-14 - Packaging Bot (modules/free) Updated modules/free to version 1.0.12 1.0.26 - 2014-04-17 - Packaging Bot (core) Make sure logs directory is present before trying to use it Log a message when witelisted host triggers a lockout Don't create log files if they're not going to be used Miscellaneous typos and orther bugfixes Add pro tab if pro modules need it Upgrade module loader to only load what is needed 1.0.27 - 2014-04-17 - Packaging Bot (modules/free) Make sure backup directory is present before trying to use it Make sure backup file method is respected on all backup operations Added ability to limit number of backups saved to disk Minor typo and other fixes Only load front-end classes as needed Add link to free support at .org forums Remove select(?ed) from suspicious query strings for 3.9 compatibility Fixed domain mapping issue (requires http://wordpress.org/plugins/wordpress-mu-domain-mapping/ domain mapping plugin) Remove array type errors on 404 pages Remove remaining 
create function calls 1.0.28 - 2014-04-17 - Packaging Bot (modules/pro) Updated modules/pro to version 1.0.2 1.0.29 - 2014-04-18 - Packaging Bot (core) Make sure uploads directory is only working in blog 1 in multisite Better checks for run method in module loader 1.0.30 - 2014-04-18 - Packaging Bot (modules/free) XMLRPC soft block should now work with WordPress mobile app 1.1.1 - 2014-04-21 - Packaging Bot (core) Make sure "remove write permissions" works Better descriptions on white list Add pro table of contents if needed Make sure security admin bar item works Make sure lockout message only happens when needed Suppress errors on readlink calls Make sure class is present for permanent ban Make sure white list is an array Fix white listed IPs not working 1.1.2 - 2014-04-21 - Packaging Bot (modules/free) Log when Away-mode is triggered Make sure away mode file isn't accidently deleted Make sure away mode doesn't even allow access to the login form (as it didn't in 3.x) Enhance warnings on "Change content directory" settings Better descriptions on white lists Fixed XMLRPC label Better XMLRPC Dashboard status Don't allow logout action on wp-login.php with hide backend 1.1.3 - 2014-04-21 - Packaging Bot (modules/free) Better check for variable in SSL admin 1.1.4 - 2014-04-24 - Packaging Bot (core) Miscelaneous typos and other fixes Remove extra file lock on saving .htaccess, nginx.conf and wp-config.php. Only flock will be used in these operations 1.1.5 - 2014-04-24 - Packaging Bot (modules/free) Fixed a function not found error in the brute force module Improved content filtering in SSL so that more images and other content will link with appropriate protocol. Fixed hide backend in cases where a lockout has expired Miscelaneous typos and other fixes. 
1.2.1 - 2014-05-07 - Packaging Bot (core) Updated core to version 1.2.0 1.2.2 - 2014-05-07 - Packaging Bot (modules/free) Updated modules/free to version 1.2.0 1.2.3 - 2014-05-07 - Packaging Bot (modules/pro) Updated modules/pro to version 1.0.3 1.3.1 - 2014-05-19 - Packaging Bot (modules/pro) Updated modules/pro to version 1.1.0 1.3.2 - 2014-05-19 - Packaging Bot (modules/free) Updated modules/free to version 1.2.1 1.3.3 - 2014-05-19 - Packaging Bot (core) Updated core to version 1.2.1 1.4.1 - 2014-05-28 - Packaging Bot (modules/pro) Updated modules/pro to version 1.2.0 1.4.2 - 2014-05-28 - Packaging Bot (modules/free) Updated modules/free to version 1.2.2 1.4.3 - 2014-05-28 - Packaging Bot (core) Updated core to version 1.3.0 1.5.1 - 2014-06-11 - Packaging Bot (core) Updated core to version 1.4.0 1.5.2 - 2014-06-11 - Packaging Bot (modules/free) Updated modules/free to version 1.2.3 1.5.3 - 2014-06-11 - Packaging Bot (modules/pro) Updated modules/pro to version 1.3.0 1.5.4 - 2014-06-12 - Packaging Bot (modules/free) Updated modules/free to version 1.2.4 1.5.5 - 2014-06-12 - Packaging Bot (modules/pro) Updated modules/pro to version 1.3.1 1.5.6 - 2014-06-12 - Packaging Bot (core) Updated core to version 1.4.1 1.5.7 - 2014-06-12 - Packaging Bot (modules/free) Updated modules/free to version 1.2.5 1.5.8 - 2014-06-12 - Packaging Bot (modules/free) Updated modules/free to version 1.2.6 1.5.9 - 2014-06-12 - Packaging Bot (modules/free) Updated modules/free to version 1.2.7 1.5.10 - 2014-07-02 - Packaging Bot (core) Updated core to version 1.4.2 1.5.11 - 2014-07-02 - Packaging Bot (modules/free) Updated modules/free to version 1.2.8 1.5.12 - 2014-07-02 - Packaging Bot (modules/pro) Updated modules/pro to version 1.3.2 1.6.1 - 2014-07-28 - Packaging Bot (modules/pro) Added malware scheduler Fixed missing user on all logs for User Logging feature Fixed various typos throughout the dashboard Enhanced dashboard code for better performance 1.6.2 - 2014-07-28 - Packaging Bot 
(modules/free) Added on-demand malware scanning for the homepage Fixed Error in 404 scanning if path field was empty Updated hackrepair.com's default blacklist Modified support reminder to ask users to upgrade rather than donate Use get_home_path() in place of ABSPATH to account for WordPress core in a different directory than wp-content Use PHP comments in index.php file to account for the possibility of a scan including the file in which case the html comment could result in an error Fixed various typos throughout the plugin dashboard Added ability to prevent file change scanning from running on a given page load by defining ITSEC_FILE_CHECK_CRON to true Cleaned up file change logging reports to me more clear when no files have been changed Added feature to immediately ban user "admin" when no user "admin" exists on the site and a host tries to log in with it anyway Added blank line to end of all textarea input to make it easier to input data Added brute force checks to XMLRPC calls to prevent brute force attacks against XMLRPC 1.6.3 - 2014-07-28 - Packaging Bot (core) Added malware and malware scheduling modules Added better URL validation to ITSEC_LIB Added exception for 127.0.0.1 to prevent a local server from being locked out of a site during wp-cron or other calls Added button to quickly add current IP address to permanent whitelist Added appropriate message for logs page when logs are not available due to "file only" logging being selected 1.6.4 - 2014-07-28 - Packaging Bot (modules/free) Fixed an inadvertant disabling of file change scans intrudced in 4.3 1.6.5 - 2014-07-29 - Packaging Bot (modules/pro) Updated descriptions an instructions in malware scheduling to make the feature easier to use Numerous typo corrections throughout dashboard 1.6.6 - 2014-07-29 - Packaging Bot (modules/free) Updated modules/free to version 1.3.2 1.6.7 - 2014-07-29 - Packaging Bot (core) Make sure pro core module loads to remove upsell when pro has already been purchased. 
1.6.8 - 2014-07-30 - Packaging Bot (modules/free) Clean up notifications for file change detection and malware scanning 1.6.9 - 2014-07-30 - Packaging Bot (core) Clean up notifications for file change detection and malware scanning 1.6.10 - 2014-08-11 - Packaging Bot (core) Ensure that individual module updates fire when updating the plugin Added function to retrieve current URL from the front-end 1.6.11 - 2014-08-11 - Packaging Bot (modules/free) Remove error message if WP_Error is returned with wp_remote_post in malware scan Fixed bug where away-mode was still enabled after one-time period has passed which could result in away mode activating when it should not Fixed error in brute force protection that counts valid logins with XML-RPC as bad logins towards a brute force lockout. 1.6.12 - 2014-08-11 - Packaging Bot (modules/pro) Modified malware scheduling for simpler interface and less resource usage Add file lock during scheduled malware scans to prevent multiple concurrent scans 1.6.13 - 2014-08-20 - Packaging Bot (core) Updated core to version 1.5.4 1.6.14 - 2014-08-20 - Packaging Bot (modules/free) Low Severity Security Fix - Lack of access control patched - Sucuri (reported 19Aug2014) Fixed an error in XMLRPC blocking when $username variable cannot be found 1.6.15 - 2014-08-20 - Packaging Bot (modules/pro) Fixed Notice: Undefined index: type in ...modules/pro/settings/class-itsec-settings-admin.php on line 171 1.7.1 - 2014-09-09 - Packaging Bot (core) New Feature: Add IPCheck Brute Force API integration New Feature: Add ability to receive a daily digest email instead of individual emails per event. Enhancement: Added "Go Pro" menu item to admin menus. Enhancement: Added button to release IP address from temporary whitelist. Fixed: introduction screen should now display completely on computers with low-resolution screens. Fixed: multisite bug that still showed BackupBuddy (if present) even though BackupBuddy is not multisite compatible. 
Fixed: Scrolling table of contents should not cover side-bar items on pro. Fixed: When changing admin user login form will no show the correct path when WordPress is not installed in the same directory as the website address. Fixed: File locking will try to create the iThemes Directory if it isn't already present rather than just saying a lock could not be attained. 1.7.2 - 2014-09-09 - Packaging Bot (modules/free) New Feature: Add IPCheck Brute Force API integration Enhancement: Reordered sidebar items to make it easier for the user to get to the information they need from iThemes Fixed: The plugins_loaded hook which fires on logout will now fire later to improve compatibility with iThemes Exchange Fixed: multisite bug that still showed BackupBuddy (if present) even though BackupBuddy is not multisite compatible. Fixed: Added an extra flag in an attempt to reduce duplicate file-change detection executions. Fixed: Added missing index.php files to directories that were missing them to ensure no information could be attained if directory is turned on. Fixed: Make sure hide backend rewrite rules are consistent with the correct location of the WordPress login page when WordPress is not installed in the main website folder. Fixed: Fixed an error whereas an empty filter could display an error when building the log tables. 1.7.3 - 2014-09-09 - Packaging Bot (modules/pro) Fixed: Added missing index.php files to directories that were missing them to ensure no information could be attained if directory is turned on. 
1.7.4 - 2014-09-09 - Packaging Bot (modules/free) Fixed: Fixed an error that could occur on multisite due to a missing "core" object 1.7.5 - 2014-09-09 - Packaging Bot (modules/free) Fixed: Force stylesheet reload for new nags and other items by pushing plugin build number to stylesheet registrations 1.7.6 - 2014-09-09 - Packaging Bot (modules/pro) Fixed: Force stylesheet reload for new nags and other items by pushing plugin build number to stylesheet registrations 1.7.7 - 2014-09-09 - Packaging Bot (core) Fixed: Fixed typos in digest email. Fixed: Fixed typos in default network lockout message. Fixed: Force stylesheet reload for new nags and other items by pushing plugin build number to stylesheet registrations 1.7.8 - 2014-09-10 - Packaging Bot (modules/pro) Fixed: Fixed a bug that could prevent multi-site users from scheduling malware scans 1.7.9 - 2014-09-10 - Packaging Bot (modules/free) Fixed: fixed possible undefined api_error variable on line 316 if WordPress believes the email address is invalid. Fixed: failed calls to various apis will no longer throw a php error on failure. 1.7.10 - 2014-09-11 - Packaging Bot (lib/icon-fonts) Add support for ContactBuddy 1.8.1 - 2014-09-15 - Packaging Bot (modules/pro) Updated modules/pro to version 1.6.0 1.8.2 - 2014-09-15 - Packaging Bot (modules/free) Enhancement: Added a link to the actual timezone settings in the general settings page (instead of the top of the page) Fixed: Fixed missing "no changes" text in file change emails. Fixed: Formatting of individual file change emails will now work. Fixed: Fixed a bug in ban users user agents that would cause a crash on Apache if the user agent contained a space Fixed: When an invalid backup directory is detected it will not fail but will instead reset it to the original. 
1.8.3 - 2014-09-15 - Packaging Bot (core) New Feature: Automatically generate strong passwords New Feature: Password expiration Fixed: When an invalid log directory is detected it will not fail but will instead reset it to the original. Fixed: No more duplicate digest emails Fixed: No more "Array" message appearing in digest emails from user lockouts Fixed: HTML in traditional file log emails will display correctly. Fixed: From address in notification emails will now display correctly. Fixed: MySQL errors will no longer appear for missing iThemes Security tables. Instead it will attempt to recreate them. 1.8.4 - 2014-09-15 - Packaging Bot (modules/pro) Fixed: Updated malware-scheduling to reduce errors when last scans is saved as something other than an array. 1.8.5 - 2014-09-16 - Packaging Bot (modules/pro) Updated modules/pro to version 1.6.2 1.8.6 - 2014-09-16 - Packaging Bot (modules/free) Enhancement: Updated copy on Virustotal API key to indicate that a private key is not needed. Fixed: More complete check for user id when resettings password will prevent undefined index login on line 62 error. Fixed: Fixed a bug that prevented the api key from saving after resetting the key. Fixed: Removed errors that could occur due to the use of custom capabilities and roles. 1.8.7 - 2014-09-16 - Packaging Bot (core) Updated core to version 1.7.1 1.8.8 - 2014-09-17 - Packaging Bot (core) Updated core to version 1.7.2 1.8.9 - 2014-09-17 - Packaging Bot (modules/free) Updated modules/free to version 1.4.6 1.8.10 - 2014-09-17 - Packaging Bot (modules/pro) Updated modules/pro to version 1.6.3 1.8.11 - 2014-10-09 - Packaging Bot (core) Fixed: fixed duplicate ID issue from user_id_exists calls. 
Fixed: Fixed an error in the lockout module that results in an error for users of multisite Fixed: Notification emails will no longer send if not turned on Fixed: Duplicate messages will not be allowed in digest emails Fixed: Duplicate digest emails will have a far lesser chance of sending Fixed: User lockout count in email notifications will now be correct 1.8.12 - 2014-10-09 - Packaging Bot (modules/free) Updated modules/free to version 1.4.7 1.8.13 - 2014-10-09 - Packaging Bot (core) Fixed: Error on line 1312 when iThemes API is actived with version 4.4.15 1.9.1 - 2014-10-13 - Packaging Bot (modules/pro) New Feature: Dashboard widget. Get important information and handle user blocking right from the WordPress Dashboard. 1.9.2 - 2014-10-13 - Packaging Bot (modules/free) New Pro Feature: Dashboard widget. Get important information and handle user blocking right from the WordPress Dashboard. Fixed: When using wp-cron for file checking cron check will run daily instead of hourly. 1.9.3 - 2014-10-13 - Packaging Bot (core) New Pro Feature: Dashboard widget. Get important information and handle user blocking right from the WordPress Dashboard. 1.10.1 - 2014-10-21 - Packaging Bot (core) New Pro Feature: File change scanning will now compare WordPress core files to the WordPress.org repository. Fixed: Make sure php_gid is always defined to prevent error message if the function is not usable. Fixed: Link to BackupBuddy in admin bar will now work correctly. 1.10.2 - 2014-10-21 - Packaging Bot (modules/free) New Pro Feature: File change scanning will now compare WordPress core files to the WordPress.org repository. 1.10.3 - 2014-10-21 - Packaging Bot (modules/pro) New Feature: File change scanning will now compare WordPress core files to the WordPress.org repository. 
1.10.4 - 2014-10-28 - Packaging Bot (modules/free) Enhancement: More time/date information is now shown in the logs for file change scanning Fixed: Filechange will no longer show false positives with every change in DST (although this will cause run round of such notifications on update). Fixed: Link to malware scanning logs will work. 1.11.1 - 2014-11-04 - Packaging Bot (modules/pro) New Feature: Temporary privilege escalation Fixed: App passwords in two-factor authentication will now correctly authenticate themselves. 1.11.2 - 2014-11-04 - Packaging Bot (core) New Pro Feature: Temporary privilege escalation 1.11.3 - 2014-11-05 - Packaging Bot (modules/pro) Fixed: App passwords in two-factor authentication will now correctly authenticate themselves. 1.11.4 - 2014-11-05 - Packaging Bot (core) Security Fix: Fixed possible XSS vulnerability in ITSEC_Lib. - Low priority - Thanks to http://planetzuda.com 1.11.5 - 2014-11-14 - Packaging Bot (lib/updater) Enhancement: Reduced caching to allow updates to appear more quickly. Enhancement: Authenticating users now uses the new authentication system. 
1.12.1 - 2014-12-04 - Packaging Bot (modules/pro) New Feature: wp-cli integration New Feature: Override two-factor authentication temporarily with iTheme Sync Fixed: Online files will be handled correctly if there is no path Fixed: Malware scheduling will be disabled if Malware detection is disabled Fixed: Online files will no longer show an error if file hash hadn't been correctly saved 1.12.2 - 2014-12-04 - Packaging Bot (modules/free) New Feature: Perform file scan via iThemes Sync New Feature: Perform malware scan via iThemes Sync Fixed: Make sure to esc urls on SSL redirects (unreported minor security fix) Fixed: Added filters to SSL to try to catch more assets Fixed: Suspicious query strings feature should no longer conflict with many plugins Fixed: File change detection should no longer throw an error if opendir failed 1.12.3 - 2014-12-04 - Packaging Bot (core) New Pro Feature: wp-cli integration New Feature: Temporarily whitelist your IP address via iThemes Sync New Feature: Override proxy IP detection New feature: Hide admin bar (if desired) Enhancement: Added filter to allow for custom log pages Enhancement: Added debug constant to help troubleshoot multiple emails Enhancement: Added constant to force digest emails via wp-cron instead of custom timing Fixed: Various missing variable fixes were added Fixed: MySQL errors on MySQL 5.6 during activation were fixed. 
Fixed: HTML emails now contain HTML tag Fixed: Lockout count in emails should now be more accurate 1.12.4 - 2014-12-11 - Packaging Bot (modules/pro) New Feature: wp-cli integration New Feature: Override two-factor authentication temporarily with iTheme Sync Fixed: Online files will be handled correctly if there is no path Fixed: Malware scheduling will be disabled if Malware detection is disabled Fixed: Online files will no longer show an error if file hash hadn't been correctly saved 1.12.5 - 2014-12-16 - Packaging Bot (modules/free) New Feature: Perform file scan via iThemes Sync New Feature: Perform malware scan via iThemes Sync Fixed: Make sure to esc urls on SSL redirects (unreported minor security fix) Fixed: Added filters to SSL to try to catch more assets Fixed: Suspicious query strings feature should no longer conflict with many plugins Fixed: File change detection should no longer throw an error if opendir failed 1.12.6 - 2014-12-16 - Packaging Bot (core) New Pro Feature: wp-cli integration New Feature: Temporarily whitelist your IP address via iThemes Sync New Feature: Override proxy IP detection New feature: Hide admin bar (if desired) Enhancement: Added filter to allow for custom log pages Enhancement: Added debug constant to help troubleshoot multiple emails Enhancement: Added constant to force digest emails via wp-cron instead of custom timing Fixed: Various missing variable fixes were added Fixed: MySQL errors on MySQL 5.6 during activation were fixed. 
Fixed: HTML emails now contain HTML tag Fixed: Lockout count in emails should now be more accurate 1.13.1 - 2014-12-16 - Packaging Bot (modules/pro) New Feature: Google reCAPTCHA Enhancement: update storage methods for malware scanning engine for more efficient use of the database Fixed: Settings import will now take .json files without error 1.13.2 - 2014-12-16 - Packaging Bot (modules/free) Fixed: Removed unneeded fields in malware 1.13.3 - 2014-12-16 - Packaging Bot (core) New Pro Feature: Google reCAPTCHA 1.13.4 - 2015-01-05 - Packaging Bot (modules/pro) Enhancement: Two-factor allows for multiple app passwords Fixed: Two-factor now works with Exchange's login widgets Fix/Enhancement: Refactoring of numerous pro modules for better efficiency Fix: Error wwith invalid index in reCAPTCHA 1.13.5 - 2015-01-05 - Packaging Bot (modules/free) Fix/Enhancement: Code refactoring of numerous modules Fix: Hiding available updates in multi-site will no longer block wp-cli from detecting updates. Fix: Removed leftover JavaScript debugging statements. 1.13.6 - 2015-01-05 - Packaging Bot (core) New Feature: Add file/folder permissions check to Dashboard Fix/Enhancement: Minor refactoring of various core components 1.13.7 - 2015-01-12 - Packaging Bot (modules/pro) Fix: Fixed CSS error on Dashboard caused when other plugins override the .clear style rules. 
1.13.8 - 2015-01-12 - Packaging Bot (modules/free) Updated modules/free to version 1.5.3 1.13.9 - 2015-01-12 - Packaging Bot (core) Fix: Fixed duplicate module listsing on log page dropdown Fix: Fixed missing lockouts on iThemes Sync dashboard 1.14.1 - 2015-01-21 - Packaging Bot (modules/pro) Enhancement: Online file change scanning will now count in iThemes products Fix: Recaptcha will not show up on pages without recpatha code or while logged in Fix: Dashboard widget CSS will be less prone to hijacking by other plugins 1.14.2 - 2015-01-21 - Packaging Bot (modules/free) Updated modules/free to version 1.6.0 1.14.3 - 2015-01-21 - Packaging Bot (core) New Feature: Change WordPress Salts Enhancement: Refactored ITSEC_Lib and ITSEC_Files for better usability and new functions to make changing salts possible 1.14.4 - 2015-01-23 - Packaging Bot (modules/pro) Bug Fix: Rolled-back Recaptcha modifications in order to fix login bug when Recaptcha user login is enabled. 1.14.5 - 2015-01-27 - Packaging Bot (modules/pro) Bug Fix: Fixed issue in the Online Files feature that could cause high server load on some sites. 1.14.6 - 2015-01-27 - Packaging Bot (core) Bug Fix: Generating wp-config.php file updates no longer produces warnings. 1.14.7 - 2015-01-27 - Packaging Bot (core) Bug Fix: Fixed .htaccess file modifications failing. 1.14.8 - 2015-02-05 - Packaging Bot (modules/pro) Fix: More efficient checks for online file scanning Fix: Recaptcha script will not enqueue on pages where it isn't needed Fix: General typo and minor bug fixes. 1.14.9 - 2015-02-05 - Packaging Bot (core) Fix: Quick banning IPs will now work correctly if existing htaccess rules are in place Fix: minor bug fixes and typo corrections. 
1.14.10 - 2015-02-20 - Packaging Bot (modules/pro) Updated modules/pro to version 1.11.8 1.14.11 - 2015-02-20 - Packaging Bot (modules/free) Updated modules/free to version 1.6.1 1.14.12 - 2015-02-20 - Packaging Bot (core) Enhancement: Limit the number of lockouts that can be displayed at any given time in the dashboard. Fix: Make sure header error messages are suppressed when performing a lockout. Fix: Fix error message from missing login information when displaying lockouts. 1.14.13 - 2015-02-26 - Packaging Bot (modules/free) Bug Fix: When a file scan is run from iThemes Sync, a warning will no longer be added to the site's error log. 1.14.14 - 2015-02-26 - Packaging Bot (core) Bug Fix: Fixed regression that prevented adding wildcard IP's in the form of 'XXX.XXX.XXX.*' to Ban Hosts. 1.14.15 - 2015-03-20 - Packaging Bot (core) Enhancement: Translation files can now be stored in WP_LANG_DIR/plugins/ithemes-security-pro for iThemes Security Pro and WP_LANG_DIR/plugins/better-wp-security for iThemes Security free version. Bug Fix: The file permissions check will no longer list a warning if the plugins directory has permissions of 755. 1.14.16 - 2015-03-20 - Packaging Bot (modules/free) Bug Fix: Fixed incorrect text describing the "Backups to Retain" database backup setting. 1.14.17 - 2015-03-20 - Packaging Bot (modules/pro) Enhancement: Settings import now allows for renamed export files. Enhancement: Settings import now provides better error messages. Bug Fix: Settings import no longer respects MIME types sent by the browser. This avoids issues with some browsers/operating systems reporting the MIME type of the uploaded file incorrectly. 1.14.18 - 2015-04-14 - Chris Jean (modules/free) Bug Fix: Security fix for XSS vulnerability. Thanks to Ole Aass (@oleaass) for finding and disclosing this vulnerability to the iThemes Security team. 1.14.19 - 2015-04-15 - Chris Jean Bug Fix: Fixed issue that may prevent some sites from seeing the available update. 
1.14.20 - 2015-04-23 - Packaging Bot (lib/updater) Compatibility Fix: Updated plugin and theme update data format to match changes in WordPress 4.2. 1.15.0 - 2015-06-04 - Chris Jean Bug Fix: Added support for Apache 2.4 without the access_compat module. Bug Fix: Fixed condition where forcing SSL on front-end pages could cause infinite redirection loops with specific setups of nginx to Apache reverse proxy servers. Bug Fix: Fixed scenarios where the site would be forced to load via https but scripts, stylesheets, and images would load via http. Bug Fix: Fixed invalid nginx.conf rule generation for the Reduce Comment Spam feature. Bug Fix: Corrected invalid parsing of some IP formats in Ban Hosts list. Bug Fix: Improved error handling when reading or updating config files. Bug Fix: Fixed various warnings that would display when changing settings. Enhancement: Updated to use new file modification API. Enhancement: Added HackRepair.com blacklist for Nginx. Enhancement: Improved Nginx support for System Tweak features. Enhancement: Updates to wp-config.php, .htaccess, and nginx.conf files now support more systems. Enhancement: Combined the "Force SSL for Dashboard" and "Force SSL for Login" settings to a unified "Force SSL for Dashboard" setting. This is due to how the FORCE_SSL_LOGIN define was deprecated in WP 4.0.0. Enhancement: Added comments to wp-config.php, .htaccess, and nginx.conf updates that indicate which settings affect the specific entries. Enhancement: Added translation support for previously static strings, including strings used for comments in wp-config.php, .htaccess, and nginx.conf files. Enhancement: Improved generation of valid referers for use by the Reduce Comment Spam feature. Enhancement: Broadened the server support in the import settings code. Enhancement: Added new library classes for managing files, directories, and config files. 1.15.1 - 2015-06-04 - Chris Jean Bug Fix: Fixed bad release that had some outdated files. 
1.15.2 - 2015-06-08 - Packaging Bot (core) Bug Fix: Fixed "Fatal error: Call to undefined method ITSEC_Lib_File::get_full_file_permissions()" which could occur when saving settings. 1.15.3 - 2015-06-09 - Chris Jean Bug Fix: Warnings when file writes fail are now hidden. Bug Fix: Fixed a situation where creation of a zipped export file would fail, but an email would still be sent as if the zip was created successfully. Enhancement: Improved error messages for when file writes fail. Enhancement: Improved error messages for when export file creation fails. Enhancement: Improved error messages for situations when the .htaccess, nginx.conf, or wp-config.php files may need to be manually updated. Enhancement: Fixed tabbing for "Ban User Agents" section in .htaccess files to match tabbing used by other sections. 1.15.4 - 2015-06-16 - Chris Jean Bug Fix: Fixed handling of wp-config.php files that are one directory up from the ABSPATH directory. 1.16.0 - 2015-07-06 - Chris Jean Feature Removal: Removed the malware scanning and malware wp-cli integration features as VirusTotal no longer supports scanning from WordPress sites. A replacement is in the works. Bug Fix: The close button on the "Thank you for activating iThemes Security" message now appears in the correct location. Bug Fix: Removed the site's URL being displayed in the "Replace jQuery With a Safe Version" setting details. Bug Fix: Updated .htaccess rules to be compatible with Apache 2.4 without the auth compat module. Bug Fix: Enabling and disabling the "Remove File Writing Permissions" setting now updates the file permissions properly. Bug Fix: Web servers that cannot be recognized now default to Apache. Enhancement: Updated the hackrepair lists. 1.16.1 - 2015-07-14 - Chris Jean Enhancement: Updated link to iThemes support. 
1.17.0 - 2015-08-03 - Chris Jean
	Feature Removal: Removed the "Remove WordPress Generator Meta Tag" and "Display Random Version" features as they are not recommended due to limited security benefit and creating compatibility issues.
	Enhancement: Improved the reCaptcha feature's integration into comments. It now supports more themes than ever before and bypasses captcha validation for logged in users.
	Enhancement: Added support for WordPress 4.3's updated password user interface and password generator.
	Enhancement: Added the ability to undo the Content Directory change.
	Bug Fix: No longer tries to load a non-existent JavaScript file for the salts module.
	Bug Fix: Fixed an issue with one-time database backups on multisite installs.
	Bug Fix: Fixed issues related to locating .htaccess or nginx.conf files on sites with WordPress installed in a separate directory.
	Bug Fix: Fixed issues with PHP blocking in uploads directory not working with certain non-standard setups.
	Bug Fix: Minor change to fix a warning that can appear after changing the Content Directory.
	Bug Fix: Fixed a PHP fatal error that could occur on some servers when adding a ban to the site's .htaccess or nginx.conf file.
	Bug Fix: Fixed some issues with profile pages on multisite setups that affected both two factor authentication and the password generator.
1.17.1 - 2015-08-17 - Chris Jean
	Bug Fix: Fixed "Call to undefined function get_home_path()" error.
1.18.0 - 2015-09-14 - Chris Jean
	New Feature: Added malware scanning provided by Sucuri SiteCheck.
	New Feature: Added malware scanning scheduling with email reporting if issues are found.
	Enhancement: Two Factor now supports authentication codes provided via email.
	Enhancement: Two Factor now supports backup verification codes.
	Enhancement: Two Factor login prompts are now shown after providing valid username and password details and only for users that have Two Factor enabled.
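Worked example for the TOTP provider behind the Two Factor entries above and in the 1.18.x releases that follow. This is an editor-added illustration in Python of RFC 6238, not the plugin's PHP code. It generates a 160-bit base32 secret (the size 1.18.5 adopts; the earlier 80-bit secret is half as long), derives each code from an explicitly packed 8-byte counter so the host's native integer width never influences the result (the class of failure 1.18.3 and 1.18.4 fix for 32-bit PHP; Python's integers are unbounded, so the two-halves packing is shown for portability rather than necessity), and verifies a submitted code with a small clock-skew window and a constant-time comparison. The only non-assumed value is the RFC 6238 reference secret used for the check; the function names and the skew window are choices of the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Reference secret from RFC 6238 Appendix B (ASCII "12345678901234567890",
# 20 bytes = 160 bits). Used here only to check the implementation.
RFC6238_SECRET = b"12345678901234567890"


def generate_secret(bits: int = 160) -> str:
    """Return a fresh base32-encoded shared secret for an authenticator app.

    160 bits gives 32 base32 characters; the old 80-bit secret gave 16.
    """
    if bits % 40:
        # Multiples of 40 bits encode to base32 without padding characters,
        # which is what authenticator apps expect in a provisioning URI.
        raise ValueError("secret size must be a multiple of 40 bits")
    return base64.b32encode(secrets.token_bytes(bits // 8)).decode("ascii")


def secret_bits(b32_secret: str) -> int:
    """Size in bits of a base32 secret (handy when auditing stored secrets)."""
    return len(base64.b32decode(b32_secret)) * 8


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the 8-byte counter."""
    # Pack the counter as two big-endian 32-bit words rather than one 64-bit
    # value; the result is identical on any platform regardless of native
    # integer width.
    msg = struct.pack(">II", (counter >> 32) & 0xFFFFFFFF, counter & 0xFFFFFFFF)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current code or one `window` steps either side (clock skew).

    The comparison is constant-time so the verifier itself leaks nothing about
    how many leading digits matched.
    """
    if timestamp is None:
        timestamp = int(time.time())
    if len(code) != digits or not code.isdigit():
        return False
    for drift in range(-window, window + 1):
        candidate = totp(secret, timestamp + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False
```

A real verifier also remembers the last accepted counter per user so a captured code cannot be replayed inside the window; that bookkeeping is omitted here.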
1.18.1 - 2015-09-14 - Chris Jean
	Bug Fix: Fixed potential fatal error and warning when upgrading old malware scheduling settings.
	Bug Fix: Fixed issue that could prevent two-factor apps on iOS devices from properly adding sites that have spaces in their names.
	Enhancement: Improved the UI for setting up the TOTP provider for two-factor authentication.
1.18.2 - 2015-09-15 - Chris Jean
	Compatibility Fix: Added support for ITSEC_TEST_MALWARE_SCAN_DISABLE_SSLVERIFY. Setting it to true can bypass "SSL peer certificate or SSH remote key was not OK" errors on servers with bad SSL configurations.
	Bug Fix: Fixed "Call to undefined function wp_roles()" error that can occur in older versions of WordPress.
	Bug Fix: Fixed an issue with Sync Two-Factor override.
1.18.3 - 2015-09-21 - Chris Jean
	Bug Fix: Removed warnings that could appear when saving two-factor settings in a user's profile page.
	Compatibility Fix: Fixed time-based one-time password authentication code generation on 64-bit servers running 32-bit PHP 5.6.3+.
	Compatibility Fix: Updated code triggered by the ITSEC_TEST_MALWARE_SCAN_DISABLE_SSLVERIFY define. This avoids plugin compatibility issues that prevent disabling the SSL peer verification.
1.18.4 - 2015-09-22 - Chris Jean
	Compatibility Fix: Additional fixes for time-based one-time password authentication code generation on 64-bit servers running 32-bit PHP.
1.18.5 - 2015-09-29 - Chris Jean
	Enhancement: Increased the number of bits in the time-based one-time password secret from 80 bits to the current recommendation of 160 bits.
	Bug Fix: Fixed issue that caused some iOS devices to fail to scan the time-based one-time password authentication QR code properly.
2.0.0 - 2015-10-15 - Chris Jean
	New Feature: Added "Multiple Authentication Attempts per XML-RPC Request" setting to the WordPress Tweaks section. When this setting is set to "Block", iThemes Security will block brute force login attacks against XML-RPC as described by Sucuri in this blog post: https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
	Enhancement: Updated text describing the XML-RPC setting in the WordPress Tweaks section to better explain what the setting is for and which setting is recommended.
	Enhancement: Improved IP detection when proxy detection is active by processing the header set by CloudFlare.
	Enhancement: Added a filter named itsec_filter_remote_addr_headers which can be used to change which headers are searched for the client IP. This allows for tailoring the IP detection for specific reverse proxies and load balancers.
	Bug Fix: Updated the Banned Users settings to no longer add a newline to the Ban Hosts input each time the settings page is saved.
2.0.1 - 2015-10-27 - Chris Jean
	Bug Fix: Enforce use of application passwords for all API uses when two factor is enabled and configured.
2.0.2 - 2015-11-10 - Chris Jean
	Enhancement: Removed Yandex and Sogou from the HackRepair blacklist as they are legitimate search engine bots.
	Enhancement: Added detailed information about Sucuri malware scan errors to Malware Scan log details.
	Bug Fix: No longer enables display of database errors when an event is logged.
2.1.0 - 2016-01-11 - Chris Jean & Aaron D. Campbell
	Security Fix: Fixed PHP code that could allow AJAX requests to list directories and files outside the directory structure of the WordPress installation. Note that these AJAX requests required a logged in user with admin-level privileges. This vulnerability could not be exploited by non-privileged or anonymous requests.
	Bug Fix: Updated the SSL feature to use 301 redirects rather than 302 redirects.
	Bug Fix: Fixed situations where security nonces would incorrectly trigger "security check" errors when enabling specific combinations of features on the settings page.
	Bug Fix: Enabling scheduled database backups and setting a backup interval of 0 days no longer results in a backup being created on every page load.
	Feature Removal: Removed the "Security Status" portion of the Security > Dashboard page. This is in preparation for a new tool that provides suggestions tailored to the site and server that Security is running on.
	Enhancement: Updated the way the feature modules function in order to allow them to be redesigned in a more efficient and flexible way for future releases.
	Enhancement: Updated the File Change Detection feature to attempt a max memory limit of 256M rather than 128M as some users experience out of memory issues which could be fixed with the higher memory limit.
	Enhancement: Updated the Database Backup feature to attempt a max memory limit of 256M rather than 128M as some users experience out of memory issues which could be fixed with the higher memory limit.
	Enhancement: Added localization support for some non-localized strings.
2.1.1 - 2016-01-14 - Chris Jean & Aaron D. Campbell
	Bug Fix: Module-specific data is properly initialized/removed on plugin activation, deactivation, and uninstallation.
2.1.2 - 2016-01-15 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed issue that could block logins if the reCAPTCHA feature's settings have reCAPTCHA for user logins enabled while the reCAPTCHA feature itself is disabled.
	Bug Fix: Fixed reCAPTCHA settings being unable to save on multisite installations.
	Enhancement: Improved detection of multiple active versions of iThemes Security.
2.1.3 - 2016-01-26 - Chris Jean & Aaron D. Campbell
	Bug Fix: Removed the following warning that could appear on some sites: "Notice: Trying to get property of non-object in ithemes-security-pro/pro/privilege/class-itsec-privilege.php on line 247"
	Bug Fix: Comparisons of IPv4 addresses and ranges now include the IPs at the edge of the ranges.
	Bug Fix: IPv4 tests now work as expected when deciding if a blacklisted IP or range overlaps whitelisted IPs and ranges.
	Bug Fix: Fixed styling issue that affected the display of the horizontal tabs on settings pages in WordPress 4.5.
	Bug Fix: Replaced old module sorting order in settings screens.
	Bug Fix: Fixed PHP 7 compatibility issue that triggers the following error: "Uncaught Error: Call to undefined function mysql_get_client_info()".
	Bug Fix: Fixed warnings and errors that could occur when deleting the plugin.
	Enhancement: When a lockout is being executed, wp_logout() will only be called if the current page request comes from a logged in user. This prevents plugins that log logout events from logging log outs from unknown users.
	Enhancement: Improved the descriptions used for some of the data displayed in the "System Information" section of Security > Dashboard.
	Enhancement: Added "Use MySQLi" entry to the "System Information" section of Security > Dashboard to show whether the MySQLi driver is enabled.
	Enhancement: Updated the "SQL Mode" entry in the "System Information" section of Security > Dashboard to show the full details if that value is set.
2.1.4 - 2016-01-27 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed the following error that could occur on multisite: "PHP Fatal error: Uncaught Error: Call to undefined function wp_get_current_user()".
	Bug Fix: Fixed warning that could occur on a failed login when Local Brute Force Detection is disabled.
2.1.5 - 2016-02-03 - Chris Jean & Aaron D. Campbell
	Bug Fix: Updated Two-Factor code to avoid how iOS mishandles some characters in site names.
	Bug Fix: All data added to the options table by iThemes Security is removed on uninstall.
	Bug Fix: Fixed the cause of the following warning: call_user_func_array() expects parameter 1 to be a valid callback, class 'ITSEC_SSL_Setup' does not have a method 'execute_deactivate'
	Bug Fix: Multiple activated installs of iThemes Security are now supported without fatal errors being generated on subsequent activations. Only one install will run at a time, however.
	Bug Fix: Fixed cause of the following warning: array_intersect(): Argument #2 is not an array in ithemes-security-pro/pro/two-factor/class-itsec-two-factor-helper.php on line 238
	Enhancement: Improved code that ensures that tables and options table entries created by iThemes Security are removed on uninstall only when no other iThemes Security plugin is active.
2.2.0 - 2016-02-11 - Chris Jean & Aaron D. Campbell
	New Feature: Added support for IPv6 addresses. This includes support for IPv6 in lockouts, ban hosts, and white lists.
	Bug Fix: Updated Two-Factor code to avoid how iOS mishandles some characters in site names.
	Bug Fix: Fixed issue that could cause username-based lockouts to fail for long usernames.
	Enhancement: Updated descriptions of valid IP and IP range formats for the Lockout White List and the Ban Hosts settings.
2.2.1 - 2016-02-11 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed an issue which would show that an update was available even after updating to 2.2.0.
2.2.2 - 2016-02-11 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed issue that added unnecessary files to the 2.2.1 release.
2.2.3 - 2016-02-15 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed issue that prevented wildcard IP ranges from being blacklisted or whitelisted.
	Bug Fix: Removed warnings generated when the Away Mode module is disabled and iThemes Sync contacts the site.
	Enhancement: Updated host entries in log details to link to traceip.net rather than ip-adress.com. This is because ip-adress.com does not support IPv6 addresses.
	Enhancement: Updated host entries in dashboard lockout details to link to traceip.net rather than ip-adress.com. This is because ip-adress.com does not support IPv6 addresses.
	Enhancement: Updated some translatable strings relating to blacklisting and whitelisting to allow for better translations.
	Enhancement: Added details about how wildcard IP ranges are converted to CIDR format (this improves performance).
2.2.4 - 2016-02-18 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed formatting issue that could cause raw HTML output in the malware scan logs.
	Enhancement: Improved error handling and reporting for malware scan issues.
2.2.5 - 2016-02-29 - Chris Jean & Aaron D. Campbell
	Security Fix: Hardened the created backups and logs directories. Thanks to Nicolas Chatelain (SYSDREAM IT Security Services) for notifying us of this issue.
	Security Fix: More secure backup and log file names. Thanks to Nicolas Chatelain (SYSDREAM IT Security Services) for notifying us of this issue.
	Bug Fix: Two-Factor details no longer show on the user profile page when there are no enabled providers.
	Bug Fix: The "NGINX Conf File" setting is now properly respected, causing the generated NGINX configuration file to be stored in that location.
	Enhancement: Generated database backup file names now contain a human-readable timestamp in the format of YYYYMMDD-HHMMSS.
	Enhancement: Zipped database backup files no longer contain a deeply nested directory structure. Instead, they only contain the sql file.
	Enhancement: When the "Force Unique Nickname" feature is enabled, the generated display name now uses an improved randomization function.
	Enhancement: Improved tabbing of rules in generated nginx.conf files.
	Enhancement: Removed the "See what's new" button as it has fulfilled its purpose.
2.2.6 - 2016-03-01 - Chris Jean & Aaron D. Campbell
	Bug Fix: Updated code that generates the backups and logs directories to ensure that it attempts to create the parent directory if it does not exist yet.
	Bug Fix: Removed warnings that could be generated if the logs directory could not be created.
	Bug Fix: Database backup files sent via email no longer have a name without an extension if zipping up the file fails.
2.2.7 - 2016-03-03 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed temporary whitelisting by preventing a temporarily whitelisted IP from being locked out.
2.2.8 - 2016-03-17 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed issue that could cause a fatal error after changing the content directory.
	Bug Fix: Updated the link to sign up for the security guide download to point to an https address. This is better security and prevents warnings when submitting from an http site in some browsers.
	Bug Fix: If a cryptographically secure log file name can't be generated, queue up log file writes until we can.
	Bug Fix: reCAPTCHA no longer causes notices when used on BuddyPress.
	Enhancement: Two-factor profile settings now work with front end profile plugins.
2.2.9 - 2016-03-29 - Chris Jean & Aaron D. Campbell
	Security Fix: No longer using document.location to build the 'Show Intro' link in admin. Thanks to David Lodge (Pen Test Partners) for notifying us of this issue.
	Bug Fix: Fixed some notices when certain multisite options are used on BuddyPress.
	Enhancement: New itsec_white_ips filter to allow plugins that work with external services to whitelist service IPs.
2.2.10 - 2016-04-19 - Chris Jean & Aaron D. Campbell
	Security Fix: Better capability checks for dismissal of the changed file dialog. Thanks to Julio Potier for notifying us of this issue.
	Bug Fix: Make file change warning dialog text properly translatable.
	Enhancement: Added 'itsec_log_event' action for logged events.
2.2.11 - 2016-05-02 - Chris Jean & Aaron D. Campbell
	Bug Fix: Throw a real 403 instead of a faked 404 for hide backend. Fixes compatibility with certain plugins including WordPress SEO. Hat tip to Joost de Valk (@jdevalk) and the @Yoast team for bringing this issue to our attention.
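Worked example for the 2.0.0 entry "Multiple Authentication Attempts per XML-RPC Request" above. This is an editor-added illustration in Python, not the plugin's PHP. The amplification attack described in the linked Sucuri post packs hundreds of credential-carrying calls (typically wp.getUsersBlogs) into a single system.multicall envelope, so one HTTP request tests hundreds of passwords and per-request lockout counters see only one attempt. The detector below parses the request body, counts the calls whose parameters carry a username and password (descending into nested multicalls), and implements "Block" as refusing any request with more than one such attempt. The method list is a constructed subset of WordPress core's authenticated methods, and the two build_* helpers only construct sample requests for the check.

```python
import xmlrpc.client
from typing import Any, List, Sequence

# Constructed subset of WordPress XML-RPC methods whose parameter list carries a
# username and password (so each call is one password guess). Not exhaustive;
# the real set is whatever methods the running WordPress registers.
AUTHENTICATED_METHODS = frozenset({
    "wp.getUsersBlogs", "wp.getUsers", "wp.getProfile", "wp.getOptions",
    "wp.getPosts", "wp.getPost", "wp.newPost", "wp.editPost", "wp.deletePost",
    "blogger.getUsersBlogs", "metaWeblog.getRecentPosts", "metaWeblog.newPost",
})


def count_calls(calls: Sequence[Any]) -> int:
    """Count credential-carrying calls in a system.multicall array, descending
    into nested multicalls so an inner envelope cannot hide extra attempts."""
    count = 0
    for call in calls:
        if not isinstance(call, dict):
            continue
        name = call.get("methodName")
        if name == "system.multicall":
            inner = call.get("params") or []
            count += count_calls(inner[0] if inner and isinstance(inner[0], list) else [])
        elif name in AUTHENTICATED_METHODS:
            count += 1
    return count


def count_auth_attempts(body: str) -> int:
    """Parse an XML-RPC methodCall body and return the number of authentication
    attempts it contains (0 for methods that take no credentials)."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # malformed XML, a Fault, or an unsupported type
        raise ValueError(f"bad XML-RPC request: {exc}") from exc
    if method is None:
        raise ValueError("body is not a methodCall")
    if method != "system.multicall":
        return 1 if method in AUTHENTICATED_METHODS else 0
    # system.multicall takes exactly one parameter: an array of
    # {methodName, params} structs.
    calls = params[0] if params and isinstance(params[0], list) else []
    return count_calls(calls)


def should_block(body: str, limit: int = 1) -> bool:
    """The "Block" behaviour: refuse any request carrying more than `limit`
    authentication attempts. A legitimate client never needs more than one."""
    return count_auth_attempts(body) > limit


# Constructed sample requests: the attacker's shape and a normal client's.
def build_multicall(method: str, username: str, passwords: List[str]) -> str:
    calls = [{"methodName": method, "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def build_single(method: str, username: str, password: str) -> str:
    return xmlrpc.client.dumps((username, password), methodname=method)
```

Counting attempts rather than rejecting system.multicall outright keeps the method usable for clients that batch read-only calls under a single credential, which is the trade-off the 2.0.0 text describes as "which setting is recommended".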
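Worked example for the IP matching fixes above: inclusive range edges and blacklist/whitelist overlap tests (2.1.3), IPv6 in lockouts, ban hosts and white lists (2.2.0), and wildcard ranges converted to CIDR (2.2.3). This is an editor-added illustration in Python, not the plugin's PHP. The supported entry forms are an assumption of the example: a single address, a CIDR block, or an IPv4 wildcard with a trailing run of `*` octets such as 10.0.*.*. Converting the wildcard to a CIDR block up front is what makes a membership test a single mask-and-compare instead of a per-octet string walk, which is the performance point the 2.2.3 entry makes.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_entry(entry: str) -> Network:
    """Parse one ban-list or whitelist entry into a network object.

    Accepted (assumed) forms: "192.0.2.7", "2001:db8::1", "192.0.2.0/24",
    "2001:db8::/32", or an IPv4 wildcard like "10.0.*.*". A wildcard is
    rewritten as the equivalent CIDR block; "10.0.*.*" becomes 10.0.0.0/16.
    """
    entry = entry.strip()
    if "*" in entry:
        octets = entry.split(".")
        if len(octets) != 4:
            raise ValueError(f"wildcard entry must have four octets: {entry!r}")
        first = octets.index("*")
        if any(octet != "*" for octet in octets[first:]):
            raise ValueError(f"wildcard octets must be trailing: {entry!r}")
        base = ".".join(octets[:first] + ["0"] * (4 - first))
        # strict=True (the default) is safe here: the host bits are all zero.
        return ipaddress.ip_network(f"{base}/{8 * first}")
    # strict=False masks off host bits in "192.0.2.7/24"; a bare address
    # becomes a /32 or /128 so every entry is handled as a network.
    return ipaddress.ip_network(entry, strict=False)


def matches(ip: str, entries: Iterable[str]) -> bool:
    """True if `ip` falls inside any entry. Both ends of a range are members:
    ipaddress counts network_address and broadcast_address as contained,
    which is the inclusive-edge behaviour the 2.1.3 fix restored."""
    addr = ipaddress.ip_address(ip.strip())
    for entry in entries:
        net = parse_entry(entry)
        if net.version == addr.version and addr in net:
            return True
    return False


def conflicts(banned: Iterable[str], whitelisted: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (ban entry, whitelist entry) pairs that overlap. Run this when
    settings are saved so a broad ban cannot silently swallow an address the
    operator meant to keep reachable (the 2.1.3 overlap test)."""
    found: List[Tuple[str, str]] = []
    for ban in banned:
        ban_net = parse_entry(ban)
        for allow in whitelisted:
            allow_net = parse_entry(allow)
            if ban_net.version == allow_net.version and ban_net.overlaps(allow_net):
                found.append((ban, allow))
    return found
```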
2.2.12 - 2016-05-05 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fix issues with `getrecent` and `getlockouts` WP-CLI commands.
2.3.0 - 2016-05-23 - Chris Jean & Aaron D. Campbell
	Enhancement: New user interface with both grid and list views for managing settings.
	Enhancement: New automatic temp whitelisting of IPs for users that manage iThemes Security settings.
	Enhancement: Better feedback on errors when modifying wp-config.php or server config files.
	Enhancement: Improved code efficiency of the Away Mode feature so that it takes less processing time when active.
	Enhancement: Rather than disabling features that have invalid user input, the user now can fix the issue before saving.
	New Feature: Global settings now has a "Show Error Codes" setting that can provide an error message's specific error code when it is enabled.
	Bug Fix: More than one IP can now be temp whitelisted.
2.3.1 - 2016-05-24 - Chris Jean & Aaron D. Campbell
	Enhancement: Improved the efficiency of the plugin's loading code, reducing the amount of time taken to run the plugin.
	Bug Fix: Fixed a bug where some modules would be enabled or disabled when they shouldn't be after upgrading to the latest version.
	Bug Fix: Will not send notification emails about the new login address when Hide Backend is enabled and doing an upgrade.
	Compatibility Fix: Updated handling of wp_remote_get() responses in preparation for changes coming in WordPress 4.6.
2.3.2 - 2016-05-24 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed fatal error that could happen when registering for Network Brute Force Protection.
2.3.3 - 2016-05-25 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed error that would prevent nginx servers from being able to make use of the "Reduce Comment Spam" feature of the WordPress Tweaks module.
	Bug Fix: Restored missing log filter for 404 Detection log entries.
2.3.4 - 2016-05-25 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed links to Settings, Logs, and creating a backup on Multisite.
	Enhancement: The "Write to Files" setting is now enabled by default.
2.3.5 - 2016-05-26 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed bug that could cause some sites to lose settings when upgrading or importing settings.
	Bug Fix: Fixed bug that could cause Security to look at old file and directory locations after importing settings from one site to a different site.
	Bug Fix: Removed some status messages that would display after doing an import.
2.3.6 - 2016-05-27 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed SQL query for Database Backups when "Backup Full Database" is enabled.
2.4.0 - 2016-06-07 - Chris Jean & Aaron D. Campbell
	New Feature: Added a new File Permissions section on the settings page to bring back the directory and file permissions listing feature found on the Security > Dashboard page of older plugin versions.
	Bug Fix: Fixed a situation where adding a very large list of IPs in the Ban Hosts list would generate an invalid .htaccess file on some servers.
	Bug Fix: Fixed a bug that could prevent email notifications from scheduled malware scans from being sent.
	Enhancement: The Database Backups, Local Brute Force Protection, Network Brute Force Protection, Strong Password Enforcement, and WordPress Tweaks features are now active by default on new installations.
	Enhancement: The Malware Scan Scheduling, Two-Factor Authentication, and User Logging features are now active by default on new installations.
	Enhancement: The WordPress Tweaks feature now uses the "Disable File Editor" setting by default on new installations.
	Enhancement: The WordPress Tweaks feature now sets the "Multiple Authentication Attempts per XML-RPC Request" setting to "Block" by default on new installations.
	Enhancement: Improved the styling of notices.
2.5.0 - 2016-06-15 - Chris Jean & Aaron D. Campbell
	New Feature: Added a new Security Check section on the settings page. This new feature adds a tool to quickly ensure that the recommended features are enabled and the recommended settings are used.
	Bug Fix: Fixed the ability to remove the itsec_away.confg file in order to disable Away Mode.
	Bug Fix: Removed a potential warning when authenticating a user using a Two-Factor Authentication provider.
	Enhancement: The "Ban Lists" setting of Banned Users is now enabled by default.
2.6.0 - 2016-06-29 - Chris Jean & Aaron D. Campbell
	New Feature: A notification recommends that users enable two-factor authentication for their user when Two-Factor Authentication is enabled and their user is not using a two-factor authentication provider.
2.6.1 - 2016-07-12 - Chris Jean & Aaron D. Campbell
	Enhancement: Improved styling and wording for Two-Factor Authentication settings and notice.
	Bug Fix: Removed notices that could be generated on user profile pages.
2.7.0 - 2016-07-26 - Chris Jean & Aaron D. Campbell
	Enhancement: New, simpler flow for setting up Two-Factor Authentication!
2.8.0 - 2016-08-09 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed a potential logging issue that could prevent some lockout notices from being properly logged on non-English sites.
	Bug Fix: Prevented some notices from displaying to users who do not need to see them.
	Bug Fix: Limited notices to only display on specific pages on the dashboard.
	Compatibility Fix: Changed name of the $HTTP_RAW_POST_DATA variable to avoid erroneously tripping PHP 7 compatibility checks.
	Code Cleanup: Removed legacy code that is no longer needed.
	Enhancement: New User Security Check module!
2.8.1 - 2016-08-09 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed issue with how date string translations were handled, causing the current date to show when it shouldn't.
2.8.2 - 2016-08-09 - Chris Jean & Aaron D. Campbell
	Bug Fix: Disabled ability to select "Change role to..." in User Security Check.
	Bug Fix: The User Security Check feature can no longer be used to remove a user from all roles.
2.9.0 - 2016-08-25 - Chris Jean & Aaron D. Campbell
	New Feature: The Version Management feature adds a variety of ways to keep your site up to date automatically, to notify you when your site has updates lingering for too long, and to watch for old WordPress installs on your hosting account.
	Bug Fix: The Security > Security Check link now works as expected in multisite.
3.0.0 - 2016-08-29 - Chris Jean & Aaron D. Campbell
	New Feature: View the password strength of users in the User Security Check module.
	New Feature: View how long ago a user's password was changed in the User Security Check module.
	New Feature: Send an E-Mail reminder to a user, telling them to enable two factor authentication, from the User Security Check module.
	New Feature: Inactive Users E-Mail shows you users that have not been active for at least 30 days.
	New Feature: Dashboard widget now includes a summary of users with weak passwords and those not using two-factor authentication.
3.0.1 - 2016-09-01 - Chris Jean & Aaron D. Campbell
	Bug Fix: Changed typos of "Constributor" to "Contributor".
	Bug Fix: Fixed caching issue when retrieving a list of WordPress version release dates for use by the old WordPress sites scanner.
	Bug Fix: Avoid additional orphaned session when logging in using Two-Factor Authentication.
	Enhancement: Reduced the amount of server memory used when generating the strength of a user's password.
3.0.2 - 2016-09-07 - Chris Jean & Aaron D. Campbell
	Bug Fix: Fixed fatal error that could happen when calculating user password strength on strato.de servers. Details about the bug on strato.de servers can be found here: https://bugs.php.net/bug.php?id=69188
	Bug Fix: Removed "PHP Notice: Undefined property: stdClass::$user_pass" warning that could appear in logs on certain login failures.
	Enhancement: Added support for the ITSEC_DISABLE_PASSWORD_STRENGTH define which can disable calculation of user password strength. This is useful on servers that do not have enough available memory to load the dictionaries used to calculate password strength. To disable calculation of password strength, add the following to the wp-config.php file of the site: define( 'ITSEC_DISABLE_PASSWORD_STRENGTH', true );
3.0.3 - 2016-09-13 - Chris Jean
	Bug Fix: Limited the dashboard widget to only check user details if there are fewer than 1,000 users. This is to prevent load issues on sites with large numbers of users.
	Bug Fix: Fixed bug that could cause Scan For Old WordPress Sites to report a site running the latest version as running an old version.
	Bug Fix: Fixed issue that could cause numerous cron jobs to scan for outdated software to build up in the database.
	Bug Fix: Notices about inactive users are now sent to the addresses in the "Notification Email" setting in Global Settings rather than the site's administrative email contact.
3.0.4 - 2016-09-27 - Chris Jean
	Security Fix: Fixed issue where a locked out but not yet blacklisted IP/user could receive different HTTP headers when testing a valid username/password combination. Thanks to Leon Atkinson of 18INT for contacting us about this issue.
	Security Fix: Updated log output to prevent specific kinds of logged requests from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us about this issue.
	Bug Fix: Corrected a settings description typo in Global Settings.
	Bug Fix: Fixed bug that could result in issues authenticating over XML-RPC when the WordPress Tweaks > Multiple Authentication Attempts per XML-RPC Request setting is set to "Block".
	Enhancement: Updated the Application Passwords feature to support REST API requests.
3.0.5 - 2016-10-10 - Chris Jean
	Bug Fix: Removed warnings that could occur when User Logging is active and the site runs BuddyPress.
	Bug Fix: Removed the "Wget" user agent from the Hack Repair blacklist as it can block wp-cron jobs on some hosts.
	Enhancement: Added new Daily Digest email design.
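Worked example for the first 3.0.4 security fix above. This is an editor-added illustration in Python, not the plugin's PHP, and the usernames, hashing stand-in and header set are constructed for it. A lockout only defeats a brute-force attacker if a locked-out client learns nothing about whether the credentials it keeps submitting are right. The "before" ordering authenticates first and applies the lockout afterwards, so a correct password still leaves a trace in the response (here a Set-Cookie header that the failure path never emits); the "after" ordering checks the lockout before touching the credentials and returns one fixed response, so neither headers nor timing depend on the password.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Set, Tuple

Headers = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class Response:
    status: int
    headers: Headers
    body: str


def hash_password(password: str) -> str:
    # Stand-in for wp_hash_password(); a real system uses a slow salted hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# The single response every locked-out client receives, whatever it sent.
LOCKOUT_RESPONSE = Response(
    403,
    (("Cache-Control", "no-store"), ("Content-Type", "text/html; charset=UTF-8")),
    "Too many failed login attempts. Try again later.",
)


class LoginGate:
    def __init__(self, users: Dict[str, str], max_attempts: int = 5) -> None:
        self.users = users                    # username -> password hash (constructed)
        self.max_attempts = max_attempts
        self.failures: Dict[str, int] = {}    # source IP -> failed attempts
        self.locked: Set[str] = set()

    def _credentials_ok(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        if stored is None:
            hash_password(password)  # same work for unknown usernames
            return False
        return hmac.compare_digest(stored, hash_password(password))

    def _record_failure(self, ip: str) -> None:
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_attempts:
            self.locked.add(ip)

    @staticmethod
    def _success(username: str) -> Response:
        return Response(302, (("Location", "/wp-admin/"),
                              ("Set-Cookie", f"wordpress_logged_in={username}; HttpOnly; Secure")), "")

    @staticmethod
    def _failure() -> Response:
        return Response(200, (("Cache-Control", "no-store"),
                              ("Content-Type", "text/html; charset=UTF-8")),
                        "ERROR: Invalid username or password.")

    def login_leaky(self, ip: str, username: str, password: str) -> Response:
        """Before: authenticate, then bolt the lockout page on. Status and body
        are identical for a locked client, but the headers already emitted by
        the success path differ from the failure path: a password oracle."""
        response = self._success(username) if self._credentials_ok(username, password) else self._failure()
        if ip in self.locked:
            return Response(LOCKOUT_RESPONSE.status,
                            response.headers + LOCKOUT_RESPONSE.headers,
                            LOCKOUT_RESPONSE.body)
        if response.status != 302:
            self._record_failure(ip)
        return response

    def login_fixed(self, ip: str, username: str, password: str) -> Response:
        """After: the lockout is decided first and the password is never
        examined, so the response cannot depend on it."""
        if ip in self.locked:
            return LOCKOUT_RESPONSE
        if self._credentials_ok(username, password):
            return self._success(username)
        self._record_failure(ip)
        return self._failure()
```

The check worth keeping from this example is the comparison itself: for a locked-out source, responses to a correct and an incorrect password must be byte-for-byte identical, headers included.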
3.0.6 - 2016-10-10 - Chris Jean
	Bug Fix: Fixed error "PHP message: PHP Fatal error: 'continue' not in the 'loop' or 'switch' context".
3.0.7 - 2016-10-13 - Chris Jean
	Bug Fix: Added compatibility for two-factor logins to work properly on WP Engine sites.
	Bug Fix: Added missing tag on two-factor login pages.
	Bug Fix: Fixed issue that reported invalid counts for host and user lockouts in the daily digest email.
	Bug Fix: Fixed issue that caused the daily digest email to be sent every day, even if no lockouts occurred and no file changes were found.
3.0.8 - 2016-10-13 - Chris Jean
	Bug Fix: Fixed issue that could prevent saving of File Change settings, resulting in an error message of "A validation function for file-change received data that did not have the required entry for latest_changes."
3.1.0 - 2016-10-27 - Chris Jean
	Bug Fix: Fixed data save issue that could cause multiple notification emails to be sent in a short period of time.
	Bug Fix: Fixed issue that could cause the malware scanner to fail on sites that change the arg_separator.output php.ini value from its default value.
	Bug Fix: Removed redundant entries in the HackRepair blacklist.
	Bug Fix: Enabling Protect System Files in System Tweaks will now only block install.php for the current site. This fixes the issue where the setting can block installation of a site in a subdirectory.
	Bug Fix: Fixed problem that could cause requests for iThemes Security data from iThemes Sync to fail due to large amounts of log entries.
	Bug Fix: Scheduled backups now run if the ITSEC_BACKUP_CRON define is set with a non-boolean value.
	Bug Fix: Replaced static references to wp-includes with the WPINC define.
	Bug Fix: Moved blocking of query strings containing %0[0-9A-F] characters from the Non-English Characters setting to the Suspicious Query Strings setting as those characters are control code characters and are not associated with a language.
	Bug Fix: Added escaping to some translation strings.
	Bug Fix: Removed unused files from the WordPress Tweaks module directory.
	Bug Fix: Fixed the Daily Digest email reversing the user and host lockout counts.
	Bug Fix: The database backup email no longer sends from the email address configured in Settings > General. It now defaults to the same from address that the wp_mail() function uses. This fixes the mail being blocked by some mail servers due to a spoofed from address.
	Enhancement: Updated the server config rules generated by the System Tweaks settings. They are now more consistent between Apache, LiteSpeed, and nginx. They are also more efficient and have been improved to limit accidentally blocking non-targeted requests.
	Enhancement: Updated the database backup email to a new design.
	Enhancement: Added a note that the Filter Request Methods setting in System Tweaks should not be enabled if the WordPress REST API is used. This is because the DELETE HTTP method is blocked when the setting is enabled.
	New Feature: Added setting to block requests for PHP files in the plugins directory in System Tweaks.
	New Feature: Added setting to block requests for PHP files in the themes directory in System Tweaks.
3.1.1 - 2016-11-15 - Chris Jean
	Bug Fix: Remote IP is now correctly identified if the server is behind a reverse proxy that sends requests with more than one IP listed in a single header.
	Bug Fix: Fixed the link for a user in the logs page so that it properly works on sites that are inside a subdirectory.
	Bug Fix: Improved how Strong Password Enforcement works on password resets to improve compatibility with various plugins.
	Bug Fix: Improved the logic for determining whether a user should have Strong Password Enforcement applied. This covers situations where the user may have a custom role, a customized default role, or added capabilities beyond their role.
	Bug Fix: Removed warning that could happen when updating a user without changing their password.
	Enhancement: Improved the logic for determining the requesting IP address to better handle situations where the site is behind a reverse proxy.
	Enhancement: Strong Password Enforcement now uses a PHP port of zxcvbn to ensure that a strong password was selected.
	Enhancement: All links in Security that have target="_blank" now have added rel attributes to protect against tabnabbing.
	Misc: Updated remaining ip-lookup.net links to instead link to traceip.net in keeping with other links that were previously updated to traceip.net.
3.2.0 - 2016-11-29 - Chris Jean
	Enhancement: Updated the lockouts notification email to a new design. This new design also cleaned up the translation strings to allow better translations.
	New Feature: Added a "Protect Against Tabnapping" feature in the WordPress Tweaks section. Details of what this feature protects against can be found here: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
	Misc: Updated the description for the Lockout Period setting to indicate that the default value of 15 minutes is recommended.
3.2.1 - 2016-12-06 - Chris Jean
	Bug Fix: Fixed issue that could cause database backup emails to be sent without the backup zip attached.
3.3.0 - 2016-12-08 - Chris Jean
	New Feature: Added a "REST API" feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.
3.4.0 - 2016-12-28 - Chris Jean
	Bug Fix: Removed "comodo" from the list of user agents blocked by the HackRepair.com blacklist. This ensures that Comodo's AutoSSL feature of cPanel/WHM is able to function.
	Updated Feature: Updated the "REST API" feature in the WordPress Tweaks section. The feature now has proper support for protecting privacy on your site without preventing the REST API from functioning.
	Enhancement: Updated Security Check to enforce setting the "REST API" setting to "Restricted Access".
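Worked example for the proxy-aware IP detection in the 2.0.0 entries (the CloudFlare header and the itsec_filter_remote_addr_headers filter) and the 3.1.1 entries above (more than one IP listed in a single header, better handling behind a reverse proxy). This is an editor-added illustration in Python, not the plugin's PHP. Every lockout, ban and whitelist decision keys on this one address, so a forwarded header may only be believed when the TCP peer is a proxy the site operator controls; otherwise any client can set X-Forwarded-For and walk past a ban or impersonate a whitelisted address. When the peer is trusted, the comma-separated list is read from the right (the end each proxy appends to), skipping the operator's own hops, so a forged value the client planted at the front is ignored. The header names, the trusted ranges and the $_SERVER-style dictionary are assumptions of the example.

```python
import ipaddress
from typing import Iterable, List, Mapping, Optional, Sequence

# Search order for the forwarded client address. In the plugin this list is
# what the itsec_filter_remote_addr_headers filter adjusts; the CGI-style
# ($_SERVER) names used here are an assumption of the example.
DEFAULT_PROXY_HEADERS: Sequence[str] = (
    "HTTP_CF_CONNECTING_IP",   # set by CloudFlare; a single address
    "HTTP_X_FORWARDED_FOR",    # "client, proxy1, proxy2"; each hop appends
    "HTTP_X_REAL_IP",
)


def _parse_ip(value: str):
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None  # "unknown", empty, or garbage: ignore the token


def _is_trusted(addr, trusted: List) -> bool:
    return any(addr.version == net.version and addr in net for net in trusted)


def client_ip(server: Mapping[str, str],
              trusted_proxies: Iterable[str] = (),
              headers: Sequence[str] = DEFAULT_PROXY_HEADERS) -> Optional[str]:
    """Return the requesting client's address, or None if REMOTE_ADDR is unusable.

    trusted_proxies: CIDR blocks (or single addresses) of the reverse proxies
    and load balancers in front of the site. With an empty list, only
    REMOTE_ADDR is ever used, which is the safe default for a directly
    exposed server.
    """
    remote = _parse_ip(server.get("REMOTE_ADDR", ""))
    if remote is None:
        return None
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    # Forwarded headers are client-controlled unless the TCP peer is ours.
    if not _is_trusted(remote, trusted):
        return str(remote)
    for name in headers:
        raw = server.get(name)
        if not raw:
            continue
        hops = [ip for ip in (_parse_ip(part) for part in raw.split(",")) if ip is not None]
        # Walk from the right: the rightmost entries were appended by our own
        # proxies; the first hop that is not one of ours is the real client.
        for hop in reversed(hops):
            if not _is_trusted(hop, trusted):
                return str(hop)
    # Only our proxies in the chain, or no parseable header: fall back to the peer.
    return str(remote)
```

The same rule explains why a fixed header list is dangerous on a server that is not actually behind the proxy the list was written for: the plugin's "proxy detection" switch and this function's trusted_proxies argument are the same safeguard.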
3.5.0 - 2017-01-13 - Chris Jean Bug Fix: Fixed issue that could notify that WordPress 4.7.1 (the current version) is an outdated version of WordPress. Removed Feature: Removed additional authentication method for REST API requests. 3.6.0 - 2017-02-07 - Chris Jean New Feature: Ability to require Two Factor for users with specific roles. New Feature: Ability to require Two Factor for vulnerable users. New Feature: Ability to require Two Factor when the site is vulnerable. Enhancement: Added logging details about which two-factor provider was used when a two-factor authentication failed. Enhancement: Improved efficiency of the Two Factor feature. Enhancement: Added check for the ITSEC_DISABLE_INACTIVE_USER_CHECK define which allows for disabling the inactive user email notification. Enhancement: Added check for the ITSEC_DISABLE_TWO_FACTOR define which allows for disabling all two-factor authentication. This should only be used temporarily to gain access to the site when locked out due to loss of valid two-factor methods. Bug Fix: Fixed logging for failed recaptcha submissions. 3.6.1 - 2017-02-08 - Chris Jean Bug Fix: Removed warning that could occur when upgrading from pre-3.6.0 versions of iThemes Security Pro. Bug Fix: Fixed scenario that could cause users to have to provide two-factor authentication during login when the Two-Factor Authentication feature is disabled. Bug Fix: Fixed link sent to users when using User Security Check to send an email reminder to a user prompting them to configure two-factor. Bug Fix: Fixed bug that could prevent generation of new two-factor codes on the profile page. 3.6.2 - 2017-02-09 - Chris Jean Bug Fix: Fixed bug that prevented Away Mode from activating on some sites. 3.7.0 - 2017-03-09 - Chris Jean New Feature: Added the ability to create Application Passwords that are valid for the REST API, XML-RPC requests, or both. 
    New Feature: When a user has an Application Password that is valid for use by the REST API, authenticated REST API requests can be made using HTTP Basic Authentication, which allows for including the username and password with the request.
    New Feature: Application Passwords that are valid for the REST API can be set to read-only. This allows for creation of services that can have full access to site data without giving permission to modify site data.
    Enhancement: Improved efficiency of code, reducing memory and processor usage.
    Enhancement: Improved plugin performance by reducing the number of queries made on each page.
    Enhancement: Reduced memory and CPU usage due to various code improvements.
    Bug Fix: Removed warning that could occur when a plugin provides fake user variables.
    Bug Fix: A database backup will no longer be created when first activating the plugin.
    Bug Fix: Added compatibility for MySQL strict mode in database creation syntax.
    Bug Fix: Removed warning about a "non well formed numeric value encountered" in PHP 7.1.
    Bug Fix: Modifications to wp-config.php, .htaccess, and nginx.conf files are now properly re-added upon reactivation.
    Bug Fix: Fixed full settings for Hide Backend being displayed after disabling the feature and saving the settings.
    Bug Fix: Enabling or disabling the Hide Backend feature will update the "Log Out" link so that it works as expected without having to load a new page.
    Bug Fix: Enabling or disabling the Hide Backend feature now properly updates the .htaccess/nginx.conf file on enable and disable rather than at some future point.
    Bug Fix: Fixed issue that could cause improper database table creation on multisite sites.
3.7.1 - 2017-03-14 - Chris Jean
    Bug Fix: Fixed a bug that could prevent settings from saving properly if the site was migrated to a new server or a new home path on the server.
3.7.2 - 2017-03-23 - Chris Jean
    Bug Fix: When a requesting IP address cannot be found, default to 127.0.0.1. This fixes issues with some alternate cron setups.
    Bug Fix: Having more than one iThemes Security modification in a .htaccess, nginx.conf, or wp-config.php file will no longer result in having all the file content between each section removed when updating the file.
    Bug Fix: Modifications to the wp-config.php file added by W3 Total Cache now have their Windows-style newlines preserved when iThemes Security updates the file.
3.7.3 - 2017-04-11 - Chris Jean
    New Feature: Added support for the new Invisible reCAPTCHA.
    Enhancement: Removed AhrefsBot from the HackRepair blacklist as it is a legitimate bot.
    Bug Fix: Removed warning that could appear: "Undefined offset: 0 in ithemes-security-pro/pro/user-security-check/class-itsec-user-security-check.php"
    Bug Fix: Removed warning: "Non-static method ITSEC_Setup::uninstall() should not be called statically".
3.7.4 - 2017-04-13 - Chris Jean
    Bug Fix: Fixed a timing issue that prevented Privilege Escalation from giving the escalated user access to Appearance > Customize.
    Bug Fix: Reimplemented support for some removed reCAPTCHA class functions to fix a compatibility issue with iThemes Exchange.
3.7.5 - 2017-05-15 - Chris Jean
    Bug Fix: Updated reCAPTCHA logic to fix a compatibility issue with iThemes Exchange's usage of Security's reCAPTCHA feature.
3.8.0 - 2017-05-25 - Chris Jean & Timothy Jacobs
    New Feature: Added support for iThemes Sync to run the Security Check feature from inside the Sync service.
    Bug Fix: Fixed the ability to manually enter a page number to navigate to on the Security > Logs page.
    Bug Fix: Fixed source of warning that could appear when creating a backup while running a PHP version less than 5.4.
    Bug Fix: Fixed source of notice that could appear when resetting a user's password when the Strong Passwords Enforcement feature is enabled.
    Bug Fix: Fixed bugs that prevented reporting of specific error messages related to updating the wp-config.php file.
    Misc: Updated or added phpDoc to many functions.
3.9.0 - 2017-06-06 - Chris Jean
    New Feature: Added support for iThemes Sync to import and export settings.
4.0.0 - 2017-06-21 - Chris Jean & Timothy Jacobs
    Bug Fix: Fixed an infinite loop that could occur when expiring a cookie and Hide Backend is enabled.
    Bug Fix: Fixed compatibility issue with the Jetpack plugin when Hide Backend is enabled which could prevent Jetpack from redirecting users to the wordpress.com login page.
    Bug Fix: Fixed issue where access to wp-admin/admin-post.php when Hide Backend is enabled.
    Enhancement: Centralized shared code used by Password Expiration, Two-Factor Authentication, and User Security Check.
    Enhancement: Improved efficiency of Hide Backend code, increasing site performance when the feature is enabled.
    Enhancement: Enforce strong passwords during log-in. Can be disabled via the ITSEC_DISABLE_PASSWORD_REQUIREMENTS constant.
    Enhancement: Use canonical roles library to determine if a new user or an updated role requires a strong password.
    Enhancement: Introduce password requirements module to centralize handling of password updates.
    Misc: Updated Disable File Locking description.
4.1.0 - 2017-07-05 - Chris Jean & Timothy Jacobs
    Important: The way that Hide Backend functions changes in this release. Previously, if your Hide Backend Login Slug was wplogin, going to example.com/wplogin would result in the URL remaining example.com/wplogin. The new implementation of this feature results in a redirect to a URL that looks as follows: example.com/wp-login.php?itsec-hb-token=wplogin. While this may not be desirable for some users, this change was necessary to fix longstanding compatibility issues with other plugins. Once you access the login page using the Login Slug page, a cookie is set with an expiration time of one hour. As long as the cookie remains, you can access example.com/wp-login.php without having to access the Hide Backend Login Slug first. If you wish to confirm that Hide Backend is working properly on your site, opening up a private browsing window is a quick way to test without having to log out and clear cookies.
    Bug Fix: Update malware scan scheduling email settings when the admin user id is updated.
    Bug Fix: Fixed compatibility of Two Factor with Jetpack's Single Sign On feature.
    Bug Fix: Fixed issue that could prevent "Register" and "Lost your password?" links from working properly on the login page when Hide Backend is enabled.
    Bug Fix: Fix fatal error when updating a profile.
    Bug Fix: Fix strong passwords not being recognized as strong on the profile page.
    Bug Fix: Fix fatal error when registering a new user without specifying a role (iThemes Exchange).
    Bug Fix: Compatibility with Jetpack SSO and Password Requirements.
    Bug Fix: Ensure viewport meta is defined when loading the password requirements update password form.
    Bug Fix: Hide Backend is now compatible with Jetpack Single Sign On.
    Bug Fix: Hide Backend now hides registration pages on multisite sites.
    Enhancement: Add recaptcha support for WooCommerce.
    Enhancement: Allow multiple recaptchas on a single page.
    Enhancement: The Hide Backend hidden login URL is no longer leaked by password-protected content.
    Enhancement: Allow for searching through modules and settings.
    Enhancement: Link to other module settings pages without forcing the page to refresh.
    Enhancement: Fire an action, "itsec_change_admin_user_id", when the admin user id changes.
    Enhancement: Changed default Hide Backend Register Slug from wp-register.php to wp-signup.php since WordPress switched from using wp-register.php to wp-signup.php for registrations. This will not affect existing sites.
    Enhancement: Hide Backend functions purely in PHP code now rather than relying half on PHP code and half on .htaccess and nginx.conf modifications. This allows Hide Backend to function on web servers and server configurations that it was previously not compatible with.
    New Feature: Added support for the ITSEC_DISABLE_MODULES define.
4.1.1 - 2017-07-05 - Chris Jean & Timothy Jacobs
    Bug Fix: Fixed password-protected posts not properly handling the password when Hide Backend is enabled.
4.2.0 - 2017-07-24 - Chris Jean & Timothy Jacobs
    New Feature: Added support for email notifications when automatic updates are installed.
    Enhancement: Multisite support for Settings Exports.
    Enhancement: Added warnings to the Version Management settings page if the system or site configuration could prevent automatic updates from working as expected.
    Enhancement: Added support for validating the Recaptcha hostname by using the 'itsec_recaptcha_validate_host' filter.
    Enhancement: Refresh module settings after an import has been completed.
    Enhancement: Notify the user of invalid file paths for Log Files, Backups and NGINX Conf file during an import.
    Enhancement: Replaced file locking with database locking. This method of locking is compatible with all systems as it does not require the ability to write files. It also allows for locking to work on sites that have multiple front-end servers with a shared database. Since file locking is no longer used, the Global Settings > Disable File Locking setting was removed.
    Enhancement: Add "Copy to Clipboard" functionality for server and wp-config rules.
    Bug Fix: Prevent 404s when following links in email notifications on a site with Hide Backend enabled.
    Bug Fix: Ensure uninstall process is not run when another version of iThemes Security is still active.
    Bug Fix: Fixed method of working around Hide Backend.
    Bug Fix: Warnings are no longer generated when saving a user profile with a role of "No role for this site" selected.
4.3.0 - 2017-08-07 - Chris Jean & Timothy Jacobs
    Enhancement: Periodically retry malware scans when there is a temporary error with the scanning service before alerting users of the issue.
    Enhancement: Improved compatibility for Recaptcha on the front-end on slower-to-load websites.
    Removed Old Feature: Removed the "Replace jQuery With a Safe Version" feature as its use (protecting against a specific jQuery bug: https://bugs.jquery.com/ticket/9521) is many years old and is no longer a concern.
    Bug Fix: Bumped version number of some scripts to ensure that they refresh properly.
    Bug Fix: Fixed way to work around Hide Backend on some hosts.
4.4.0 - 2017-08-17 - Chris Jean & Timothy Jacobs
    New Feature: Security Check now attempts to automatically determine the location of the remote IP in the $_SERVER variable in order to protect against IP spoofing.
    New Feature: Security Check now attempts to automatically determine if the site supports https connections. If support is found, it asks the user if they wish to redirect http requests to https.
    Enhancement: Changed Two Factor login confirmation code emails to avoid spam filters.
4.4.1 - 2017-08-23 - Chris Jean & Timothy Jacobs
    Bug Fix: Fixed logical error that prevented backups from executing.
    Bug Fix: Fixed issue that could cause database locks to flood the database.
4.5.0 - 2017-08-31 - Chris Jean & Timothy Jacobs
    New Feature: Introduces Magic Links module. Users can now request a magic login link when logging in during a brute force attack on their username.
    New Feature: Added a new setting in WordPress Tweaks: "Login with Email Address or Username".
    Enhancement: Host email images from the plugin instead of relying on iThemes servers, to help prevent email clients from marking messages as spam or blocking images.
    Bug Fix: Improved Recaptcha compatibility with WooCommerce.
    Bug Fix: Error when searching for modules preventing modules from appearing.
    Bug Fix: Use the wp_options table when acquiring locks in Multisite.
    Bug Fix: Prevent duplicate daily digest emails on sites with high load.
    Misc: Added Magic Links, a new Pro-only feature, to be activated by Security Check.
    Misc: Rearranged modules to be listed alphabetically.
4.5.1 - 2017-09-19 - Chris Jean & Timothy Jacobs
    Bug Fix: Fixed SQL query bug that resulted in the "Minutes to Remember Bad Login (check period)" setting being ignored.
    Bug Fix: Fixed bug that prevents wp-admin/install.php blocking from working properly on nginx servers.
    Bug Fix: Don't attempt to do an SSL redirect when WP CLI is running.
4.6.0 - 2017-10-25 - Chris Jean, Timothy Jacobs and Saylor Bullington
    New Feature: Introduces the Notification Center, a centralized place to manage and customize email notifications sent by iThemes Security.
    Bug Fix: Corrected some JavaScript and CSS links not generating correctly on Windows servers.
    Bug Fix: Properly restrict Application Passwords to read-only REST API requests when overriding the HTTP method used.
    Bug Fix: Ensure scheduled malware scan cron hook is set up when the module is activated.
    Tweak: Simplify script enqueuing for Two Factor.
4.6.1 - 2017-10-26 - Chris Jean & Timothy Jacobs
    Bug Fix: Only enable the Lockout email notification if the Daily Digest was previously disabled.
    Bug Fix: Fix JavaScript error when loading the Notification Center on some systems.
    Bug Fix: Don't store WP Error objects for mail errors, preventing a fatal error for rare PHPMailer errors.
    Bug Fix: Prevent error on upgrade warning the subject line was empty.
    Bug Fix: Ensure file change notification is properly enabled/disabled on upgrade.
    Bug Fix: Fall back to correct default subject lines.
    Bug Fix: Don't enable all administrators as the recipients for emails where all custom email addresses did not have corresponding users.
    Upgrade Routine: Properly enable lockout and file change notifications, uncheck all administrators as recipients when necessary.
4.6.2 - 2017-11-01 - Chris Jean & Timothy Jacobs
    Enhancement: Updated queries and prepare statements to account for changes to the esc_sql() function in WordPress 4.8.3.
    Bug Fix: Fixed the File Change module being incorrectly enabled when upgrading.
4.6.3 - 2017-11-02 - Chris Jean & Timothy Jacobs
    Bug Fix: Fixed source of the following warning: "mysql_real_escape_string() expects parameter 1 to be string, object given".
4.6.4 - 2017-11-06 - Chris Jean & Timothy Jacobs
    Bug Fix: Don't display file change admin notifications if the Notify Admin setting is not enabled.
4.6.5 - 2017-11-27 - Chris Jean & Timothy Jacobs
    Enhancement: Preserve notification settings when the responsible module is deactivated.
    Bug Fix: Process 404 lockouts on the 'wp' hook to prevent a "headers have already been sent" warning message.
    Bug Fix: Ensure Hide Backend emails are properly sent when activating Hide Backend before saving the Notification Center for the first time.
    Bug Fix: Prevent warning from being issued on new installs by allowing previous settings to be preserved if they exist.
    Bug Fix: Better handle WP_Error objects in mail errors that occurred before updating to first patch release.
    Bug Fix: A non-static method was being called statically.
4.7.0 - 2017-12-07 - Chris Jean & Timothy Jacobs
    New Feature: Introduces a scheduling framework for handling events. Cron is now used by default, and will switch to using an alternate scheduling system if it detects an error. To disable this detection set ITSEC_DISABLE_CRON_TEST in your wp-config.php file.
    Important: The ITSEC_FILE_CHECK_CRON and ITSEC_BACKUP_CRON constants have been deprecated. Use ITSEC_USE_CRON instead.
    Bug Fix: Fix occasional duplicate backups and file scans.
4.7.1 - 2017-12-11 - Chris Jean & Timothy Jacobs
    Bug Fix: Fixed issue where scheduled events could repeat on sites that do not properly support WordPress's cron system.
4.7.2 - 2017-12-28 - Chris Jean & Timothy Jacobs
    Bug Fix: Make Cron scheduler available in more circumstances.
    Bug Fix: Events with the Twice Daily schedule would not be carried over when switching scheduler strategies.
    Bug Fix: Backup schedules respect the interval chosen.
    Bug Fix: Prevent multiple cron tests from being scheduled at once.
    Bug Fix: Cron test being stuck in a loop, preventing a site from switching back to the cron scheduler.
    Bug Fix: Prevent warnings when a single and recurring event were scheduled at the same time.
    Tweak: Sort scheduled events in WP CLI command.
4.7.3 - 2017-01-04 - Chris Jean & Timothy Jacobs
    Enhancement: Add 'site_title' as an available tag for the Two Factor email.
    Bug Fix: Fix scheduling retries for Malware Scans on sites that don't fully support WordPress's cron system.
    Bug Fix: Reactivating Away Mode now replaces the active file if you had previously removed it.
    Bug Fix: Ensure lockouts take effect immediately, even on systems where changes to server configuration files do not take effect immediately.
    Bug Fix: Warning on new installations when activating certain Version Management features.
4.7.4 - 2017-01-29 - Chris Jean & Timothy Jacobs
    New Feature: Online Files Comparison now supports WordPress.org plugins.
    Enhancement: Add support for changing position of the Invisible Recaptcha badge.
    Enhancement: Display user lockouts in Lockout Sidebar.
    Tweak: Use the current site URL instead of the network URL when sending Two Factor Email codes.
    Bug Fix: Fixed issue that could prevent Sync from loading Malware Scan results if a scan previously failed.
    Bug Fix: Fixed method that could be used to discover hidden login slug on some sites.
    Bug Fix: Hide Backend notifications not being properly sent when first enabled.
    Bug Fix: Load translations on the plugins_loaded hook.
    Bug Fix: Log logins with User Logging when logging in with Two Factor.
    Bug Fix: Prevent login page being hidden when following the "Confirm Email Address" notification URL.
    Bug Fix: Update to the REST API "Restricted Access" feature to protect against methods to work around the restricted access.
4.8.0 - 2017-02-08 - Chris Jean & Timothy Jacobs
    Enhancement: Updated logging system to keep track of more information and have more options to filter and sort log entries.
    Enhancement: Improved efficiency of File Change Detection scanning.
    Enhancement: Added malware scan support for scanning all sites in a Multisite Network.
    Bug Fix: Fixed issue that could register loading the logging page as a failed login attempt on some sites.
4.8.1 - 2017-02-08 - Chris Jean & Timothy Jacobs
    Bug Fix: Fixed schema issue with new logs table.
4.8.2 - 2018-02-12 - Chris Jean & Timothy Jacobs
    Bug Fix: Fixed "undefined offset" error when displaying specific migrated old log entries.
4.8.3 - 2018-02-12 - Chris Jean & Timothy Jacobs
    Bug Fix: Fixed issue that could cause login attempts to bypass recaptcha protection.
4.8.4 - 2018-02-21 - Chris Jean & Timothy Jacobs
    Enhancement: Cleaned up styling in settings to make some settings stand out better.
    Minor: Use plugin build for cache busting assets.
    Minor: Extract scheduling loop system to iThemes Security Core for future development.
    Bug Fix: Fixed issue preventing the Two-Factor override from iThemes Sync from working as expected.
    Bug Fix: Cannot use object of type WP_Error as array in Malware Scanner.
    Bug Fix: Reordered loading of logging class to allow for logging earlier.
4.8.5 - 2018-03-01 - Chris Jean & Timothy Jacobs
    Security Fix: Fixed display of unescaped data on logs page. Thanks to Paweł Kuryłowicz from SecuRing for finding and reporting this issue.
    Enhancement: The logging system now differentiates between WP-CLI commands, WP-Cron scheduled events, and normal page requests.
    Bug Fix: Fixed the File Change scanner in that it previously could fail to exclude selected directories on some systems.
4.8.6 - 2018-03-06 - Chris Jean & Timothy Jacobs
    Bug Fix: Fixed situation that could cause lockout notifications being sent for whitelisted IPs.
    Bug Fix: Fixed issue where saving Global Settings would be blocked by an unwritable "Path to Log Files" path when the "Log Type" is set to "Database Only".
    Bug Fix: Fixed issue that prevented log database entries from purging and log file entries from rotating on a schedule.
4.8.7 - 2018-03-20 - Chris Jean & Timothy Jacobs
    New Feature: Add WP CLI commands for running the Security Check Scan, managing Modules and enrolling in Network Brute Force.
    Bug Fix: When using the Cron scheduling system, malware scans that had failed and been scheduled to retry would fail to reschedule the original scan event upon success.
    Bug Fix: Added ability to show object data for classes that are not loaded to the Logs page.
    Bug Fix: Fixed logging system references to "fatal-error" that should be "fatal".
    Bug Fix: Prevent PHP warning when completing database backups that are not emailed to any recipients.
    Bug Fix: Prevent PHP warning about converting an array to a string when adding notification data.
4.9.0 - 2018-03-29 - Chris Jean & Timothy Jacobs
    Enhancement: File Change Scan uses a new batching mechanism to prevent crashing on hosts while still generating only one report per day.
    Minor: Updated list of File Change excluded file types to include more media extensions.
    Minor: File Scan "chunk" option is removed.
    Minor: Specifying a manual file scan list has been removed.
    Minor: Security Digest now includes all lockouts that have occurred since the last email.
    Bug Fix: Don't prompt for security check when visiting the settings page after running the security check WP CLI command.
4.9.1 - 2018-03-30 - Chris Jean & Timothy Jacobs
    Bug Fix: Prevent WP admin dashboard JavaScript from crashing when the File Change module is not loaded.
    Minor: Track raw memory used by the file change scanner as well.
    Minor: Page Load Scheduler: Unschedule single events before running them. This mirrors the behavior of the WP Cron scheduler.
4.9.2 - 2018-04-04 - Chris Jean & Timothy Jacobs
    Bug Fix: Warning when uninstalling a plugin while File Change module is active.
    Minor: Shrink storage size of file scans.
    Minor: Make recovering file scan log smaller.
5.0.0 - 2018-04-12 - Chris Jean & Timothy Jacobs
    New Feature: Added Grade Report, a tool to identify security weaknesses on the site with options to fix the detected issues.
    Bug Fix: Ensure all users with the `manage_options` capability are available when selecting contacts in the Notification Center.
    Enhancement: Added minimal API for adding additional entries to the Security admin menu.
5.0.1 - 2018-04-12 - Chris Jean & Timothy Jacobs
    Bug Fix: Fixed a fatal error condition that could occur on the Grade Report page when specific combinations of manual roles for Two-Factor Protection > User Type Protection were selected.
5.0.2 - 2018-04-17 - Chris Jean & Timothy Jacobs
    Tweak: Move Online Files hashes to a separate storage setting to improve performance on sites with a large number of plugins or themes.
    Tweak: Add description for File Change recovery related logs.
    Tweak: Don't report removed files if the removal is caused by a new file extension being excluded.
    Bug Fix: Improved detection of REST API requests on sites without a home dir.
    Bug Fix: Improve File Change recovery system on high-traffic websites.
    Bug Fix: Fix warnings on debug file change log items.
5.1.0 - 2018-04-19 - Chris Jean & Timothy Jacobs
    New Feature: Add Two-Factor On-Board flow.
    Enhancement: Support disabling enforced Two-Factor the first time a user logs in.
    Enhancement: Introduced Login Interstitial framework to consolidate code between Password Requirements & Two Factor.
    Bug Fix: Resolve warnings when upgrading file change settings.
    Bug Fix: Allow read-only Application Passwords to make HEAD requests.
5.1.1 - 2018-04-25 - Chris Jean & Timothy Jacobs
    Enhancement: Allow for customizing access to the Application Passwords feature.
    Misc: Added comment to prevent Tide from marking the plugin as not compatible with PHP 5.3.
    Tweak: Differentiate between "Enforced Two-Factor" and "Configured Two-Factor" in User Security Check.
    Bug Fix: Improve clearing of previous File Change file hashes.
    Bug Fix: Internal links to a filtered logs page.
    Bug Fix: Prevent duplicate "user-logged-in" log items when logging in with Two Factor.
    Bug Fix: Prevent multiple session tokens from being created when logging in with Two Factor.
    Bug Fix: Prevent missing provider information when logging a successful Two Factor authentication.
    Bug Fix: Fixed incorrect detail text for Local Brute Force Protection on the Grade Report.
5.1.2 - 2018-05-02 - Chris Jean & Timothy Jacobs
    Tweak: Two-Factor Flow: Allow the user to proceed after downloading or copying the backup codes without dismissing the notice.
    Tweak: File Change: Only scan a maximum of 10 plugins in a single chunk.
    Tweak: File Change: Move "latest_changes" entry to a separate storage bucket to improve performance on large sites.
    Bug Fix: Fix error on Multisite settings page when Two-Factor is not enabled.
    Bug Fix: Properly enforce strong passwords when on the WP Login Reset Password page.
    Bug Fix: Fix clearing of previous file scan results.
    Bug Fix: iThemes Licensing: Fixed the "View details" link failing to work properly after updating.
    Bug Fix: iThemes Licensing: Fixed an issue that could cause data changes to not save properly on specific background page requests.
    Bug Fix: iThemes Licensing: Added a compatibility fix to avoid conflicts with plugins that change the plugin_action_links filter value from an array to a string.
    Compatibility Fix: iThemes Licensing: Updated handling of wp_remote_get() response due to changes documented in https://core.trac.wordpress.org/ticket/33055.
    Enhancement: iThemes Licensing: Added ability to manage licensing from WP-CLI.
5.1.3 - 2018-05-03 - Chris Jean & Timothy Jacobs
    Bug Fix: iThemes Licensing: Fixed fatal error that could occur when clicking the "View details" link for an available plugin update.
5.1.4 - 2018-05-22 - Chris Jean & Timothy Jacobs
    Enhancement: The number of users listed in the User Security Check modal is now limited to 20 by default. This can be modified by using the itsec_user_security_check_users_per_page filter.
    Enhancement: Introduce Distributed Storage framework for reducing the amount of data stored in the WordPress options table. This should improve performance for large sites using File Change.
5.2.0 - 2018-05-24 - Chris Jean & Timothy Jacobs
    New Feature: Added support for the new WordPress privacy features.
    Enhancement: Removed sending the remote_ip argument to Google's reCAPTCHA server as it reduces the amount of personal information that is sent.
    Bug Fix: Changed the rules generated by the Filter Suspicious Query Strings feature in order to avoid blocking privacy export/erasure request confirmations.
5.2.1 - 2018-05-24 - Chris Jean & Timothy Jacobs
    Bug Fix: Fixed "Cannot modify header information - headers already sent" warning issue that could happen when using reCAPTCHA on sites that add customizations to the login page.
    Bug Fix: Fixed an "Uncaught Error: Call to undefined function esc_like()" error that could occur when exporting or erasing personal data.
    Bug Fix: Skip recovery if File Change storage is empty.
5.2.2 - 2018-05-31 - Chris Jean & Timothy Jacobs
    Enhancement: Add UI to cancel in-progress File Scan.
    Enhancement: Improved rendering of the Grade Report grade pie chart on HiDPI screens.
    Enhancement: Include current grade in the Security Digest.
    Tweak: Don't write to the tracked files setting if the file hash has not changed.
    Tweak: Exclude File Change storage settings from Importer/Exporter.
    Bug Fix: Ensure scheduling lock is cleared by the Cron Scheduler when not proceeding with running events.
    Bug Fix: Away Mode would not lock out users who were already logged in during the "away" period.
    Bug Fix: Prevent File Change from getting stuck in an infinite rescheduling loop on the first step.
    Bug Fix: Issue with importing settings when File Change is active.
5.3.0 - 2018-06-07 - Chris Jean & Timothy Jacobs
    New Feature: Integration with Have I Been Pwned to prevent users from using passwords found in data breaches.
    Enhancement: Introduce Password Requirements module for managing and enforcing password requirements.
    Enhancement: Continually evaluate password strength for users instead of only during registration.
    Enhancement: Add basic admin debug page to help with diagnosing and resolving issues, particularly with events.
    Bug Fix: Password strength would not be evaluated if password was set using custom PHP or CLI commands.
    Bug Fix: Only hide "Acknowledge Weak Password" checkbox if the user was not allowed to use a weak password.
    Bug Fix: Ensure Grade Report instructions in the Security Digest are accurate when the Grade score is capped.
5.3.1 - 2018-06-11 - Chris Jean & Timothy Jacobs
    Enhancement: Only pre-select Two-Factor methods during on-board process if the user requires Two-Factor. This should help prevent users from rolling through the on-board process too quickly.
    Enhancement: Show if a "force password change" is in effect and allow for the change to be removed.
    Enhancement: Add debug settings JSON editor.
    Tweak: If no last password change date is recorded for the user, treat their registration date as the last change date.
    Bug Fix: If a password requirement has been disabled or is no longer available, don't consider the password as needing a change.
    Bug Fix: Remove distributed storage table on uninstall.
    Bug Fix: Don't display backup Two-Factor method form if it is not available to the user. Previously it would only be prevented from being submitted.
5.3.2 - 2018-06-12 - Chris Jean & Timothy Jacobs
    Bug Fix: Accessing password requirement settings would not resolve properly in some instances.
5.3.3 - 2018-06-18 - Chris Jean & Timothy Jacobs
    Security Fix: Fixed SQL injection vulnerability in the logs page. Note: Admin privileges are required to exploit this vulnerability. Thanks to Çlirim Emini, Penetration Tester at sentry.co.com, for reporting this vulnerability.
    Tweak: Recommend Strong Passwords and Refuse Compromised Passwords in the Grade Report.
    Bug Fix: Provide default values for enabled requirements.
5.3.4 - 2018-06-27 - Chris Jean & Timothy Jacobs
    Enhancement: Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.
    Tweak: Display the subject line of the Two-Factor Email when logging in.
    Tweak: Fire a WordPress action whenever settings are updated.
    Bug Fix: Improved input sanitization on the logs page to prevent triggering warnings.
    Bug Fix: Don't track post status transitions to the identical post status.
5.3.5 - 2018-07-09 - Chris Jean & Timothy Jacobs
    Enhancement: Add setting to customize On-Board text.
    Enhancement: Require user to confirm Two-Factor email method when signing up via On-Boarding. Can be disabled by disabling the new Two-Factor Email Confirmation email in the Notification Center.
    Enhancement: Add setting for customizing who is required to use two-factor when "Vulnerable User Protection" and "Vulnerable Site Protection" are enabled and who is presented the On-Board flow.
    Tweak: Check if an IP is blacklisted on page load for compatibility with servers that cannot process server configuration level bans immediately.
    Bug Fix: Provide better error messages in case the server for SSL support detection is non-responsive.
5.4.0 - 2018-07-17 - Chris Jean & Timothy Jacobs
    New Feature: Granular Version Management control. Select which plugins or themes to auto-update. Optionally, use the delay feature to wait for a release to be stable for a certain number of days for sensitive or critical plugins.
    New Feature: Optionally, receive an email notification whenever your Grade Report changes, a maximum of once per day.
    Tweak: Grade report notice styling and disable the "Resolve Issues" button when working.
    Tweak: Add Security Check Pro debug page.
    Tweak: Display a time diff until the next event on the Debug page.
    Compatibility Fix: 404 detection for plugins that mark is_404 later in the hook sequence.
    Bug Fix: Plugin and theme updates were hidden after updating a single package via the Grade Report.
    Bug Fix: Correct grammar for Email Two-Factor method.
    Bug Fix: Warning when using Grade Report when the Password Requirements module is disabled by constant.
    Bug Fix: The Dashboard Widget did not count users who didn't have a primary provider set.
    Bug Fix: Show "File Scan" button on dashboard widget even if "Write to Files" is disabled.
5.4.1 - 2018-07-24 - Chris Jean & Timothy Jacobs
    Enhancement: Log Plugin activation/deactivation/uninstall and Theme switching in the User Logging module.
    Enhancement: Log WordPress, Plugin and Theme installs & updates in the Version Management module.
    Tweak: Use Logging API for tracking Notification Center errors.
    Tweak: Register Scheduler Events whenever the plugin build changes.
    Tweak: Allow for filtering logs by any module recorded.
    Bug Fix: Account for any CLI PHP SAPI instead of just WP-CLI in the SSL Module.
    Bug Fix: Incorrect notice for delayed plugins if the custom per-plugin setting had been switched off.
    Bug Fix: Incorrect User Logging log when logging in via the Login Interstitial framework.
5.4.2 - 2018-07-31 - Chris Jean & Timothy Jacobs
    New Feature: Allow for globally setting recipients for admin-targeted notifications. All new notifications will default to the recipients in this list. Notifications can be set to use the default list or switch to a custom list.
    Enhancement: Allow for disabling Grade Report for certain users. This will hide the Grade Report in the admin and remove it from the Security Digest sent to those users. If one of these users is configured to receive the "Grade Report Change" email they WILL still receive that notification.
    Tweak: Account for 3rd-party Backup Plugin in Security Check.
	Tweak: On upgrade, disable "Grade Report Change" email when more than one recipient is designated to receive the notification.
5.4.3 - 2018-08-01 - Chris Jean & Timothy Jacobs
	Bug Fix: Fix "serialization of closure" error when a plugin registering a hook with a closure is in the boot-up stack and the notification center is triggered too early in the cycle.
5.4.4 - 2018-08-06 - Chris Jean & Timothy Jacobs
	Enhancement: Added a setting to enable/disable the Grade Report feature of Pro.
5.4.5 - 2018-08-07 - Chris Jean & Timothy Jacobs
	Bug Fix: Fixed how the Grade Report enable/disable status is stored to fix admin page loading issues on some sites.
5.4.8 - 2018-08-14 - Chris Jean & Timothy Jacobs
	Enhancement: Add schedule options to the "Grade Report Change" email.
	Bug Fix: Don't send "Grade Report Change" email if the grade is reverted back to the original grade during the waiting period before sending the notification.
	Bug Fix: Plugins were deactivated when updating through Grade Report.
	Bug Fix: REST API Protection blocked the Taxonomies route for all users.
5.5.0 - 2018-10-02 - Chris Jean & Timothy Jacobs
	New Feature: Trusted Devices identifies the devices users use to login and can apply additional restrictions to unknown devices.
	Enhancement: Allow a device to be remembered and bypass Two-Factor for 30 days. Requires "Trusted Devices" to be active.
	Enhancement: Display Recaptcha in the wp_login_form() template function.
	Enhancement: Block access to git and svn repositories when System Tweaks -> Protect System Files is enabled.
	Tweak: Update jQuery Validation library to 1.17.0
	Tweak: Don't require Two-Factor on-boarding if the user is required to use Two-Factor because of a vulnerable site.
	Bug Fix: Improve detection to prevent a File Change Scan from being scheduled while one is already running.
	Bug Fix: Prevent infinite recursion error when trying to access directories outside of the allowed file tree.
	Bug Fix: Grade Report styling issue on IE 11.
5.5.1 - 2018-10-05 - Chris Jean & Timothy Jacobs
	Tweak: Delete a user's device fingerprints when their account is deleted.
	Bug Fix: Ensure you can save Two-Factor when "Trusted Devices" is disabled on a new site.
5.5.2 - 2018-10-10 - Chris Jean & Timothy Jacobs
	Enhancement: Allow for selecting the particular Proxy header a server is configured to use. Improve the language to indicate the importance of configuring this setting. H/t Filippo Cavallarin, CEO at wearesegment.com.
5.5.3 - 2018-10-10 - Chris Jean & Timothy Jacobs
	Bug Fix: Fix issue with saving Global settings if Security Check Pro has detected the correct Proxy Header to use.
5.5.4 - 2018-11-01 - Chris Jean & Timothy Jacobs
	Enhancement: Add support for displaying status messages about services that might be encountering issues without updating the plugin.
	Enhancement: Add support for suppressing malware email notifications if the Malware Scanner is experiencing widespread issues without updating the plugin.
5.5.5 - 2018-12-04 - Chris Jean & Timothy Jacobs
	Enhancement: Add Per-Content SSL toggle to the upcoming Block Editor interface.
	Enhancement: Add filter to the recipients list for email notifications: "itsec_notification_{$notification}_email_recipients" and "itsec_notification_email_recipients".
	Enhancement: Detect Server IPs in Security Check.
	Enhancement: Update jquery.file-upload plugin to the latest version (9.28.0).
	Tweak: Improve File Change locking to help prevent failing scans on sites with inconsistent cron scheduling.
	Tweak: Improve "System Tweaks – Suspicious Query Strings – SQLI" to reduce false positives.
	Tweak: Improve "System Tweaks – Disable PHP" to block PHP files in Apache configurations that serve files with a trailing dot.
	Tweak: Add additional safety checks when writing to system config files.
	Tweak: Remove "Seznam Bot" from HackRepair List as it isn't present in the latest version.
	Tweak: Add Recaptcha Opt-in styles wherever the recaptcha is displayed, not just WP Login.
	Bug Fix: Notification Center - Only send notifications to users with an exact role match of selected roles instead of a fuzzy match based on selected capabilities.
	Bug Fix: Resolve warnings on PHP 5.2.
	Bug Fix: Don't run Trusted Devices checks on authenticated loopback requests. Please re-run "Security Check" to initialize this detection. This should resolve conflicts with plugins that make authenticated loopback requests as a form of async processing.
	Bug Fix: Persist and reload storage to avoid Imported settings being lost in some circumstances.
	Bug Fix: Trigger module activation/deactivation routines when using the Importer.
	Bug Fix: Remove "Nekudo" GeoIP service as it has been sunset.
5.5.6 - 2018-12-04 - Chris Jean & Timothy Jacobs
	Bug Fix: Don't try to get users with the selected role if no roles are selected.
5.5.7 - 2018-12-06 - Chris Jean & Timothy Jacobs
	Tweak: Use new "determine_locale()" function for loading the plugin textdomain.
	Bug Fix: Update Grade Report Software version fallback data.
5.5.8 - 2018-12-11 - Chris Jean & Timothy Jacobs
	Bug Fix: Only re-add Trusted Devices restricted capabilities filter if it was registered in the first place.
	Bug Fix: Error when trying to edit reusable blocks with per-post SSL enabled.
5.6.0 - 2019-01-10 - Chris Jean & Timothy Jacobs
	New Feature: Introducing the iThemes Security Dashboard. See a real-time overview of the security activity on your website with this dynamic dashboard. Turn it on by activating the Security Dashboard module.
	Enhancement: Add loopback IP detection to Security Check.
	Enhancement: Add define "ITSEC_DISABLE_TEMP_WHITELIST" to disable the Temporary IP Whitelisting for logged-in administrators.
	Tweak: Only run Remote Messages API on Pro versions.
5.6.1 - 2019-01-14 - Chris Jean & Timothy Jacobs
	Bug Fix: Prevent dashboard error when the "Show Avatars" setting is disabled.
	Bug Fix: Styling issue that made "Identified Loopback IP" look like an error message instead of a success.
5.7.0 - 2019-01-16 - Chris Jean & Timothy Jacobs
	New Feature: reCAPTCHA v3 support. Can toggle between loading the API on all pages (recommended) or only the required pages. Adjust the Block Threshold from the recommended default of "0.5" based on the data in the Google reCAPTCHA console.
	New Feature: On-page reCAPTCHA opt-in to allow users to agree to Google's ToS without refreshing the page.
5.8.0 - 2019-02-13 - Chris Jean & Timothy Jacobs
	New Feature: Add "Click to Continue" button to email Two-Factor method to simplify usage.
	Enhancement: Don't require logging in again after overriding Two-Factor in Sync mid-login.
	Enhancement: Improve redirecting after processing a login interstitial from a front-end login form.
	Tweak: Add display description for log when safeguarding against an empty config file write.
	Bug Fix: Include Hide Backend token when emailing a password reset URL.
	Bug Fix: Duplicate key error when consolidating Dashboard Events.
	Bug Fix: Fix Recaptcha opt-in CSS not always loading.
5.9.0 - 2019-02-19 - Chris Jean & Timothy Jacobs
	New Feature: A new dashboard widget powered by the iThemes Security Dashboard.
	Bug Fix: Prevent "headers already sent" warning when logging in with the Two-Factor email method on certain systems.
	Bug Fix: Tabnabbing: Apply noopener to links instead of using the blankshield script when available, to prevent new pop-up blocker behavior from killing the links.
5.9.1 - 2019-02-20 - Chris Jean & Timothy Jacobs
	Enhancement: When ITSEC_DISABLE_MODULES is set, prevent hide backend from running.
	Bug Fix: Error on the WordPress dashboard screen when the Security Dashboard module does not completely load.
5.9.2 - 2019-02-20 - Chris Jean & Timothy Jacobs
	Bug Fix: Load new dashboard widget on Multisite network admin dashboard properly.
5.9.3 - 2019-03-12 - Chris Jean & Timothy Jacobs
	Important: Replace Google QR Code API with an iThemes Security hosted solution. Google's API will be shut down on March 14th, 2019. If you'd like to generate QR codes locally, a plugin is available in the members panel under "Plugins": iThemes Security - Local QR Code.
	Enhancement: Add support for deleting dashboards.
	Enhancement: Order cards in the dashboard widget in the same order as the mobile breakpoint in the Security Dashboard.
	Enhancement: New WP-CLI command for retrieving, releasing and creating lockouts.
	Tweak: Improve dashboard a11y.
	Tweak: Improve dashboard performance by decreasing the bundle size, improving cache stability, and asynchronously loading less-used libraries.
	Tweak: Allow the log description column to word break for URLs or other strings with no spaces.
	Bug Fix: Hide Backend bypass on certain Apache configurations.
	Bug Fix: Properly return error that occurs during a backup.
	Bug Fix: Regex warning on PHP 7.3 in the File Change module.
	Bug Fix: Resolve warning when a user is set to "No Role".
	Bug Fix: Removing the last role or user from a shared dashboard would not work.
5.9.4 - 2019-03-22 - Chris Jean & Timothy Jacobs
	Bug Fix: Hide backend bypass.
5.9.5 - 2019-05-06 - Chris Jean & Timothy Jacobs
	Bug Fix: For WordPress 5.2 installs, prevent updating a plugin via Grade Report if the new plugin update has PHP version requirements that are not met.
6.0.0 - 2019-05-30 - Chris Jean & Timothy Jacobs
	New: iThemes Security Admin Notices are now conveniently located in the new Security Messages Menu. Check your notices in the Security menu on the WordPress Admin Bar.
	Enhancement: Add filters to customize the available Two Factor providers for a user.
	Enhancement: Add a dismissible warning if iThemes Security isn't licensed.
	Tweak: Remove "pin" link from a Security Profile when that profile has already been pinned.
	Tweak: Remove 'DELETE' method from "System Tweaks -> Filter Request Methods".
	Tweak: Minor UI and a11y improvements to the Security Dashboard.
6.0.1 - 2019-06-06 - Chris Jean & Timothy Jacobs
	Enhancement: Add Security Message when a Notification Center email fails to send.
	Enhancement: Add Security Message when the Malware Scanner finds malware or encounters an error.
	Enhancement: Replace Trace IP with IP Tracker Online.
6.0.2 - 2019-06-28 - Chris Jean & Timothy Jacobs
	Enhancement: New iThemes Sync Verb support for File Change.
	Tweak: Add additional information about the login attempt when calling the Network Brute Force API.
	Bug Fix: Ensure Dashboard classes are always loaded.
6.0.3 - 2019-08-12 - Chris Jean & Timothy Jacobs
	Enhancement: New iThemes Sync Verb support for overriding a specific Two-Factor request.
	Bug Fix: Hide Backend Bypass.
	Bug Fix: Strict Standards error during Sync request.
	Bug Fix: wp_die() if a login interstitial session fails to be created instead of throwing a fatal error.
6.1.0 - 2019-09-04 - Timothy Jacobs
	Breaking Change: iThemes Security requires PHP 5.4 or later.
	New Feature: Make WordPress Security Easy With Passwordless Logins.
	Enhancement: Make Magic Links work in a wider variety of situations.
	Enhancement: New Lockout Template screen.
	Bug Fix: WordPress 5.3 Compatibility.
	Bug Fix: Brute Force module reporting invalid logins using an email address incorrectly.
	Developer Note: There were significant changes to the internals of the iThemes Security Lockout API in this release. If you are using the ITSEC_Lockout class directly, all the API functions will continue to work, but will emit deprecation notices. Please update your integrations.
6.1.1 - 2019-09-05 - Timothy Jacobs
	Bug Fix: PHP Warning while logging interstitial updates.
6.1.2 - 2019-09-09 - Timothy Jacobs
	Enhancement: Add confirmation button to Passwordless Login or One-Click Two-Factor when on a different device than you started with. When Trusted Devices is active, include information about the device the login will be processed on.
	Bug Fix: Fix Passwordless Login release notice not being dismissed due to a REST API route that was more narrowly defined than necessary.
6.1.3 - 2019-10-01 - Timothy Jacobs
	Bug Fix: Strong Passwords zxcvbn Library was not evaluating penalty strings correctly.
6.2.0 - 2019-10-29 - Timothy Jacobs
	New Feature: Integrate Passwordless Login with WooCommerce, Easy Digital Downloads, and Lifter LMS.
	Enhancement: Add filter to "Lookup IP" link.
	Bug Fix: PHP warning when inserting lockouts.
	Bug Fix: WooCommerce Shop Managers were unable to verify their Two-Factor Mobile App code via their WP-Admin profile.
	Bug Fix: WordPress 5.3 compatibility with Passwordless Login.
6.2.1 - 2019-11-01 - Timothy Jacobs
	Bug Fix: Error when saving Passwordless Login settings page when no integrations are available.
6.2.2 - 2019-11-12 - Timothy Jacobs
	Bug Fix: Improve lockout compatibility with caching plugins.
	Bug Fix: Admin Notices list did not refresh after dismissing a notice.
	Bug Fix: Fix PHP warning if there are multiple detected proxy headers.
6.2.3 - 2019-11-14 - Timothy Jacobs
	Tweak: Add stub Passwordless Login settings page for WordPress.org users.
	Bug Fix: PHP warning if lockout_active field is missing.
6.2.4 - 2019-11-18 - Timothy Jacobs
	Bug Fix: The username-first Passwordless Login flow was not working on WordPress 5.3.
6.3.0 - 2019-12-09 - Timothy Jacobs
	Enhancement: Run Security Check Pro IP Detection automatically once a day.
	Enhancement: Manually re-run Security Check Pro IP Detection from the Global Settings page.
6.3.1 - 2019-12-10 - Timothy Jacobs
	Bug Fix: Properly notate that iThemes Security requires PHP 5.5 or greater.
6.3.2 - 2019-12-12 - Timothy Jacobs
	Enhancement: Allow LastPass to autofill password fields.
	Bug Fix: Passwordless Login would trip some ModSecurity rules when used with LastPass autofill.
	Bug Fix: The username-first Passwordless Login flow was not working on WordPress 5.3 if the user did not have permission to use Passwordless Login.
	Bug Fix: Harden Version Management against plugins that were populating invalid update API data.
	Bug Fix: The "Multisite Tweaks -> Hide Updates" setting prevented auto-updates from running with WP Cron.
	Bug Fix: Remove "get_magic_quotes()" call that existed for backwards compatibility with PHP versions 5.3 and earlier. This function call was causing a warning on PHP 7.4.
6.3.3 - 2020-01-07 - Timothy Jacobs
	Important: Updated Trusted Devices MaxMind GeoLite2 integration to reflect their new Terms of Service, which account for the CCPA. Users must now provide a free license key when using the MaxMind GeoLite2 Geolocation method.
	Bug Fix: Backup event was not added when the WP Cron Scheduler was reset manually.
	Bug Fix: Admin Notices Popover was not being hidden when clicking outside the Popover on WP 5.3.
6.4.0 - 2020-02-12 - Timothy Jacobs, Josh Oakes
	Important: iThemes Security requires PHP 5.6 or greater and WordPress 5.2 or greater.
	New Feature: Save Time Securing WordPress With User Groups!
	New Feature: Simplified connection flow when setting up iThemes Sync.
	Bug Fix: Warning when loading the settings page on PHP 7.4.
	Bug Fix: Warning when loading the debug page on PHP 7.4.
6.4.1 - 2020-02-13 - Timothy Jacobs
	Bug Fix: A fatal error could occur when upgrading to User Groups if a custom role had been selected for Two-Factor or Passwordless Login that has since been deleted but the module's settings had not been updated.
6.4.2 - 2020-02-17 - Timothy Jacobs, Josh Oakes
	Tweak: Harden iThemes Sync connection flow by adding a second verification check.
	Bug Fix: Prevent UnknownIdentifierException errors when modules are loaded before expected.
	Bug Fix: Add additional type checks.
6.5.0 - 2020-03-10 - Timothy Jacobs
	Enhancement: Add super admins as a selectable role for User Groups.
	Enhancement: Add reCAPTCHA to the Reset Password form.
	Enhancement: Add support for resending a Two-Factor Email code.
	Enhancement: Add support for resending a Passwordless Login email.
	Enhancement: Allow selecting users across all sites in a network for User Groups, Security Profile cards, and User Security Check.
	Enhancement: Include all super admins by default in the Security Profile card, even if they are not a member of the network's main site.
	Enhancement: Display all of a user's roles in the Security Profile card.
	Enhancement: When logging in with Passwordless Login, skip Two-Factor if the primary Two-Factor method is Email.
	Enhancement: Force a space after each Two-Factor Backup Code to assist with copying and pasting.
	Enhancement: Include the website URL in the download file for Two-Factor Backup Codes.
	Enhancement: Add a warning if a WordPress Salt is set to an invalid value.
	Enhancement: Allow re-entering the Two-Factor Onboard flow even after Two-Factor is set up by visiting /wp-login.php?itsec_after_interstitial=2fa-on-board directly.
	Enhancement: Add a new WP CLI command for managing user Two-Factor enrollment.
	Enhancement: Add a new WP CLI command for retrieving logs.
	Enhancement: Include child log items in the logs list table. These are helpful for debugging issues.
	Enhancement: Improve performance of the logs page on sites with a large number of log items.
	Tweak: Only show Lockout Bypass Magic Link for valid users.
	Tweak: When logging $_SERVER, only log a snapshot of available properties.
	Bug Fix: New Password Requirements for already created accounts were not enforced until the second login.
	Bug Fix: User Security Check would not display in Multisite.
	Bug Fix: Prevent fatal error if invalid user IDs are encountered by User Groups.
	Bug Fix: Infinite loop when trying to use Application Passwords on Multisite.
	Bug Fix: User Logging did not correctly capture the user id of the logged-out user on WordPress 5.3.
	Bug Fix: Warnings when doing a settings import.
	Deprecated: The "getlockouts", "releaselockout", and "getrecent" WP CLI commands. Use the "lockout" and "log" commands instead. They will be removed in a future release.