6.3.0
Feature 3, Fix 18, Tweak 12
Features
- Added support for iThemes Sync to run the Security Check feature from inside the Sync service.
- Added support for the ITSEC_DISABLE_MODULES define.
- Allow for searching through modules and settings.
Fixes
- Compatibility with Jetpack SSO and Password Requirements.
- Ensure viewport meta is defined when loading the password requirements update password form.
- Fix fatal error when registering a new user without specifying a role (iThemes Exchange).
- Fix fatal error when updating a profile.
- Fix strong passwords not being recognized as strong on the profile page.
- Fixed an infinite loop that could occur when expiring a cookie and Hide Backend is enabled.
- Fixed bugs that prevented reporting of specific error messages related to updating the wp-config.php file.
- Fixed compatibility issue with the Jetpack plugin when Hide Backend is enabled which could prevent Jetpack from redirecting users to the wordpress.com login page.
- Fixed issue that could prevent "Register" and "Lost your password?" links from working properly on the login page when Hide Backend is enabled.
- Fixed issue with access to wp-admin/admin-post.php when Hide Backend is enabled.
- Fixed password-protected posts not properly handling the password when Hide Backend is enabled.
- Fixed source of notice that could appear when resetting a user's password when the Strong Passwords Enforcement feature is enabled.
- Fixed source of warning that could appear when creating a backup while running a PHP version less than 5.4.
- Fixed the ability to manually enter a page number to navigate to on the Security > Logs page.
- Hide Backend is now compatible with Jetpack Single Sign On.
- Hide Backend now hides registration pages on multisite sites.
- Removed warning: "Non-static method ITSEC_Setup::uninstall() should not be called statically".
- The Hide Backend hidden login URL is no longer leaked by password-protected content.
Tweaks
- Changed default Hide Backend Register Slug from wp-register.php to wp-signup.php since WordPress switched from using wp-register.php to wp-signup.php for registrations. This will not affect existing sites.
- Enforce strong passwords during log-in. Can be disabled via the ITSEC_DISABLE_PASSWORD_REQUIREMENTS constant.
- Fire an action, "itsec_change_admin_user_id", when the admin user id changes.
- Hide Backend functions purely in PHP code now rather than relying half on PHP code and half on .htaccess and nginx.conf modifications. This allows Hide Backend to function on web servers and server configurations that it was previously not compatible with.
- Improved efficiency of Hide Backend code, increasing site performance when the feature is enabled.
- Introduce password requirements module to centralize handling of password updates.
- Link to other module settings pages without forcing the page to refresh.
- Removed AhrefsBot from the HackRepair blacklist as it is a legitimate bot.
- The way that Hide Backend functions changes in this release. Previously, if your Hide Backend Login Slug was wplogin, going to example.com/wplogin would result in the URL remaining example.com/wplogin. The new implementation of this feature results in a redirect to a URL that looks as follows: example.com/wp-login.php?itsec-hb-token=wplogin. While this may not be desirable for some users, this change was necessary to fix longstanding compatibility issues with other plugins. Once you access the login page using the Login Slug page, a cookie is set with an expiration time of one hour. As long as the cookie remains, you can access example.com/wp-login.php without having to access the Hide Backend Login Slug first. If you wish to confirm that Hide Backend is working properly on your site, opening up a private browsing window is a quick way to test without having to log out and clear cookies.
- Updated Disable File Locking description.
- Updated or added phpDoc to many functions.
- Use canonical roles library to determine if a new user or an updated role requires a strong password.
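
The Hide Backend flow described in the Tweaks entry above (slug redirect, token check, one-hour cookie), modelled as an added example that is not iThemes Security's own code. Only the slug, the itsec-hb-token parameter and the one-hour lifetime come from the changelog; the cookie name, the HMAC-signed cookie value, the secret and the "block" outcome are assumptions made for illustration.

```php
<?php
// Added model of the Hide Backend flow; not iThemes Security code.
// Assumptions (not from the changelog): cookie name, HMAC-signed cookie value,
// the server-side secret, and "block" as the outcome when access is refused.
const LOGIN_SLUG  = 'wplogin';                 // example slug used in the changelog
const COOKIE_NAME = 'hb_access';               // hypothetical cookie name
const COOKIE_TTL  = 3600;                      // one hour, as stated in the changelog
const SECRET      = 'constructed-demo-secret'; // placeholder key

// Cookie value is "<expiry>.<hmac>" so a client cannot extend its own access.
function sign_expiry(int $expires): string {
    return $expires . '.' . hash_hmac('sha256', (string) $expires, SECRET);
}

function cookie_is_valid(?string $cookie, int $now): bool {
    if ($cookie === null || substr_count($cookie, '.') !== 1) { return false; }
    [$expires, $mac] = explode('.', $cookie, 2);
    if (!ctype_digit($expires)) { return false; }
    $expected = hash_hmac('sha256', $expires, SECRET);
    return hash_equals($expected, $mac) && (int) $expires > $now;
}

// Returns ['action' => redirect|allow|block] plus 'location' or 'set_cookie'.
function gate(string $path, array $query, array $cookies, int $now): array {
    $path = trim($path, '/');
    if ($path === LOGIN_SLUG) {
        $target = '/wp-login.php?itsec-hb-token=' . rawurlencode(LOGIN_SLUG);
        return ['action' => 'redirect', 'location' => $target];
    }
    if ($path !== 'wp-login.php') {
        return ['action' => 'allow']; // other requests are outside this model
    }
    $token = $query['itsec-hb-token'] ?? '';
    if (is_string($token) && hash_equals(LOGIN_SLUG, $token)) {
        return ['action' => 'allow', 'set_cookie' => sign_expiry($now + COOKIE_TTL)];
    }
    if (cookie_is_valid($cookies[COOKIE_NAME] ?? null, $now)) {
        return ['action' => 'allow'];
    }
    return ['action' => 'block'];
}

// Constructed walk-through: private window, slug visit, then direct access.
$t0 = 1700000000;
echo gate('/wp-login.php', [], [], $t0)['action'], "\n";
echo gate('/wplogin', [], [], $t0)['location'], "\n";
$r   = gate('/wp-login.php', ['itsec-hb-token' => 'wplogin'], [], $t0);
$jar = [COOKIE_NAME => $r['set_cookie']];
echo gate('/wp-login.php', [], $jar, $t0 + 3599)['action'], "\n";
echo gate('/wp-login.php', [], $jar, $t0 + 3600)['action'], "\n";
```

The first call corresponds to the private-browsing check suggested in the entry: with no token and no cookie, direct access to wp-login.php is refused in this model, and the last two calls show the one-hour boundary.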
